I received some questions about device enrollment in Intune, so to answer them I am describing in detail how to enroll devices in Intune.
For those interested, a brief introduction. A few weeks ago I first wrote about how you can build a modern IT department. In the next post I showed what Intune is and why it matters for IT management in a company. It turned out that my discussion of enrollment methods was too shallow for some readers, so today it will be more complete and thorough.

Basic configuration of enrollment devices in Intune

I assume that you already know what Intune is, so it's time to put it to use. For me, the first item to set is the Intune device enrollment permission. By default, this permission is granted at the level of a selected group. Some organizations set it so that only the IT department can add new devices to Intune. That defeats the whole purpose of the service: the idea is to minimize the amount of work the IT department must do to prepare a new computer. That is why I personally give every user in the company this permission.
The setting I am talking about can be found in the Intune console -> Devices -> Enroll devices | Windows enrollment. There you set MDM user scope and MAM user scope to All.


I also assume here that your users can join devices to Azure AD. It is worth mentioning that when a computer is joined to the domain, it is also good to add additional local administrators. This is an especially useful option that can make things easier for us in the future. If you want to read about the other settings, please visit this Microsoft page.

Automatic Enrollment

At this point, the settings we made earlier mean that when you join your device to Azure AD it will also be enrolled in Intune. It is worth emphasizing that the screens may differ depending on the version of Windows 10 pre-installed by the hardware manufacturer. The entire process comes down to two steps.
When you turn on a new computer, first connect it to the Internet. Then you must choose that it will be used in the company (Set up for an organization). This is important because if you choose personal use, you will be working in the context of either a local user or a Microsoft Account, and we don't want that.

Then we must provide our company email address and password. At this point, the computer connects to Azure AD and Intune. It then starts processing policies and downloading the software prepared for it. That's it. The length of the process depends on several factors, including the speed of the Internet connection, whether the disk is encrypted immediately, how many applications must be downloaded, and so on.
However, at this point, nothing prevents you from starting to work.

A few words about AutoPilot

There is one more scenario worth mentioning: AutoPilot deployment. In this case, after turning the computer on and connecting it to the Internet, we only provide our email address and password (and sometimes only the password). The system immediately knows which organization it belongs to, and the welcome screen can also be adapted to the needs of our company. How does it work? The hardware manufacturer must send us a CSV file that contains:

  • Device Serial Number
  • Windows Product ID
  • Hardware Hash
  • Group Tag
  • Assigned User

What's more, the vendor can be set up to upload this file to the service itself. Of course, such a solution requires cooperation from the supplier, and that is not always possible, but there is another option.
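Whichever way the file arrives, it is worth checking it before it is uploaded, because a bad row (duplicate serial, a truncated hash from a copy/paste, a user from the wrong tenant) only shows up as a confusing import error later. The following PowerShell function is an added example and not part of the original post or any Microsoft tool: it validates a CSV with the column names listed above. The tenant domain contoso.com, the sample rows and the hardware-hash values are constructed for the demonstration, and the 100-character minimum for the hash is an assumed sanity threshold, not a documented limit.

```powershell
# Added example: sanity-check an AutoPilot CSV before importing it into Intune.
# Column names follow the Intune import format; everything else here is constructed.

function Test-AutopilotCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $TenantDomain   # e.g. 'contoso.com' (assumed)
    )

    $required = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash')
    $optional = @('Group Tag', 'Assigned User')
    $findings = New-Object System.Collections.Generic.List[string]

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { return @('CSV is empty or contains only a header row') }

    # Import-Csv exposes the header names as properties of each row object
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($h in $required) {
        if ($headers -notcontains $h) { $findings.Add("Missing required column: '$h'") }
    }
    foreach ($h in $headers) {
        if (($required + $optional) -notcontains $h) { $findings.Add("Unexpected column: '$h'") }
    }
    if ($findings.Count -gt 0) { return $findings }   # row checks make no sense with a broken header

    $seen = @{}
    $line = 1                                          # line 1 is the header
    foreach ($r in $rows) {
        $line++
        $serial = "$($r.'Device Serial Number')".Trim()
        $hash   = "$($r.'Hardware Hash')".Trim()

        if ([string]::IsNullOrWhiteSpace($serial)) {
            $findings.Add("Line ${line}: empty serial number")
        } elseif ($seen.ContainsKey($serial)) {
            $findings.Add("Line ${line}: duplicate serial '$serial' (first seen on line $($seen[$serial]))")
        } else {
            $seen[$serial] = $line
        }

        # The hardware hash is a long base64 blob; a short or non-base64 value is almost always a copy/paste error
        if ($hash.Length -lt 100 -or $hash -notmatch '^[A-Za-z0-9+/]+=*$') {
            $findings.Add("Line ${line}: hardware hash does not look like a base64 hardware hash")
        }

        # An assigned user outside our own tenant would never match an account at first sign-in
        $upn = "$($r.'Assigned User')".Trim()
        if (($headers -contains 'Assigned User') -and -not [string]::IsNullOrWhiteSpace($upn)) {
            if ($upn -notmatch ('^[^@\s]+@' + [regex]::Escape($TenantDomain) + '$')) {
                $findings.Add("Line ${line}: assigned user '$upn' is not a UPN in $TenantDomain")
            }
        }
    }
    return $findings
}

# --- Constructed sample input: two good rows and two rows that should be flagged ---
$fakeHash = [Convert]::ToBase64String([byte[]](1..120))   # 160 base64 chars, stands in for a real hash
$csv = @(
    'Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User'
    "SN0001,00330-80000-00000-AA123,$fakeHash,Sales,alice@contoso.com"
    "SN0002,00330-80000-00000-AA124,$fakeHash,,"
    "SN0001,00330-80000-00000-AA125,$fakeHash,Sales,"          # duplicate serial
    "SN0003,00330-80000-00000-AA126,abc,Finance,bob@gmail.com"  # bad hash, foreign UPN
) -join "`r`n"

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'autopilot-sample.csv'
Set-Content -Path $tmp -Value $csv -Encoding UTF8

Test-AutopilotCsv -Path $tmp -TenantDomain 'contoso.com'
# Expected: three findings (duplicate SN0001 on line 4, bad hash and foreign UPN on line 5)
```

Run it against the vendor's file with your own tenant domain; an empty result means the file is at least structurally fit to import, while each finding points at the exact line to fix before you open "Windows Autopilot devices" and import.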

How do I convert devices in Intune to AutoPilot?

The scenario I will discuss now has only recently become available in the service: existing devices in Intune can be converted to AutoPilot. Someone may ask what we need this for. A computer in AutoPilot gives us some bonuses, for example when we must hand it over to another user and need to restore it to its initial state.

  • When we use the AutoPilot scenario, we have the option that the user is not the computer administrator, whereas in the normal scenario the user is.
  • It is possible to configure the welcome screen.
  • We have fewer screens to go through at the beginning.
  • We can configure the computer name.
  • A device in AutoPilot mode can already be joined to our Azure AD and contain all device-assigned applications; only user-assigned applications remain to be installed. This significantly reduces computer preparation time.

To register devices for AutoPilot, we need two things. The first is a security group containing the computers we want to convert. The second is an AutoPilot deployment profile with the option "Convert all targeted devices to Autopilot" set to "Yes". Each computer targeted by the profile is then loaded into the list "Windows Autopilot devices". From then on, the system is treated as a device whose data was provided by the manufacturer and registered for AutoPilot.

What’s next?

I encourage you to familiarize yourself with all the possibilities the service gives us. Getting the devices into Intune is just the beginning. Once they are there, you can do anything, or almost anything 🙂, without leaving your armchair. The solution has exciting potential, and Microsoft is gradually developing it. Implementing it can save you a huge amount of time that you can spend on other things. Soon I will try to show you even more of what you can do with Intune.