My name is Windows. Can I get into the club?

Jonas Bøgvad


Right now it's 2 AM. I couldn't leave this blog post alone because it turned out to be much more complicated than I first anticipated. Please give me a heads-up if I missed something. Enjoy the story 😍

I start my device management workshops on Microsoft Endpoint Manager (MEM) with enrollment. To remember everything, I make up a story in my mind, so I'm sharing one of them with you.

Introduction

When we talk about enrollment in Intune, we must remember that we have our device identity 💻📱 but also our user identity 🆔. I came up with a small story to make this easier to understand. We have the following:

  • Name = Windows (you)
  • Club = Intune (where you want to go and stay)
  • Doormen = Mrs. Azure and Mr. Intune (who you need to pass)

Now our doormen come into play: Mrs. Azure AD and Mr. Intune. They decide whether we are allowed to enroll, and they both have assistants.

Let me introduce our doormen.

Introducing doorman Mrs. Azure AD and her crew:

  • Azure AD Conditional Access
  • Users may join devices to Azure AD
  • Maximum number of devices per user in Azure AD

Introducing doorman Mr. Intune and his crew:

  • Device Enrollment restriction
  • Device limit restriction

Device and primary user

  • Device with primary user (device + user = two identities)
  • Device without a primary user (device = one identity)

Ready to start the journey? 💻😊

The beginning of a simple story as a Windows device

Let me take you on a little journey. Imagine going to a club: you are the device, and you need to decide whether you are with a friend or not.

Let's begin by answering the following:

Your name is Windows💻

Are you with a friend? 😊

  • Yes = Primary user
  • No = without primary user

Example: My name is Windows, and I'm not with a friend.

Ready to get going? Let's go to the club! 🚀

We will now walk to the club and meet both doormen. They will ask us whether we are with a friend and what our name is every time we want to enter. That means that if you later change your mind about bringing a friend, you will automatically be thrown out of the club and need to go back to the beginning.

What is your answer❓

My name is Windows, and I'm with a friend

My name is Windows, and I'm not with a friend


💡 We have enabled Automatic MDM enrollment in Intune for All Users.

My name is Windows, and I'm with a friend.

First, we need to check whether you are a personal (BYOD) or corporate-owned device, since that decides whether you need to speak to my assistants.

Are you a personal (BYOD) or a corporate-owned device?

You will be getting a stamp depending on which answer you choose. Remember it.

You can answer personal if one of the following applies. Your stamp is the fruit: Azure AD Joined or Azure AD Registered.

  • Azure AD Join During Windows Setup* (🍉Azure AD Joined)
  • Azure Active Directory Join from Windows Settings* (🍉Azure AD Joined)
  • Add Work Account from Windows Settings* (🍊Azure AD Registered)
  • MDM enrollment only option from Windows Settings. (🍊Azure AD Registered)

*If the device is registered for Autopilot, you are corporate-owned; change your answer to corporate.

You can answer corporate if one of the following applies. Your stamp is the fruit, i.e. the entire line.

  • 🍈Windows Autopilot (Azure AD Joined)
  • 🍉Windows Autopilot (Hybrid Azure AD Joined)
  • 🍋Group Policy enrollment (Hybrid Azure AD Joined)
  • 🍌Automatic Enrollment from Config Mgr for co-management (Azure AD Joined)
  • 🍍Automatic Enrollment from Config Mgr for co-management (Hybrid Azure AD Joined)

I'm a personally owned device

What stamp did you get from Mrs. Azure AD?

🍊Azure AD Registered

User context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes, user context)
  • Users may join devices to Azure AD (Never, because we are Azure AD Registered)
  • Maximum number of devices per user in Azure AD (Yes, user context)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (Yes, user context)
  • Device limit restriction (Yes, user context)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍉Azure AD Joined

User context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes, user context)
  • Users may join devices to Azure AD (Yes, since this only applies to Azure AD Joined without Autopilot)
  • Maximum number of devices per user in Azure AD (Yes, user context)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (Yes, user context)
  • Device limit restriction (Yes, user context)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

I'm a corporate-owned device

What stamp did you get?

🍈Windows Autopilot (Azure AD Joined)

Device and User context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes, user context)
  • Users may join devices to Azure AD (Yes and no: no if pre-provisioned, otherwise yes)
  • Maximum number of devices per user in Azure AD (Yes, user context)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies if we use pre-provisioning)
  • Device limit restriction (Never, because we deploy with Autopilot)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍉Windows Autopilot (Hybrid Azure AD Joined)

User context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access
  • Users may join devices to Azure AD (Never, because we deploy with Autopilot)
  • Maximum number of devices per user in Azure AD

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction
  • Device limit restriction (Never, because we deploy with Autopilot)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍋Group Policy enrollment (Hybrid Azure AD Joined)

Device or user context (switch from user to device credentials in GPO)

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes if user credential, no if device credential)
  • Users may join devices to Azure AD (Never, this only applies to Azure AD Joined without Autopilot)
  • Maximum number of devices per user in Azure AD (Never, because of Hybrid Azure AD Joined)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies if device credential)
  • Device limit restriction (Never, because we use GPO)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍌Automatic Enrollment from Config Mgr for co-management (Azure AD Joined)

Device context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (No, because we enroll in device context)
  • Users may join devices to Azure AD (only if Azure AD Joined without Autopilot)
  • Maximum number of devices per user in Azure AD (Never, because of Hybrid Azure AD Joined)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies, because of co-management and device context)
  • Device limit restriction (Never, because of co-management)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍍Automatic Enrollment from Config Mgr for co-management (Hybrid Azure AD Joined)

Device context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (No, because co-management only uses device context)
  • Users may join devices to Azure AD (only if Azure AD Joined)
  • Maximum number of devices per user in Azure AD (No, because of Hybrid Azure AD Join)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies, because of co-management and device context)
  • Device limit restriction (Never, because of co-management)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

My name is Windows, and I'm not with a friend

Remember that you will get a stamp depending on which answer you choose. The stamp here is the fruit or the entire line.

🍊Bulk provisioning package (Azure AD Joined)

User and device context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes, user context at token creation)
  • Users may join devices to Azure AD (Yes, at creation)
  • Maximum number of devices per user in Azure AD (Never, because we are considered userless)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies because we use bulk provisioning)
  • Device limit restriction (No, because we use bulk provisioning)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍇Device enrollment manager (Azure AD Joined)

User context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Yes, we use user context)
  • Users may join devices to Azure AD (Yes, we use user context)
  • Maximum number of devices per user in Azure AD (Yes, user context)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default applies because we use a DEM account)
  • Device limit restriction (No, because we use a DEM account)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🍉Windows Autopilot self-deploying mode (Azure AD Joined)

Device context

Go and say hey to Mrs. Azure AD's assistants:

  • Azure AD Conditional Access (Never, we are userless)
  • Users may join devices to Azure AD (only if Azure AD Joined; never here, because we are userless)
  • Maximum number of devices per user in Azure AD (Never, we are userless)

If you pass ✅ every assistant, we can continue...

Say hello to Mr. Intune's assistants 👋

  • Device Enrollment restriction (only the default Intune enrollment restriction applies; device context)
  • Device limit restriction (Never, we deploy with Autopilot)

If you pass ✅ every assistant, we can now continue... oh! I see the light!

🥳 Congratz, access the club! 🥳

🥳 Congrats, you are now inside the club 🥳

But be ready: now and then, Mr. Intune comes by and checks whether you are still compliant with the club's rules, depending on the club's policies.
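The route a device takes past the doormen can be written down as a small program, which is handy when you want to reason about why a specific enrollment was turned away. The Python below is an added example, not code from this blog or from Microsoft: PATHS encodes, for a few of the stamps above, which assistants must be passed and in which context; Tenant and Device carry constructed sample settings (not values from any real tenant); and try_to_enter reports the first assistant that throws the device out. The Autopilot row assumes user-driven mode without pre-provisioning, so the custom enrollment restriction is still consulted in user context there.

```python
"""Added example: a toy model of the story's enrollment doormen (not the blog's own code)."""
from dataclasses import dataclass

# The five assistants, named as the story introduces them.
CA = "Azure AD Conditional Access"
MAY_JOIN = "Users may join devices to Azure AD"
MAX_DEVICES = "Maximum number of devices per user in Azure AD"
ENROLL_RESTRICTION = "Device Enrollment restriction"
DEVICE_LIMIT = "Device limit restriction"

# Per path (the "stamp"): gate -> context. "user" = checked against the enrolling
# user; "default" = only the default enrollment restriction applies. A gate that is
# absent is skipped ("Never" in the story). Only some of the story's paths are modelled.
PATHS = {
    "Azure AD Registered (personal)": {
        CA: "user", MAX_DEVICES: "user", ENROLL_RESTRICTION: "user", DEVICE_LIMIT: "user"},
    "Azure AD Joined (personal)": {
        CA: "user", MAY_JOIN: "user", MAX_DEVICES: "user",
        ENROLL_RESTRICTION: "user", DEVICE_LIMIT: "user"},
    # Assumption: user-driven Autopilot without pre-provisioning, custom restriction in user context.
    "Windows Autopilot (Azure AD Joined)": {
        CA: "user", MAY_JOIN: "user", MAX_DEVICES: "user", ENROLL_RESTRICTION: "user"},
    "Group Policy enrollment (Hybrid Azure AD Joined, device credential)": {ENROLL_RESTRICTION: "default"},
    "Windows Autopilot self-deploying mode (Azure AD Joined)": {ENROLL_RESTRICTION: "default"},
}


@dataclass
class Tenant:  # constructed sample settings, not a real tenant
    ca_blocks_user: bool          # a Conditional Access policy blocks this user's enrollment
    users_may_join: bool          # Azure AD device setting "Users may join devices"
    max_devices_per_user: int     # Azure AD device setting
    block_personal_windows: bool  # custom Intune enrollment restriction for personal Windows
    device_limit: int             # Intune device limit restriction


@dataclass
class Device:
    path: str                 # key into PATHS (the stamp the device got)
    personal: bool            # BYOD (True) or corporate-owned (False)
    user_aad_devices: int     # devices the user already has in Azure AD
    user_intune_devices: int  # devices the user already has enrolled in Intune


def check_gate(gate, context, tenant, device):
    """Return None if the assistant lets the device through, else the reason it refuses."""
    if gate == CA:
        return "blocked by a Conditional Access policy" if tenant.ca_blocks_user else None
    if gate == MAY_JOIN:
        return None if tenant.users_may_join else "users are not allowed to join devices"
    if gate == MAX_DEVICES:
        if device.user_aad_devices >= tenant.max_devices_per_user:
            return f"user already has {device.user_aad_devices} devices in Azure AD (max {tenant.max_devices_per_user})"
        return None
    if gate == ENROLL_RESTRICTION:
        if context == "default":
            return None  # only the default restriction applies; the custom rule is never consulted
        if device.personal and tenant.block_personal_windows:
            return "personal Windows devices are blocked by the enrollment restriction"
        return None
    if gate == DEVICE_LIMIT:
        if device.user_intune_devices >= tenant.device_limit:
            return f"user already has {device.user_intune_devices} devices in Intune (limit {tenant.device_limit})"
        return None
    raise ValueError(f"unknown gate {gate!r}")


def try_to_enter(device, tenant):
    """Walk the device past every assistant on its path.

    Returns (True, None) if it gets into the club, otherwise (False, reason)
    naming the first assistant that turned it away.
    """
    for gate, context in PATHS[device.path].items():
        reason = check_gate(gate, context, tenant, device)
        if reason is not None:
            return False, f"{gate}: {reason}"
    return True, None


# Constructed sample tenant: no CA block, users may join, 5-device Azure AD cap,
# personal Windows allowed, 3-device Intune limit.
SAMPLE_TENANT = Tenant(ca_blocks_user=False, users_may_join=True, max_devices_per_user=5,
                       block_personal_windows=False, device_limit=3)


def demo():
    """Same user, already at the Intune device limit, tries three different paths."""
    attempts = [("Azure AD Joined (personal)", True),
                ("Windows Autopilot (Azure AD Joined)", False),
                ("Windows Autopilot self-deploying mode (Azure AD Joined)", False)]
    results = {}
    for path, personal in attempts:
        device = Device(path=path, personal=personal, user_aad_devices=3, user_intune_devices=3)
        results[path] = try_to_enter(device, SAMPLE_TENANT)
    return results


if __name__ == "__main__":
    for path, (allowed, reason) in demo().items():
        print(f"{path}: {'in the club' if allowed else 'thrown out: ' + reason}")
```

Running the demo shows the same user being thrown out at "Device limit restriction" on the personal Azure AD Joined path but walking straight in via Autopilot, because that assistant is never asked on Autopilot paths. On a real machine, the stamp a device actually got can be read from the `dsregcmd /status` output (the AzureAdJoined, DomainJoined and WorkplaceJoined fields), which is the first thing to compare against this table when an enrollment is refused.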

Conclusion

I hope this gave you a better understanding of enrollment and of each step we need to complete before we are enrolled and become compliant. Maybe it will help you troubleshoot if something goes wrong, or when you are planning a deployment.
