Admin-Based Enrollment Options in Intune
Start course

In this course, we review the enrollment options available and processes to follow for enrolling Windows devices in Microsoft 365.

Learning Objectives

  • An overview of the different enrollment methods for Windows devices
  • Understand the self-enrollment options
  • Understand the administrator-based enrollment options
  • Know how to enable Windows automatic enrollment

Intended Audience

This course is intended for those who wish to learn about enrolling Windows devices in Microsoft 365 via Intune and Mobile Device Manager.


You will require a basic understanding of Mobile Device Management in Microsoft 365.

Welcome to administrator-based enrollment options. In this lesson, we’ll take a closer look at the handful of admin-based options for enrolling in Intune. The methods we’re gonna look at over the next few minutes are used to enable enrollment without the need for user interaction. We’re gonna look at Hybrid Azure AD Join, Configuration Manager Con-Management, Device Enrollment Manager, Bulk Enrollment, and at IoT Core device enrollment. Let’s start with Hybrid Azure AD Join.

If you have an existing Active Directory implementation, you can take advantage of some of the functionality that comes with Azure AD by implementing hybrid Azure AD joined devices. As you would expect, hybrid joined devices are joined to an on-prem Active Directory while also being registered with Azure Active Directory.

When you use Hybrid Azure AD Join, you use Group Policy in AD to automatically enroll devices that are hybrid Azure AD joined. Now, that said, hybrid Azure AD joined devices have to have what’s called a “network line of sight” to the on-prem Active Directory DCs, at least on a periodic basis. If they don’t have this connectivity to the on-prem DCs, they become unusable. 

Organizations will often use Azure AD hybrid joined devices if they need to support devices that run Windows 7 or Windows 8.1. They will also often use it when they need, or want, to use existing imaging solutions to deploy and configure those devices. If an organization has Win32 apps that rely on Active Directory machine authentication deployed to their devices, Hybrid Azure AD Join becomes an option.

Let’s talk a little bit bout prerequisites now. To leverage Hybrid Azure AD Join, you need to be running Azure AD Connect version 1.1.819.0 or later – and you can’t exclude the default device attributes from the Azure AD Connect sync configuration. As far as permissions go, you’ll need Global administrator credentials for your Azure AD tenant, and you’ll need Enterprise administrator credentials for the on-prem AD forest. If you are working with federated domains, you’ll need Windows Server 2012 R2 or later, with ADFS installed. The URL on your screen provides step-by-step instructions for configuring Hybrid Azure AD Join:

Co-management allows you to attach an existing Configuration Manager deployment to Microsoft 365. It allows you to manage Windows 10 or later devices via a combination of Configuration Manager and Microsoft Intune. Co-management offers the flexibility to use whichever solution works best for your organization – be it Intune or Configuration Manager.

The cool thing about Configuration Manager Co-Management is that when you have Windows devices with the Configuration Manager client installed, while being enrolled to Intune, you get the benefits of both services. In other words, you can continue using Configuration Manager to manage devices that you don't switch to Intune.

The image on your screen show what a typical configuration would look like:

Enrolling existing Configuration Manager clients in co-management provides you with several benefits. For example, you get access to conditional access with device compliance AND you can start leveraging Intune-based remote actions like restart, remote control, and factory reset for your devices. You can also link users, devices, and apps with Azure AD.

Now, before you can use co-management, you need to meet several prerequisites. Right out of the gate, you need to be using Azure AD premium. If you have EMS, that EMS subscription includes both Azure Active Directory Premium and Microsoft Intune. Speaking of Intune licensing, you’ll need at least one Intune license for the administrator, so they can access the Microsoft Endpoint Manager admin center.

To use Co-management, you’ll also need to be running version 1710 or later of Configuration Manager. I should also mention that your Windows devices need to be connected to Azure AD. They can be Hybrid Azure AD-joined, or they can be Azure AD-joined.

You’ll also need to have Intune setup, obviously, and you’ll need to have auto-enrollment enabled. Possibly most importantly, your Windows devices need to be running Windows 10, version 1709 or higher, before you can use co-management. As far as permissions and roles go, the table on your screen highlights what needs to be in place:

Once you’ve met all these prerequisites, you can deploy co-management. For step-by-step instructions, visit the URL that you see on your screen:

Now let’s turn our attention to Device enrollment manager, or DEM. A Device enrollment manager account is a special service account with permissions that allow authorized users to enroll and manage multiple corporate-owned devices. This enrollment option is useful in situations where devices are enrolled and prepared before they are distributed to the user base. 

By design, there's a limit of 150 Device Enrollment Manager accounts in Microsoft Intune. You can use Windows Autopilot to enroll devices using DEM accounts, you can use Windows device bulk enrollment with DEM accounts, and you can perform DEM initiated enrollments via the Company Portal.

However, I do want to mention that there are quite a few limitations to be aware of, when using Device Enrollment Manager to enroll devices. Instead of just reading them off to you, I’m just gonna point you to the URL that you see on your screen:

To add a device enrollment manager account in Microsoft Endpoint Manager, login to the Endpoint Manager Admin Center with a Global Admin account or with an Intune Service Administrator account and browse to Devices. Once there, you can click the Enroll devices link to view and add Device enrollment managers. Once created, you can use the account to enroll your devices. Now, let’s take a look at bulk enrollment.

Using bulk enrollment, you can join large numbers of new Windows devices to Azure AD and Intune. To do this, you need to first create a provisioning package with the Windows Configuration Designer app. Once you have a provisioning package created, you apply it to your corporate-owned devices. This, in turn, joins those devices to the Azure AD tenant and then enrolls them in Intune. 

Windows devices that are enrolled in Intune via Windows bulk enrollment can use the Company Portal app to install available apps. To use bulk enrollment, your devices need to be running Windows 11 or Windows 10 Creator update (which is build 1709) or later. Windows automatic enrollment has to also be setup as well. The complete, step-by-step process of using bulk enrollment is available at the URL that you see on your screen:

Now, before we wrap up here, I just want to briefly touch on enrolling Windows IoT Core devices, just for the sake of completeness. You can manage Windows IoT Core devices and IoT Enterprise devices right alongside other managed Windows devices, using Intune.

You enroll Windows IoT Core devices via the Windows IoT Core Dashboard. You prepare your devices, and then you use Windows Configuration Designer to create a provisioning package for them. During the initial bootup of the device, using SD Card media, it installs the provisioning package which automatically enrolls the device into Intune. The URL on your screen provides the step-by-step process for enrolling Windows IoT Core devices in Intune:

And with that, let’s call it a wrap for administrator-based enrollment options in Intune.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.