Device Enrollment
Hi, with Microsoft 365 Business Basic + Intune Plan 1 add-on and devices currently Azure AD Registered, the “best” enrollment path depends on how those devices are owned/managed today.
A couple of quick questions first (these decide everything):
- Are the devices Windows 10/11 and company-owned (not BYOD)?
- Are they currently joined to on-prem AD (hybrid) or just personal/AAD registered?
- Do you use local admin accounts today or do users have admin rights?
- Do you want devices to become Azure AD Joined (recommended for corporate management) or remain personal-style?
Default recommendation (most common / simplest if they’re company-owned)
Convert to Azure AD Joined + enroll into Intune via GPO (“MDM enrollment”/auto-enroll) if you have on-prem AD (Hybrid Join), or enroll via Company Portal after moving to AAD Join if you don’t.
Why: “Azure AD Registered” is typically BYOD posture and limits what you can enforce cleanly. For corporate control (policies, compliance, BitLocker, updates), AAD Joined + Intune is the straight road.
Two likely paths (pick based on your answers)
A) If devices are Hybrid AD Joined (on-prem AD exists):
- Enable Intune automatic enrollment (MDM user scope)
- Configure GPO: Enable automatic MDM enrollment using Azure AD credentials
- Devices enroll silently when users sign in
Pros: minimal user effort, scalable for 150+
Cons: requires hybrid join + correct GPO targeting/boundaries
B) If devices are NOT hybrid joined (no on-prem AD join):
- Move devices to Azure AD Joined (manual or scripted)
- Enroll using Company Portal (user-driven)
Pros: no on-prem dependency
Cons: more user interaction, needs a process (and admin rights planning)
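An added example, not from the post above: a small PowerShell helper that classifies a device's join state from `dsregcmd /status` output and maps it to path A or path B from the reply, together with a check for the auto-enrollment policy key. Assumptions (mine, not the poster's): the `dsregcmd` field names `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined`, and the policy value `AutoEnrollMDM` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`, match what current Windows builds print and what the GPO writes.

```powershell
# Added example (not the original post's code). Reads "Name : Value" fields
# from dsregcmd /status text and picks the enrollment path described above.
# Assumed field names: AzureAdJoined, DomainJoined, WorkplaceJoined.
function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

function Get-EnrollmentPath {
    param([string[]]$DsregLines, [bool]$AutoEnrollPolicySet)
    $aadJoined    = (Get-DsregField $DsregLines 'AzureAdJoined')   -eq 'YES'
    $domainJoined = (Get-DsregField $DsregLines 'DomainJoined')    -eq 'YES'
    $registered   = (Get-DsregField $DsregLines 'WorkplaceJoined') -eq 'YES'
    if ($aadJoined -and $domainJoined) {
        if ($AutoEnrollPolicySet) {
            return 'Path A: hybrid joined and GPO present; expect silent enrollment at next sign-in'
        }
        return 'Path A: hybrid joined; deploy "Enable automatic MDM enrollment using Azure AD credentials"'
    }
    if ($aadJoined)  { return 'Path B: Azure AD joined; enroll through Company Portal' }
    if ($registered) { return 'Path B: Azure AD registered only; move to Azure AD Join, then Company Portal' }
    return 'Not joined or registered: decide hybrid vs Azure AD Join first'
}

# Constructed sample (not captured from a real device) mimicking an
# Azure AD Registered laptop; on a real device use: $lines = dsregcmd /status
$sample = @'
             AzureAdJoined : NO
           EnterpriseJoined : NO
               DomainJoined : NO
            WorkplaceJoined : YES
'@ -split "`r?`n"

# Assumed policy location written by the auto-enrollment GPO; absent key = not set.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
                           -ErrorAction SilentlyContinue
$autoEnroll = ($null -ne $policy) -and ($policy.AutoEnrollMDM -eq 1)

Get-EnrollmentPath -DsregLines $sample -AutoEnrollPolicySet $autoEnroll
```

Run it per device (or feed saved `dsregcmd /status` output) to inventory which of the two paths each machine actually needs before rolling out the GPO or Company Portal process.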