Forum Discussion

Vikas19
Copper Contributor
Nov 27, 2025

Device Enrollment

Hi everyone,

I need some guidance regarding a device-management scenario in my environment.

We currently have Microsoft 365 Business Basic with the Intune Plan 1 add-on. All of our devices (about 150+) are Azure AD Registered, and I’m trying to determine the best method to enroll them into Intune using only our existing licenses.

I’m unsure which enrollment method is most appropriate for this setup, and I haven’t been able to find a solid, recommended approach. I want to avoid unnecessary complexity and I cannot upgrade or change our licensing.

I would really appreciate a well-structured explanation that covers:

The best enrollment method for this scenario
Why this method should be used
Step-by-step guidance
Pros and cons of the proposed method

Any insights from those who have handled similar situations would be extremely helpful.
Thanks in advance!

3 Replies

  • barryallen
    Copper Contributor

    Hi Simone,

    The devices are Surfaces (ARM) and are not joined to our on-prem AD. These devices are only used to connect to our virtual environment. 

    We are running into issues during the OOBE joining the devices to AAD. With Windows 11, you have to bypass the OOBE in order to get to the section for AAD. 

    We see the device listed in AAD and see the device assigned to our AutoPilot and other groups but the user profile does not appear to be created. For example, if I use my account (AccountA) to join AAD during the OOBE, once the device finishes and reboots, I cannot login using my account (AccountA). 

    We have also tried performing an AAD join after OOBE has completed but this is "hit and miss". We would like to avoid using Company Portal. 

    • Simone_Termine
      Copper Contributor

      Hi barryallen, thanks for the extra context.
      For ARM Surface devices (not on-prem AD joined) and wanting to avoid Company Portal, the cleanest approach is Autopilot user-driven + Microsoft Entra ID Join + automatic Intune enrollment.

      From what you describe (device object appears in Entra/Autopilot groups, but no user profile is created and the user can’t sign in after reboot), two things are usually the root cause:

      1. Windows edition mismatch (Home vs Pro/Enterprise)
        Windows Home does not support Microsoft Entra join during OOBE, and can behave like it “registers” the device but won’t complete a proper Entra join/sign-in flow. Please confirm the Surfaces are running Windows 11 Pro (or higher) (the supported editions are listed at https://learn.microsoft.com/en-us/entra/identity/devices/device-join-out-of-box). 

      2. Automatic enrollment not enabled for the user (MDM user scope)
        If MDM automatic enrollment isn’t enabled (or the user isn’t in scope / not licensed), the join flow can be inconsistent and you end up with a device object but no proper managed sign-in experience.
        Check in Intune: Devices > Enrollment > Windows > Automatic enrollment and set MDM user scope to All (or a group containing these users).

      Quick validation on an affected device (after OOBE):

      • Run dsregcmd /status and verify AzureAdJoined : YES. If it’s NO and only WorkplaceJoined is YES, you’re ending up with registration, not a true Entra join. 

      If you confirm the Windows edition + paste the dsregcmd /status “Device State” section from a failing device, I can tell you immediately whether this is edition limitation or enrollment scope/config.

       
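As an added illustration of the dsregcmd check Simone_Termine describes (example code written for this page, not posted by anyone in the thread): the script below parses `dsregcmd /status` output into key/value pairs and classifies the device as Entra joined, hybrid joined, Entra registered only, or not joined, and also reports whether an MDM enrollment URL is present. It assumes the field names dsregcmd prints (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, TenantName, DeviceId); the sample text at the bottom is constructed to look like the registration-only case from the post and is not real device output. Run it in the affected user's own (non-elevated) session, because the "User State" section, where WorkplaceJoined lives, is only populated for the calling user.

```powershell
# Added example, not from the thread: classify a Windows device's Entra join state
# from `dsregcmd /status` output. Field names below are assumed to match what
# dsregcmd prints; the $sample block is constructed, not captured from a device.

function Get-DsregState {
    param(
        # Pass captured text to analyse offline; omit to run dsregcmd on this machine.
        [string[]]$Output = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "   Key : Value" lines; collect them into a hashtable.
    $fields = @{}
    foreach ($line in $Output) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wpj = $fields['WorkplaceJoined'] -eq 'YES'

    $state = if ($aad -and $dom) { 'HybridEntraJoined' }
             elseif ($aad)       { 'EntraJoined' }
             elseif ($wpj)       { 'EntraRegistered' }   # registration only: the failure mode in the post
             elseif ($dom)       { 'DomainJoinedOnly' }
             else                { 'NotJoined' }

    [pscustomobject]@{
        JoinState   = $state
        # MdmUrl is populated under "Tenant Details" only once the device is MDM enrolled.
        MdmEnrolled = -not [string]::IsNullOrEmpty($fields['MdmUrl'])
        TenantName  = $fields['TenantName']
        DeviceId    = $fields['DeviceId']
    }
}

# Constructed sample mimicking a device that was only registered during OOBE.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@ -split "`r?`n"

# Offline run against the constructed sample; drop -Output to inspect the local device.
Get-DsregState -Output $sample | Format-List
```

The sample exercises the registration-only branch the reply is diagnosing. On a real device, compare JoinState against what the Entra portal shows for the object; a device that appears in the Autopilot group but reports EntraRegistered here has never completed a join, so no Intune policy or compliance evaluation will ever apply to it.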

  • Simone_Termine
    Copper Contributor

    Hi, with Microsoft 365 Business Basic + Intune Plan 1 add-on and devices currently Azure AD Registered, the “best” enrollment path depends on how those devices are owned/managed today.

    A couple of quick questions first (these decide everything):

    1. Are the devices Windows 10/11 and company-owned (not BYOD)?
    2. Are they currently joined to on-prem AD (hybrid) or just personal/AAD registered?
    3. Do you use local admin accounts today or do users have admin rights?
    4. Do you want devices to become Azure AD Joined (recommended for corporate management) or remain personal-style?

    Default recommendation (most common / simplest if they’re company-owned)

    Convert to Azure AD Joined + enroll into Intune via GPO (“MDM enrollment”/auto-enroll) if you have on-prem AD (Hybrid Join), or enroll via Company Portal after moving to AAD Join if you don’t.

    Why: “Azure AD Registered” is typically BYOD posture and limits what you can enforce cleanly. For corporate control (policies, compliance, BitLocker, updates), AAD Joined + Intune is the straight road.

    Two likely paths (pick based on your answers)

    A) If devices are Hybrid AD Joined (on-prem AD exists):

    • Enable Intune automatic enrollment (MDM user scope)
    • Configure GPO: Enable automatic MDM enrollment using Azure AD credentials
    • Devices enroll silently when users sign in

    Pros: minimal user effort, scalable for 150+
    Cons: requires hybrid join + correct GPO targeting/boundaries

    B) If devices are NOT hybrid joined (no on-prem AD join):

    • Move devices to Azure AD Joined (manual or scripted)
    • Enroll using Company Portal (user-driven)

    Pros: no on-prem dependency
    Cons: more user interaction, needs a process (and admin rights planning)

     
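For path A in Simone_Termine's reply (hybrid-joined devices, GPO-driven automatic enrollment), here is an added example that is not code from the thread: it writes the same policy values the GPO "Enable automatic MDM enrollment using Azure AD credentials" sets and then reports whether the enrollment scheduled task exists and how its last run ended. It assumes the policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM as AutoEnrollMDM=1 plus UseAADCredentialType (1 for user credential, 2 for device credential), and that the enrollment client creates a task named "Schedule created by enrollment client for automatically enrolling in MDM from AAD" under \Microsoft\Windows\EnterpriseMgmt\. It is meant for verifying a single test device from an elevated PowerShell session; for 150+ devices the GPO itself remains the right delivery mechanism, and the device must already be hybrid joined with the user inside the Intune MDM user scope, or the task will run and fail.

```powershell
# Added example, not from the thread: mirror the auto-enrollment GPO on one device
# and check the enrollment task. Registry path/value names and the task name are
# assumptions stated in the lead-in. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'

function Set-AutoEnrollPolicy {
    param([switch]$DeviceCredential)   # default is user credential, matching the GPO option name

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'AutoEnrollMDM' -PropertyType DWord -Value 1 -Force | Out-Null
    # 1 = user credential, 2 = device credential
    $credType = if ($DeviceCredential) { 2 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name 'UseAADCredentialType' -PropertyType DWord -Value $credType -Force | Out-Null
}

function Get-AutoEnrollStatus {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $task  = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = $props.AutoEnrollMDM
        UseAADCredentialType = $props.UseAADCredentialType
        EnrollmentTaskExists = [bool]$task
        # 0 means the last enrollment attempt completed; anything else needs the
        # DeviceManagement-Enterprise-Diagnostics-Provider event log.
        LastTaskResult       = if ($task) { ($task | Get-ScheduledTaskInfo).LastTaskResult } else { $null }
    }
}

Set-AutoEnrollPolicy
Get-AutoEnrollStatus | Format-List
```

If EnrollmentTaskExists is false after a `gpupdate /force` and a sign-in, the policy has not been processed on that machine, which points at GPO targeting or WMI filtering rather than at Intune; if the task exists but LastTaskResult is non-zero, look at the user's licence and the MDM user scope setting before touching the device again.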
