SOLVED

Documentation about Inune only enrollment on Microsoft Docs and use cases

MVP

Hello,

I was reading this doc:

https://docs.microsoft.com/en-us/archive/blogs/nzedu/10-ways-to-enroll-windows-10-into-intune

 

and to view all of the 10 ways, it was suggested to go to this page:

https://docs.microsoft.com/en-us/archive/blogs/microscott/managing-windows-10-with-intune-the-many-w...

 

but It doesn't exist.

 

I'm looking for a documentation on Microsoft docs for this specific scenario:

Scenario 3: Enrol in MDM Only (User Driven)

 

could anyone point me to it? thanks in advance

9 Replies

Looks like it's this:

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...

 

can't be sure since that one gives 404 error.

by the way just wanna check and confirm this, if a device is only enrolled in Microsoft MDM and not AAD, Intune or endpoint management can still control that device such as setting policies etc, right? will there be any limitations?

If you would enroll it like #3, the device would also be joined to AAD

To my knowledge, all W10 devices that enroll into Intune are also joined to AAD, no exceptions
I'll test this, I'll let you know when I have tested
But I thought enrollment requires the device in AAD
I just tested
If you use this method, it indeed only joins to Intune. I was mistaken
It does create a device in AAD (on object), but it's not joined to AAD.

As mentioned on the blog post this would only be used in BYOD (personal devices that require management) or if you don't have automatic enrollment.

Why are you planning to use it?

Thank you, appreciate that!
I'm just trying to evaluate different approaches. I think if a device is only joined to MDM and not AAD, it is less secure and less controlled, right? because the user still has full Admin rights.

and more importantly, the group policies that I set in MDM for that device, can be changed by the user of that device, am I right?

best response confirmed by HotCakeX (MVP)
Solution
If you don't do an Azure AD join, the user doesn't login with his AAD credentials. This isn't desired

A user can always change policies if the user is a local admin on his device. With this enrollment method this is always the case.
I would strongly advise that a user isn't a local admin. You can use the site I linked above to check what enrollment suits you best
1 best response

Accepted Solutions
best response confirmed by HotCakeX (MVP)
Solution
If you don't do an Azure AD join, the user doesn't login with his AAD credentials. This isn't desired

A user can always change policies if the user is a local admin on his device. With this enrollment method this is always the case.
I would strongly advise that a user isn't a local admin. You can use the site I linked above to check what enrollment suits you best

View solution in original post