Forum Discussion
Documentation about Inune only enrollment on Microsoft Docs and use cases
Hello, I was reading this doc: https://docs.microsoft.com/en-us/archive/blogs/nzedu/10-ways-to-enroll-windows-10-into-intune and to view all of the 10 ways, it was suggested to go to this page:...
- If you don't do an Azure AD join, the user doesn't login with his AAD credentials. This isn't desired
A user can always change policies if the user is a local admin on his device. With this enrollment method this is always the case.
I would strongly advise that a user isn't a local admin. You can use the site I linked above to check what enrollment suits you best
I'll test this, I'll let you know when I have tested
But I thought enrollment requires the device in AAD
But I thought enrollment requires the device in AAD
Thank you so much!
- I just tested
If you use this method, it indeed only joins to Intune. I was mistaken
It does create a device in AAD (on object), but it's not joined to AAD.
As mentioned on the blog post this would only be used in BYOD (personal devices that require management) or if you don't have automatic enrollment.
Why are you planning to use it?- Thank you, appreciate that!
I'm just trying to evaluate different approaches. I think if a device is only joined to MDM and not AAD, it is less secure and less controlled, right? because the user still has full Admin rights.
and more importantly, the group policies that I set in MDM for that device, can be changed by the user of that device, am I right?- If you don't do an Azure AD join, the user doesn't login with his AAD credentials. This isn't desired
A user can always change policies if the user is a local admin on his device. With this enrollment method this is always the case.
I would strongly advise that a user isn't a local admin. You can use the site I linked above to check what enrollment suits you best
