Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory and then automatically enrolls in Intune with no further intervention. The device is then managed with Intune.
There seems to be several
ways to configure this and it can be a little confusing. The configurations are
slightly different depending on the scenario.
Intune automatic
enrollment allows you to ensure that any Windows 10 device (1709 and later)
that is joined to Azure AD is also enrolled in Intune. When a device is joined to Azure
AD, admins can control access to corporate resources based on conditional
access policies applied to the device identity. Enrolling these devices in
Intune also allows us to manage the deployment of applications and security
policies.
This comes in the form of a GPO. You'll need to enable this setting:
Computer Configuration
> Policies > Administrative
Templates > Windows Components > MDM > Enable
Automatic MDM enrollment using default Azure AD credentials.
When SCCM (or Microsoft Endpoint Configuration Manager) is introduced in the mix, everything changes. The GPO will have no effect in this case. If the SCCM agent is detected running on a device, when the device becomes Azure AD joined, no attempt is made to enrol in Intune, even if Intune automatic enrolment is configured.
That’s when co-management is needed. When you configure co-management, you signal your intention to allow the device to be managed by SCCM and MDM (Intune) at the same time. When co-management is enabled, the SCCM client becomes aware that the device should also be enrolled in Intune. Then automatic Intune enrolment kicks in and enrols the device in Intune. Co-management essentially allows the device to be managed by SCCM and Intune at the same time.
It’s important to
realize that devices can be managed by SCCM and MDM at the same time per
workload. Take client applications and compliance policies as workload examples.
Co-managements means that, on a co-managed device, the applications workload
can be managed by SCCM while the compliance workload can be managed by Intune.
It does not mean that the applications workload can be managed by SCCM and
Intune.
I hope this helps. Until next time.....