Intune Device Enrollment — Pick a Path — Free Mind Map

Autopilot lets a user receive a brand-new Windows device direct from the OEM (Dell, HP, Lenovo, Microsoft) and turn it on at home — Windows OOBE recognises the device hash, joins Entra ID, downloads Intune policies/apps, and delivers a fully configured corporate laptop without IT physically touching it. The 'touch' in question is IT touching the device. Modern alternatives to imaging + provisioning packages. The default for new Windows deployments in 2026.

No, for new deployments — Microsoft itself recommends cloud-only Entra Join for new devices. Hybrid (joined to both on-prem AD and Entra) only makes sense if you have legacy on-prem apps that authenticate via Kerberos and you can't refactor them to use Entra/SAML. Even then, plan a migration: on-prem apps can be modernised with Entra App Proxy or Entra Domain Services. Hybrid adds complexity for diminishing returns.

MAM (Mobile App Management) only: Intune protects the WORK APPS on the device (Outlook, Teams, OneDrive, etc.) — encryption, copy-paste blocks, conditional launch, remote-wipe of work data only. The device itself is not enrolled or managed; user owns the OS. Full enrollment: device joins Intune, full MDM. For BYOD, MAM-only is the right answer most of the time — protects org data without forcing users to surrender their personal phones to IT.

Intune Suite (separate licence) bundles Endpoint Privilege Management, Remote Help, Advanced Endpoint Analytics, Microsoft Tunnel for MAM, Cloud PKI, and Enterprise App Management. Useful for orgs that want to consolidate vendor tools — replaces several point products. Not required for basic Intune enrollment / policy work, but worth evaluating if you're paying for separate Privilege Management or Remote Support tools today.