CentrexIT Intune and M365 Hardening Project Requirements - Project Quote Standard

KB00004202
Author: Damon Marjanovich | Type: Procedure | Read time: 1 min | Published v1

In order to assist with calculations and with the Discovery phase, here's a bit of information I hope can help with Hardening/Intune/Defender projects. Here is a single sheet explaining the requirements, warnings, and how to calculate out the projects for this particular component. If the customer is NOT going to manually enroll via Work Instructions (WIs), then we need to have the hours available and the engineer able to possibly travel, etc.

If we need to have a 30 minute session to review and discuss, let me know; I would love to get us all on the same page, from engineers to end-customer support (ITMs).

Thank you! ~ Damon

A valid license from the list below is required. The device being protected MUST have a licensed user assigned to it.

  • Microsoft 365 E5

  • Microsoft 365 E3

  • Enterprise Mobility + Security E5

  • Enterprise Mobility + Security E3

  • Microsoft 365 Business Premium

  • Microsoft 365 F1

  • Microsoft 365 F3

  • Microsoft 365 Government G5

Intune Defender Requirements for Auto Enrollment/Management


This method applies the GPO Computer Configuration > Administrative Templates > Windows Components > MDM > "Enable automatic MDM enrollment using default Azure AD credentials" to the device. The policy creates a scheduled task that uses the signed-in user's Azure AD credentials (or the device credential, depending on the option selected in the policy) to configure and enroll the device automatically. If ANY of the requirements below are not met, the device cannot auto-enroll in Intune.

  • DEVICE must be running Windows 10 Pro/Enterprise OR Windows 11 Pro/Enterprise

  • DEVICE must be Azure AD Joined or Hybrid Azure AD Joined ONLY (NOT Azure AD Registered); confirm with dsregcmd /status on the device

  • DEVICE must not have a ConfigMgr Agent installed

  • DEVICE must be connected to the internet and able to browse to the MS enrollment URLs

  • DEVICE must NOT be connected to a different tenant

  • DEVICE must be able to receive GPOs and apply them

  • USER initiating the enrollment must be a Local Admin on the Device*

  • USER initiating the enrollment must have a matching UPN between on-premises AD and the tenant

  • USER initiating the enrollment must be licensed for Intune/Defender
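
The following pre-flight script is an added example, not part of the original KB, that checks the auto-enrollment requirements above on a single device before the engineer spends time on it. It assumes it is run in an elevated PowerShell session as the user who will trigger enrollment; the -ExpectedTenantId parameter and the three endpoint hostnames are assumptions chosen for the example (the hostnames are the standard Azure AD sign-in, device registration and Intune enrollment endpoints). The UPN check only confirms an on-premises UPN exists; whether that UPN is a licensed user in the tenant must still be verified in the portal or via Graph.

```powershell
function Test-IntuneAutoEnrollReadiness {
    [CmdletBinding()]
    param(
        # Assumed parameter: the customer's Azure AD tenant ID, so a device bound to a different tenant is flagged
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # dsregcmd /status is the authoritative view of join state and tenant binding; keep its "Key : Value" lines
    $dsreg = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
    }

    # 1. OS edition: Home/Core editions cannot take this GPO; EditionID comes from the registry
    $os      = Get-CimInstance Win32_OperatingSystem
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $build   = [int]$os.BuildNumber
    Add-Check 'Windows 10/11 Pro or Enterprise' ($build -ge 10240 -and $edition -match '^(Professional|Enterprise)') "$($os.Caption) ($edition, build $build)"

    # 2. Join state: Hybrid = AzureAdJoined + DomainJoined; WorkplaceJoined alone means "Registered", which is not supported
    $aadJoined  = $dsreg['AzureAdJoined']   -eq 'YES'
    $domJoined  = $dsreg['DomainJoined']    -eq 'YES'
    $registered = $dsreg['WorkplaceJoined'] -eq 'YES'
    $joinType = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD Joined' }
                elseif ($aadJoined)            { 'Azure AD Joined' }
                elseif ($registered)           { 'Azure AD Registered (must be removed and re-joined)' }
                else                           { 'Not joined' }
    Add-Check 'Azure AD Joined or Hybrid Joined (not Registered)' $aadJoined $joinType

    # 3. Tenant binding: a device joined to another tenant must be disjoined first
    $tenantId = $dsreg['TenantId']
    Add-Check 'Bound to the expected tenant' ([bool]$tenantId -and $tenantId -eq $ExpectedTenantId) "TenantId: $tenantId"

    # 4. ConfigMgr client: its presence means the device is managed elsewhere
    $ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    Add-Check 'No ConfigMgr agent (CcmExec)' (-not $ccm) $(if ($ccm) { "CcmExec present, status $($ccm.Status)" } else { 'not installed' })

    # 5. Enrollment endpoints over TCP 443 (Azure AD sign-in, device registration, Intune enrollment)
    foreach ($h in 'login.microsoftonline.com', 'enterpriseregistration.windows.net', 'enrollment.manage.microsoft.com') {
        $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Check "TCP 443 to $h" $ok $(if ($ok) { 'reachable' } else { 'blocked or unresolved' })
    }

    # 6. GPO actually applied: the policy writes AutoEnrollMDM=1 and UseAADCredentialType (1 = user, 2 = device)
    $mdmPol  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $gpoOn   = [bool]($mdmPol -and $mdmPol.AutoEnrollMDM -eq 1)
    $credTyp = if ($mdmPol.UseAADCredentialType -eq 2) { 'Device Credential' } elseif ($mdmPol.UseAADCredentialType -eq 1) { 'User Credential' } else { 'not set' }
    Add-Check 'Auto-enrollment GPO applied (AutoEnrollMDM=1)' $gpoOn "credential type: $credTyp"

    # 7. Local admin: IsInRole reflects the elevated token, so run this from an elevated session
    $id      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Check 'Enrolling user is local admin (elevated)' $isAdmin $id.Name

    # 8. UPN: the on-prem UPN must also exist as a licensed user in the tenant (verify in the portal or with Get-MgUser)
    $upn = & whoami.exe /upn 2>$null
    Add-Check 'On-prem UPN present for tenant match' ([bool]$upn) "UPN: $upn"

    return $results
}

# Usage (run elevated as the enrolling user; the tenant ID is a placeholder):
# $r = Test-IntuneAutoEnrollReadiness -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
# $r | Format-Table -AutoSize
# Only if every check passes, kick the enrollment task instead of waiting for the next GPO cycle:
# if (-not ($r | Where-Object { -not $_.Pass })) { & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM }
```

Any row with Pass = False maps directly to one of the bullets above; a "Registered" join type or a mismatched TenantId means the device falls into the remediation cases described under manual enrollment rather than a retry of the GPO.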

Intune Defender Requirements for Manual Enrollment/Management


If the above is not possible, use this method. Either the end user, a local technician, or N-Central must complete the enrollment on each device. If Centrex is doing this, calculate 15 minutes per device x the number of devices.

  • USER initiating the enrollment must be a local Admin

  • USER initiating the enrollment must be licensed for Intune/Defender

  • DEVICE must not have a ConfigMgr Agent installed

  • DEVICE must not be connected to a different tenant

If devices show up in Azure AD as Registered instead of Joined, there is no command to convert these objects. There are TWO choices for these devices:

  • Remove the device from Azure AD Devices and re-enroll it properly, following the correct procedure for joining a Hybrid device. (Calculate 15 minutes per device x the number of devices, plus downtime for each device, as it will require TWO reboots.)

  • Manually enroll the devices for MDM management. Devices that appear in Azure AD Devices as Registered will default to PERSONAL ownership in Intune, so policies cannot apply fully; each one must be manually changed to Corporate ownership. For calculating the time to fix this, add 5 minutes x the number of devices.
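
Where the count of Registered devices makes the 5-minutes-per-device portal work expensive, the ownership flip can be scripted. The block below is an added example, not the KB's own tooling: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module, DeviceManagementManagedDevices.ReadWrite.All permission) to set managedDeviceOwnerType to company for a supplied list of corporate hostnames. The hostname list is a constructed sample; the function name and its parameter are assumptions for the example.

```powershell
Import-Module Microsoft.Graph.DeviceManagement

function Set-IntuneCorporateOwnership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed input: the customer's corporate hostnames, e.g. from their inventory export
        [Parameter(Mandatory)][string[]]$DeviceNames
    )

    # One paged read of the inventory instead of one Graph call per device; stale duplicates of a name are kept
    $byName = @{}
    $all = Get-MgDeviceManagementManagedDevice -All -Property id,deviceName,managedDeviceOwnerType,userPrincipalName
    foreach ($d in $all) {
        if (-not $d.DeviceName) { continue }
        $key = $d.DeviceName.ToLowerInvariant()
        if (-not $byName.ContainsKey($key)) { $byName[$key] = [System.Collections.Generic.List[object]]::new() }
        $byName[$key].Add($d)
    }

    foreach ($name in $DeviceNames) {
        $records = $byName[$name.ToLowerInvariant()]
        if (-not $records) {
            Write-Warning "$name`: not found in Intune (not enrolled yet, or a different hostname)"
            continue
        }
        foreach ($rec in $records) {
            if ($rec.ManagedDeviceOwnerType -eq 'company') {
                [pscustomobject]@{ Device = $name; Id = $rec.Id; User = $rec.UserPrincipalName; Action = 'already company' }
                continue
            }
            # -WhatIf / -Confirm flow through ShouldProcess, so a dry run lists every change before anything is written
            if ($PSCmdlet.ShouldProcess($name, 'managedDeviceOwnerType personal -> company')) {
                Update-MgDeviceManagementManagedDevice -ManagedDeviceId $rec.Id -ManagedDeviceOwnerType company
                [pscustomobject]@{ Device = $name; Id = $rec.Id; User = $rec.UserPrincipalName; Action = 'set to company' }
            }
        }
    }
}

# Constructed sample list; replace with the customer's device inventory
$corporateDevices = 'WS-ACCT-01', 'WS-ACCT-02', 'LT-SALES-07'
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'
Set-IntuneCorporateOwnership -DeviceNames $corporateDevices -WhatIf   # drop -WhatIf to apply
```

Run it with -WhatIf first and reconcile the output against the inventory: a device reported as not found has not completed MDM enrollment at all, and the ownership change alone does not fix a Registered join state; it only lets device-targeted policy apply to a device the customer has chosen to keep as manually enrolled.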

If NEW devices being added to the customer appear in Azure AD Devices as Registered instead of Azure AD Joined or Hybrid Azure AD Joined, configure the Azure AD Connect sync client with the CORRECT settings for a hybrid environment (Configure device options > Configure Hybrid Azure AD join, which publishes the Service Connection Point that domain-joined devices use to find the tenant). Improper sync settings will cause this issue.
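
To confirm the Azure AD Connect device options were actually applied to the customer's forest, the script below (an added example, not part of the original KB) reads the Service Connection Point that the Hybrid Azure AD join configuration writes and compares it with the expected tenant. It assumes the ActiveDirectory RSAT module is available on the machine it runs on; the function name and its two parameters are assumptions for the example. The SCP's fixed GUID and its azureADId / azureADName keywords are the documented values.

```powershell
Import-Module ActiveDirectory

function Test-HybridJoinScp {
    param(
        # Assumed inputs: the customer's tenant ID and a verified tenant domain name (e.g. contoso.com)
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        [Parameter(Mandatory)][string]$ExpectedTenantName
    )

    # The SCP GUID is fixed by Microsoft and lives in the forest's configuration partition
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$cfgNC"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        # No SCP: the "Configure Hybrid Azure AD join" step of Azure AD Connect has not been run for this forest
        return [pscustomobject]@{ ScpPresent = $false; TenantIdOk = $false; TenantNameOk = $false; Keywords = '' }
    }

    # Keywords look like "azureADId:<tenant guid>" and "azureADName:<verified domain>"
    $kw   = @($scp.keywords)
    $id   = ($kw | Where-Object { $_ -like 'azureADId:*' }   | Select-Object -First 1) -replace '^azureADId:',   ''
    $name = ($kw | Where-Object { $_ -like 'azureADName:*' } | Select-Object -First 1) -replace '^azureADName:', ''

    [pscustomobject]@{
        ScpPresent   = $true
        TenantIdOk   = ($id -eq $ExpectedTenantId)
        TenantNameOk = ($name -eq $ExpectedTenantName)
        Keywords     = ($kw -join '; ')
    }
}

# Usage (placeholders for the customer's tenant):
# Test-HybridJoinScp -ExpectedTenantId '00000000-0000-0000-0000-000000000000' -ExpectedTenantName 'contoso.com'
```

If ScpPresent is false, or the tenant values point at an old or wrong tenant (common after a tenant migration), new domain-joined machines will keep landing as Registered no matter what the GPO does. Re-run the Azure AD Connect device options wizard, then confirm on a freshly joined device with dsregcmd /status that AzureAdJoined and DomainJoined are both YES after the two reboots.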

If USERS are not properly licensed, you can enroll devices using a service account. As long as that service account keeps its license, it can cover up to 15 devices. This ceiling is the maximum value of the Intune enrollment device limit restriction per user; check the tenant's device limit restriction, because a lower setting will block the service account sooner.

*The LOCAL ADMIN requirement applies ONLY to initial setup. Once the device is enrolled in Intune/Defender, the user's local admin rights can be removed without affecting the device.