Intune enrollment method capabilities for Windows devices

There are several methods to enroll your workforce's devices in Intune. Each method has different best practices and capabilities, as shown in the tables below.

Best practices by enrollment method

| Best practices | Azure AD joined | Azure AD joined with Autopilot (User driven mode) | Azure AD joined with Autopilot (Self deploying mode) | Bulk | DEM | BYOD | GPO | Co-management |
|---|---|---|---|---|---|---|---|---|
| Commonly used in EDU | X | Check | X | Check | Check | X | X | X |
| Devices can be used as shared devices | X | X | Check | Check | Check | X | X | X |
| Personal devices must access company resources | X | X | X | X | X | Check | X | X |
| Self-servicing of apps | Check | Check | X | X | X | Check | Check | Check |

Capabilities by enrollment method

| Capabilities | Azure AD joined | Azure AD joined with Autopilot (User driven mode) | Azure AD joined with Autopilot (Self deploying mode) | Bulk | DEM | BYOD | GPO | Co-management |
|---|---|---|---|---|---|---|---|---|
| Conditional Access | Check | Check | Check | Check** | Check** | Check | Check | Check |
| User gets associated with the device | Check | Check | X | X | X | Check | Check | Check |
| Requires Azure AD Premium | X | Check | Check | Check | X | X | Check | Check |
| Device can access resources protected by CA | Check | Check | Check | Check | X | Check | Check | Check |
| Users must not be admins on their devices | X | Check | Check | Check | X | X | X | X |
| Ability to configure the device setup experience | X | Check | Check | X | X | X | X | X |
| Ability to enroll devices without user interaction | X | X | Check | Check | Check | X | Check | Check |
| Ability to run PowerShell scripts | Check | Check | Check | Check | Check | X | X | Check* |
| Supports automatic enrollment after AD domain join | X | X | X | X | X | X | Check | Check |
| Supports automatic enrollment after Hybrid Azure AD join | X | X | X | X | X | X | Check | Check |
| Supports automatic enrollment after Azure AD join | Check | Check | Check | Check | Check | Check | X | X |

* Client apps workloads in Configuration Manager must be moved to Intune Pilot or Intune.

** Devices are blocked for Conditional Access with the exception of Windows 10 (version 1803 and later) and Windows 11.

Next steps

Set up enrollment for Windows