* At this time not all enrollment options or functionality are available for Intune. See 'How do I enroll devices?' below for more information.


What is Intune?


Intune is a Mobile Device Management (MDM) system that enables administrators to configure and manage devices remotely. Intune can manage Windows and Android devices (management of Apple devices is coming at a future date). How much of each platform can be managed depends on the specific OS version.


How does Intune Work?


Intune is a cloud-hosted management server. Devices are enrolled into Intune and then receive policies and other configurations as those come into scope for the devices.


After enrollment, devices check in to Intune for policy changes at predetermined intervals, which vary by operating system. New policies created after devices are enrolled are pushed out to devices as they become available, independent of the device’s normal check-in period.


Communications between the server and the devices are encrypted, and no personal information such as browsing history, file contents, or passwords is collected.


How do I enroll devices?


* At this time not all enrollment options are available for Intune. Only hybrid-join enrollment for Windows devices is available, which requires that a department have devices in the managed Central Services Domain. Other options, while documented below, are not available.


There are several methods of enrolling devices, depending on the operating system (also see the Intune enrollment and capabilities section below):


Where can I find Technical Documentation, resources, training materials, etc.?


Technical Documentation and information for Intune can be found at:



Is in-person or live remote training or assistance available?


Training is available subject to scheduling and availability. It is available for initial onboarding as well as follow-up and can be customized based on need. You can request training from one of VT Intune’s Service Administrators by completing the IT Service Catalog item here.


The #intune Slack channel and the Intune User’s Group are also places where questions can be asked of other VT Intune users. Service administrators are also available for assistance with any issues or questions.


How can I start using Intune?


You can get started using Intune by requesting access through the Service Catalog by clicking here. Pricing and other information is available within the catalog item.


What are the different Intune Management Capabilities for Windows 10 and Android?

Windows 10 devices can be enrolled in Intune using one of two enrollment methods: Hybrid Azure AD Joined (organizationally owned) or Azure AD Registered (BYOD). Android devices can be enrolled through Android Enterprise or as BYOD (note that Android BYOD enrollment is slowly being deprecated).

The method used to enroll the device matters because it determines which management capabilities are available. There may be requirements to use a particular enrollment method.

For Windows 10, Intune offers the fullest management capabilities for Windows devices that sit in a managed Central Services Domain (CSD) OU and are ‘hybrid joined’ to Azure AD. Windows devices not in a CSD OU use the ‘BYOD’ enrollment method and are only registered to Azure AD, which exposes relatively fewer features. For Android devices, Intune offers the fullest management for devices enrolled through Android Enterprise.

See below for an overview of types of device joins, their requirements, and capabilities.


Device join types (Windows)


Intune enrollment method: Hybrid Azure AD Joined (Windows), or Azure AD Registered (Windows)*

* the Azure AD Registered enrollment method is currently not available


Requirements for the enrollment method

Hybrid Azure AD Joined: Windows devices must be in a managed OU in Central Services Domain (CSD).

Azure AD Registered: the enrolling user must be licensed.


How devices are enrolled

Hybrid Azure AD Joined: in the department’s managed CSD OU, the department creates a child OU named ‘[OU]-Intune’. Windows device objects in that child OU are synced to Azure AD.

Azure AD Registered: the Microsoft Company Portal app is downloaded, installed, and used to enroll the device. The user authenticates with their credentials.


General capabilities compared for the two enrollment methods (from Microsoft documentation)

User gets associated with device

Device can access resources protected by Conditional Access (CA)

Ability to configure the device setup experience

Ability to enroll devices without user interaction (* the user will still get a 2-factor Duo prompt)

Ability to run PowerShell scripts (custom scripting)

Supports automatic enrollment after AD domain join

Supports automatic enrollment after Hybrid Azure AD Join

General capabilities (Windows and Android*)

* For Android, read the Android Enterprise enrollment as the left column and Android BYOD as the right column; scroll down for the Android-specific section.


Customized reporting and device compliance reporting: compliance reporting through the Intune portal; customized reporting with Power BI (external to Intune).

Allow administrator to reset a device PIN/passcode: ✘ * (only iOS/iPadOS devices enrolled via DEP/ASM, Android devices on version 6.x or earlier, and Android Enterprise devices enrolled as Device Owner support this).

Perform full wipe of device

Perform selective wipe of the organization’s intellectual property

Compartmentalize data

User portal for supported OS versions: uses the Company Portal app, distributed or downloaded.

Prevent user from unenrolling the device: * a profile can be used to prevent unenrolling.

Remove/uninstall apps remotely: * for Android, apps must be Managed Google Play apps.

Application allow/block list


Windows-specific capabilities


Manage operating system patches on devices: updates are delivered by assigning Windows Update rings and a schedule, not by pushing individual KBs or WSUS-style management.

Roll back packages and updates: can roll back Feature or Quality updates for an Update Ring.

Force system restore / create restore points: Intune can rebuild the system only (it does not back up user files) and cannot create restore points. System restore points are an older style of backup; Intune offers wipe/restore options instead.

Check BIOS

Configure deployment/installation of native Windows installers (.exe, .msi): deploying an .exe requires wrapping the installer in the proprietary .intunewin format using Microsoft’s Win32 Content Prep Tool.

Configure BitLocker

Configure AppLocker

Disable peer-to-peer distribution of updates

Wake on LAN

Bulk MDM enrollment
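The ‘Check BIOS’, ‘Configure BitLocker’ and ‘Ability to run PowerShell scripts’ rows above are easiest to see together as one script. The following is an added example, not code from this page or from the VT Intune service: a discovery script in the shape Intune expects for custom compliance (a single compressed JSON object as the last line of output) that reports firmware, TPM, Secure Boot and BitLocker posture for the OS drive. The setting names in the JSON are assumptions chosen for the example and must match whatever rule file you upload beside the script.

```powershell
# Added example, not from the page. Runs on a Windows 10/11 device as SYSTEM, as Intune-pushed
# scripts do; Get-BitLockerVolume and Confirm-SecureBootUEFI need elevation.
# The key names in the emitted JSON are this example's own choice (assumption).

function Get-FirmwarePosture {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $secureBoot = $false
    try {
        # Throws on legacy BIOS (no UEFI variables), so a throw means "not UEFI / no Secure Boot".
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $secureBoot = $false
    }
    $tpm = Get-Tpm
    [ordered]@{
        BiosVendor   = [string]$bios.Manufacturer
        BiosVersion  = [string]$bios.SMBIOSBIOSVersion
        SecureBootOn = $secureBoot
        TpmPresent   = [bool]$tpm.TpmPresent
        TpmReady     = [bool]$tpm.TpmReady
    }
}

function Get-BitLockerPosture {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [ordered]@{
        OsDriveEncrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
        OsDriveProtection   = [string]$vol.ProtectionStatus    # 'On' means key protectors are active
        EncryptionMethod    = [string]$vol.EncryptionMethod    # e.g. XtsAes256
        HasTpmProtector     = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        HasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

# Merge both views and emit the JSON Intune reads. Nothing else may be written to the
# output stream after this line, or the compliance evaluation fails to parse it.
$result = [ordered]@{}
foreach ($part in (Get-FirmwarePosture), (Get-BitLockerPosture)) {
    foreach ($key in $part.Keys) { $result[$key] = $part[$key] }
}
return ($result | ConvertTo-Json -Compress)
```

A matching rule file would, for instance, require SecureBootOn and OsDriveEncrypted to equal true and HasTpmProtector to equal true, so that a machine whose OS drive is encrypted with a password-only protector, or whose firmware was reset to legacy boot, is marked non-compliant and loses Conditional Access rather than merely showing up in a report.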


Android-specific capabilities


Intune enrollment method: Android Enterprise, or Android BYOD (can still be used, but is being deprecated)


How devices are enrolled

Android Enterprise: on a wiped Android device, a token is entered or a QR code is scanned (depending on OS version), then the user authenticates with their credentials.

Android BYOD: the Microsoft Company Portal app is downloaded, installed, and used to enroll the device. The user authenticates with their credentials.


Force OS upgrade: for Android Enterprise (Fully Managed), update settings (Automatic, Device Default, etc.) are available, but there is no functionality to force the device to perform an update on demand.

Performs check of security updates: see the note for ‘Force OS upgrade’ above.

Supports zero-touch enrollment: variable capability, affected by device manufacturer, Google Play integration, OS version, and more.

Support devices in kiosk mode

Prevent content sharing through Android Beam: under Device Administrator management (BYOD), blocking Beam is done by disabling NFC entirely.

Supports Google Play Private Channel: only available once the Google Play license agreement review completes (still underway).