- If you add a custom domain and you want to simplify Windows enrollment without
Azure AD Premium, you can use the CNAME option.


- Intune auto-enrollment (Azure AD) vs. enrolling only in Intune (personal):
enrolling only in Intune can cause problems later, for example with conditional
access policies, which work only for Azure AD joined devices.
- To join a Windows 11 device, you can do it via Settings or the organizational portal.
- You can group devices managed by Intune in a dynamic group for better management.
The update can take time.
- Device categories automatically create an Azure AD security group once a device
falls under one of them. Using this security group, a device can be assigned the
proper policies and apps.
- Users can choose a category from the list when using the Company Portal on
devices. You can disable end-user category selection using a customization policy.
- To update the device category of multiple devices, you can use the Graph API and
the Intune PowerShell module.
- You can assign a category to a device manually in the device properties.
- When you rename a category, all devices using it are automatically updated.
- A device enrollment manager (DEM) is a non-admin user who can enroll devices in
Intune. A DEM account can enroll and manage up to 1000 devices, while a non-admin
account can only enroll 15. It requires an Intune license.
- The DEM user cannot wipe DEM-enrolled devices from the device using the Company
Portal application. It enrolls Windows 10/11 devices in shared device mode, so the
device limit restriction won't work on them. Instead, we can configure a hard limit
in the AD admin center.
- The DEM user will be the admin on the enrolled machine, and the user will not be
able to disconnect. It will be added to the admin group on the local machine.
- The primary user property is used to map a licensed Intune user to their devices.
An Intune device can have 0 or 1 primary user. When there is no primary user, the
device is referred to as a shared device.
- We can change a device name from Intune in the device properties.
- You can configure an auto-cleanup rule to clean up inactive, stale devices. It
depends on the organization, but 90 days is recommended. This only applies to
Intune devices, not Azure AD devices.
- You can customize company branding on the Company Portal.
https://portal.manage.microsoft.com
- The first user that creates an Azure AD tenant is assigned the global admin role.
- Installation of M365 apps won't succeed if there are pre-existing .MSI apps on
end-user devices.
- You can view managed app status per machine in the device options.
- Progressive web apps are apps developed with HTML, CSS... A JSON script might be
necessary.
- You can deploy an MSI app to Windows.
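
Added example (not part of the original notes) for the bulk category update mentioned above. It uses the Microsoft Graph PowerShell SDK's `Invoke-MgGraphRequest` rather than the older Intune module, and assumes the beta `deviceManagement` endpoint; the category name and device names are constructed sample values.

```powershell
# Bulk-assign an Intune device category through Microsoft Graph.
# Requires the Microsoft.Graph.Authentication module.
# $CategoryName and $DeviceNames are constructed sample values.
$CategoryName = 'Kiosk'
$DeviceNames  = @('KIOSK-001', 'KIOSK-002', 'KIOSK-003')
$Graph        = 'https://graph.microsoft.com/beta/deviceManagement'

# Ask only for the delegated scope needed to read and update managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

# Resolve the category name to its id; stop if it is missing or ambiguous.
$categories = (Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceCategories" `
               -OutputType PSObject).value
$category   = @($categories | Where-Object { $_.displayName -eq $CategoryName })
if ($category.Count -ne 1) {
    throw "Expected exactly one category named '$CategoryName', found $($category.Count)."
}
# A category is assigned as a reference to the category object, not as a string.
$body = @{ '@odata.id' = "$Graph/deviceCategories/$($category[0].id)" } | ConvertTo-Json

$results = foreach ($name in $DeviceNames) {
    # Device names are not unique in Intune: skip names matching 0 or several devices
    # so the category never lands on the wrong machine.
    $query = [uri]::EscapeDataString("deviceName eq '$($name.Replace("'", "''"))'")
    $found = @((Invoke-MgGraphRequest -Method GET `
                -Uri "$Graph/managedDevices?`$filter=$query" -OutputType PSObject).value)
    if ($found.Count -ne 1) {
        [pscustomobject]@{ Device = $name; Status = "skipped ($($found.Count) matches)" }
        continue
    }
    try {
        Invoke-MgGraphRequest -Method PUT -Body $body -ContentType 'application/json' `
            -Uri "$Graph/managedDevices/$($found[0].id)/deviceCategory/`$ref" | Out-Null
        [pscustomobject]@{ Device = $name; Status = 'updated' }
    } catch {
        [pscustomobject]@{ Device = $name; Status = "failed: $($_.Exception.Message)" }
    }
}

# Keep the per-device outcome as a record of what was changed.
$results | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```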

Difference between Azure joined and registered

Difference between shared and user device
