Session Objective

I logged the full handoff in Notion here: Intune Enrollment Pilot Handoff — 2026-04-24

What I already verified

• SAIL-Audit-Visibility now has strong Intune Graph access.
• Live tenant checks succeeded.
• The tenant is still basically clean:
  • managedDevices = 0
  • Autopilot devices = 0
  • device configurations = 0
  • compliance policies = 0
• Windows enrollment is allowed in the default platform restriction.

Open These In Notion On The Windows Side

• Credentials and Microsoft app registration values: API Keys & App Secrets
• Windows login, VPN, and RDP details: A - Passwords
• Broader IT/domain/license context: SAIL - IT Transition Plan

Inline Handoff

1. Pick pilot Windows 10/11 workstation. Do not start with servers.
2. On the pilot, run:

dsregcmd /status

1. What we want:
   • DomainJoined : YES
   • AzureAdJoined : YES
2. If DomainJoined : YES but AzureAdJoined : NO, stop there. Hybrid join is the missing prerequisite.
3. In Entra, confirm the pilot user is inside the automatic MDM enrollment scope.
4. In Group Policy, enable:
   • Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Microsoft Entra credentials