Cloud-based Device Management Glossary

Last updated: November 15, 2023
Audience: All UW

This document lists common terminology and definitions in association with Microsoft cloud-based device management.

Autopilot Deployment -Autopilot Enrollment
-Autopilot OOBE
A cloud-directed process which brings a device to the right initial configuration. There are four types: user-driven, self-deploying, white glove, and reset. Autopilot deployment is dependent on Entra ID join and Intune enrollment.
Autopilot Profile -Autopilot device profile
-Device Profile
A profile of settings that needs to be applied to assigned devices.
Autopilot Registration Autopilot registration allows a device to be uniquely identified by Microsoft’s Autopilot deployment service as belonging to a given organization. There are two types of autopilot registration: vendor-based and organization-based.

Vendor-based is considered more authoritative and some Autopilot activities are only allowed to vendor-based registration. Vendor-based registration requires prior setup with the vendor, and at the time of the order, the customer can provide specific information that results in a specific AutoPilot image within our Intune tenant.

Autopilot Reset An autopilot action which takes the device back to a business-ready state, removing personal files, apps, and settings and reapplying a device’s original settings, maintaining its identity connection to Entra ID and its management connection to Intune. Local reset can be initiated by a user in the Intune Service Administrator role. Remote reset can be triggered only for devices which were not self-deploying.
Entra ID -Azure Active Directory
-Azure AD
A cloud-based identity product from Microsoft. Similar to Active Directory but with many differences.
Entra ID Device Delete Deletes the Entra ID device object.

Unclear what happens to Intune device record. See for Microsoft documentation.

Entra ID Device Join -Entra ID Join
-Cloud Device Join (CDJ)
A device is said to be Entra ID joined when it has registered with Entra ID AND primary sign in to that device requires an Entra ID user account. An Entra ID joined device can also have limited device management benefits, especially if a Mobile Device Management (MDM) provider is associated with the Entra ID tenant. The UW has Intune as its MDM provider, but device management capabilities are extremely limited at this time. There are a few other device management capabilities outside Intune, for example Bitllocker key recovery and Enterprise State Roaming.

In contrast, primary sign in to an Entra ID registered device does not require an Entra ID user account.

Entra ID Device Registration -Entra ID Register
-Entra ID Workplace Join (WPJ)
A device which is Entra ID registered has an association with Entra ID that allows sign in to Entra ID applications, but primary sign in on the device is not through Entra ID. The registration experience includes issuance of a certificate that can be used to provide information security; data from those applications can be protected and access to any downloaded data can be lost if the device loses its Entra ID registration.

In contrast, primary sign in to an Entra ID joined device requires an Entra ID user account.

Entra ID Hybrid Join -Hybrid Join
A device is said to be hybrid joined if it has both an AD object and an Entra ID object, which allow users of that device to sign in with an AD user account, which provides access to resources which are protected by either the AD or the Entra ID user.

A hybrid joined computer is joined to both AD and Entra ID, but the AD join is primary because the device initially uses AD authentication. Only Windows devices can be hybrid joined.

See Hybrid Join via a Delegated OU.

Client Attach This is a fancy term for co-management, usually used in conjunction with tenant attach or cloud attach. A device which is client attached is managed by ConfigMgr but also visible in the MEM portal. A client attached device gains the following benefits: conditional access, autopilot, MEM portal visibility.
Cloud Attach A device which is cloud attached is managed by ConfigMgr but also visible in the MEM portal. The device can be cloud attached via either tenant attach or client attach. Typically, the device is primarily managed via ConfigMgr.
Cloud Management Gateway -CMG Enables MECM to manage devices over the internet
Co-existence Devices are managed by ConfigMgr and another MDM product which is not Intune.
Co-Management -Co-Managed Devices are fully managed by both ConfigMgr and Intune with explicit admin intent on which workload is managed by either ConfigMgr or Intune.
Company Portal -Intune Company Portal


A cloud-based service provided by Microsoft whose content is managed by an organization. The company portal provides a user interface to access apps, device data, and resources that the organization publishes. is a generic link to the company portal. See for more info.
Corporate device Typically this is a device which is owned by the university, however, the Microsoft products use the following methods to determine whether it is a corporate device:

Desktop Analytics -DA A cloud-based service which provides insight and intelligence into your Windows clients. See for more info.
Device Firmware Configuration Interface -DFCI A (new) feature of UEFI that enables secure, programattic configuration of BIOS hardware settings.
Dynamic Group A type of Entra ID group which does not have a static membership. Membership is computed on a recurring basis, based on a set of defined rules. A given dynamic group can only allow all users or all devices; no mixed membership.
Group Policy -GP A hybrid joined device may have group policy. Group policy is a set of settings derived from AD. Settings from Intune profiles and policy settings may conflict with group policy settings–there is a set of complex rules which determines which wins.
Group Policy Object -GPO A single, specific group policy
Group Policy Preferences -GPP A feature of group policy which has more flexibility than most group policy settings
Hardware ID -hardware hash The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device.

Intune and Autopilot use this to uniquely identify a device. Unfortunately, Entra ID doesn’t use it to disambiguate Entra ID registrations from Entra ID joins.

Intune Assignment An Intune assignment is made when an Intune profile is assigned to a user or a device. The Intune profile may have a variety of settings. A user assignment follows the user across all Intune enrolled devices. A device assignment applies to all users of that device.
Intune Profile -Intune Configuration Profile

-Device Configuration Profile

-Configuration Profile

An Intune Profile is a set of settings. An Intune Profile is similar to a group policy object. A profile can be assigned to users or devices.
Intune Device Category An Intune property that can be assigned to each enrolled device. Valid values are defined by the MDM operator. Device category is one of the only useful properties that can be used in the rules for a device dynamic group.
Intune Device Delete Intune Device action which removes all org data from the device and removes the device from Intune. The device immediately is removed from Intune; when the device checks in next it will receive this command to remove org data.
Intune Device Fresh Start Intune Device action which removes any apps that are installed on a PC running Windows 10, version 1703 or later. Fresh Start helps remove pre-installed (OEM) apps that are typically installed with a new PC. If ‘retain user data on this device’ is checked, AAD join and Intune enrollment are kept, and the device user’s Home folder are kept, but apps and settings are removed.
Intune Device MacOS Erase Intune Device action which erases all data from a macOS device, including the operating system. The device will also be removed from Intune management. No warning will be given to the end user.
Intune Device Retire Intune Device action which removes all org data from the device and removes the device from Intune. The device remains in Intune until the device checks in and receives this action.
Intune Device Wipe Intune Device action which restores the device to factory default settings. If ‘retain enrollment state and user account’ is checked, user data is kept and enrollment maintained.
Intune Policy set An Intune Policy is more than just a set of settings; it’s a statement of requirement often related to compliance. Intune compliance policy settings override Intune profile settings.
Intune Scope The combination of an Intune scope tag and scope group. Intune scope is poorly explained in Microsoft documentation; see for the best existing info.
Intune Scope Group An Entra ID group of devices, users, or both, by which an Intune scope tag is conditionally assigned to an Intune role. Scope groups are poorly explained in Microsoft documentation; see for the best existing info.
Intune Scope Tag An Intune property that can be assigned to each enrolled device or any other Intune object. Valid values are defined by the MDM operator. Scope tags are used to limit the scope of permissions. If you have Intune permissions and a scope tag on your account, those permissions are limited to objects with a matching scope tag.
MDM Enrollment -Device Enrollment
-Intune Enrollment
A device is said to be MDM enrolled when it is managed by a MDM product like Intune.

Any Entra ID registered device can be Intune enrolled, but not all Entra ID registered devices are Intune enrolled; it takes more than just Entra ID registration to become Intune enrolled but Entra ID registration is a minimum requirement.

An Entra ID tenant can be configured for automatic MDM enrollment, so that all Entra ID device joins are MDM enrolled. This is similar to Autopilot, but with fewer features and no requirement to explicitly enroll a device prior to join.

Microsoft Endpoint Configuration Manager MECM
The new name for Configuration Manager aka SCCM. See
Microsoft Endpoint Manager -MEM

-Cloud portal

A new Microsoft brand and license which includes Configuration Manager, Intune, and Desktop Analytics. MEM refers to the complete set of solutions.
Microsoft Intune -Intune Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).

Mobile Application Management -MAM Refers to the suite of Intune management features that lets you publish, push, configure, secure, monitor, and update mobile apps.
Intune supports two MAM configurations:
-MAM without enrollment (MAM-WE), i.e. device does not have Intune but has a 3rd party agent
-MAM with MDM, i.e. device has Intune
Mobile Device Management -MDM MDM is an industry term for the administration of mobile devices, including smartphones, tablets, laptops, and personal computers that aren’t necessarily very mobile. MDM seeks to simplify device management at scale across a diverse set of platforms.

MDM capabilities usually include:
-configuration to a consistent standard and set of supported applications via a policy
-updating applications and configuration in a scalable manner
-monitoring and tracking devices
-provide for efficient troubleshooting and diagnoses

Security is often a key configuration quality cited by MDM solutions.

MDM is based on the Open Mobile Alliance OMA Device Management specification. See and for more.

Personal device -BYOD Any device which is not considered a corporate device.

This term is sometimes loosely used to reference devices which have not been MDM enrolled, but are Entra ID registered.

Tenant Attach Tenant attach is where your SCCM data is imported to your MEM portal. This results in cloud attach. The benefits of tenant attach are: ATP integration, Desktop Analytics, User Experience Analytics, MEM portal visibility.
Windows Autopilot -Autopilot A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.

Autopilot is not a deployment method, it’s an initial provisioning method to bootstrap the system into AAD and Intune and in turn ConfigMgr if desired. Task sequences can be used in a variety of scenarios and a new feature in 2002 allows them to be kicked off automatically after the client agent is installed.

Windows Subscription Activation see