IT Connect
Your connection to information technology at the UW

Cloud-based Device Management Glossary

This document lists common terminology and definitions in association with Microsoft cloud-based device management.

Term
Synonyms
Definition
Autopilot Deployment
-Autopilot Enrollment
-Autopilot OOBE
A cloud-directed process which takes a new or reset device through the Windows Out-of-Box Experience (OOBE) to its intended initial configuration. The Autopilot scenarios are user-driven, self-deploying, white glove (since renamed "pre-provisioned" by Microsoft), and Autopilot Reset. Autopilot deployment depends on Azure AD join (or hybrid Azure AD join, in the user-driven scenario) and Intune enrollment.
Autopilot Profile
-Autopilot device profile
-Device Profile
A profile of OOBE settings (deployment mode, join type, whether the first user becomes a local administrator, which privacy and license pages to skip, device naming template) that is applied to the Autopilot-registered devices it is assigned to. A device shows no Autopilot behavior at OOBE until a profile has been assigned to it.
Autopilot Registration
Autopilot registration allows a device to be uniquely identified by Microsoft's Autopilot deployment service, by its hardware hash, as belonging to a given organization. There are two types of Autopilot registration: vendor-based and organization-based.

Vendor-based registration is considered more authoritative, and some Autopilot activities are only allowed for vendor-registered devices. Vendor-based registration requires prior setup with the vendor (OEM or reseller); at the time of the order the customer provides the tenant and, optionally, a group tag, and the vendor uploads the hardware hash so that the device appears as an Autopilot device record in our Intune tenant. Organization-based registration is done by the organization itself, by collecting the hardware hash from the device and importing it into Intune.

Autopilot Reset
An Autopilot action which takes the device back to a business-ready state: personal files, apps and settings are removed and the device's original settings are reapplied, while its identity connection to Azure AD and its management connection to Intune are kept. Local reset is started from the device lock screen and requires the credentials of an administrator in the Intune Service Administrator role. Remote reset is started from the Intune portal and can be triggered only for devices which were not self-deploying.
Azure Active Directory
-Azure AD
-AAD
A cloud-based identity and access management service from Microsoft. Similar in purpose to Active Directory but with many differences: it is not a directory you join with Kerberos or query with LDAP; users and devices authenticate with OAuth 2.0, OpenID Connect and SAML tokens over HTTPS, and group policy does not apply to it.
Azure AD Device Delete
Deletes the Azure AD device object. This removes nothing from the device itself; the device simply can no longer obtain tokens tied to its device identity, so it will stop satisfying Conditional Access policies that require a joined or compliant device.

It is unclear what happens to the Intune device record. See https://docs.microsoft.com/en-us/mem/Intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal for Microsoft documentation.

Azure AD Device Join
-AAD Join
-Azure AD Join (AADJ)
-Cloud Device Join (CDJ)
A device is said to be Azure AD joined when it has registered its device identity with Azure AD AND primary sign in to that device requires an Azure AD user account. An Azure AD joined device can also have limited device management benefits, especially if a Mobile Device Management (MDM) provider is associated with the Azure AD tenant. The UW has Intune as its MDM provider, but device management capabilities are extremely limited at this time. A few device capabilities come from the join itself rather than from Intune, for example BitLocker recovery key escrow to Azure AD and Enterprise State Roaming.

In contrast, primary sign in to an Azure AD registered device does not require an Azure AD user account.

Azure AD Device Registration
-AAD Register
-Azure AD Register
-AAD Workplace Join (WPJ)
A device which is Azure AD registered has an association with Azure AD that allows sign in to Azure AD applications, but primary sign in on the device is not through Azure AD (it is a local account, an on-premises AD account, or another platform's account). Registration issues the device a certificate, with the private key protected by the TPM where one is present; that device identity is what Conditional Access evaluates. Data from those applications can be protected, and access to any downloaded data can be lost if the device loses its Azure AD registration.

In contrast, primary sign in to an Azure AD joined device requires an Azure AD user account.

Azure AD Hybrid Join
-Hybrid Join
-DJ++
A device is hybrid joined if it has both an on-premises AD computer object and an Azure AD device object. Users of that device sign in with an AD user account and get single sign-on to resources protected by either directory: Kerberos tickets for AD-protected resources and a Primary Refresh Token (PRT) for Azure AD-protected resources.

A hybrid joined computer is joined to both AD and AAD, but the AD join is primary because the device initially uses AD authentication; Azure AD Connect synchronizes the computer object to Azure AD and the device completes its Azure AD registration afterwards. Only Windows devices can be hybrid joined.

See Hybrid Join via a Delegated OU.
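The three device states above (Azure AD joined, Azure AD registered, hybrid joined) are reported by the built-in `dsregcmd /status` tool, but its output is a page of "Name : YES/NO" lines that is easy to misread. The following is an added example for this glossary, not code from the IT Connect page or from Microsoft; it parses that output into one state value and accepts the text as a parameter so the classification can be checked against constructed output without running the tool.

```powershell
# Added example (not from the IT Connect page or from Microsoft): classify a
# Windows device's Azure AD relationship from the output of `dsregcmd /status`.
# dsregcmd.exe ships with Windows 10/11; each line of interest is "Name : YES/NO".
function Get-AadDeviceState {
    param(
        # The raw text can be passed in so the parser can be exercised offline.
        [string[]]$StatusText = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $flags = @{}
    foreach ($line in $StatusText) {
        # Match lines such as "   AzureAdJoined : YES" or "   TenantName : Contoso".
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|AzureAdPrt|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $flags[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $flags['AzureAdJoined']   -eq 'YES'
    $domain = $flags['DomainJoined']    -eq 'YES'
    $wpj    = $flags['WorkplaceJoined'] -eq 'YES'

    # Hybrid join is "both at once"; registration (workplace join) is per user,
    # which is why it shows under User State rather than Device State.
    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($wpj)          { 'Azure AD registered (workplace joined)' }
             elseif ($domain)       { 'On-premises AD joined only' }
             else                   { 'Not joined or registered' }

    [PSCustomObject]@{
        State    = $state
        # The PRT is what turns a join into SSO for the signed-in user; NO on a
        # joined device usually means the user signed in with a local or AD-only account.
        HasPrt   = ($flags['AzureAdPrt'] -eq 'YES')
        Tenant   = $flags['TenantName']
        DeviceId = $flags['DeviceId']
    }
}

# Constructed, abridged sample of dsregcmd output for a hybrid joined device.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                TenantName : Contoso',
    '                  DeviceId : 1f3c2a9e-0000-4000-8000-000000000000',
    '| User State                                                           |',
    '           WorkplaceJoined : NO',
    '                AzureAdPrt : YES'
)
Get-AadDeviceState -StatusText $sample   # State: Hybrid Azure AD joined, HasPrt: True
# Get-AadDeviceState                      # live query on the current device
```

Run it as the user whose sign-in you are investigating: the User State section, and therefore `WorkplaceJoined` and `AzureAdPrt`, reflects the account that invoked dsregcmd, not the machine as a whole.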

Client Attach
Another name for co-management, usually used in conjunction with tenant attach or cloud attach. A client attached device has the ConfigMgr client installed and is also enrolled in Intune, so it is managed by ConfigMgr but also visible in the MEM portal. A client attached device gains the following benefits: conditional access (through Intune compliance), Autopilot, and MEM portal visibility.
Cloud Attach
A device which is cloud attached is managed by ConfigMgr but is also visible in the MEM portal. The device can be cloud attached via either tenant attach or client attach. Typically, the device is primarily managed via ConfigMgr.
Cloud Management Gateway
-CMG
Enables MECM to manage devices over the internet without a VPN, by way of an Azure-hosted service that both the site server and internet clients connect to.
Co-existence
Devices are managed by ConfigMgr and a third-party MDM product (one which is not Intune).
Co-Management
-Co-Managed
Devices are fully managed by both ConfigMgr and Intune, with explicit admin intent, per workload (for example compliance policies, device configuration, Windows Update policies, or client apps), on whether ConfigMgr or Intune is the authority for that workload.
Company Portal
-Intune Company Portal
A Microsoft app and website whose content is managed by the organization. The Company Portal provides the user interface for enrolling a device and for accessing apps, device data, and resources that the organization publishes. https://go.microsoft.com/fwlink/?linkid=2010980 is a generic link to the Company Portal website. See https://docs.microsoft.com/en-us/mem/intune/user-help/using-the-intune-company-portal-website for more info.
Desktop Analytics -DA A cloud-based service which provides insight and intelligence into your Windows clients. See https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview for more info.
Device Firmware Configuration Interface
-DFCI
A newer, open UEFI firmware feature defined by Microsoft that lets Intune configure UEFI (BIOS) settings such as boot options, cameras, radios and microphones programmatically and securely, on devices whose firmware supports it. Only Autopilot-registered devices can be DFCI managed: the firmware is bound to the tenant during Autopilot deployment, and DFCI-managed settings cannot then be changed locally, even by an administrator at the UEFI menu.
Dynamic Group
A type of Azure AD group which does not have a static membership. Membership is computed by Azure AD from a membership rule written against user or device attributes and is re-evaluated as those attributes change; updates can take some time to propagate. A given dynamic group contains either users or devices, never both, and its rule can only reference properties of that object type.
Group Policy
-GP
A hybrid joined device may have group policy. Group policy is a set of settings derived from AD. Settings from Intune profiles and policy settings may conflict with group policy settings, and the rules for which wins are complex. For settings that both systems write to the same registry-based (ADMX-backed) policy, group policy wins by default; Intune wins only when the ControlPolicyConflict/MDMWinsOverGP policy has been set to 1 on the device. Settings that exist in only one of the two systems do not conflict.
Group Policy Object
-GPO
A single, specific group policy: a named container of settings linked to a site, domain or OU in AD.
Group Policy Preferences
-GPP
A feature of group policy which has more flexibility than most group policy settings; preferences can be targeted per item and set, rather than enforce, a value, so a user can change it afterwards.
Hardware ID
-hardware hash
The hardware ID, also commonly referred to as a hardware hash, is an opaque blob (the DeviceHardwareData value of the MDM_DevDetail_Ext01 CIM class, a few kilobytes of base64) that contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. It is collected at the factory by the OEM, or on the device by the Get-WindowsAutopilotInfo script.

Intune and Autopilot use it to uniquely identify a device. Unfortunately, Azure AD does not use it to disambiguate AAD registrations from AAD joins, so one physical device can end up with more than one Azure AD device object.
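Organization-based Autopilot registration (above) comes down to reading this value off the device and importing it. The script below is an added example for this glossary, not the IT Connect page's or Microsoft's own Get-WindowsAutopilotInfo script, although it reads the same CIM class that script reads. It writes the CSV layout that the Intune Autopilot device import accepts (serial, product ID, hash, group tag). The output path and the group tag value "UW-Lab" are assumptions for illustration.

```powershell
# Added example (not from the IT Connect page or from Microsoft): collect the
# Autopilot hardware hash for organization-based registration and write the CSV
# that Intune's Autopilot "Import" accepts. Must run elevated on the physical
# device; the MDM bridge namespace is local-only. Group tag is an assumed value.
param(
    [string]$OutFile  = (Join-Path $env:TEMP 'AutopilotHWID.csv'),
    [string]$GroupTag = 'UW-Lab'
)

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session; the MDM bridge provider requires it.'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# The hash is exposed through the MDM bridge WMI provider, the same DevDetail
# node an MDM server reads; InstanceID/ParentID select the Ext01 extension.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw 'No hardware hash returned; some virtual machines and VDI images do not expose one.'
}
$hash = $devDetail.DeviceHardwareData   # treat as device-identifying data, not as a secret

# Sanity check before handing it to Intune: the value must be well-formed base64.
[void][Convert]::FromBase64String($hash)

# Intune's import format: header row, one device per line, no quoting.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
    'Group Tag'            = $GroupTag
}
$row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutFile -Encoding ascii

"Wrote $OutFile for serial $serial ($($hash.Length) characters of hash, group tag '$GroupTag')"
```

Several devices can be collected into one CSV by appending rows; the group tag is what a dynamic group rule on `[OrderID]` later keys on, so pick it deliberately rather than leaving it blank.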

Intune Assignment
An Intune assignment is made when an Intune profile, policy or app is assigned to an Azure AD group of users or devices. The Intune profile may have a variety of settings. A user assignment follows the user across all Intune enrolled devices that user signs in to. A device assignment applies to all users of that device. An assignment can also exclude a group.
Intune Profile
-Intune Configuration Profile
-Device Configuration Profile
-Configuration Profile
An Intune Profile is a set of settings, delivered to the device over its MDM channel through configuration service providers (CSPs). An Intune Profile is similar to a group policy object. A profile can be assigned to users or devices.
Intune Device Category
An Intune property that can be assigned to each enrolled device, either by the user at enrollment (the Company Portal prompts for it) or by an administrator afterwards. Valid values are defined by the MDM operator. Device category (deviceCategory) is one of the few Intune-sourced properties that can be used in the rules for a device dynamic group, alongside deviceOSType, deviceOwnership, enrollmentProfileName and devicePhysicalIds.
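The dynamic group and device category entries above describe the rule language in the abstract. The following is an added example for this glossary, not code from the IT Connect page, showing the three device dynamic groups most Autopilot and Intune setups need, created with the Microsoft.Graph PowerShell module. The group names, the group tag "UW-Lab" and the category "Lab" are assumptions for illustration.

```powershell
# Added example (not from the IT Connect page): create dynamic device groups
# whose rules use the Autopilot and Intune properties exposed to Azure AD.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph) and a
# role that can create groups. Names, tag and category are assumed values.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# A device dynamic group's rule is written against device.* attributes only;
# it can never also contain users.
$groups = @(
    @{
        Name = 'Autopilot Devices - All'
        # devicePhysicalIds carries "[ZTDId]:<id>" for every Autopilot-registered
        # device, and "[OrderID]:<tag>" when a group tag was set at registration.
        Rule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
    },
    @{
        Name = 'Autopilot Devices - UW-Lab tag'
        Rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:UW-Lab"))'
    },
    @{
        Name = 'Intune Devices - Lab category'
        # deviceCategory is the Intune Device Category set at or after enrollment.
        Rule = '(device.deviceCategory -eq "Lab")'
    }
)

foreach ($g in $groups) {
    # Idempotent: re-running the script must not create duplicate groups,
    # which would silently split profile assignments.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) { "Exists: $($g.Name) ($($existing.Id))"; continue }

    $new = New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false -MailNickname ($g.Name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true -GroupTypes @('DynamicMembership') `
        -MembershipRule $g.Rule -MembershipRuleProcessingState 'On'
    "Created: $($g.Name) ($($new.Id))"
}
```

Membership is evaluated by Azure AD after creation, so a freshly created group is empty for a while; assign the Autopilot profile to the `[ZTDId]` group rather than to "All devices" so that unregistered, merely AAD-joined devices never pick up Autopilot settings.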
Intune Device Delete
Intune device action which removes all org data from the device and removes the device from Intune. The device record is removed from Intune immediately; when the device next checks in it receives the command to remove org data. A device that never checks in again therefore keeps its org data while already being gone from the console.
Intune Device Fresh Start
Intune device action which removes any apps that are installed on a PC running Windows 10, version 1703 or later. Fresh Start helps remove pre-installed (OEM) apps that typically come with a new PC. If 'retain user data on this device' is checked, the AAD join, the Intune enrollment and the device user's Home folder are kept, but apps and settings are removed.
Intune Device macOS Erase
Intune device action which erases all data from a macOS device, including the operating system. The device will also be removed from Intune management. No warning is given to the end user.
Intune Device Retire
Intune device action which removes all org data from the device and removes the device from Intune. The device record remains in Intune until the device checks in and receives this action; personal data and the OS are left in place, which makes Retire the right action for a personal (BYOD) device.
Intune Device Wipe
Intune device action which restores the device to factory default settings, the right action for a lost, stolen or reassigned organization device. If 'retain enrollment state and user account' is checked, the Azure AD join, Intune enrollment and user accounts are maintained, but installed applications and non-default settings are still removed.
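The portal buttons for the actions above call Microsoft Graph, and driving them from Graph is how the Retire-for-personal, Wipe-for-company distinction gets enforced consistently rather than by hand. The following is an added example for this glossary, not code from the IT Connect page; it uses `Invoke-MgGraphRequest` against the documented `managedDevices/{id}/retire` and `managedDevices/{id}/wipe` endpoints, and the serial number is a constructed placeholder.

```powershell
# Added example (not from the IT Connect page): locate an Intune device by
# serial number and queue Retire or Wipe through the Graph REST endpoints the
# portal uses. Serial number below is a constructed placeholder.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

function Get-IntuneDeviceBySerial([string]$Serial) {
    $filter = [uri]::EscapeDataString("serialNumber eq '$Serial'")
    $r = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=$filter"
    # Refuse to act on an ambiguous match: a duplicate record is exactly the
    # case where wiping "the" device hits the wrong one.
    if ($r.value.Count -ne 1) { throw "Expected one device for serial $Serial, found $($r.value.Count)" }
    $r.value[0]
}

function Send-IntuneDeviceAction {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][ValidateSet('retire', 'wipe')][string]$Action,
        # Wipe-only options; Retire always leaves the OS and personal data alone.
        [switch]$KeepEnrollmentState,
        [switch]$KeepUserData
    )
    $req = @{
        Method = 'POST'
        Uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$DeviceId/$Action"
    }
    if ($Action -eq 'wipe') {
        $req.Body = @{ keepEnrollmentData = [bool]$KeepEnrollmentState; keepUserData = [bool]$KeepUserData }
    }
    # The action is queued server-side and executes at the device's next check-in.
    Invoke-MgGraphRequest @req
}

$dev = Get-IntuneDeviceBySerial -Serial 'UW-TEST-0001'
"$($dev.deviceName): last check-in $($dev.lastSyncDateTime), owner type $($dev.managedDeviceOwnerType)"

if ($dev.managedDeviceOwnerType -eq 'personal') {
    # BYOD device leaving the org: remove org data and management only.
    Send-IntuneDeviceAction -DeviceId $dev.id -Action retire
} else {
    # Organization device being reassigned: factory reset but keep join and enrollment.
    Send-IntuneDeviceAction -DeviceId $dev.id -Action wipe -KeepEnrollmentState
}
```

`lastSyncDateTime` is worth looking at before queuing anything: a device that has not checked in for months will not receive the action, and for a lost device that is the cue to also revoke the user's sessions and disable the Azure AD device object rather than waiting on the wipe.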
Intune Policy
An Intune policy is more than just a set of settings; it is a statement of requirement, most often a compliance policy (for example BitLocker on, Secure Boot on, minimum OS version) whose outcome is a compliant or not-compliant state that Conditional Access can consume. Intune compliance policy settings override Intune profile settings where the two overlap. An Intune "policy set" is a different thing: a bundle of apps, profiles and policies that is assigned as a unit.
Intune Scope
The combination of an Intune scope tag and scope group, as set on an Intune role assignment. A role assignment names the admin group that holds the role (Members), the user or device groups those admins may act on (Scope groups), and the scope tags whose objects those admins may see (Scope tags). Intune scope is poorly explained in Microsoft documentation; see https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags for the best existing info.
Intune Scope Group
An Azure AD group of devices, users, or both, attached to an Intune role assignment, which limits the users and devices on which the assigned administrators can perform actions. Scope groups are poorly explained in Microsoft documentation; see https://docs.microsoft.com/en-us/mem/intune/fundamentals/scope-tags for the best existing info.
Intune Scope Tag
An Intune property that can be assigned to each enrolled device or any other Intune object (profiles, apps, policies). Valid values are defined by the MDM operator; every object carries the built-in Default tag until an administrator changes it. Scope tags are used to limit the scope of permissions: if you have Intune permissions through a role assignment that carries a scope tag, those permissions apply only to objects with a matching scope tag. Scope tags limit which objects are visible; scope groups limit which users and devices can be acted on; delegating least privilege requires setting both.
MDM Enrollment
-Device Enrollment
-Intune Enrollment
A device is said to be MDM enrolled when it is managed by an MDM product like Intune. On Windows this means an enrollment to the Intune service (provider "MS DM Server") exists on the device and the device checks in with the service on a schedule.

Any AAD registered device can be Intune enrolled, but not all AAD registered devices are Intune enrolled; it takes more than just AAD registration to become Intune enrolled, but AAD registration (or AAD join) is a minimum requirement.

An Azure AD tenant can be configured for automatic MDM enrollment (the MDM user scope setting under Azure AD > Mobility), so that every AAD device join performed by a user in that scope is also an MDM enrollment. This is not Autopilot: it offers fewer features, but it also has no requirement to register the device prior to join.
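Whether a device is actually MDM enrolled, as opposed to merely AAD joined, and whether Intune or group policy wins on conflicting settings (see Group Policy above), are both recorded on the device itself. The following is an added example for this glossary, not code from the IT Connect page; it reads the Enrollments registry keys and the Policy CSP's registry mirror of ControlPolicyConflict/MDMWinsOverGP, so the device's own view can be compared with what the portal claims.

```powershell
# Added example (not from the IT Connect page): report the device's MDM
# enrollment state and the GP-vs-MDM conflict setting from the registry
# locations Windows keeps them in. Run elevated.
function Get-MdmEnrollmentState {
    $result = [ordered]@{
        Enrolled = $false; Provider = $null; EnrollmentId = $null; UPN = $null; MdmWinsOverGP = $false
    }

    # Each MDM enrollment is a GUID-named subkey; Intune stamps ProviderID "MS DM Server".
    foreach ($key in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.ProviderID -eq 'MS DM Server') {
            $result.Enrolled     = $true
            $result.Provider     = $p.ProviderID
            $result.EnrollmentId = $key.PSChildName
            $result.UPN          = $p.UPN        # the enrolling user, for user-targeted assignments
        }
    }

    # The Policy CSP mirrors applied MDM policies under PolicyManager\current\device\<Area>\<Setting>.
    # MDMWinsOverGP = 1 means Intune settings win over conflicting ADMX-backed group policy.
    $conflict = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict' `
        -Name MDMWinsOverGP -ErrorAction SilentlyContinue
    $result.MdmWinsOverGP = ($conflict.MDMWinsOverGP -eq 1)

    [PSCustomObject]$result
}

$state = Get-MdmEnrollmentState
$state
if (-not $state.Enrolled) {
    # AAD join or registration alone is not MDM enrollment; this is the usual gap.
    Write-Warning 'No Intune enrollment found; the device may be AAD joined or registered only.'
}
elseif (-not $state.MdmWinsOverGP) {
    Write-Warning 'Group policy wins on conflicting ADMX-backed settings until MDMWinsOverGP is set.'
}

# For the full picture (enrollment, provisioning and Autopilot logs in one .cab):
# mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -cab C:\Temp\mdmdiag.cab
```

Pair this with the `dsregcmd` check under Azure AD Hybrid Join: a device that reports "Azure AD joined" there but `Enrolled = False` here is exactly the case the MDM user scope setting is meant to prevent.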

Microsoft Endpoint Configuration Manager
-MECM
-SCCM
-CM
-ConfigMgr
The new name for Configuration Manager, aka SCCM. See https://docs.microsoft.com/en-us/mem/configmgr/core/understand/microsoft-endpoint-manager-faq.
Microsoft Endpoint Manager
-MEM
-Cloud portal
A Microsoft brand and license which includes Configuration Manager, Intune, Desktop Analytics and the Endpoint Manager admin center (the "cloud portal"). MEM refers to the complete set of solutions.
Microsoft Intune
-Intune
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It is the MDM provider associated with the UW Azure AD tenant.

See also Windows Autopilot: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot

Mobile Application Management
-MAM
Refers to the suite of Intune management features that let you publish, push, configure, secure, monitor, and update mobile apps, including app protection policies that apply to an app without the device itself being enrolled.
Mobile Device Management
-MDM
MDM is an industry term for the administration of mobile devices, including smartphones, tablets, laptops, and personal computers that are not necessarily very mobile. MDM seeks to simplify device management at scale across a diverse set of platforms.

MDM capabilities usually include:
-configuration to a consistent standard and set of supported applications via policy
-updating applications and configuration in a scalable manner
-monitoring and tracking devices
-efficient troubleshooting and diagnosis

Security (enforced disk encryption and passcodes, compliance reporting, remote lock and wipe) is often the main reason an MDM solution is adopted.

Windows MDM is based on the Open Mobile Alliance OMA Device Management (OMA-DM) specification. See http://www.openmobilealliance.org/wp/Overviews/dm_overview.html and http://openmobilealliance.org/release/DM/ for more.

Tenant Attach
Tenant attach is where your ConfigMgr device records are uploaded to your MEM portal (tenant), without the devices being enrolled in Intune. This results in cloud attach. The benefits of tenant attach are: Microsoft Defender ATP integration, Desktop Analytics, Endpoint (User Experience) Analytics, and MEM portal visibility, including running some ConfigMgr client actions from the portal.
Windows Autopilot
-Autopilot
A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.

Autopilot is not an imaging or deployment method; it is an initial provisioning method that bootstraps a device, running the OEM's Windows image, into AAD and Intune, and in turn into ConfigMgr if desired. Task sequences can be used in a variety of scenarios, and a feature new in ConfigMgr version 2002 allows a task sequence to be kicked off automatically after the ConfigMgr client agent is installed during Autopilot.

Windows Subscription Activation
Upgrades Windows 10 Pro to Enterprise on an Azure AD joined device based on the signed-in user's subscription license, with no product key and no reimaging. See https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation.


Last reviewed October 21, 2020