Onboarding a Windows Device into M365 Business Premium: Step-by-Step Checklist

This guide provides a comprehensive checklist to onboard a Windows 10/11 device into Microsoft 365 Business Premium, ensuring it becomes fully managed and protected. Each step includes detailed instructions and best practices for both company-owned and personal (BYOD) devices. Follow the steps in order and refer to the notes for special considerations like security policies, personal device handling, and troubleshooting.

Prerequisites and Preparation

Before you begin, make sure the following prerequisites are in place:

• Windows Pro Edition: The device must be running Windows 10/11 Pro (version 1703 or later). Windows 10/11 Home edition does not support Azure AD join or Intune management, and will prompt for an upgrade to Pro[1][2]. (Microsoft 365 Business Premium requires Windows Pro; it provides an upgrade benefit for devices running Windows 7/8/8.1 Pro to move up to Windows 10/11 Pro[1]). Upgrade the OS if needed before onboarding.
  

• Microsoft 365 Business Premium License: Ensure the user of the device has an active M365 Business Premium license assigned. This license includes Azure AD and Intune (mobile device management) rights needed for device enrollment[3], as well as security features like Defender for Business. If the user account is not already in your Microsoft 365 tenant, create it and assign the license.
  

• Internet Connectivity: The device should be online with a reliable internet connection during setup, as it will need to contact Azure Active Directory and Intune cloud services.
  

• Administrative Access: Have administrator credentials ready. You will either need the local admin account on the PC (for preparing settings) or be prepared to log in with the user’s new M365 account which will become a local admin by default on an Azure AD joined device.
  

• Backup Important Data: If the Windows PC was used prior (for example, a personal device being onboarded or a repurposed PC), backup any important files. The onboarding process might create a new user profile or enforce policies (like drive encryption) that could affect existing data. Plan for data migration if needed.

Step-by-Step Onboarding Process

Following is the step-by-step checklist for enrolling the device and applying protections:

1. Enable Microsoft 365 Device Management Features: Prepare your M365 tenant for device onboarding.

   • Set Intune as MDM Authority – In most cases, Microsoft Intune is already the mobile device management authority for Business Premium. Verify this in the Microsoft Endpoint Manager admin center (Intune) settings[3].
     

   • Enable Automatic Enrollment – Configure Azure AD to auto-enroll devices into Intune. In the Azure AD (Entra ID) portal, navigate to Mobility (MDM and MAM) and set MDM user scope to All (or at least to the specific group of users you’re onboarding)[4]. This ensures that when a user registers a device with Azure AD, it automatically gets enrolled in Intune MDM.
     

   • Set Up Compliance & Configuration Policies – Optionally, prepare any Intune compliance policies (requirements like requiring encryption, password complexity, etc.) and configuration profiles (for setting Wi-Fi, enabling BitLocker, etc.) that should apply upon enrollment. Microsoft 365 Business Premium comes with pre-configured default device protection policies that automatically apply baseline security (Defender AV settings, firewall rules, etc.) as soon as devices are onboarded[5]. Review these defaults in the Microsoft 365 Defender portal or Intune and adjust if necessary, or create custom policies for your organization’s needs.
     

   • (Optional) Configure Windows Autopilot – If this is a new or reset Windows device, consider using Windows Autopilot for zero-touch provisioning[6]. Autopilot allows you to pre-register the device in Intune and Azure AD, so that when it first boots, it will automatically join your organization, enroll in Intune, and even install apps/policies during the initial setup experience. This can greatly streamline onboarding for company-owned devices. Ensure you have created an Autopilot deployment profile in Intune if you choose this route. (Skip this if you plan to manually join via Windows Settings.)

2. Prepare the Windows Device: Get the device ready for enrollment.

   • Update Windows OS – Install the latest Windows updates on the PC to ensure it’s up-to-date and secure. This can prevent enrollment issues and ensures the latest Intune management features are available.
     

   • Verify Windows Edition – Double-check that the device is running Windows 10/11 Pro as noted in prerequisites. If the device shows “Windows Home,” upgrade it to Pro before proceeding (M365 Business Premium does not directly upgrade Home editions; a separate purchase or upgrade license may be required[2]).
     

   • Reset if Necessary – If this device was previously used by someone else and you want a clean start (for a new employee or repurposed machine), you might factory reset or use Windows Autopilot Reset to wipe personal data and settings. Starting from a fresh state (out-of-box experience) with Windows Autopilot or normal setup will ensure no old configurations interfere with the new management. (If you reset, you can immediately proceed to Step 3 during the out-of-box setup.)
     

   • Install Company Portal (if BYOD) – For personal devices that will be enrolled but not Azure AD joined, the user should have the Intune Company Portal app available. It can be downloaded from the Microsoft Store. (On company-owned devices using Azure AD join, Company Portal is not strictly required for enrollment, but is useful for device info and installing available apps later.)

3. Register/Join the Device to Azure AD: Connect the Windows device to your organization’s Azure Active Directory, which also initiates Intune management. There are two main paths, depending on ownership:
   a. Company-Owned Device (Azure AD Join) – For organization-owned devices, perform a full Azure AD Join so the device is fully managed:

   • During OOBE (first boot or after reset): When prompted “Who owns this PC?” or to choose setup, select “Set up for an organization”, then sign in with the user’s work (M365) credentials. This will join the device to your Azure AD tenant and enroll it in Intune automatically.
     

   • On an existing Windows install: Log in with a local or existing account that has admin rights, then open Settings > Accounts > Access work or school. Click Connect and in the dialog, choose “Join this device to Azure Active Directory.” Sign in with the user’s Microsoft 365 Business account credentials[3] and follow the prompts. Confirm the organization name and click Join to finalize the Azure AD join[3]. After a moment, you should see a message that the device is connected to Azure AD.
     

   • Switch to the Azure AD User Profile: Once joined, Windows will create a new user profile tied to the Azure AD account. Sign out of the old local account and sign in using the new work account (the email/username just used) at the Windows login screen[3]. This ensures the user is now working in the managed profile. Upon first sign-in, an Enrollment Status screen may appear (if configured) while Intune policies and apps apply. Wait for this to complete.
     

   • (Note: If migrating from a local account, you may need to migrate user data to the new profile. Ensure any needed files from the old profile are copied to OneDrive or transferred, since the user will primarily use the new Azure AD profile going forward.)

   b. Personal BYOD Device (Azure AD Registration) – For personal devices that the user wants to use for work, a full Azure AD join might not be appropriate. Instead, the user can register the device (sometimes called Azure AD Workplace Join) and enroll in Intune without changing their primary local account:

   • In Settings > Accounts > Access work or school, click Connect. This time, sign in with the work account when prompted, but do not select the “Join this device to Azure AD” option if presented. On Windows 11, the process will default to registering the device. On Windows 10, if given a choice, choose “Connect” or “Register” instead of the full join.
     

   • This action adds a Work or School account to the device (visible under the Access work or school section). The device becomes Azure AD registered and MDM enrolled in Intune (since we enabled auto-enrollment) but the user continues to log into Windows with their personal account. Intune will still manage the device’s security settings and apps in a limited way.
     

   • If using the Company Portal app, the user can alternatively open it after signing in with their work account and follow the guided enrollment steps (which achieves the same outcome of device registration and Intune enrollment)[2][7].
     

   • After registration, the user may be prompted to install a management certificate and complete device setup for work. Once done, the device will appear in Intune with “Personal” ownership, and corporate policies (like app protection or some device configurations) will apply without taking full control of the device.

4. Verify Enrollment and Initial Policy Application: Confirm that the device is now managed in Intune and receiving security policies.

   • Check Intune Portal – In the Microsoft Endpoint Manager admin center (Intune), navigate to Devices > Windows > Devices and verify the PC appears on the list. It should show the user’s name and an Enrollment Status (and eventually “Compliant” or “Not Compliant” once evaluation happens). This confirms the MDM enrollment succeeded.
     

   • Apply Baseline Security Policies – Microsoft 365 Business Premium automatically applies certain default security configurations to managed devices. These include Microsoft Defender Antivirus settings (next-generation protection) and Windows Firewall rules to ensure the endpoint is protected from malware and network threats[5]. Additional default policies cover features like web content filtering, controlled folder access (to guard against ransomware by protecting documents), and attack surface reduction (ASR) rules to harden the system[5]. Review these policies in the Intune or Defender for Business portal under device configuration/security policies. They should already be assigned to the device (often via “All Devices” or similar group) so that as soon as the device is onboarded, these protections are in effect[5].
     

   • Enable Device Encryption (BitLocker) – Ensure that BitLocker drive encryption is enabled on the Windows device to protect data at rest. Intune can enforce this via a device configuration profile or compliance policy (e.g., requiring encryption). On Azure AD joined devices, BitLocker can be enabled and the recovery key will be stored to Azure AD automatically. Microsoft recommends enabling BitLocker to secure data in case the device is lost or stolen[8]. If it’s not already on, configure BitLocker manually or through Intune (Settings > Update & Security > Device Encryption/BitLocker, turn it on, and save the recovery key to Azure AD or a safe location).
     

   • Check Microsoft Defender Status – Since Defender is built into Windows 10/11, verify that Microsoft Defender Antivirus is active and updated. Intune’s default “next-gen protection” policy for Business Premium may have configured cloud protection, real-time protection, and automatic sample submission settings[5]. In Windows Security app on the device, ensure no alerts are present and that virus definitions are current.
     

   • Verify Firewall and Other Settings – Confirm the Windows Defender Firewall is enabled on all network profiles (Intune’s firewall policy should enforce this[5]). If a web content filtering policy is provided (via Defender for Business), it will be active at this point to block categorized dangerous sites. Controlled Folder Access and ASR rules (if included or additionally configured by you) should now be turned on to provide ransomware and exploit protection – for example, Offices apps might be prevented from creating executables in certain directories as per ASR rules[5]. You can check these on the device (Windows Security > Virus & threat protection > see Ransomware protection for Controlled Folder Access, and App & browser control for Exploit/ASR settings).
     

   • Note: Microsoft 365 Business Premium includes Microsoft Defender for Business, an enterprise-grade endpoint protection solution. Because the device is enrolled, it is also onboarded to Defender for Business automatically, meaning any alerts or malware detections on this device will show up in the Microsoft 365 Defender security portal. You may group devices or adjust Defender for Business policies via Intune or the security portal as needed (the default policies cover most scenarios). This integration ensures the device is actively monitored for threats.

5. Install and Configure Applications: Set up required applications (especially Microsoft 365 Apps) on the device.

   • Microsoft 365 Apps (Office) – Install the Office suite (Word, Excel, PowerPoint, Outlook, Teams, OneDrive, etc.) if not already present. Since the user has a Business Premium license, they can install Office on their PC. You can push this via Intune by assigning an “Office 365 app” installation policy or have the user log into the https://www.office.com/ and download the installer. Getting the latest Office apps deployed is important for productivity[6][9].
     

   • Microsoft Teams – Teams might be included with the Office install; if not, ensure Teams is installed so the user can collaborate. Intune can also deploy Teams as a separate package if needed.
     

   • OneDrive Sync – Configure the OneDrive client (built into Windows 10/11) to sign in with the user’s work account. This will enable file backup for Desktop/Documents/Pictures (known-folder move) and ensure cloud copies of important files (adding a layer of protection and easy transfer if the device is replaced).
     

   • Company Portal & Other Apps – Verify that the Company Portal app is installed (it often is auto-installed during enrollment on corporate devices). Through Company Portal, publish any additional business applications the user might need (for example, specialized software, VPN client, or browser). The user can open the portal to self-service install any available apps.
     

   • Browser and Productivity Tools – Install or configure required browsers or plugins. For instance, if your organization uses Microsoft Edge, ensure it’s updated and maybe sign the user into Edge with their work account for favorites/password sync. Similarly, install PDF readers or other tools as appropriate.
     

   • Verify App Policies – If you use Intune App Protection Policies (MAM) for mobile apps, ensure that policies for Office apps on the PC are in place if needed. For example, in BYOD scenarios, app policies might restrict saving attachments to personal locations. With full MDM on Windows, much of this is handled via device policy instead, but it’s good to confirm that after Office/Teams installation, the user can access resources (if conditional access requires apps to be protected or device to be compliant, etc., the fact that we onboarded should satisfy that).

6. Configure User Accounts & Access Settings: Set up the user’s accounts on the device with appropriate permissions and security.

   • User Account Type – By default, the first Azure AD account on a Windows 10/11 device is added to the local Administrators group. This means the user will have admin rights on their machine (unless you have configured Intune to restrict this). While this can be convenient for the user, from a security standpoint you may want to restrict admin privileges. Consider using Intune Endpoint Security policy to remove local admin rights or using Azure AD roles for least privilege. At minimum, educate the user to use caution with their admin rights (install only trusted applications, etc.).
     

   • Additional Accounts – If an IT admin or another user needs access to the device, add their account under Settings > Accounts > Other users (for local accounts) or, if they are an Azure AD user, they can sign in directly by selecting “Other user” at the login screen (just ensure the device settings allow other Azure AD users to sign in, which it does by default for Azure AD join). For shared devices, you might create a dedicated local admin account and keep it secured for maintenance tasks.
     

   • Email and Office Apps Login – Have the user open Outlook and configure their work mailbox (with the account that’s already on the device; it should auto-discover in most cases). Likewise, ensure apps like Teams, OneDrive, and Office are activated using the user’s credentials (the Office apps will prompt the user to sign in on first launch if not already).
     

   • Multi-Factor Authentication – Verify that MFA is enabled on the user’s account before they start accessing resources. MFA adds a vital layer of security for sign-ins[9]. If not already enforced, configure MFA in Azure AD and have the user complete registration (using the Authenticator app or SMS/phone). This should be done ideally at first login to any Microsoft 365 app.
     

   • Conditional Access Policies – If your organization uses Azure AD Conditional Access, make sure the appropriate policies are in place for this device/user. For example, you can require that only compliant devices (i.e., Intune-managed and meeting policy) can access certain sensitive apps, or that MFA is required for certain logins[8]. Business Premium includes Azure AD Premium P1, allowing Conditional Access setup. This ensures that the newly onboarded device actually grants the user access to needed services (if the device wasn’t compliant, CA policies might block access, so having our security/compliance policies from step 4 is crucial).
     

   • OneDrive Backup Policy – Optionally, use Intune or user education to enable Known Folder Move (Documents/Desktop/Pictures backup to OneDrive). This protects user data and makes transitions easier.
     

   • User Training on Security – Advise the user on good security practices: e.g. not to install unapproved software, not to disable antivirus or tamper with settings (note: Defender Tamper Protection is on by default to prevent changes), and to report any unusual behavior or warnings (like malware detections) to IT.

7. Verify Compliance and Security Posture: After initial setup, double-check that the device meets all compliance requirements and is fully protected.

   • Intune Compliance Status – In the Endpoint Manager portal, check the device’s Compliance state. If you configured a compliance policy (e.g., requiring BitLocker, a passcode of certain complexity, etc.), ensure the device is marked Compliant. If not, identify what setting is non-compliant and address it (the portal will show which requirement failed). For example, if encryption was required but BitLocker isn’t on, enable BitLocker and then sync the device to re-evaluate compliance.
     

   • Security Center Review – In the Microsoft 365 Defender security portal (security.microsoft.com), navigate to Devices (or the Defender for Business section) and verify the device appears there as Onboarded/Healthy. This indicates it’s reporting into Defender for endpoint protection. Check that no active security alerts are listed for the device.
     

   • Test Policy Enforcement – Perform a quick test of whether policies are active: e.g., try to download the EICAR test file (harmless virus test string) to see if Defender catches it, or attempt an action that should be blocked by policy (for instance, access a blocked website category if web filtering is enabled, or try to save a file to a protected folder by an untrusted app to see if Controlled Folder Access intervenes). These tests can confirm that the protections are working as intended.
     

   • Check Device Configuration – Review the device’s settings to make sure everything configured by policy took effect: encryption is on, antivirus is running, firewall is on, etc. Also check Windows Update settings (under Update & Security) to verify it’s either managed by Intune or set to automatic updates (see next step).
     

   • User Acceptance – Have the end-user confirm they can do all their work: access email, open files, print, use Wi-Fi, etc. Sometimes settings (like firewall or device name change) can incidentally affect things like network drive access or printers; verifying now ensures a smooth handover.

8. Provide User Documentation and Support: As part of onboarding, supply the user with resources and information about their new managed device.

   • Onboarding Guide – Give the user a quick orientation on what it means for their device to be managed. For example, explain that certain security software is running (Defender) and that some settings might be enforced by the company (like password requirements or screensaver lock). If you have an internal Acceptable Use Policy or IT handbook, this is the time to share it and highlight key points (e.g., policies about personal use, installing software, etc.).
     

   • Instruction for Essentials – Provide instructions or documentation for common tasks new to a managed environment: how to log into Office 365, how to access the company SharePoint/Teams, how to use OneDrive for file backup, and how to get support if something goes wrong. If the user is not familiar with MFA, include a brief guide on using the Authenticator app or receiving codes.
     

   • List of Installed Apps and Services – Let the user know what software has been installed or is available. For instance: “Your device has Office 365 (Word, Excel, Outlook, etc.), Teams for collaboration, OneDrive for file backups, and Company Portal for additional apps. If you need any other application, check Company Portal or contact IT.” This sets expectations and encourages them to use the provided tools.
     

   • Privacy and Monitoring Transparency – Especially for BYOD users, clarify what the company can and cannot see on their device. For example, Intune does not collect personal files, browsing history, or photos; it mainly reports device compliance info and enforces policies. Company email and data is protected, and if the device is ever lost or the user leaves, the company can remove its data (through a remote wipe of only work data in the case of BYOD). Being transparent builds trust and ensures the user is comfortable with the management.
     

   • Contact Information – Provide the IT support contact details. Ensure the user knows how to reach the helpdesk or IT admin for any issues (e.g., a phone number or email, and support hours). Encourage them to report incidents like lost device immediately.

9. Ongoing Management and Monitoring: After onboarding, IT should continuously manage and monitor the device through Microsoft 365 services.

   • Microsoft Endpoint Manager (Intune) – Regularly review the device’s status in Intune. Check that it remains compliant and check-in is happening (devices that haven’t reported in for a long time might be offline or have an issue). Intune provides device reports you can consult, and you can even set an alert if a device becomes non-compliant. Through Intune, you can also push future configuration changes or apps to the device as needed.
     

   • Microsoft Defender Security Portal – Monitor security alerts or recommendations for the device. Microsoft Defender for Business will log detections of malware, vulnerabilities, or risky behavior on the endpoint[8]. Ensure someone on the IT team is assigned to follow up on any alerts (e.g., malware quarantined, or abnormal activity). The Defender portal’s incident queue should be checked periodically.
     

   • Conditional Access and Sign-in Logs – Use Azure AD’s sign-in logs and Conditional Access reports to monitor how the device is being used. For example, if there are sign-in attempts from unexpected locations or many failed logins, it could indicate a problem. The device compliance report in Azure AD can show if the device ever falls out of compliance (someone turning off BitLocker, etc.).
     

   • User Feedback – Keep communication open with the user. Check in after a week or two to ensure they aren’t experiencing any problems under management (sometimes policies might need tweaking if they hinder productivity). Also remind them to report any issues promptly.
     

   • Device Grouping – In Intune or Defender, group devices (e.g., all “Sales Laptops” or all “BYOD”) for easier management. This is more for IT organization, but Business Premium allows creating device groups and targeting policies to them[5]. This way, as you onboard more devices, you apply consistent policies and can monitor by groups.
     

   • Logging and Auditing – Ensure that actions like device wipes, policy changes, or user role changes are audited. M365 has audit logs – useful for tracking lifecycle events for the device.

10. Maintenance: Updates and Patching: Keep the device and its software up to date to maintain security over time.

    • Windows Updates – Microsoft 365 Business Premium supports Windows Update for Business, allowing you to manage Windows Updates through Intune policies. Configure update rings in Intune to automatically deploy Windows quality updates (patches) and feature updates on a defined schedule. This ensures the device always has the latest security patches[8]. The device should be set to install updates automatically (often the default). Regularly verify in Intune or on the device (Settings > Windows Update) that updates are being applied successfully.
      

    • Microsoft 365 Apps Updates – Office apps update themselves via Click-to-Run. You can set the update channel via policy (e.g., Monthly Enterprise Channel for less frequent changes or Current Channel for latest features). Make sure the Office apps are updating – users should periodically accept updates if prompted, or IT can force updates via Intune scripting if needed.
      

    • Defender Updates – Defender AV definitions and threat intelligence updates are automatic through Windows Update or cloud delivery. Just ensure the device checks in to Microsoft Update. Intune can report on AV signature status. No heavy action is needed here aside from monitoring.
      

    • Third-Party Software – Keep any other installed software (browsers, PDF readers, etc.) updated. Intune can deploy some app updates or you may need a third-party patching solution for comprehensive coverage. At minimum, enable auto-update within apps (for example, Google Chrome’s auto-update) when possible.
      

    • Periodic Review – It’s wise to periodically review the device’s configuration against your baseline. For instance, every quarter verify BitLocker is still enabled and keys are escrowed, check that the device is running a supported Windows version, and confirm compliance with new policies (if you tightened standards, e.g., required a shorter lock screen timer, etc.).
      

    • User Training Refreshers – As part of maintenance, remind the user about security practices and any new threats (for example, phishing awareness). The human element is critical to maintain protection beyond just technical updates.

11. Troubleshooting Common Onboarding Issues: Be prepared to troubleshoot if things don’t go as planned during device onboarding.

    • Cannot Join or Enroll Device – If the Azure AD join/registration fails or Intune enrollment doesn’t happen, double-check prerequisites: Is the Windows edition Pro? (If the user sees a message about needing Windows 10 Pro, upgrade the OS first[2].) Is the user’s account definitely licensed for Business Premium/Intune? (Without an Intune license, enrollment will be refused.) Also verify the device’s time and region settings are correct (sign-in can fail if the system clock is far off).
      

    • Device Not Showing in Intune – If Azure AD join succeeded but the device doesn’t appear in Intune, ensure auto-enrollment was enabled (Step 1). You may manually initiate enrollment via Company Portal as a fallback. Also, in Azure AD portal check the device’s MDM status; it should list “Microsoft Intune”. If it says “none”, the MDM scope might’ve been misconfigured – set the MDM user scope to All and try again (you can disconnect and re-join the device to Azure AD after fixing MDM settings).
      

    • Policies Not Applying – If the device enrolls but isn’t getting the expected policies or apps, force a sync. On the device, go to Settings > Accounts > Access work or school, click the connected account and choose Info > Sync. Or use Company Portal app’s Sync function. Ensure the device is in the group targeted by the policies. It may take some time (several minutes) after enrollment for everything to come down. In Intune portal, you can view the device’s Device Configuration to see if there are errors applying any profile. Resolve any conflicts or scope issues (e.g., two policies setting contradictory password requirements can cause one to fail).
      

    • User Login or Profile Issues – After Azure AD join, if the user cannot log in with their work account, double-check that the account credentials are correct. If the device says “no logon servers” or similar, that indicates no internet – ensure the device has connectivity at login (Azure AD login needs internet for the first sign-in). If the user is stuck on a temporary profile or cannot see their old data, recall that their old local account is separate – you may need to migrate files (see note in Step 3).
      

    • Compliance Errors – If Intune marks the device non-compliant (and perhaps Conditional Access is blocking the user), review the compliance policy. A common issue is missing BitLocker encryption or an outdated OS version. Have the device implement the required setting (enable BitLocker, install updates, etc.), then sync. If compliance policies require a device reboot (e.g., after encryption) make sure to reboot. You can also initiate a Fresh Scan for compliance from the Intune portal for the device.
      

    • Defender for Business Onboarding – Usually Intune takes care of this. But if in the security portal the device is not listed, you might need to manually onboard it. (This is rare for Business Premium – devices auto-onboard via Intune.) You could download a local onboarding script from the Defender portal and run it on the device as admin[4][4], but ensure this isn’t needed by checking the portal first.
      

    • Support Resources – Be aware of official Microsoft docs and tools for troubleshooting. Microsoft provides a Troubleshooting Windows device enrollment guide with common errors and resolutions[7]. Also, the Intune Diagnostics app (built into Windows 10/11 – accessed via tracker.ddiagnostics in browser) can collect logs if an issue is persistent. Leverage Microsoft support if a blocking issue arises.

12. Handling Personal Devices vs. Company-Owned Devices: Adjust the approach based on ownership of the device.

    • Enrollment Method – For company-owned devices, prefer Azure AD Join with full Intune enrollment (as detailed above) for complete management control. For BYOD (Bring Your Own Device) where users may be cautious about IT control, use Azure AD registration + MAM or ask the user to enroll via Company Portal. This will apply security controls to corporate apps/data without fully taking over the device. Microsoft 365 Business Premium supports both scenarios and includes tools for each.

    • Policy Variations – You can have different Intune policies for personal devices vs. corporate. Intune tags Azure AD joined devices as “Corporate” and registered ones as “Personal”. For corporate devices, you might enforce stricter policies (mandatory BitLocker, software installation restrictions, etc.). For personal devices, you might choose lighter-touch policies or just rely on App Protection (e.g., require a PIN for Outlook app, encryption of work files, but not encrypt the whole device). App Protection Policies keep company data within approved apps and can prevent data from being saved to personal locations[10]. Use Conditional Access to ensure that if a device is not fully compliant or not corporate-owned, the user can only access cloud data in protected apps, not download to device.

    • Data Privacy – Assure BYOD users that their personal content remains private. Intune’s MDM on personal Windows 10/11 will primarily enforce security settings and isn’t poking into personal files. If users are uncomfortable with MDM, you could allow them to access M365 resources via web or MAM-only policies (though on Windows, MAM-only is less common than on mobile). It’s a balance of security vs. user privacy that your organization’s policy should define. Clearly document what corporate IT will manage on a BYOD (perhaps requiring a device PIN, the right to wipe corporate data, etc.).

    • Removal and Support – For corporate devices, IT can fully wipe or re-image the machine as needed (e.g., when the employee leaves or the device is repurposed). For personal devices, if the employee leaves or opts out, you should perform a Selective Wipe (Intune Retire action) to remove only company data/profiles, leaving personal stuff intact[10]. Users should know they can unenroll their personal device if they leave the company, restoring it to purely personal use.

    • Summary of Differences:

      Aspect
      Company-Owned Device (Fully Managed)
      Personal/BYOD Device (Lightly Managed)

      Enrollment
      Azure AD Join + Intune MDM (device appears as Corporate)
      Azure AD Registered + Intune MDM (or MAM only), marked as Personal

      Control Level
      Full control: device-wide policies, full wipe if needed
      Limited control: primarily protects corporate apps/data, can retire corporate data

      Policies Applied
      All device policies (AV, firewall, encryption, etc.) enforced
      Basic device compliances (maybe require AV, PIN) or just app protection policies

      Data Separation
      Not applicable (device is dedicated to company use)
      Company data kept in separate apps/containers[10], personal data not touched by IT

      User Admin Rights
      Typically yes (by default), but IT may restrict if desired
      Yes, it’s the user’s own device – admin rights not removed

      Device Removal
      Full wipe or reassignment via Intune (device can be factory reset remotely)
      Corporate access removed via Retire (apps and accounts removed, no OS reset)[10]

    Both scenarios benefit from Business Premium’s security features, but the implementation will differ to respect ownership. Always apply minimum necessary management for BYOD to secure corporate data while preserving user privacy, and use stronger management on corporate assets where the company has full responsibility for the device.

13. Decommissioning a Device: When a device is no longer needed or is being replaced or the user leaves, properly remove it from management.

    • Intune Retire/Wipe – In the Endpoint Manager portal, locate the device and decide whether to Retire or Wipe it. Retire removes Intune management and all company data (managed apps, profiles, etc.) but leaves personal data intact – use this for BYOD or scenarios where the user keeps the device for personal use[10][8]. Wipe triggers a factory reset (all data removed, device returns to out-of-box state) – use for company-owned devices being repurposed or returned, or a lost device that you need to brick for security. There is also a Selective Wipe specifically for just removing work account data (especially on mobile devices), which is essentially what Retire does for Windows.
      

    • BitLocker Recovery and Key – If the device was encrypted and is being transferred or disposed of, make sure you have the BitLocker recovery key if needed to access the drive. For reuse within company, you might simply re-encrypt after reassigning. For disposal or return to a leasing company, a full wipe (with BitLocker in place) is usually sufficient to ensure data cannot be accessed. You can also choose to securely overwrite the disk if required by policy.
      

    • Azure AD Device Cleanup – In Azure AD > Devices, find the device entry and disable or delete it after it’s been wiped/retired. This removes the object from Azure AD (tidying up the directory and preventing stale entries). If the device was Autopilot-registered, you might also remove its registration if it’s leaving permanently.
      

    • License Reclamation – Unassign any dedicated licenses if the user or device was consuming one (in Business Premium, licenses are per user, so if the user leaves, free up that license in the Microsoft 365 admin center for re-use). There’s no license tied specifically to the device aside from Windows (which is OEM or the upgrade rights); the Windows 10/11 Pro remains on the device for the next owner as it was purchased or obtained via subscription.
      

    • Documentation – Update your asset inventory to mark the device as decommissioned. If it’s being reused for another employee, you’ll be onboarding it again (consider using Autopilot Reset to prepare it). If it’s being disposed or transferred, log that detail. Keep a record of Intune wipe actions and Azure AD deletions (these actions are logged in the audit logs) in case you need proof that data was wiped for compliance.
      

    • User Offboarding – If the user tied to the device is leaving the organization, ensure their M365 account is disabled or removed according to your user offboarding process, and mail/data retention is handled (this is beyond device scope but important for completeness).

By following this checklist, your Windows device should be successfully onboarded to Microsoft 365 Business Premium with full management and protection. The device will be protected by enterprise-grade security (virus protection, firewall, encryption, threat detection) and controlled via Intune policies, as well as monitored for compliance[8][8]. Both the IT administrator and the end-user have clear steps to ensure the device remains secure and functional throughout its life cycle in the organization. This process not only hardens the device against threats but also integrates it into your company’s cloud environment, enabling secure remote work and easy access to resources. Keep this checklist handy for future onboardings, and update it as Microsoft evolves the Business Premium features or your company’s policies change. Good device management is an ongoing process – with the device now in Intune, you are well-positioned to manage updates, security incidents, and eventual offboarding with confidence. [5][8]

References

[1] Does MICROSOFT 365 E3 (not Office 365 E3) include Windows 10 or not!?

[2] new device to add to 365 business account – Microsoft Community

[3] Step-by-Step Guide For Windows Devices Enrollment In Microsoft Intune …

[4] Onboard devices to Microsoft Defender for Business

[5] View or edit device protection policies – Microsoft 365 Business …

[6] Secure managed devices with Microsoft 365 Business Premium

[7] Enroll Windows 10/11 devices in Intune | Microsoft Learn

[8] Overview of Microsoft 365 Business Premium Security

[9] Set up unmanaged devices with Microsoft 365 Business Premium …

[10] Microsoft 365 Business Premium