Allow Deployment of Win32 Apps and PowerShell scripts without Autoenrollment
After much digging into why Win32 (preview) apps were not deploying to end users, I found a comment on this page by Jason Hartman: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Sneak-peek-Public-preview-of-Win32-application-deployment-using/ba-p/264460
The Intune Management Extension is only installed when a device is auto-enrolled via Azure AD. Deployment of Win32 Apps and PowerShell scripts requires the Intune Management Extension.
Auto-enrollment requires a very expensive Azure AD P2 license that costs more than Intune itself, presumably because it contains many advanced features not particularly related to MDM. However, app deployment and PowerShell scripts are fundamental to MDM.
Charles Roller commented
You should be using Intune with at least Azure AD P1, preferably EMS E3 for the best experience. That being said, the device does need to be Azure AD Joined or Hybrid Azure AD Joined to receive the management agent. A regular Intune enrollment through the company portal or device settings only does an Azure AD Register and hence, no management extension.
P1 is still an additional license on top of Intune, whose primary purpose is almost entirely unrelated to Intune. It's unclear whether the IME is intentionally not included, and there is no fix for devices already enrolled that are missing IME.
Mark Thomas commented
P2 isn't needed for auto-enrolment, only P1 which comes with EMS E3.
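To check a device against the join-state condition described in Charles Roller's comment, the following added example (not from the thread or from Microsoft) classifies `dsregcmd /status` output and reports whether the management extension is present. The function name `Get-JoinState`, the sample text, and the service name `IntuneManagementExtension` are assumptions of this example.

```powershell
# Added example: classify Azure AD join state from `dsregcmd /status` text and
# compare it with the presence of the Intune Management Extension (IME) service.
function Get-JoinState {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$StatusText
    )
    # dsregcmd prints "Name : YES|NO" pairs; collect the three flags we need.
    $flags = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($flags['AzureAdJoined'] -and $flags['DomainJoined']) { 'HybridAzureADJoined' }
    elseif ($flags['AzureAdJoined'])                          { 'AzureADJoined' }
    elseif ($flags['WorkplaceJoined'])                        { 'AzureADRegistered' }
    else                                                      { 'NotJoined' }
}

# Constructed sample: a device enrolled through the Company Portal (registered only).
$sample = @(
    '             AzureAdJoined : NO',
    '',
    '              DomainJoined : NO',
    '           WorkplaceJoined : YES'
)
"Sample device state: $(Get-JoinState -StatusText $sample)"

# Live check on the local machine, when dsregcmd is available.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $state = Get-JoinState -StatusText (dsregcmd.exe /status)
    # Assumed service name for the IME agent; absent service means no IME.
    $ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        JoinState    = $state
        # Per the comment above: only joined or hybrid-joined devices get the agent.
        ImeExpected  = $state -in 'AzureADJoined', 'HybridAzureADJoined'
        ImeInstalled = [bool]$ime
        ImeStatus    = $(if ($ime) { $ime.Status } else { 'absent' })
    }
}
```

A device that reports `AzureADRegistered` with `ImeInstalled` false matches the situation described in the original post.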