The Intune enrollment methods for Windows endpoints are fully covered in the official docs at https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods.
Based on what you've noted, I think this will be a manual process on each device using an account that is a local admin (unless you plan on resetting the devices). Assuming the users have local admin permissions, they can do this themselves, although yes, an IT Pro can also do this using a DEM account. Don't let any IT Pros use their own account for this though.
For devices that aren't AAD joined, assuming they are also not AD joined and just in a workgroup, you can use a provisioning package to both join them to AAD and enroll in Intune.