Prevent Personal Windows 10 devices from enrolling into Intune

This post shows how to configure Enrollment Restrictions in Intune to prevent personal Windows 10 devices from enrolling into Intune. It also lists which enrollment methods Intune treats as corporate, and shows the end-user experience when someone tries to enroll a personal device.

The Intune enrollment restrictions support the following platforms:

  • Android
  • Android work profile
  • iOS
  • macOS
  • Windows

However, this post will focus on Windows 10.

Further reading: Set enrollment restrictions https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

Intune treats the following enrollment methods as corporate and allows them to enroll:

  • The enrolling user is using a device enrollment manager account.
  • The device enrolls through Windows AutoPilot.
  • The device is registered with Windows Autopilot but is not an MDM enrollment only option from Windows Settings.
  • The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
  • The device enrolls through a bulk provisioning package.
  • The device enrolls through automatic enrollment from SCCM for co-management.

These corporate enrollment methods will be blocked:

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)
  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

These personal enrollment methods will be blocked:

  • Automatic MDM enrollment with Add Work Account from Windows Settings*.
  • MDM enrollment only option from Windows Settings.

How to block the enrollments that aren’t authorized corporate devices:

To block the enrollment of personal Windows devices, in portal.azure.com or https://devicemanagement.microsoft.com select Intune, Device Enrollment, Enrollment restrictions, then Create restriction. (You can modify the Default restriction instead if you like, but be careful: it targets all users.)


Give it a name, select Device Type Restriction, then click Select platforms. In my example I have allowed all platforms, then clicked OK.


Click Configure platforms. For Windows (MDM), I am going to block Personal enrollments, then click OK.


It now needs to be assigned to a group.

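The same restriction, created and assigned through Microsoft Graph with the Microsoft.Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the SDK is installed and that `$GroupId` is replaced with the object id of the group you want to target; the display name and description are placeholders.

```powershell
# Added example (not from the original post): create a device type restriction that blocks
# personal Windows (MDM) enrollment and assign it to a group, via Microsoft Graph v1.0.
# Assumes the Microsoft.Graph PowerShell SDK. $GroupId is a placeholder for your Azure AD group.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

$GroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: object id of the target group

# Per-platform restriction objects. platformBlocked=$false leaves the platform allowed;
# personalDeviceEnrollmentBlocked=$true is the "Block personal" switch from the portal.
$allowAll = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $false }
$windows  = @{ platformBlocked = $false; personalDeviceEnrollmentBlocked = $true  }

$restriction = @{
    "@odata.type"            = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"
    displayName              = "Block personal Windows enrollment"   # placeholder name
    description              = "Only corporate Windows enrollments (Autopilot, DEM, bulk token, co-management)"
    androidRestriction       = $allowAll
    iosRestriction           = $allowAll
    macOSRestriction         = $allowAll
    windowsRestriction       = $windows
    windowsMobileRestriction = $allowAll
}

# Create the restriction. The Default restriction stays in place as the fallback for everyone else.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations" `
    -Body ($restriction | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign it to the group; an unassigned restriction has no effect.
$assignment = @{
    enrollmentConfigurationAssignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Verify: list every platform restriction and whether it blocks personal Windows enrollment.
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations").value |
    Where-Object { $_.'@odata.type' -like '*PlatformRestrictionsConfiguration' } |
    ForEach-Object {
        "{0} (priority {1}): Windows personal blocked = {2}" -f `
            $_.displayName, $_.priority, $_.windowsRestriction.personalDeviceEnrollmentBlocked
    }
```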

So what happens if I try to enroll a personal Windows 10 device? Each of the following methods is blocked:

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)
  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)
  • Automatic MDM enrollment with Add Work Account from Windows Settings
  • MDM enrollment only option from Windows Settings

You can also view the errors in the Enrollment Status page under Device Enrollment. If I click on the Windows data, I can see the enrollment failures reported as "Enrollment restrictions not met".
