Now it is finally available – that being the feature to restrict enrollment for Windows device in Intune to corporate owned device only. There is many companies that will not allow there user to enroll private owned devices in there corporate environment. It has been a possibility for some time on other device type like IOS, Android and macOS.
The following methods qualify as being authorized as a Windows corporate enrollment:
- The enrolling user is using a device enrollment manager account.
- The device enrolls through Windows AutoPilot.
- The device is registered with Windows Autopilot but is not an MDM enrollment only option from Windows Settings.
- The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
- The device enrolls through a bulk provisioning package.
- The device enrolls through automatic enrollment from SCCM for co-management.
How to set it up:
Start the Microsoft 365 Device Management portal
Click on Device enrollment
- Click Enrollment restrictions
- Click Default
- Click Properties
- Click Configure
- Click Block
Now the end user is not allowed to enroll a personal Windows Devices.
What is the end user experience like:
When trying to enroll a device from the settings app on Windows 10
- Access work or school
- Enroll only in Device management
- Enter the Azure AD credential
Then this message will show up for the end user
There is many scenarios where the device enrollment restriction can be of value – but please only use it if you need it and under no circumstances allow your users to use there own devices.
If you allow users to use there own devices – I will be a great idea to let the end user be able to enroll there devices so that they can be Intune managed and be marked as compliant to use with Conditional Access.
Is there a way to mark a device as corporate before it enrolls? Such as the using the serial number with mobile devices?
Or is it only AutoPilot? Does WCD package mark it as corporate?