I see more and more customers that are allowing Azure Active Directory join of Windows 10 Devices also with automatic MDM enrollement into Intune, and many are concerned about letting personal devices getting into Intune and there for having the possibility to be complaint. When a device is compliant, we can use it to give access to corporate resources with Conditional Access.
There is a way to block Intune enrollment of personal devices, but it requires that you need to understand the consequences for doing that.
A Windows device that the end user is enrolling into Intune is personal unless that you tell Intune that it is a corporate device or you AzureAD join from OOBE.
A corporate Windows devices is also:
- Hybrid joined Windows device with automatic MDM enrollment GPO set
- SCCM Co-managed device
- Autopilot device
- Bulked enrolled with WCD or set up school PC
- Enrollment with a Device Enrollment Manager
How to configure the device restriction to only allow corporate Windows device
Start the Microsoft 365 device management portal
- Click on Device enrollment
- Click on Device restriction
- Click on default
- Click on properties
- Click on Select platforms
- Ensure that you are allowing Windows (MDM) enrollment set to allow or all Windows enrollment will be blocked
- Click on properties
- Click on configure
- Click on block for Windows personally owned
From a end user perspective they will get a welcome message when the device is a Autopilot device
Note: If you are injecting the AutopilotConfigurationFile.json file in you image solution or other ways with out uploading the Autopilot device information to Intune, it does not have a corporate ID in Intune and are there for a personal device!
But when it is not a Autopilot device – AKA a personal device the end user will get a error message that the device will not enroll and you need to contact your system administrator
If you have configured Windows Information Protection (WIP) without enrollment it will still work.
When a user is installing Office365 ProPlus C2R from https://office365download.com after the installation has ended the end user normally just click yes without reading what there is written – and if WIP is not configured and the end user will get a error here. In my case WIP without enrollment is configured to secure access to corporate data.
The device will be registered to AzureAD so that Microsoft can check Office activation and check if the device need to be automatic MDM enrolled, WIP without enrollment or just do the device registering
After is it done you can check in the settings app that the device mas a management server address : https://wip.mam.manage.microsoft.com that shows it is not managed but get the WIP without enrollment policy from Intune (This still requires a Intune license)
Happy testing 🙂
Blocking personal Windows devices