Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr

Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr? I was going through one of the TechNet documentation and got confused with enrollment restriction policies and device restriction policies. I have posted about both of these policies.

1. “Video Experience Intune Device Restriction Policy Deployment to Windows 10 Device” 

2. “How to Restrict Personal Android Devices from Enrolling into Intune“.

Patch My PC

Device restrictions are entirely different from Enrollment restrictions. Both options have different use cases and that will be explained in this post. These two policies are used in modern device management solutions like Intune and Azure AD.

Enrollment Device Platform Restrictions

Intune Device restriction profiles (Enrollment Device Platform Restrictions) are policies similar to GPO from the traditional device management world. Most enterprise organizations use GPO to restrict corporate-owned devices. These are security policies that need to apply to devices. Intune Device restriction policies control a wide range of settings and features of mobile devices (iOS, Android, macOS, and Windows 10).

  • MDM – Allow or Block
  • Allow – min/max range
  • Personally owned devices – Allow or Block

Device Type Restriction in Intune

1E Nomad

Enrollment device platform restrictions make more sense. Navigate to Devices – Enroll Devices – Enrollment Device Platform Restrictions.

Enrollment Device Platform Restrictions
Enrollment Device Platform Restrictions

This type of policy could be applicable to different categories including security, browser, hardware, and data sharing settings. For example, you could create a device restriction profile policy that prevents users of Windows devices from sharing the internet or using Cortana, etc.

Intune Device Restriction profiles can be deployed to specific users/devices in AAD groups whereas Intune Enrolment restriction policies can’t be deployed to specific user/device groups in Azure AD. More details are available in the following section of this post.

Intune Device Limit Restrictions

Enrollment is the first part of Mobile Device Management (MDM). Why do we need to enroll a mobile device into Intune? Enrollment is the first step for management. When a device is enrolled in Intune, they have issued an MDM certificate, which that device then uses to communicate with the Intune service.

In several scenarios, we need to block employees from enrolling their personal devices into the corporate management platform. You want to block devices that are not secured enough to enroll into Intune. For example, You want to block personal devices from enrolling.

Also, we could be able to block lower OS version devices How is this possible from Intune? Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr

Navigate through Microsoft IntuneEnroll DevicesEnrollment device limit restrictions. You would be able to see two Intune enrollment restrictions policies called

1. Device Type Restrictions and 2. Device Limit Restrictions.

Device Type restriction is where we can define which platforms, versions, and management types can enroll. So all other devices are blocked from Intune enrollment.

The only problem with Intune enrollment restriction that I can think of is: – Device type restrictions in Intune are deployed to “All Users, ” and we can’t deploy or assign Intune enrollment restriction policies to “specific user group”. At the moment, the device type restrictions policies are tenant-wide configurations.

Device Limit Restrictions in Intune

Navigate to Devices – Enroll Devices – Enrollment Device Limit Restrictions to configure the limitation.

Device Limit Restrictions in Intune
Device Limit Restrictions in Intune

Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr?


  • Set Intune enrollment restrictions policies – here 
  • How to configure device restriction settings in Microsoft Intune – here

1 thought on “Difference Between Intune Enrollment Restriction Device Restriction Profile | Configuration Manager ConfigMgr”

  1. Hi Anoop,

    I have setup a POC lab for SCCM and Intune Integration. Everything is working great up to the point where I want to enroll devices.

    I have setup everything that needs to be done from SCCM and Intune perspective. When I view the Platforms Configuration under the default Device Type Restriction Policy located here:

    Home > Microsoft Intune > Device enrollment – Enrollment restrictions > All Users – Platforms Configuration

    It tells me:

    All device platforms are blocked. Allow platform enrollment to enable platform configuration.

    So I go to edit the platforms section to edit the default Device Type Restrictions, allow android enrollment and then save the configuration I get an error and the policy wont save. How can I enable Android enrollment if the policy wont save?

    An error occurred.
    An error occurred while saving. Request ID: 59ea85b9-c6a2-4f71-b1ea-879dfb8d1d73

    Thanks in advance.



Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.