How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10?
I have seen a scenario where Intune is used exclusively for managing iOS and Android devices.
Windows devices are managed through SCCM, and there is a requirement to disable or prevent Windows devices from enrolling in Intune.
We can achieve this with the new Intune enrollment restriction policies. I have a blog post that explains “How to Use Intune Enrollment Restriction Rules”.
Video Tutorial – Disable Windows Devices from Enrolling to Intune – here
Add Work or School Account
I tested Windows 10 enrollment to Intune via “Add Work or School Account”. This was tested successfully before restricting Windows 10 devices from the Intune console.
Check out the following message after successful enrollment of the Windows 10 device. More details are in the above video.
“We’ve added your account successfully, and you now have access to your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”
Change the Intune Device Enrollment Policy to Restrict Windows Device
Navigate through the new Azure portal – Microsoft Intune – Device Enrollment – Enrollment restrictions. You will see two Intune enrollment restriction policies: 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type Restrictions is where we can restrict Windows (8.1 and later) devices from enrolling to Intune.
This policy will prevent Windows 8.1 and later devices from Intune management. This includes Windows 10 device enrollment restriction as well. Windows 10 Mobile devices will also get blocked when we configure this policy.
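Added example, not from the original post: a PowerShell audit that reads the tenant’s Device Type Restriction policies through Microsoft Graph and reports what each one does to Windows enrollment. It assumes the Microsoft Graph PowerShell SDK, the DeviceManagementServiceConfig.Read.All permission, and the Graph resource deviceEnrollmentPlatformRestrictionsConfiguration with its windowsRestriction.platformBlocked and personalDeviceEnrollmentBlocked properties; the function names and the sample JSON are constructed for this example.

```powershell
# Added example (not the post's own code). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Authentication). Property names come from the Graph
# resource deviceEnrollmentPlatformRestrictionsConfiguration; function names are hypothetical.

function Convert-EnrollmentRestriction {
    # Flatten one deviceEnrollmentConfigurations entry into an audit record for Windows.
    param([Parameter(Mandatory)] $Config)
    $w = $Config.windowsRestriction
    $effect = if ($w.platformBlocked) { 'All Windows enrollment blocked' }
              elseif ($w.personalDeviceEnrollmentBlocked) { 'Only personally owned Windows blocked' }
              else { 'Windows enrollment allowed' }
    [pscustomobject]@{
        DisplayName            = $Config.displayName
        Priority               = $Config.priority            # as stored by Graph; precedence is shown in the portal
        WindowsBlocked         = [bool]$w.platformBlocked
        WindowsPersonalBlocked = [bool]$w.personalDeviceEnrollmentBlocked
        Effect                 = $effect
    }
}

function Get-IntuneWindowsEnrollmentRestriction {
    # Live query: every Device Type Restriction policy in the tenant and its effect on Windows.
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome
    $uri  = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $page.value |
        Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } |
        ForEach-Object { Convert-EnrollmentRestriction $_ }
}

# Constructed sample response (no tenant needed): the default policy allows Windows and a
# second policy blocks it, which is the configuration the post describes.
$sample = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "displayName": "All users and all devices", "priority": 0,
    "windowsRestriction": { "platformBlocked": false, "personalDeviceEnrollmentBlocked": false } },
  { "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "displayName": "Block Windows - SCCM managed", "priority": 1,
    "windowsRestriction": { "platformBlocked": true, "personalDeviceEnrollmentBlocked": true } }
]}
'@
($sample | ConvertFrom-Json).value |
    ForEach-Object { Convert-EnrollmentRestriction $_ } |
    Format-Table -AutoSize
```

Run Get-IntuneWindowsEnrollmentRestriction against a real tenant to confirm that the Windows block is in place before relying on it; a policy with only personalDeviceEnrollmentBlocked set still lets corporate-owned Windows devices enroll.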
End-User Experience of Windows 10 Device Restriction
I successfully added a Work or School account to a Windows 10 1703 device. The one change I noticed during the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received was different from the one I got above. The message was:
“We’ve added your account successfully, and you now have access to your organization’s apps and Services.”
Moreover, the machine was NOT available in the Company Portal application under the “My Devices” list. So the enrollment did not fail as I had expected; the device enrolled without any error.
But the main question is whether this device would be managed via Intune. Did the device receive Intune policies? The answer is in the next section.
Experience on Azure – Intune Portal for Windows 10 Restriction
The enrolled Windows 10 device was NOT listed in Intune – All Devices (Microsoft Azure – Microsoft Intune – Devices – All Devices). But the device was listed in Azure AD, as you can see in the video tutorial here.
The Windows 10 device was listed under Azure AD against the user’s devices (Microsoft Azure – Users and groups – All users > Kaith Nair). But, as you can see in the below screen capture, the Windows device is NOT MANAGED by INTUNE.
Hence the device won’t get any Intune policies and won’t be managed through Intune. Therefore it won’t get corporate mail, SharePoint, OneDrive, or Skype for Business access.
- Set Intune enrollment restrictions policies – here
- How to configure device restriction settings in Microsoft Intune – here
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
5 thoughts on “How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10”
But that also means that NO Windows device can be enrolled, right?
I only want to prevent the enrollment of private devices; is that possible?
Quick question: I want to go for device auto-enrolment to AAD and Intune, but I don’t want the user to be the local admin for that device. I have enabled the GPO but it has not helped.
We have an option to remove the admin rights via AutoPilot profiles
Do you know the device enrollment restriction also restricts HAADJ auto enrollment?
HAADJ devices are treated as corporate-owned devices and mostly enrolled using group policy. I’m not 100% sure whether it’s supported or not. But it’s worth a try.