How to Prevent Windows Devices from Enrolling to Intune

1

I have seen a scenario where Intune is exclusively used for managing iOS and Android Devices. Windows devices are managed through SCCM. And there is a requirement to disable or prevent Windows devices from enrolling to Intune. We can achieve this with new Intune Enrollment restriction policies. I have a blog post to explain “How to Use Intune Enrollment Restriction Rules“.

Video Tutorial – Disable Windows Devices from Enrolling to Intune – here

I tested Windows 10 enrollment to Intune via “Add Work or School Account“. This was tested successfully before restricting Windows 10 devices from Intune console. Check out the following message after successful enrollment of Windows 10 device. More details in the above video.

We’ve added your account successfully and you now have access to your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.

Prevent Windows Devices from Enrolling to Intune

Change the Intune Device Enrollment Policy to Restrict Windows Device

Navigate through New Azure portal – Microsoft Intune – Device Enrollment – Enrollment restrictions. You would be able to see two Intune enrollment restrictions policies called 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type restriction is where we can restrict Windows (8.1 +) devices from enrolling to Intune.

This policy will prevent Windows 8.1 and later devices from Intune management. This Include Windows 10 device ENROLLMENT restriction as well. Windows 10 mobile devices will also get blocked when we configure this policy.

Prevent Windows Devices from Enrolling to Intune

End User Experience of Windows 10 Device Restriction

I successfully added Work or School account to Windows 10 1703 device. The one change I noticed through enrollment process is that it didn’t prompt for MFA. The message I received after this enrollment was different from the one I got above. The message was :-

We’ve added your account successfully and you now have access to your organization’s apps and Services.

Moreover, the machine was NOT available in the company portal application under “My Devices” list. So, the device enrollment never failed as I expected. The device got enrolled without any error. But the main question is whether this device would be managed via Intune? Did the device receive Intune policies? And the Answer is there in the below paragraph.

Prevent Windows Devices from Enrolling to Intune

Experience on Azure – Intune Portal for Windows 10 Restriction

The Windows 10 enrolled device was NOT listed in Intune – All Devices (Microsoft AzureMicrosoft Intune – Devices – All Devices). But the device was listed in Azure AD as you can see in the video tutorial here.

The Windows 10 device was listed under Azure AD against users devices (Microsoft Azure – Users and groups – All users > Kaith Nair). But, as you can see in the below screen capture the Windows device is NOT MANAGED by INTUNE. Hence the device won’t get any Intune policies and won’t be managed through Intune. There for it won’t get corporate mail, SharePoint, OneDrive and Skype for Business access.

Prevent Windows Devices from Enrolling to Intune

References :-

  • Set Intune enrollment restrictions policies – here
  • How to configure device restriction settings in Microsoft Intune – here

1 COMMENT

  1. But that also means that NO windows device can be enrolled, right?
    I want only prevent the enrollment of private devices, is that possible?

LEAVE A REPLY

Please enter your comment!
Please enter your name here