In this post I am going to cover blocking personal Windows devices from enrolling into Intune, and which enrollment methods will still be allowed through as corporate. When you block personal Windows enrollment, the following methods will be the only ways of enrolling into Intune:
- Bulk Enrollment Package
- Enrollment via GPO
- Enrollment via a DEM Account
- Enrollment through Autopilot
- The device is registered with the Autopilot service and the method of enrollment is not “MDM Enrollment Only” from Windows Settings
- The device’s IMEI number is pre-staged in Intune Corporate Identifiers
Now that you know which methods will be allowed, I will show you how to block the rest.
- Navigate to Intune https://aka.ms/intuneportal
- Choose Device Enrollment
- Click Enrollment Restrictions
- Under Device Type Restrictions Choose Default
Note: You can create a new restriction if you only want certain users to have restrictions, but to keep it simple I am going to assume everyone will have the same restrictions and edit the default one.
- Select Properties
- Choose Configure Platforms
- Under the Personally Owned Column Change Windows (MDM) from Allow to Block
- Click OK
- Click Save
There you have it: the restrictions are now in place for all users (provided you used the default restriction).
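To confirm the change outside the portal, the following added example (not part of the original post) audits every device type restriction, including any custom ones created as described in the note above, and flags those that still allow personal Windows enrollment. It assumes the Microsoft Graph v1.0 `deviceEnrollmentConfigurations` resource and its `windowsRestriction` properties; the JSON is a constructed sample so the script runs offline, and the function name is hypothetical.

```powershell
# Added example: audit the Windows (MDM) personal-enrollment setting in device type restrictions.
# Live data (assumption: Microsoft.Graph PowerShell SDK installed and a read scope consented):
#   Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'
#   $json = Invoke-MgGraphRequest -Method GET -OutputType Json `
#       -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$json = @'
{ "value": [
  { "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "id": "00000000-0000-0000-0000-000000000000_DefaultPlatformRestrictions",
    "displayName": "All users and all devices", "priority": 0,
    "windowsRestriction": { "platformBlocked": false, "personalDeviceEnrollmentBlocked": true } },
  { "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "id": "11111111-1111-1111-1111-111111111111_Constructed",
    "displayName": "Contractors (constructed sample)", "priority": 1,
    "windowsRestriction": { "platformBlocked": false, "personalDeviceEnrollmentBlocked": false } },
  { "@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
    "id": "00000000-0000-0000-0000-000000000000_DefaultLimit",
    "displayName": "All users and all devices", "priority": 0, "limit": 5 }
] }
'@

function Get-WindowsPersonalEnrollmentState {
    param([Parameter(Mandatory)][string]$Json)
    $configs = (ConvertFrom-Json -InputObject $Json).value
    foreach ($c in $configs) {
        # Only device type (platform) restrictions carry a windowsRestriction block
        if ($c.'@odata.type' -ne '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration') { continue }
        $w = $c.windowsRestriction
        [pscustomobject]@{
            Name                   = $c.displayName
            IsDefault              = $c.id -like '*_DefaultPlatformRestrictions'
            Priority               = $c.priority
            WindowsPlatformBlocked = [bool]$w.platformBlocked
            PersonalWindowsBlocked = [bool]$w.personalDeviceEnrollmentBlocked
        }
    }
}

$state = Get-WindowsPersonalEnrollmentState -Json $json
$state | Format-Table -AutoSize
# A restriction is a gap if Windows is allowed at all and personal devices are not blocked
$gaps = $state | Where-Object { -not $_.PersonalWindowsBlocked -and -not $_.WindowsPlatformBlocked }
foreach ($g in $gaps) { Write-Warning "Personal Windows enrollment still allowed by '$($g.Name)'" }
```

With the constructed sample, the default restriction reports as blocked and the warning names only the custom "Contractors" restriction.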