Tag Archives: Windows 10

Intune: Enrollment restrictions for Windows 10 devices

Yeah, finally it’s here!

Many companies have requested this for a long time, and now it’s possible in Intune to restrict Windows enrollment to corporate-owned devices only. I know for sure that this has been a blocker in many organizations, which has made the shift to modern management for Windows 10 impossible. With this new feature the show can go on 🙂

How to

First, sign in to the Microsoft 365 Device Management portal and go to Device enrollment.

Now go to Enrollment restrictions -> Default (or Create restriction if you want to test it for a small group of users).

Go to Properties -> Configure.

Change ‘Windows (MDM)’ to Block to prevent your users from enrolling personally owned Windows devices into Intune.


When your users try to enroll a personally owned Windows device, they will see the following message, and the device will not be enrolled.

 

Create an Autopilot device group

Windows Autopilot simplifies enrolling devices. With Microsoft Intune and Autopilot, you can give new devices to your end users without the need to build, maintain, and apply custom operating system images to the devices. When you use Intune to manage Autopilot devices, you can manage policies, profiles, apps, and more after they’re enrolled.

I normally create different kinds of groups to support various scenarios. To do so, go to the Microsoft 365 Device Management portal and then Groups -> New group.

In the Group blade:

  • For Group type, choose Security
  • Type a Group name and Group description
  • For Membership type, choose either Assigned or Dynamic Device

If you chose Assigned for Membership type in the previous step, then in the Group blade, choose Members and add Autopilot devices to the group. Autopilot devices that aren’t yet enrolled are devices where the name equals the serial number of the device.

If you chose Dynamic Device for Membership type above, then in the Group blade, choose Dynamic device members and type one of the following rules in the Advanced rule box.

If you want to create a group that includes all of your Autopilot devices, type

(device.devicePhysicalIDs -any _ -contains "[ZTDId]")

If you want to create a group that includes all of your Autopilot devices with a specific order ID, type

(device.devicePhysicalIds -any _ -eq "[OrderID]:159753852456")

If you want to create a group that includes all of your Autopilot devices with a specific Purchase Order ID, type

(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:654258357951")

After adding the Advanced rule code, choose Save and Create.
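The same dynamic group can also be created from a script instead of the portal. This is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups module) is installed, and the helper name New-AutopilotDynamicGroup and the group display names are made up for illustration.

```powershell
# Added example. Assumes the Microsoft.Graph.Groups module and an account
# that is allowed to create groups. Display names are constructed samples.

function New-AutopilotDynamicGroup {   # hypothetical helper, not an Intune cmdlet
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Description = 'Autopilot devices (dynamic membership)',
        # Optional order ID; a double quote would break out of the rule string
        [ValidatePattern('^[^"]*$')] [string] $OrderId
    )

    # Same rules as in the post: all Autopilot devices, or one order ID only
    $rule = if ($OrderId) {
        '(device.devicePhysicalIds -any _ -eq "[OrderID]:{0}")' -f $OrderId
    } else {
        '(device.devicePhysicalIDs -any _ -contains "[ZTDId]")'
    }

    # Do not create a second group with the same display name
    $escapedName = $DisplayName -replace "'", "''"
    $existing = Get-MgGroup -Filter "displayName eq '$escapedName'"
    if ($existing) {
        Write-Warning "Group '$DisplayName' already exists, nothing created."
        return $existing
    }

    # Security group, not mail-enabled, membership evaluated from the rule
    New-MgGroup -DisplayName $DisplayName -Description $Description `
        -MailEnabled:$false -MailNickname ([guid]::NewGuid().ToString('N')) `
        -SecurityEnabled -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All'
New-AutopilotDynamicGroup -DisplayName 'Autopilot - All devices'
New-AutopilotDynamicGroup -DisplayName 'Autopilot - Order 159753852456' -OrderId '159753852456'
```

The rule strings are single-quoted so the straight double quotes inside them reach the service unchanged; typographic quotes copied from a web page are rejected by the rule parser.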