Blog Post

Intune Customer Success
1 MIN READ

Support tip: Unblock Windows “Set up for Work or School” enrollment

Liz_Cox's avatar
Liz_Cox
Icon for Microsoft rankMicrosoft
Jan 25, 2022
Some customers run into issues during the out-of-box experience (OOBE) when enrolling Windows devices, specifically when the device is recognized as a personal device and the tenant does not allow fo...
Updated Dec 19, 2023
Version 10.0
Mobile Device Management (MDM)
Support Tip
windows
LucaCavana's avatar
LucaCavana
Iron Contributor
Jan 29, 2022

Hi Jason Katz , with the enrollment restrictions in place (blocking personally owned devices) then any Windows device not considered as corporate it is blocked. Personal enrollment is not permitted if you block it.

 

Practically speaking, if Intune can somehow recognize the device as a corporate device:

HW IDs for Autopilot -> uploaded by OEM or you for preapproved devices

Domain Join for GPO / SCCM -> If the device is domain joined / SCCM managed then it's always corporate by definition

Device Enrollment Manager account -> the IT is in control of this account

Bulk Provisioning Package -> the IT is in control of this package

it will allow enrollment, otherwise it will block it. This is what you typically want if you don't have a BYOD scenario going on / your org owns all the Windows devices.

 

If you leave the device restrictions open, allowing both corporate and personal devices then Intune will mark as corporate any device falling in these categories, and any other device will be considered as personal. This is what you typically want if BYOD is permitted in your organization.

 

Please note that in the case of Azure AD Joined devices (and only for those) this goes hands in hands with who can actually join them to Azure AD and it is regulated on Azure AD side, by default everyone can. The most restrictive of the two (Enrollment Restrictions + Azure AD Join restrictions) wins:

If everybody can Azure AD Join BUT only corporate devices are permitted -> Azure AD Join of personal devices will fail.

If everybody can Azure AD Join AND personal devices are permitted -> Azure AD Join of personal devices will succeed.

If nobody can Azure AD Join -> Enrollment restrictions does not matter anymore.

Please remember to enable automatic enrollment for Azure AD Joined devices.

 

I think this article is at most incomplete because you can't dismiss some complex subject as this with a few lines saying "just let anyone enroll their home PC into your tenant". It should have been paraphrased better. This way it's really dangerously incomplete because if people just go and put the gates looses, then the fiesta of user owned PCs in your tenant begins.