MicrosoftStephen600 I think you can work around this problem.
Since you buy smaller batches you can still enroll them as corporate and block personal devices by just inserting the hardware IDs into the Autopilot service but not using Autopilot (just don't assign an Autopilot profile).
If you look here: Set enrollment restrictions in Microsoft Intune | Microsoft Docs it says this about corporate devices: The device is registered with Windows Autopilot but isn't an MDM enrollment only option from Windows Settings.
So basically you use Automatic MDM enrollment through OOBE that would normally be blocked but if the device has the hardware ID registered it is allowed anyway, even if it isn't enrolling through Autopilot.
I didn't test this scenario myself, but if you will, would you report your testing back?
