Support tip: Unblock Windows “Set up for Work or School” enrollment

Hi Jason Katz , with the enrollment restrictions in place (blocking personally owned devices) then any Windows device not considered as corporate it is blocked. Personal enrollment is not permitted if you block it.

Practically speaking, if Intune can somehow recognize the device as a corporate device:

HW IDs for Autopilot -> uploaded by OEM or you for preapproved devices

Domain Join for GPO / SCCM -> If the device is domain joined / SCCM managed then it's always corporate by definition

Device Enrollment Manager account -> the IT is in control of this account

Bulk Provisioning Package -> the IT is in control of this package

it will allow enrollment, otherwise it will block it. This is what you typically want if you don't have a BYOD scenario going on / your org owns all the Windows devices.

If you leave the device restrictions open, allowing both corporate and personal devices then Intune will mark as corporate any device falling in these categories, and any other device will be considered as personal. This is what you typically want if BYOD is permitted in your organization.

Please note that in the case of Azure AD Joined devices (and only for those) this goes hands in hands with who can actually join them to Azure AD and it is regulated on Azure AD side, by default everyone can. The most restrictive of the two (Enrollment Restrictions + Azure AD Join restrictions) wins:

If everybody can Azure AD Join BUT only corporate devices are permitted -> Azure AD Join of personal devices will fail.

If everybody can Azure AD Join AND personal devices are permitted -> Azure AD Join of personal devices will succeed.

If nobody can Azure AD Join -> Enrollment restrictions does not matter anymore.

Please remember to enable automatic enrollment for Azure AD Joined devices.

I think this article is at most incomplete because you can't dismiss some complex subject as this with a few lines saying "just let anyone enroll their home PC into your tenant". It should have been paraphrased better. This way it's really dangerously incomplete because if people just go and put the gates looses, then the fiesta of user owned PCs in your tenant begins.

LucaCavana , thanks for sharing.  So essentially with the device enrollment restriction in place (only allowing corporate enrollment) by default the device enrollment is considered personal.  Exceptions being enrollment via the Device Enrollment Manager and Autopilot, along with a few other methods mentioned in the doc you've linked.

Does that seem correct?  Just want to make sure I fully understand.  

Thank you!

LucaCavana  Duly noted ... I was trying to differentiate my questions from the quotes.

Thanks for the link ... it has the answer I was looking for.

JeffH88 please don't write in all caps, it's considered bad etiquette and spoils the pleasure of helping others.

You can refer to this Docs to understand how Intune differentiates between Windows personal or corporate devices: Set enrollment restrictions in Microsoft Intune | Microsoft Docs.

For this particular scenario, being enrollment by the OOBE screen, if you login with a Device Enrollment Manager account it will be recognized as corporate, otherwsie if you login with a normal user account it will be recognized as personal.

In relation to Jason Katz's question above ...

"Some customers run into issues during the out-of-box experience (OOBE) when enrolling Windows devices, specifically when the device is recognized as a personal device and the tenant does not allow for this device type."

HOW IS THE DEVICE "RECOGNIZED AS A PERSONAL DEVICE" WHEN ALL THE USER HAS DONE SO FAR IS TURN IT ON AND LET IT BOOT TO THIS SCREEN?

" This scenario can occur during device setup when the user chooses Set up for work or school and then signs in with an organization-linked Azure Active Directory (Azure AD) account."

ISN'T THIS EXACTLY HOW USERS ARE SUPPOSED TO ENROLL CORPORATE DEVICES?

To clarify -- these are for Windows Pro versions, opposed to Windows Home versions? 

To my understanding "Setup for Work or School" creates an Azure AD Join (as opposed to a registration).  For the OOBE and initial enrollment, can you provide an example where the device would be recognized as Personal prior to registration with Work or School?