IAMinerva
HomeBlogAbout
m3M365 NewscoMicrosoft CopilotteMicrosoft TeamsshSharePoint & OneDriveinIntune & SecurityexExchange & OutlookpoPower PlatformazAzure & Entra IDtuTutorials & GuidesevEvents & ConferencesseSecuritywiWindows
IAMinerva

Professional blog dedicated to the Microsoft 365 ecosystem.

Quick links

HomeBlogAboutNewsletter

Stay informed

Get the latest Microsoft 365 news delivered straight to your inbox.

© 2026 IAMinerva. All rights reserved.

Built withNext.js&Tailwind
Comment désactiver l'inscription des appareils Windows personnels dans Intune
BlogIntune & SecurityHow to Disable Personal Windows Device Enrollment in Intune
Intune & Security#Intune#For IT Professionals#MDM

How to Disable Personal Windows Device Enrollment in Intune

Learn how to globally disable personal Windows device enrollment in Intune for better BYOD management in your business environment.

Houssem MAKHLOUF
February 22, 2026
4 min read

TL;DR par Minerva

généré par IA

Learn how to globally disable personal Windows device enrollment in Intune for better BYOD management in your business environment.

Introduction

Managing personal Windows devices in a BYOD (Bring Your Own Device) environment can be complex. Thanks to a new feature, available in public preview, Intune administrators can now prevent users from enrolling their personal devices in Microsoft Intune, thus simplifying policy management.

i

Good to know

The feature discussed in this article is currently available in public preview. Details may change before general availability.

Context: Device Registration under Workplace Join

For Windows devices that are neither Entra Join nor Entra Hybrid Join, users can register their device or the specific application in the organization's directory, a process known as Workplace Join. This creates a registration in Entra with the status "Entra Registered" and enables SSO (Single Sign-On) for work or school accounts on the device.

Before this new feature, users saw a prompt where instructions were not always clear, often pushing them to inadvertently enroll their devices in Intune. In most cases, this resulted in the device being classified as Personal instead of Corporate, thus complicating management for administrators.

Changes in User Prompts

The new options simplify the registration process. Here's what changes:

  • If the user chooses NO: The device is only registered in Entra, but is not enrolled in Intune.
  • If the user chooses YES: The device is enrolled in Intune in addition to being registered in Entra.

However, duplicate registrations in Entra with different usernames could complicate device tracking. These new options strengthen conditional access control policies for BYOD devices, but are less useful for corporate devices.

✩

Tip

When an MDM enrollment prompt appears, it is recommended to select only "This app only" to avoid automatic enrollment of the entire device.

New Feature: Global BYOD Enrollment Blocking

In the current public preview, Intune administrators have a feature that allows them to globally block personal device enrollment. This means users will no longer see the "Yes" or "No" option when the "Allow your organization to manage your device" prompt appears.

The device will still be registered in Entra, but will not be enrolled in Intune, thus reducing the risk of unwanted management of personal devices.

Observations and Current Limitations

It is important to note that in public preview, when multiple user accounts are added on the same device, the enrollment process may not be consistent. Example: when the second account is added, the device may be automatically enrolled in Intune. In this case, it is necessary to disconnect the account via Settings -> Work or school access -> Disconnect before the expected behavior is restored.

!

Caution

Since this feature is in public preview, it is advisable to test it carefully before deploying it in a production environment.

Tutorial: Enable Global Blocking in Intune

1

Access the Intune console

Sign in to the Microsoft Endpoint Manager Admin Center and select "Intune".

2

Configure MDM

Navigate to Tenant Administration > Connectors and tokens > MDM Configuration and enable the global blocking feature for BYOD.

3

Test the configuration

Test this configuration on a personal device by following the usual enrollment steps. Verify that Intune enrollment is blocked.

Glossary

  • BYOD: Bring Your Own Device, use of personal devices in a business environment.
  • Entra Join: Process of integrating devices with Azure AD.
  • SSO: Single Sign-On, single authentication to access multiple systems.
  • MDM: Mobile Device Management, management of mobile devices.

Useful Links

  • Official Microsoft Intune Documentation
  • Azure AD Join Configuration Guide
  • BYOD Best Practices with Intune
Share:
HM

Houssem MAKHLOUF

Microsoft 365 enthusiast & IT professional.

Previous article

Microsoft Entra Global Secure Access: Complete SSE/ZTNA Guide to Replace Your VPN Infrastructure

Feb 19, 2026
Next article

Security Exposure Management in Microsoft 365: From Vulnerability Detection to Risk Reduction

Feb 23, 2026

Related articles

Réseau représenté par des cercles connectés et une horloge sur fond noir.intune

Intune EPM: Network Configuration and Time Synchronization

Explore the new EPM features in Microsoft Intune enabling secure management of network settings and time synchronization. Discover how to configure the rules.

Jun 26, 20264 min
Intune : Resoudre l'erreur x-msft-approval-justificationintune

Intune: Resolving the x-msft-approval-justification Error

Fix Intune Multi Admin Approval errors. Technical guide to integrate MAA exclusions and resolve x-msft-approval-justification.

Jun 24, 20264 min
Comment empĂȘcher les invitĂ©s d'inviter d'autres invitĂ©s dans Microsoft Entraazure

How to Prevent Guests from Inviting Other Guests in Microsoft Entra

Prevent guests in Microsoft Entra from adding other users by configuring external permissions. Follow this guide to secure your tenant.

Jun 11, 20263 min