Introduction
Managing personal Windows devices in a BYOD (Bring Your Own Device) environment can be complex. A new feature, currently in public preview, lets Intune administrators prevent users from enrolling their personal Windows devices in Microsoft Intune, which simplifies policy management.
Good to know
The feature discussed in this article is currently available in public preview. Details may change before general availability.
Context: Device Registration under Workplace Join
For Windows devices that are neither Entra joined nor Entra hybrid joined, users can register the device (or a single application) in the organization's directory, a process known as Workplace Join. This creates a device object in Microsoft Entra ID with the join type "Entra registered" and enables SSO (Single Sign-On) for work or school accounts on the device.
Before this feature, users saw a prompt whose wording was not always clear and that often led them to enroll the device in Intune without meaning to. In most cases the device was then classified as Personal rather than Corporate, which complicated management for administrators.
Changes in User Prompts
The new options simplify the registration process. Here's what changes:
- If the user chooses NO: The device is only registered in Entra, but is not enrolled in Intune.
- If the user chooses YES: The device is enrolled in Intune in addition to being registered in Entra.
However, duplicate registrations of the same device in Entra under different user names can complicate device tracking. These options make the registered state of BYOD devices a more reliable signal for Conditional Access policies, but they are of little use for corporate devices.
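The duplicate-registration problem can be audited from the directory side. The following PowerShell is an added example written for this article, not code from the original post or from any Microsoft tooling. It assumes the Microsoft Graph PowerShell SDK (Get-MgDevice, Get-MgDeviceRegisteredUser) for live use; the device list it runs on here is constructed sample data so that the function can be tried offline.

```powershell
# Added example, not from the original article: find Windows devices that are
# Entra registered (Workplace Join, trustType "Workplace") more than once, show
# which users registered them, and count how many of those objects Intune manages.
# $SampleDevices below is constructed sample data so the function runs offline;
# the commented Get-MgDevice block at the end shows how to feed it real tenant data.

function Get-WorkplaceJoinDuplicates {
    param(
        # Objects with DisplayName, TrustType, IsManaged, OperatingSystem, RegisteredUser
        [Parameter(Mandatory)] [object[]] $Devices
    )
    $Devices |
        Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.TrustType -eq 'Workplace' } |
        Group-Object -Property DisplayName |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName    = $_.Name
                Registrations = $_.Count
                Users         = ($_.Group.RegisteredUser | Sort-Object -Unique) -join ', '
                IntuneManaged = @($_.Group | Where-Object { $_.IsManaged }).Count
                Duplicate     = $_.Count -gt 1
            }
        } |
        Sort-Object -Property Registrations -Descending
}

# Constructed sample: LAPTOP-01 is registered twice under two accounts and one of
# those registrations is also Intune-enrolled; LAPTOP-02 is registered once;
# DESKTOP-07 is Entra joined (not Workplace Join) and is therefore ignored.
$SampleDevices = @(
    [pscustomobject]@{ DisplayName='LAPTOP-01';  TrustType='Workplace'; IsManaged=$false; OperatingSystem='Windows'; RegisteredUser='alice@contoso.example' }
    [pscustomobject]@{ DisplayName='LAPTOP-01';  TrustType='Workplace'; IsManaged=$true;  OperatingSystem='Windows'; RegisteredUser='bob@contoso.example' }
    [pscustomobject]@{ DisplayName='LAPTOP-02';  TrustType='Workplace'; IsManaged=$false; OperatingSystem='Windows'; RegisteredUser='carol@contoso.example' }
    [pscustomobject]@{ DisplayName='DESKTOP-07'; TrustType='AzureAd';   IsManaged=$true;  OperatingSystem='Windows'; RegisteredUser='' }
)
Get-WorkplaceJoinDuplicates -Devices $SampleDevices | Format-Table -AutoSize

# Live tenant (requires the Microsoft.Graph module and consent to Device.Read.All
# and User.Read.All). Uncomment to run against your directory:
# Connect-MgGraph -Scopes 'Device.Read.All','User.Read.All'
# $live = Get-MgDevice -All | ForEach-Object {
#     $u = Get-MgDeviceRegisteredUser -DeviceId $_.Id | Select-Object -First 1
#     [pscustomobject]@{
#         DisplayName     = $_.DisplayName
#         TrustType       = $_.TrustType
#         IsManaged       = $_.IsManaged
#         OperatingSystem = $_.OperatingSystem
#         RegisteredUser  = $u.AdditionalProperties['userPrincipalName']
#     }
# }
# Get-WorkplaceJoinDuplicates -Devices $live | Where-Object Duplicate
```

On the sample data the report lists LAPTOP-01 with two registrations (alice and bob, one of them Intune-managed) flagged as a duplicate, and LAPTOP-02 with one. Rows where Duplicate is true and IntuneManaged is nonzero are the ones where a Conditional Access rule keyed on "compliant device" may evaluate differently depending on which user signs in.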
Tip
When the MDM enrollment prompt appears, select only the "This app only" option rather than allowing the organization to manage the device; this keeps the sign-in scoped to the application and avoids enrolling the entire device.
New Feature: Global BYOD Enrollment Blocking
In the current public preview, Intune administrators can block personal device enrollment for the whole tenant. Users then no longer see the "Yes" or "No" choice when the "Allow your organization to manage your device" prompt appears.
The device is still registered in Entra but is not enrolled in Intune, which removes the risk of personal devices being managed unintentionally.
Observations and Current Limitations
Note that in the public preview, when several user accounts are added on the same device, the enrollment behavior is not always consistent. For example, when a second account is added, the device may be enrolled in Intune automatically. In that case, disconnect the account via Settings > Accounts > Access work or school > select the account > Disconnect; the expected behavior is restored afterwards.
Caution
Since this feature is in public preview, it is advisable to test it carefully before deploying it in a production environment.
Tutorial: Enable Global Blocking in Intune
Access the Intune console
Sign in to the Microsoft Intune admin center (formerly the Microsoft Endpoint Manager admin center) and select "Intune".
Configure MDM
Navigate to Tenant Administration > Connectors and tokens > MDM Configuration and enable the setting that blocks BYOD enrollment tenant-wide.
Test the configuration
Test the configuration on a personal Windows device by adding a work or school account the usual way. Verify that the device becomes Entra registered but is not enrolled in Intune, and that it does not appear as a managed device in the Intune admin center.
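To make the verification step concrete, here is an added PowerShell check, written for this article and not taken from the original post or from Microsoft, to run on the test device in the user's session. It reads dsregcmd /status and the registry key HKLM:\SOFTWARE\Microsoft\Enrollments that Intune's MDM enrollment creates; the ProviderID value "MS DM Server" and the manage.microsoft.com discovery URL it matches on are what enrolled devices are assumed to carry. The same check is useful for the multi-account case described under Observations, since it reports an Intune enrollment that appeared after a second account was added, together with the UPN it belongs to.

```powershell
# Added example, not from the original article: confirm that a Windows device is
# Entra registered (Workplace Join) but NOT enrolled in Intune after the tenant-wide
# BYOD block is enabled. Reading the Enrollments key does not require admin rights.

function Get-DeviceJoinState {
    # Parse "Name : Value" lines of dsregcmd /status into a hashtable.
    # WorkplaceJoined reflects the user running the command; AzureAdJoined is device-wide.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-IntuneEnrollment {
    # Assumption: an Intune MDM enrollment is a subkey of
    # HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> whose ProviderID is "MS DM Server"
    # and whose DiscoveryServiceFullURL points at manage.microsoft.com.
    # Other subkeys (Context, Status, Ownership, ...) carry no ProviderID and are dropped.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object {
            $_.ProviderID -eq 'MS DM Server' -or
            $_.DiscoveryServiceFullURL -like '*manage.microsoft.com*'
        } |
        Select-Object PSChildName, ProviderID, DiscoveryServiceFullURL, UPN, EnrollmentType
}

function Test-ByodBlockOutcome {
    # Expected result with the block active: not Entra joined, Workplace joined
    # for the current user, and zero Intune enrollments on the device.
    $s      = Get-DeviceJoinState
    $enroll = @(Get-IntuneEnrollment)
    [pscustomobject]@{
        AzureAdJoined   = $s['AzureAdJoined']
        WorkplaceJoined = $s['WorkplaceJoined']
        IntuneEnrolled  = ($enroll.Count -gt 0)
        EnrollmentUPNs  = (($enroll | ForEach-Object { $_.UPN } | Sort-Object -Unique) -join ', ')
        AsExpected      = ($s['AzureAdJoined'] -eq 'NO' -and
                           $s['WorkplaceJoined'] -eq 'YES' -and
                           $enroll.Count -eq 0)
    }
}

Test-ByodBlockOutcome | Format-List
```

If AsExpected is false because IntuneEnrolled is true, EnrollmentUPNs tells you which account triggered the enrollment; disconnecting that account under Settings > Accounts > Access work or school and re-running the check should bring the device back to the registered-only state.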
Glossary
- BYOD: Bring Your Own Device, the use of personal devices in a business environment.
- Entra Join: joining a Windows device to Microsoft Entra ID (formerly Azure AD); the device is then "Entra joined", as opposed to "Entra registered" (Workplace Join).
- SSO: Single Sign-On, a single authentication that grants access to multiple systems.
- MDM: Mobile Device Management, the enrollment channel through which Intune manages devices, including Windows PCs.