Intune Customer Success

New Windows corporate device identifier feature with Microsoft Intune: Everything you need to know

Jul 02, 2024

By: Madison Holdaas, Sr. Product Manager | Microsoft Intune

How identifying corporate devices has worked in Microsoft Intune

As an administrator, you want to make sure that only authorized and compliant devices can access your organization's resources and data. To do that, you need to identify which devices are corporate-owned and which are personal. However, this isn’t always easy, especially when you have a large and diverse fleet of devices running different operating systems and platforms.

Today, Intune has a variety of methods to identify a device as “corporate” on the Windows platform. If a device hasn’t enrolled using one of our true corporate methods, we do our best to infer an unknown device’s ownership from how the user enrolled it. For instance, if a user automatically enrolls by registering the device with Microsoft Entra through Windows settings, we determine that device to be corporate. If a user instead automatically enrolls by adding a work account from Windows settings, Intune marks the device as personal.

How enrollment restrictions have worked when blocking personal devices

One way to prevent personal or unknown devices from enrolling in your tenant is to use enrollment restrictions. Enrollment restrictions are policies that you can create and assign to groups of users or devices to control who can enroll which devices and how many. You can create two types of enrollment restrictions: device type restrictions and device limit restrictions.

Device type enrollment restrictions allow you to block or allow specific types of devices from enrolling, such as Windows, iOS, Android, or macOS. You can also block or allow specific configurations, such as blocking personally owned or unknown devices. Note that the setting to block personally owned devices also prevents several enrollment types from being enrolled even though Intune assumes them to be corporate when they are allowed to enroll (the rows marked “Corporate, but will be blocked by personal enrollment restriction” in the table later in this post).

New corporate device identifiers for Windows

The new Windows corporate identifier feature is a solution that can help you identify and manage your corporate Windows devices more easily and securely. The feature allows you to upload a CSV file with the serial number, manufacturer, and model of your known Windows devices to your tenant. This marks the devices as corporate during enrollment, so they work with personal enrollment restrictions.

Note that the feature only works for Windows 11, version 22H2 and later with KB5035942 (OS Builds 22621.3374 and 22631.3374) or newer.

Important: Enrollment device type restrictions are only editable by the Intune Service Administrator or Global Administrator. Corporate device identifiers have their own permission that must be assigned. Since these permissions are not the same, confirm that any existing enrollment restrictions will not be impacted before uploading a corporate device identifier.

To use the new feature, follow these steps:

  1. Create a CSV file with the serial number, manufacturer, and model of your corporate Windows devices. You can use any tool or method to generate the CSV file, as long as it follows the format and requirements specified in the documentation.
  2. In the Intune admin center, upload the CSV file to your tenant. You can find the upload option under Devices > Windows > Corporate identifiers. You can upload up to 5,000 devices or 5 MB per CSV. If you need to upload more, we recommend using PowerShell and interacting with the Microsoft Graph API directly.
  3. Verify that the upload was successful and that the devices are marked as corporate during enrollment. Note that after enrollment, Intune uses the existing enrollment type logic to define Personal and Corporate; see the “Without corporate identifiers” column in the table below for details. You can view the status and details of the upload under Devices > Windows > Corporate identifiers, and the device ownership and other properties of the devices under Devices > All devices.
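The following PowerShell is an added example (it is not code from this post or from Microsoft) that carries the three steps above through end to end: it reads manufacturer, model and BIOS serial number from Windows devices, validates the values, writes the identifier CSVs so that each file stays within the 5,000-device / 5 MB admin center limit quoted in step 2, and sketches the Graph path mentioned for larger fleets. The CSV column order (Manufacturer,Model,SerialNumber with no header row), the beta Graph action `importDeviceIdentityList`, the identity type value `manufacturerModelSerial` and the permission scope are assumptions to verify against the Intune and Graph documentation; the inventory at the bottom is constructed sample data.

```powershell
# Added example, not code from the post or from Microsoft. Lines marked ASSUMPTION
# are not stated in the post; confirm them against the current documentation.
#Requires -Modules Microsoft.Graph.Authentication

function Get-DeviceIdentity {
    # Read manufacturer, model and BIOS serial number from a Windows device over CIM.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName
    $bios = Get-CimInstance -ClassName Win32_BIOS -ComputerName $ComputerName
    [pscustomobject]@{
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
    }
}

function ConvertTo-CorporateIdentifierLine {
    # Validate one device and emit a "Manufacturer,Model,SerialNumber" line.
    # ASSUMPTION: this column order with no header row is the documented CSV format.
    param([Parameter(ValueFromPipeline)][pscustomobject]$Device)
    process {
        $values = foreach ($field in 'Manufacturer', 'Model', 'SerialNumber') {
            $v = ([string]$Device.$field).Trim()
            if (-not $v) { throw "Device is missing $field; Intune cannot match it without all three values." }
            if ($v.Contains(',')) { throw "$field '$v' contains a comma and would corrupt the CSV." }
            $v
        }
        $values -join ','
    }
}

function Split-CorporateIdentifierCsv {
    # Write the lines into files that stay under the admin center limits from the post
    # (5,000 devices or 5 MB per upload). Returns the paths written.
    param([string[]]$Lines, [string]$OutDirectory = '.', [int]$MaxRows = 5000, [long]$MaxBytes = 5MB)
    $dir   = (Resolve-Path -LiteralPath $OutDirectory).ProviderPath
    $enc   = [System.Text.UTF8Encoding]::new($false)   # UTF-8 without BOM, so the first field stays clean
    $chunk = [System.Collections.Generic.List[string]]::new()
    $bytes = 0; $index = 0; $written = @()
    $flushChunk = {
        $path = Join-Path $dir ('corporate-identifiers-{0:D3}.csv' -f $index)
        [System.IO.File]::WriteAllLines($path, $chunk, $enc)
        $path
    }
    foreach ($line in $Lines) {
        $lineBytes = $enc.GetByteCount($line) + 2           # plus CRLF
        if ($chunk.Count -ge $MaxRows -or ($bytes + $lineBytes) -gt $MaxBytes) {
            $written += & $flushChunk; $index++; $chunk.Clear(); $bytes = 0
        }
        $chunk.Add($line); $bytes += $lineBytes
    }
    if ($chunk.Count -gt 0) { $written += & $flushChunk }
    return $written
}

function Import-CorporateIdentifier {
    # Graph route for fleets larger than one portal upload.
    # ASSUMPTION: the beta action, the identity type value and the scope below.
    param([string[]]$Lines, [switch]$Overwrite)
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null
    $body = @{
        overwriteImportedDeviceIdentities = [bool]$Overwrite
        importedDeviceIdentities          = @($Lines | ForEach-Object {
            @{ importedDeviceIdentifier = $_; importedDeviceIdentityType = 'manufacturerModelSerial' }
        })
    }
    Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/importedDeviceIdentities/importDeviceIdentityList' `
        -Body ($body | ConvertTo-Json -Depth 5)
}

# Usage with a constructed inventory (replace with Get-DeviceIdentity over your fleet):
$inventory = @(
    [pscustomobject]@{ Manufacturer = 'Dell Inc.'; Model = 'Latitude 5540'; SerialNumber = 'EXAMPLESN001' }
    [pscustomobject]@{ Manufacturer = 'LENOVO';    Model = '21HD';          SerialNumber = 'EXAMPLESN002' }
)
$lines = $inventory | ConvertTo-CorporateIdentifierLine | Sort-Object -Unique   # drop duplicate rows
$files = Split-CorporateIdentifierCsv -Lines $lines
"Wrote $($files.Count) file(s) to upload under Devices > Windows > Corporate identifiers: $($files -join ', ')"
# Import-CorporateIdentifier -Lines $lines     # Graph path for fleets that exceed one upload
```

Two practical notes: firmware sometimes reports placeholder serial numbers (for example “To be filled by O.E.M.”), and an identifier built from such a value will never match a real device, so review the generated lines before uploading; and because the identifier upload permission differs from the enrollment restriction permission (as the post's Important note says), the account running the Graph import needs the corporate identifier permission explicitly.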

A screen capture of adding a corporate identifier in the Intune admin center.

Some enrollment methods will always be considered corporate enrollment because we trust that devices enrolling through these methods are known devices. Once an admin has uploaded a single Windows corporate identifier, the way we define Corporate and Personal during enrollment (and only during enrollment) changes to the following:

| Windows enrollment type | Without corporate identifiers | With corporate identifiers |
| --- | --- | --- |
| The device enrolls through Windows Autopilot | Corporate | Corporate |
| The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management | Corporate | Corporate |
| The device enrolls through a bulk provisioning package | Corporate | Corporate |
| The enrolling user is using a device enrollment manager account | Corporate | Corporate |
| The device enrolls through Azure Virtual Desktop (non-hybrid) | Corporate | Corporate |
| Automatic MDM enrollment with Microsoft Entra join during Windows setup | Corporate, but will be blocked by personal enrollment restriction | Personal, unless defined by corporate identifiers |
| Automatic MDM enrollment with Microsoft Entra join from Windows Settings | Corporate, but will be blocked by personal enrollment restriction | Personal, unless defined by corporate identifiers |
| Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices | Corporate, but will be blocked by personal enrollment restriction | Personal, unless defined by corporate identifiers |
| Autopilot device preparation profile | Corporate, but will be blocked by personal enrollment restriction | Personal, unless defined by corporate identifiers |
| Automatic MDM enrollment with Add Work Account from Windows Settings | Personal | Personal, unless defined by corporate identifiers |
| MDM enrollment only option from Windows Settings | Personal | Personal, unless defined by corporate identifiers |
| Enrollment using the Intune Company Portal app | Personal | Personal, unless defined by corporate identifiers |
| Enrollment via a Microsoft 365 app, which occurs when users select the Allow my organization to manage my device option during app sign-in | Personal | Personal, unless defined by corporate identifiers |

Admins who want to use the existing enrollment method logic to determine corporate versus personal during enrollment (that is, the “Without corporate identifiers” column) can simply delete all Windows corporate identifiers; ownership then goes back to behaving as it previously did in Intune.

New enrollment restriction experience using model and manufacturer device properties in filters

The new Windows corporate identifier feature also enables a new enrollment restriction experience that allows you to use the model and manufacturer device properties in filters to block devices from enrolling more granularly. You can block specific models or manufacturers of Windows devices from enrolling, such as Manufacturer = Microsoft or Model = VM. Note that model and manufacturer properties only work for Windows 11 version 22H2 and above at enrollment time.

To use the new enrollment restriction experience, navigate to the Intune admin center and follow these steps:

  1. Create a device filter using the model and manufacturer device properties. You can find the device filter option under Devices > Filters. You can create up to 100 device filters per tenant, and each device filter can have up to 10 conditions.
  2. Create an enrollment restriction policy that uses the device filter. You can find the enrollment restriction option under Devices > Enrollment > Device platform restrictions. You assign the device filter to your enrollment restriction policy in the Assignments tab.
  3. Assign the enrollment restriction policy to a group of users. You can assign the policy to any group that you have created or synced in your tenant, such as security groups or dynamic groups. You can also assign the policy to the default group, which applies to all users in your tenant. Remember that enrollment restrictions are user-based, so they don’t apply to userless enrollments.

A screen capture of creating a filter in the Intune admin center, using model and manufacturer device properties.

Note that because the model and manufacturer properties only work for Windows 11 version 22H2 and above, we recommend that your filter also include the null values of manufacturer and model, so that devices on unsupported versions (which report neither property) are covered.

Note: Windows 10 will be supported starting July 9; devices will need to be updated with KB5039299.

With this new feature, you can easily distinguish between corporate and personal devices and apply different enrollment policies accordingly. Additionally, you can leverage the model and manufacturer device properties to create more granular filters to block unwanted devices from enrolling.

Known limitations

Windows corporate identifiers are applied only during enrollment. This means that they define ownership at enrollment time only, not for the rest of the device’s lifecycle within the tenant. For example, suppose Windows corporate identifiers are in use and a user enrolls using Add work account from Windows settings (not Entra join). If an identifier has been uploaded for that device, it is considered Corporate at enrollment and is allowed to enroll, but once in the tenant it is defined as a Personal device because of the enrollment method used. This is a current limitation.
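Because of that limitation, a device you deliberately uploaded as corporate can sit in the tenant marked Personal, which matters for any compliance or Conditional Access logic keyed on ownership. The PowerShell below is an added example (not code from this post or from Microsoft) that audits for exactly this: it reads the identifier CSV you uploaded, pages through the tenant's managed devices over the Microsoft Graph v1.0 `managedDevices` resource, reports matching serial numbers whose `managedDeviceOwnerType` is not `company`, and can set the ownership to Company after you review the list. The CSV column order, the `userEnrollment` enrollment type value in the constructed sample, and the permission scope are assumptions; the sample identifier and device records are constructed.

```powershell
# Added example, not code from the post or from Microsoft. ASSUMPTION markers flag
# values the post does not state; the sample data at the bottom is constructed.
#Requires -Modules Microsoft.Graph.Authentication

function Import-CorporateIdentifierCsv {
    # Parse "Manufacturer,Model,SerialNumber" lines (ASSUMPTION: that column order)
    # into a lookup keyed by normalized serial number.
    param([string]$Path)
    $map = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line.Split(',')
        if ($parts.Count -ne 3) { Write-Warning "Skipping malformed line: $line"; continue }
        $map[$parts[2].Trim().ToUpperInvariant()] = [pscustomobject]@{
            Manufacturer = $parts[0].Trim(); Model = $parts[1].Trim()
        }
    }
    return $map
}

function Get-ManagedDevicePage {
    # Follow @odata.nextLink through /deviceManagement/managedDevices, selecting only what we need.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
           '?$select=id,deviceName,serialNumber,operatingSystem,managedDeviceOwnerType,deviceEnrollmentType'
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($d in $page.value) { $d }
        $uri = $page.'@odata.nextLink'
    }
}

function Find-MismarkedCorporateDevice {
    # Pure matching logic, so it can be exercised offline on constructed records.
    param([hashtable]$Identifiers, [object[]]$Devices)
    foreach ($d in $Devices) {
        if ($d.operatingSystem -ne 'Windows') { continue }
        $serial = ([string]$d.serialNumber).Trim().ToUpperInvariant()
        if (-not $serial -or -not $Identifiers.ContainsKey($serial)) { continue }
        if ($d.managedDeviceOwnerType -eq 'company') { continue }
        [pscustomobject]@{
            Id = $d.id; DeviceName = $d.deviceName; SerialNumber = $d.serialNumber
            Ownership = $d.managedDeviceOwnerType; EnrollmentType = $d.deviceEnrollmentType
        }
    }
}

function Set-DeviceOwnershipCompany {
    # Same change the admin center makes under "Change ownership"; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Device)
    process {
        if ($PSCmdlet.ShouldProcess($Device.DeviceName, 'Set managedDeviceOwnerType=company')) {
            Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' `
                -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($Device.Id)" `
                -Body (@{ managedDeviceOwnerType = 'company' } | ConvertTo-Json)
        }
    }
}

# Offline self-check on constructed records (no tenant needed): reports LT-001 only.
$sampleIds = @{ 'EXAMPLESN001' = [pscustomobject]@{ Manufacturer = 'Dell Inc.'; Model = 'Latitude 5540' } }
$sampleDevices = @(
    @{ id = '00000000-0000-0000-0000-000000000001'; deviceName = 'LT-001'; serialNumber = 'ExampleSN001'
       operatingSystem = 'Windows'; managedDeviceOwnerType = 'personal'; deviceEnrollmentType = 'userEnrollment' }  # ASSUMPTION: enum value
    @{ id = '00000000-0000-0000-0000-000000000002'; deviceName = 'LT-002'; serialNumber = 'EXAMPLESN001'
       operatingSystem = 'Windows'; managedDeviceOwnerType = 'company';  deviceEnrollmentType = 'userEnrollment' }
)
Find-MismarkedCorporateDevice -Identifiers $sampleIds -Devices $sampleDevices | Format-Table

# Live run: audit first, remediate only after reviewing the list.
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All' | Out-Null   # ASSUMPTION: scope
# $ids = Import-CorporateIdentifierCsv -Path '.\corporate-identifiers.csv'
# $mismarked = Find-MismarkedCorporateDevice -Identifiers $ids -Devices @(Get-ManagedDevicePage)
# $mismarked | Set-DeviceOwnershipCompany -WhatIf   # drop -WhatIf to apply
```

Matching is on serial number alone, normalized for case and whitespace, because the manufacturer and model strings a device reports to Intune do not always equal the strings in your inventory; the manufacturer and model from the CSV are kept in the lookup so you can eyeball them against the device record before changing ownership. Run the audit on a schedule rather than once, since the limitation applies to every future enrollment that uses a user-driven method.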

If you have any questions or feedback, leave a comment below or reach out to us on X @IntuneSuppTeam.

Post updates:

09/24/24: Updated the table that includes the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers.

12/12/24: Added a new section "Known limitations".

Updated Dec 12, 2024
  • ahmed_diab
    Copper Contributor

    If I have a device restriction policy that blocks personal devices from enrollment and I have a corporate Windows device that's not registered with Windows Autopilot, and I upload its info to corporate device identifiers, can a corporate user enroll it through "Automatic MDM enrollment with Microsoft Entra join during Windows setup" without being blocked by the device restriction policy?

    In other words, does the new corporate device identifier act similarly to registering a device with Autopilot when it comes to enrollment?

  • Marc_Laf
    Iron Contributor

    Ever since this feature was released, I've been having issues in my tenant. Any device that is run through this new enrollment process does NOT get added to the AP Device Preparation Device Group (and yes it is the correct type of group AND has the correct owner).

    I don't even know where to start looking on how to fix this.

    • Intune_Support_Team
      Microsoft

      Hi Marc_Laf

      Sorry we missed your message. We'd love to know if you're still experiencing this issue. If so, we'd love to help investigate the issue if you could DM us with any relevant info from logs about the group assignment.

      Thanks!

      • Marc_Laf
        Iron Contributor

        Hi there,

        I managed to figure it out - the version of Windows 11 being installed on the devices was not the most recent/supported version for the new AP Device Prep feature to work. (It was the newest .ISO downloaded from MS however I needed to install it first, then update it and then reset it to enroll.)

  • Sergio
    Copper Contributor

    Does it mean that instead of having to manage Hash IDs we'll have to manage corporate device identifiers?

    • Hi Sergio

      Sorry we missed your message! That is correct when you configure this feature on your tenant as it allows you to upload a CSV file with the serial number, manufacturer, and model of your known Windows devices.

      Hope this helps!

  • trevorjones
    Brass Contributor

    Would love to know why this is a thing: Corporate, but blocked by Personal enrollment restriction. Like, if it's assumed to be corporate, why is it blocked as though it were personal?

    • Intune_Support_Team
      Microsoft

      Hi trevorjones

      Thanks for reaching out, and sorry we missed your message. If you're continuing to experience issues with enrollment, can you reach out to us on DM so we can learn more about your scenario and provide troubleshooting steps to rectify the issue?

      Thanks!