By: Ramya B Sharma – Senior Software Engineer | Microsoft Intune
As a new public preview feature in Microsoft Intune, we’ve introduced a toggle that lets admins block automatic mobile device management (MDM) enrollment during the modern app sign-in flow on Windows. This enhancement directly responds to frequent customer requests for greater control over device enrollment, specifically the ability to prevent automatic MDM enrollment on Windows devices during app sign-in.
While Microsoft Entra generally recommends automatic enrollment by default, most Intune customers - especially those supporting bring your own device (BYOD), mixed ownership, or multi-tenant access scenarios - benefit from an opt-in enrollment model instead.
Recommended best practice
Keep “MDM user scope” set to All so enrollment is available when needed, but configure the new toggle “Disable MDM enrollment when adding a work or school account on Windows” to Yes so MDM enrollment is not automatically selected by default during app sign-in. This ensures devices are enrolled into Intune only through intentional enrollment flows, reducing accidental enrollments, support burden, and difficult recovery scenarios. Learn more:
Automatic MDM enrollment in the Intune admin center.
Why this matters
For years, Windows users signing into work or school apps have been presented with:
“Allow my organization to manage my device.”
In most environments, this option was selected by default or clicked through without full understanding. That single action could result in:
- Microsoft Entra device registration
- Automatic Intune MDM enrollment
- Immediate policy application to the device
For IT teams, this often led to:
- Unintended device enrollments
- Personal or BYOD devices becoming fully managed
- Difficult unenrollment and recovery experiences
The new public preview toggle directly addresses these long‑standing issues.
How the modern app sign-in enrollment flow works
When a user signs into a Microsoft work or school app on Windows, Windows may start a device registration flow. Historically, if:
- Automatic enrollment was enabled, and
- The user was in the MDM user scope
Then registration could immediately turn into full MDM enrollment, even though the user only intended to sign into an app.
What the new toggle changes
The new setting “Disable MDM enrollment when adding a work or school account on Windows”:
- Allows account registration
- Stops the flow before MDM enrollment
- Removes the “Allow my organization to manage my device” screen from the app sign-in flow
- Preserves intentional enrollment paths
Important: This setting applies to modern app sign-in flows, not Windows settings–based enrollment.
Allowing enrollment versus forcing enrollment
This distinction is critical.
Allowing enrollment:
- MDM user scope is configured to “All” or “Some”
- Enrollment is available when needed
- Devices enroll through deliberate flows
Forcing enrollment:
- Enrollment triggered implicitly
- App sign-in becomes an enrollment decision
- Users may not realize the device is managed
- Recovery is harder later
The new toggle lets organizations separate these behaviors.
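The distinction above (an account that is merely registered versus a device that is actually MDM-enrolled) is easy to verify on the endpoint itself. The following PowerShell script is an added example written for this post; it is not Microsoft's or the Intune team's own code. It assumes the built-in `dsregcmd /status` output uses `Name : Value` lines, and that Intune enrollments are recorded under `HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>` with a `ProviderID` value of `MS DM Server` (both are assumptions about current Windows builds; the value names `UPN`, `EnrollmentType` and `EnrollmentState` are likewise assumed). Run it in an elevated session, as the signed-in user, on the device you want to audit.

```powershell
# Added example (not from the original post): report whether a Windows device is
# only registered/joined with Microsoft Entra, or actually MDM-enrolled in Intune.
# Assumptions are labelled inline.

function Get-DsregState {
    # dsregcmd /status is a built-in Windows tool; we parse its "Name : Value" lines
    # (assumption: that output format) into a hashtable keyed by the name.
    $raw = & dsregcmd.exe /status 2>$null
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-MdmEnrollments {
    # Assumption: each MDM enrollment is a GUID subkey here; Intune uses ProviderID "MS DM Server".
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        # Non-enrollment housekeeping subkeys have no ProviderID and are skipped.
        if ($p.ProviderID) {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                ProviderID      = $p.ProviderID
                UPN             = $p.UPN              # assumed value name
                EnrollmentType  = $p.EnrollmentType   # assumed value name
                EnrollmentState = $p.EnrollmentState  # assumed value name
            }
        }
    }
}

function Get-EnrollmentPosture {
    $ds  = Get-DsregState
    $mdm = @(Get-MdmEnrollments | Where-Object ProviderID -eq 'MS DM Server')

    # Classify: a device can be joined/registered (account added) without any MDM enrollment.
    if ($mdm.Count -gt 0) {
        $posture = 'MDM-enrolled (Intune-managed)'
    } elseif ($ds['WorkplaceJoined'] -eq 'YES' -or $ds['AzureAdJoined'] -eq 'YES') {
        $posture = 'Registered/joined only (not MDM-managed)'
    } else {
        $posture = 'Not registered with Microsoft Entra'
    }

    [pscustomobject]@{
        AzureAdJoined     = $ds['AzureAdJoined']
        WorkplaceJoined   = $ds['WorkplaceJoined']
        MdmUrl            = $ds['MdmUrl']
        IntuneEnrollments = $mdm.Count
        Posture           = $posture
    }
}

# Usage: summarise the device, then list any enrollments found.
Get-EnrollmentPosture | Format-List
Get-MdmEnrollments | Format-Table -AutoSize
```

On a BYOD machine where a user added a work account with the new toggle set to Yes, the expected outcome is `WorkplaceJoined : YES` with zero Intune enrollments, which is exactly the "allowing, not forcing" state the post describes. An unexpected `MS DM Server` entry on a personal device is the signal that an accidental enrollment happened through some other path and should be reviewed.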
Impact across common Windows enrollment scenarios
| Scenario | Default behavior | Opt-in recommended behavior |
|---|---|---|
| BYOD / personal devices | High risk of accidental enrollment | App access without device takeover |
| Microsoft Office / Teams sign-in | May initiate MDM enrollment | No MDM enrollment unless user chooses |
| Microsoft Entra hybrid join (corporate) | Microsoft Entra joined | Microsoft Entra joined |
| Windows settings enrollment | MDM enrollment | MDM enrollment |
| Windows Autopilot / provisioning | MDM enrollment | MDM enrollment |
Security and governance benefits
Opt-in enrollment supports:
- Least surprise
- Explicit consent
- Cleaner BYOD posture
- Safer break-glass scenarios
- Reduced support escalations
It also aligns well with Conditional Access and app-level protection strategies.
When to use the default behavior
Default automatic enrollment may still be appropriate for:
- Fully corporate owned device fleets
- Locked down environments
- Dedicated provisioning scenarios
The key is that it should be a conscious decision, not an accidental one.
Summary
In conclusion, for most organizations, the modern best practice is:
Allow enrollment everywhere - require intent.
Using the new Intune toggle to make enrollment opt-in during app sign-in reduces risk, improves user trust, and simplifies the device lifecycle - without sacrificing Intune’s management capabilities.
Recommended reading: For a concrete example of the end‑user experience with this model, see Step 6: Understand Microsoft Edge for Business End User Experience for Windows, which walks through how opt‑in enrollment and app‑level management are presented to users in Microsoft Edge for Business.
Understand Microsoft Edge for Business End User Experience for Windows.
If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam!