Support tip: Unblock Windows “Set up for Work or School” enrollment

To my understanding "Setup for Work or School" creates an Azure AD Join (as opposed to a registration).  For the OOBE and initial enrollment, can you provide an example where the device would be recognized as Personal prior to registration with Work or School?

In relation to Jason Katz's question above ...

"Some customers run into issues during the out-of-box experience (OOBE) when enrolling Windows devices, specifically when the device is recognized as a personal device and the tenant does not allow for this device type."

HOW IS THE DEVICE "RECOGNIZED AS A PERSONAL DEVICE" WHEN ALL THE USER HAS DONE SO FAR IS TURN IT ON AND LET IT BOOT TO THIS SCREEN?

" This scenario can occur during device setup when the user chooses Set up for work or school and then signs in with an organization-linked Azure Active Directory (Azure AD) account."

ISN'T THIS EXACTLY HOW USERS ARE SUPPOSED TO ENROLL CORPORATE DEVICES?

Hi Jason Katz , with the enrollment restrictions in place (blocking personally owned devices) then any Windows device not considered as corporate it is blocked. Personal enrollment is not permitted if you block it.

Practically speaking, if Intune can somehow recognize the device as a corporate device:

HW IDs for Autopilot -> uploaded by OEM or you for preapproved devices

Domain Join for GPO / SCCM -> If the device is domain joined / SCCM managed then it's always corporate by definition

Device Enrollment Manager account -> the IT is in control of this account

Bulk Provisioning Package -> the IT is in control of this package

it will allow enrollment, otherwise it will block it. This is what you typically want if you don't have a BYOD scenario going on / your org owns all the Windows devices.

If you leave the device restrictions open, allowing both corporate and personal devices then Intune will mark as corporate any device falling in these categories, and any other device will be considered as personal. This is what you typically want if BYOD is permitted in your organization.

Please note that in the case of Azure AD Joined devices (and only for those) this goes hands in hands with who can actually join them to Azure AD and it is regulated on Azure AD side, by default everyone can. The most restrictive of the two (Enrollment Restrictions + Azure AD Join restrictions) wins:

If everybody can Azure AD Join BUT only corporate devices are permitted -> Azure AD Join of personal devices will fail.

If everybody can Azure AD Join AND personal devices are permitted -> Azure AD Join of personal devices will succeed.

If nobody can Azure AD Join -> Enrollment restrictions does not matter anymore.

Please remember to enable automatic enrollment for Azure AD Joined devices.

I think this article is at most incomplete because you can't dismiss some complex subject as this with a few lines saying "just let anyone enroll their home PC into your tenant". It should have been paraphrased better. This way it's really dangerously incomplete because if people just go and put the gates looses, then the fiesta of user owned PCs in your tenant begins.

Stephen600 

I agree totally ... that initial screen should be more intuitive.

The two options should be:

1. Set up for personal use (the device gets configured as a personal device with no option to use a corp email address and no way of connecting to any corp services ... unless allowed by the policy).

2. Set up for work or school (the device gets connected to your corp services with no option to use a personal MS account and no way of getting configured as a personal device).

Hi all and thank you for all the feedback!

Jason Katz, when enrolling a device, depending on the enrollment method, it can allow a device to be classified as personal before a user has signed in. Intune specifies devices as personally owned by default and we have examples which explain more here: Intune enrollment methods for Windows devices | User self-enrollment in Intune. Hope this helps!

NJReyes, for a list a current supported Windows versions, see: Windows Autopilot software requirements to learn more.

Stephen600 JeffH88, thank you both for the feedback! For the scenario regarding devices being purchased at consumer level and no hardware hash being provided, the IT admin would need to obtain the hardware hash manually. We understand that this may not be possible as the device is being sent to the user directly so, you may need to leverage a different enrollment method such as ‘Bulk enrollment for Windows Devices’. See https://aka.ms/mem-Windows-bulkjoin-blog for more info. There are also several other methods you can leverage to enroll your workforce's devices in Intune. Each method has different best practices and capabilities. See these docs for more info: Intune enrollment methods for Windows devices - Microsoft Intune | Microsoft Docs & Intune enrollment method capabilities for Windows devices - Microsoft Intune | Microsoft Docs. 

We understand your frustration and we at Intune take feedback on board to help us improve. Share your feedback and allow others to vote via our Feedback portal here: aka.ms/IntuneFeedback.

To clarify -- these are for Windows Pro versions, opposed to Windows Home versions? 

JeffH88 please don't write in all caps, it's considered bad etiquette and spoils the pleasure of helping others.

You can refer to this Docs to understand how Intune differentiates between Windows personal or corporate devices: Set enrollment restrictions in Microsoft Intune | Microsoft Docs.

For this particular scenario, being enrollment by the OOBE screen, if you login with a Device Enrollment Manager account it will be recognized as corporate, otherwsie if you login with a normal user account it will be recognized as personal.

LucaCavana  Duly noted ... I was trying to differentiate my questions from the quotes.

Thanks for the link ... it has the answer I was looking for.

LucaCavana , thanks for sharing.  So essentially with the device enrollment restriction in place (only allowing corporate enrollment) by default the device enrollment is considered personal.  Exceptions being enrollment via the Device Enrollment Manager and Autopilot, along with a few other methods mentioned in the doc you've linked.

Does that seem correct?  Just want to make sure I fully understand.  

Thank you!

Thanks for the extensive and in-depth response LucaCavana !