Forum Discussion
Allow users to AAD join & Intune enroll company devices only, not personally owned Win Pro/Ent devices
The planned restrictions will be:
- in AAD set staff user group to be allowed to AAD join devices
- in Intune set staff user group to be allowed to auto-enroll in Intune (tested having this disabled but this stops Autopilot from working properly)
- Enrollment restriction policy - set to allow Windows 10 but block personal devices and block all other platform types.
We are planning to only enroll devices either by Autopilot for new builds or with staff enrolling themselves for other devices. So DEM accounts, provisioning packages etc. won't apply in this case as we don't want to encounter the limitations they incur.
In the above configuration a staff user won't be able to AAD join or Intune enroll a Windows 10 HOME device, which will be the majority of BYOD devices.
Windows Home cannot AAD join anyway, so essentially all blocking personal devices does is stop AAD registered devices from Intune enrolling.
The problem I'm trying to resolve is the specific case of when a staff user (therefore allowed to AAD enroll) has their own device that has a Windows Pro/Enterprise-level OS, which results in them being able to AAD join and therefore Intune enroll, because an AAD joined device is seen as Corporate automatically.
I think the issue / confusion lies in the way the label 'Personal' is used and the lack of ability to differentiate between a company-owned device and a personally owned device by using registration of HWIDs, serial numbers etc.
'Personal' device simply means a device that is AAD registered and not AAD joined, which actually makes sense given AAD registered is mostly for BYOD. However, if you are trying to let users enroll company devices, as will be a common enough requirement in today's WFH scenarios, it doesn't seem straightforward to be able to stop them from enrolling personal Win Pro/Ent machines.
You are wrong in assuming that an AAD joined device is seen as corporate.
Nothing about AAD joined defines the ownership for a device.
A device is corporate when: Set enrollment restrictions in Microsoft Intune | Microsoft Docs
So this means in your case, just block personal devices and you will be golden. It's what I do for multiple customers.
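To check the two points raised in this thread (the planned "block personal devices" restriction, and how enrolled devices actually end up classified), here is an added example, not code from either poster. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the two read scopes requested, and that the Graph beta endpoint exposes the `windowsRestriction.personalDeviceEnrollmentBlocked` setting and the managed device `joinType` property.

```powershell
# Added example, not from the thread. Read-only audit of enrollment restrictions
# and of how Intune classified each enrolled Windows device.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All',
                        'DeviceManagementManagedDevices.Read.All'

# 1. Platform restriction configurations. The beta endpoint exposes per-platform
#    blocks, including the "block personal devices" toggle for Windows.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' }

$configs | ForEach-Object {
    [pscustomobject]@{
        Name                   = $_.displayName
        Priority               = $_.priority
        WindowsBlocked         = $_.windowsRestriction.platformBlocked
        WindowsPersonalBlocked = $_.windowsRestriction.personalDeviceEnrollmentBlocked
        iOSBlocked             = $_.iosRestriction.platformBlocked
        AndroidBlocked         = $_.androidRestriction.platformBlocked
        macOSBlocked           = $_.macOSRestriction.platformBlocked
    }
} | Format-Table -AutoSize

# 2. Audit: join type vs. ownership vs. enrollment type for Windows devices.
#    Follows @odata.nextLink so tenants with more than one page are fully listed.
$devUri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' +
          "?`$filter=operatingSystem eq 'Windows'" +
          "&`$select=deviceName,userPrincipalName,joinType,managedDeviceOwnerType,deviceEnrollmentType"
$devices = @()
do {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $devUri -OutputType PSObject
    $devices += $page.value
    $devUri  = $page.'@odata.nextLink'
} while ($devUri)

# azureADRegistered + personal is the population the restriction turns away;
# azureADJoined devices are listed with the ownership Intune assigned them so
# the claim about AAD joined devices can be checked against the tenant's own data.
$devices | Group-Object joinType, managedDeviceOwnerType |
    Select-Object Name, Count | Format-Table -AutoSize
$devices | Where-Object { $_.joinType -eq 'azureADJoined' } |
    Select-Object deviceName, userPrincipalName, managedDeviceOwnerType, deviceEnrollmentType |
    Format-Table -AutoSize
```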