Forum Discussion
Zied_Berrima
Jun 01, 2022, Copper Contributor
MDM scope enrollment: users or device group?
Hi
I would like to know, for this part, whether I have to specify a group of devices or a group of users,
knowing that if I declare a user group, the user will be able to join his personal PC to Azure AD so that he gets the Intune policies, and also, if he runs "sysprep", he can run Autopilot.
- Oktay Sari, Iron Contributor
Zied_Berrima, agree with NielsScheffers and also, screenshots could help (image size set to large). Just to be clear, you will have to use a security group with users, not devices. Furthermore, when a user runs sysprep, it does not mean the device will enroll with an Autopilot (AP) profile. For that to happen the device hash should have been uploaded to the Windows AP service, or you have configured an AP profile that converts devices to AP. The default setting is No.
"by this way i can apply some intune policies like configuration profile to a group of devices without enrolling them in intune : in the assignment i chose the device group .. and worked fine"
This shouldn't be possible. You cannot deploy Intune policies (device restrictions/settings catalog/templates) to devices that are not managed by Intune. However, App protection policies can be configured for managed/unmanaged devices. Could you share your config?
Could you run dsregcmd /status from a command prompt on one of the devices that seem to be Azure AD joined but not MDM enrolled (or seem to have configuration policies applied), and share the results? Perhaps it's a reporting issue with Intune.
Finally, I did a blog on this topic a while ago but it's still relevant: Configuring Intune MDM User Scope and MAM User Scope (allthingscloud.blog). Perhaps that might help with a little more background info.
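As an added diagnostic example (not code from the thread or from Microsoft), the Python below reads `dsregcmd /status` output and separates the join type from MDM enrollment, which is exactly the distinction the thread is trying to settle. The sample output is constructed and abbreviated; the field names (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl) are the ones dsregcmd prints on current Windows builds.

```python
import re
from typing import Dict

# Constructed, abbreviated sample of `dsregcmd /status` output (not a real capture).
SAMPLE_STATUS = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
               Device Name : LAPTOP-EXAMPLE
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (placeholder tenant)
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
"""
# One "Name : Value" line; the key is matched lazily so a URL in the value keeps its colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")

def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Collect the Name : Value pairs of dsregcmd /status, skipping the box-drawing headers."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("+", "|")):
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def classify(fields: Dict[str, str]) -> str:
    """Summarise join type and MDM enrollment: Azure AD seeing a device is not the same as Intune managing it."""
    aad_joined = fields.get("AzureAdJoined") == "YES"
    domain_joined = fields.get("DomainJoined") == "YES"
    registered = fields.get("WorkplaceJoined") == "YES"   # User State section, Azure AD registered
    mdm_url = fields.get("MdmUrl", "")                     # blank when the device is not MDM enrolled
    if aad_joined and domain_joined:
        join = "hybrid Azure AD joined"
    elif aad_joined:
        join = "Azure AD joined"
    elif registered:
        join = "Azure AD registered"
    else:
        return "not joined to Azure AD; MDM auto-enrollment cannot apply"
    if mdm_url:
        return f"{join} and MDM enrolled via {mdm_url}"
    return f"{join} but NOT MDM enrolled: check MDM user scope group membership and enrollment restrictions"
```

Run it against the real output of `dsregcmd /status` saved to a file; a device that Azure AD lists as Intune-managed but that classifies as "NOT MDM enrolled" is the case worth raising with support.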
- NielsScheffers, Iron Contributor
Oktay Sari, thanks for stepping in. Just a quick clarification (as you request the output of dsregcmd /status):
I've already confirmed the device exists in Intune (I think). The device is visible in Azure AD and shows a "Manage" button, and that button actually redirects to the device in Intune.
Zied_Berrima says he can't find it when using the search and actually only sees two devices (and I assume he expects many more to be visible).
- Zied_Berrima, Copper Contributor
Dear gentlemen, thank you for your reactivity and your answers.
Like any functionality in the Microsoft cloud world, it requires some time for propagation, a huge latency which leads to doubt: maybe, on my side, I misconfigured the thing 😞
You have to wait a time which could be up to 12 hours.
Today in the morning, I was able to see the devices in the Intune portal.
Oktay Sari, for the configuration profiles: imagine that you have devices in Azure AD (joined, hybrid or registered); you can put them in a security group, so you can mention this group in the "assignment" step when you create a configuration profile.
- NielsScheffers, Iron Contributor
This configuration specifies which users are allowed to (auto)enroll devices in MDM/MAM. Of course, as you mention, you don't want them to just enroll any device. To prevent this, you will then need to configure enrollment restrictions. You can, among other things, block enrollment of personally owned devices.
For more information:
Set enrollment restrictions in Microsoft Intune | Microsoft Docs
Edit: I just noticed you mention "join [...] to azure ad". AAD joining is restricted via the Azure AD setting "Users may join devices to Azure AD" (found under "Devices").
- Zied_Berrima, Copper Contributor
The problem is I can't see the devices in the Intune portal, but I can see them in the Azure AD portal, and Intune is the MDM solution.
By this way I can apply some Intune policies like configuration profiles to a group of devices without enrolling them in Intune: in the assignment step I chose the device group... and it worked fine.
- NielsScheffers, Iron Contributor
Somehow I can't open your screenshot, but if you can see the devices in the Intune portal, they are enrolled. The fact that the Azure AD device also shows "Intune" as the MDM is another indication of that. As such, policies are applied to those devices.
Edit: misread your reply... you clearly state you can't see the devices in Intune.
If Azure AD thinks Intune manages them, they should appear in Intune. If you click on the Azure AD device, doesn't it show a "Manage" button at the top of the screen?