Forum Discussion
MDM Scope enrollment: Users or device group?
Hi Zied_Berrima, good to hear things worked out eventually. Sounds like you had a huge delay in devices showing up in Intune. Thx for the update.
- Oktay Sari, Jun 07, 2022, Iron Contributor
Hi Zied_Berrima, Did you have a chance to have a look at your configuration? There are some things that might apply to Windows 10 devices that are not enrolled with Intune, but the only thing I can think of is Windows Information Protection without enrollment. And yes, compliance policies (combined with conditional access) might hit unmanaged devices, requiring users to take action.
I'm curious to know what's causing the configuration assignment for unmanaged devices??
- Oktay Sari, Jun 04, 2022, Iron Contributor
Hi Zied_Berrima, My thoughts? Well... I'm kinda curious..
Don't get me wrong... MEM 101: Devices won’t receive configuration policies if they are not enrolled in Microsoft Endpoint Manager. So, I'm very curious as to how you managed to apply configuration policies to Azure AD joined devices that are not MDM enrolled in MEM.
Could you share with us some information on a device that is not MDM enrolled but is receiving config from MEM?
On the device, open an admin cmd prompt and type in: dsregcmd /status
Here is an example of a device that is Azure AD joined, but not MDM enrolled.
If the device is receiving policies from Intune, you should be able to run an MDM Diagnostics report from Settings > Access work or school (do you have the Info button?). Assuming the device is not MDM enrolled, the Info button should not be there, confirming the device is not MDM managed.
There is another method to generate the MDM Diagnostics report: in your admin cmd type in:
mdmdiagnosticstool -out c:\temp\MDM (make sure the c:\temp directory exists)
Then open the report MDMDiagReport.html in that folder.
I'm again assuming the device is still not managed and your report should look something like this:
In Azure, check the device and share a screenshot with us:
If you want to do a POC for a device and see if it is receiving policies from MEM/Intune without being enrolled, you should have an Azure AD joined device that shows the MDM is set to None, like the above example. You should also have an AAD security group and add this device to that group. Then create a policy in Intune and assign that policy to this group. Then... wait...
For example a device restriction policy blocking access to some of the settings:
If, for some reason I don't understand, the policy does apply and the device is not MDM enrolled, you should not be able to access Time & Language, for example. If that is the case, contact Microsoft support and keep us informed.
Please note: I'm using a test tenant... Don't change tenant-wide settings in a production tenant.

Regards
Oktay
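The two checks in the post above (dsregcmd /status and the MDM diagnostics report) can be scripted so the join state and enrollment state are read off the device rather than eyeballed. This is an added example, not code from Oktay's post; it assumes dsregcmd prints "AzureAdJoined : YES/NO" and "MdmUrl : <url>" lines, and that MdmUrl is empty on a device that is not MDM enrolled, which matches the screenshot described above.

```powershell
# Added example: report Azure AD join state and MDM enrollment state from
# dsregcmd /status, then generate the MDM diagnostics report. Run elevated.
# Assumption: dsregcmd emits "AzureAdJoined : <YES|NO>" and "MdmUrl : <url>";
# an empty MdmUrl is treated as "not MDM enrolled".
param(
    [string]$OutDir = 'C:\temp\MDM'   # same folder as in the post
)

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd prints "Name : Value" with variable padding; take the first match
    foreach ($line in $Lines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.*)$") {
            return $Matches[1].Trim()
        }
    }
    return $null
}

$status    = & dsregcmd.exe /status
$aadJoined = Get-DsregField -Lines $status -Name 'AzureAdJoined'
$mdmUrl    = Get-DsregField -Lines $status -Name 'MdmUrl'

Write-Host "AzureAdJoined : $aadJoined"
if ([string]::IsNullOrWhiteSpace($mdmUrl)) {
    Write-Host "MdmUrl        : (empty) -> device is NOT MDM enrolled"
} else {
    Write-Host "MdmUrl        : $mdmUrl -> device IS MDM enrolled"
}

# mdmdiagnosticstool needs the output folder to exist, so create it first
if (-not (Test-Path -Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}
& mdmdiagnosticstool.exe -out $OutDir

$report = Join-Path -Path $OutDir -ChildPath 'MDMDiagReport.html'
if (Test-Path -Path $report) {
    Write-Host "Report written to $report"
} else {
    Write-Warning "mdmdiagnosticstool did not produce $report"
}
```

On a device that is Azure AD joined but not enrolled, the expected result is AzureAdJoined : YES with an empty MdmUrl; if policies still land on such a device, the generated MDMDiagReport.html is the artifact to attach when opening the support case the post suggests.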