How to control who can Workplace Join Windows 10 devices

Alexander Kanakaris
Occasional Contributor
Hello to all members of this great community.

We are co-managing with SCCM and Intune with primary auth being AD/SCCM. Hybrid Azure AD Join works fine.

Recently we had to enable MAM enrollment in Intune so as to provide iOS and Android device management. This also works fine and the devices properly register to Azure AD.

At that point, I realized that even after using Enrollment Restrictions, the end result is that this only controls Intune Enrollment for Windows 10 devices and not Azure AD Registration, which happens either way.

I tried to check if Intune provides a way to control this behavior and only allow users in a specific group to Azure AD Register (Workplace Join) their Windows 10 devices. I haven’t found such a setting or policy.

Can anyone point me to a proper direction for this?

Thanks
1 Reply

Just getting an answer up so it's useful to others. This is done under Intune -> Device Enrollment -> Enrollment Restrictions. There you can create restriction profiles with different restrictions and assign users to those restriction profiles.
