SOLVED

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Stephen Bell
Contributor

Hello all,

My company just purchased some EMS licenses with the intention of deploying some Surface Pro devices to our mobile workforce.

If these are joined to Azure AD using a Device Enrollment Manager account - do these limitations (https://docs.microsoft.com/en-us/intune-classic/deploy-use/enroll-corporate-owned-devices-with-the-device-enrollment-manager-in-microsoft-intune) still apply? Having no specific device user? Not being able to use per-user conditional access policies?

I guess I understand this with an iOS device -- because it only has 1 user - but with a Windows device, the user authenticates with their Azure AD credentials, I would hope that user-specific configuration would be able to apply to the device?

Any input would be appreciated.

Thanks

sb

5 Replies
Solution
For Windows 1703, you can enroll those devices with a DEM account. Conditional access will work with a non-DEM account once the account logs in.

Hi

If I were you I would try out Windows AutoPilot instead of a DEM account.

Kind regards

Per Larsen

MVP - Enterprise Mobility

Blog: https://osddeployment.dk

I agree with Per Larsen. Windows AutoPilot is the way to go in the long-term. It is fairly new and not all tenants may have it enabled at this time. Your tenant might be ready, so visit the link below for more info. https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot

Thank you. I would like to look into this. How do I know if it is available in my tenant?

If you see Devices under the Manage page when you log into Windows Store for Business or EDU.
