Forum Discussion
Enrollment Scope only AzureAD Joined
Hi, I'm new to Intune and was wondering how I could prevent Azure AD registered devices from enrolling in Intune.
I've tried using a security group and limiting the enrollment scope to this group. The dynamic rules were set to
(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")
However, the result was that the device wasn't enrolled at all (just as if the AAD joined tag was set at a later stage, after Intune checked for it). The group does indeed match all the devices that I want to target (I can see them in the preview).
Is there a best practice for this, or another dynamic rule that will work? We don't get our hardware hashes yet to use Autopilot right away, so I want new notebooks to at least enroll automatically in Intune when
micheleariis (Steel Contributor):
davidscharf Hi, to restrict enrollment in Microsoft Intune only to devices joined to Azure AD and prevent enrollment of devices registered to Azure AD, I would do this:
Registration Restrictions in Intune: configure restrictions to block personal devices, ensuring that only enterprise devices joined to Azure AD can enroll (assign these restrictions to the appropriate user groups).
Registration Scope in Azure AD: set the MDM (Mobile Device Management) scope to include only users who need to enroll joined devices in Azure AD.
Set the MAM (Mobile Application Management) scope to "None" to exclude registered devices.
Dynamic Groups: use a proper dynamic group rule: (device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureADJoined")
This configuration will ensure that only devices joined to Azure AD can be enrolled in Intune.
Clearly, as soon as you can, activate Autopilot 🙂
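Both posts hinge on which devices a deviceTrustType rule actually selects before the group is used as an enrollment scope. The following Python script is an added example, not code from either participant or from Microsoft: it evaluates the small subset of the dynamic membership rule syntax used in this thread (parenthesised `device.<attribute> -eq "<value>"` clauses joined by and/or) against a constructed device inventory, so the membership preview can be reasoned about offline. The three trust-type values it knows (AzureAD for joined, ServerAD for hybrid joined, Workplace for registered) are the ones Microsoft documents for device.deviceTrustType; the device names, the Android sample device and the exact-match string comparison are assumptions of the example. The `unknown_trust_types` check flags a rule that compares against a value the directory never emits, which is the usual reason a rule silently matches no device.

```python
import re
from dataclasses import dataclass

# Documented values of device.deviceTrustType in dynamic membership rules.
TRUST_TYPES = {
    "AzureAD": "Azure AD joined",
    "ServerAD": "Hybrid Azure AD joined",
    "Workplace": "Azure AD registered",
}


@dataclass(frozen=True)
class Device:
    display_name: str
    deviceOSType: str
    deviceTrustType: str


# Constructed sample inventory (not real devices): one of each trust type plus a phone.
INVENTORY = [
    Device("NB-001", "Windows", "AzureAD"),
    Device("NB-002", "Windows", "Workplace"),
    Device("NB-003", "Windows", "ServerAD"),
    Device("PHONE-001", "Android", "Workplace"),
]

# One clause: (device.<attribute> -eq "<value>") or -ne; connectors between clauses.
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+(-eq|-ne)\s+"([^"]*)"\s*\)', re.IGNORECASE)
CONNECTOR = re.compile(r"\s*(and|or)\s*", re.IGNORECASE)


def parse_rule(rule):
    """Split a rule into [(attribute, operator, value), ...] and the connectors between them."""
    rule = rule.strip()
    clauses, connectors, pos = [], [], 0
    while True:
        m = CLAUSE.match(rule, pos)
        if not m:
            raise ValueError(f"expected a clause at offset {pos}: {rule[pos:pos + 30]!r}")
        clauses.append((m.group(1), m.group(2).lower(), m.group(3)))
        pos = m.end()
        if pos == len(rule):
            return clauses, connectors
        c = CONNECTOR.match(rule, pos)
        if not c:
            raise ValueError(f"expected 'and' or 'or' at offset {pos}: {rule[pos:pos + 30]!r}")
        connectors.append(c.group(1).lower())
        pos = c.end()


def clause_matches(device, clause):
    """Assumption: exact string comparison; attribute names are matched case-insensitively."""
    attribute, operator, value = clause
    fields = {k.lower(): v for k, v in vars(device).items()}
    actual = fields.get(attribute.lower())
    equal = actual is not None and actual == value
    return equal if operator == "-eq" else not equal


def evaluate(rule, device):
    """Evaluate clauses left to right (a simplification: no operator precedence)."""
    clauses, connectors = parse_rule(rule)
    result = clause_matches(device, clauses[0])
    for connector, clause in zip(connectors, clauses[1:]):
        value = clause_matches(device, clause)
        result = (result and value) if connector == "and" else (result or value)
    return result


def preview_members(rule, inventory=INVENTORY):
    """Names of the inventory devices the rule would place in the group."""
    return [d.display_name for d in inventory if evaluate(rule, d)]


def unknown_trust_types(rule):
    """Values compared against deviceTrustType that are not documented trust types."""
    clauses, _ = parse_rule(rule)
    return [v for attr, _, v in clauses if attr.lower() == "devicetrusttype" and v not in TRUST_TYPES]


# Rule from the question: Windows devices that are Azure AD joined.
JOINED_ONLY = '(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")'
# The set the question wants kept out of Intune: Windows devices that are only registered.
REGISTERED_ONLY = '(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "Workplace")'

if __name__ == "__main__":
    for label, rule in (("joined", JOINED_ONLY), ("registered", REGISTERED_ONLY)):
        print(f"{label}: members={preview_members(rule)} unknown={unknown_trust_types(rule)}")
```

Run the script as-is to see which constructed devices each rule selects; to reason about your own rule, paste it into `preview_members` and `unknown_trust_types` and extend `INVENTORY` with the trust types present in your tenant. Because the evaluator is exact-match and left-to-right, treat it as a sanity check on the rule text, and confirm the final membership in the portal's rule preview.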