Intune Enrollment Issues - Found a workaround but it doesn't make sense

I am curious if anybody else has this issue and knows a fix...


Basically, we had a bunch of these devices that were originally in Intune and working fine. These were Enrolled into Intune via Group Policy. (Note: All devices get automatically converted to Autopilot devices also).


These users eventually got terminated and the devices were removed from Active Directory. Later on, the business decided to re-use these devices. Some were reimaged via WDS, some were just re-added to the domain... long story short, none of them will enroll into Intune.


When I looked at the enrollment errors, I got the following error message: This device attempted to enroll via a method not allowed from the device's Autopilot profile.


I thought it was interesting because we are not even trying to enroll it via Autopilot or even using it in this case as the device was never reset.


I decided to delete a few of them from Autopilot just to see what would happen. Now I get a new error saying: This device can't be enrolled as a personal device while the platform is Blocked under Device Type Restrictions. 



I eventually figured out that if you add someone as an "Enrollment manager", they can bypass this... so I had a tech sign into some of the devices and they enroll... They just need to switch the primary user back to the new user as it registers as themselves. 



What I am confused about is why it is working this way. It wasn't like this before. Should I allow Windows (MDM) personal devices to be enrolled? If so, how do I actually block true personal devices?


These devices are in AD & Entra and those are the only "Windows" devices we want to be allowed to enroll into Intune, unless they are actually enrolled via Autopilot (resetting) of course. 


Also, using Autopilot does work and does enroll the devices without issues.


What I haven't tested: Keeping the device in Autopilot and having an "Enrollment Manager" sign in

2 Replies
Reimaged the device or re-added to the domain... what happens if you just wipe such a device and perform the regular steps by adding it to the domain and let it hybrid join and enroll to Intune? That should just work...

The image that you were using... I am hoping that was a clean image that had never seen the lights of Intune/Entra before? The same with the devices that were re-added... I assume those devices also had some lingering old enrollments.

Also, if you are indeed blocking personal devices and removing the Autopilot object, the Autopilot service wouldn't recognize that device and would block it because it thinks it's a personal device.
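The "lingering old enrollments" the reply suspects can be checked on an affected device before anyone wipes it. The following PowerShell is an added diagnostic example, not code from the original thread or from Microsoft; it only reads state and deletes nothing. It assumes that leftover MDM enrollments show up as GUID-named subkeys under HKLM\SOFTWARE\Microsoft\Enrollments (with values such as ProviderID, UPN, EnrollmentState and DiscoveryServiceFullURL, read only if present) together with a matching scheduled-task folder under \Microsoft\Windows\EnterpriseMgmt\, and that dsregcmd /status prints "Key : Value" lines. Run it in an elevated PowerShell session on the device.

```powershell
# Added example: inventory join state and leftover MDM enrollment remnants.
# Read-only; nothing is removed. Run as Administrator on the affected device.

function Get-MdmEnrollmentRemnants {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $results = @()
    if (-not (Test-Path $root)) { return $results }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # Only GUID-named subkeys represent enrollments; skip Status, Ownership, etc.
        if ($key.PSChildName -notmatch '^\{?[0-9A-Fa-f-]{36}\}?$') { continue }
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Assumption: the enrollment's tasks live in a folder named after the same GUID
        $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$($key.PSChildName)\"
        $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            EnrollmentId    = $key.PSChildName
            ProviderID      = $props.ProviderID            # e.g. "MS DM Server" for Intune
            UPN             = $props.UPN                   # user the enrollment was created for
            EnrollmentState = $props.EnrollmentState
            DiscoveryUrl    = $props.DiscoveryServiceFullURL
            ScheduledTasks  = @($tasks).Count
        }
    }
    return $results
}

function Get-DeviceJoinState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        # Split on the first colon so URL values keep their own colons
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    # Key names as printed by dsregcmd /status on current Windows builds
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DomainJoined  = $state['DomainJoined']
        DeviceId      = $state['DeviceId']
        TenantId      = $state['TenantId']
        MdmUrl        = $state['MdmUrl']
    }
}

Get-DeviceJoinState | Format-List
$remnants = Get-MdmEnrollmentRemnants
if ($remnants) {
    $remnants | Format-Table -AutoSize
} else {
    'No MDM enrollment keys present under HKLM\SOFTWARE\Microsoft\Enrollments'
}
```

A device that was hybrid joined and enrolled in its previous life, and then only re-added to the domain, will typically still show a DeviceId and an enrollment row whose UPN belongs to the terminated user, while its Entra object was deleted along with the AD object. That mismatch (local state says "enrolled", the tenant has no matching device) is what to look for; what you then do about it (wipe, or a deliberate cleanup followed by a fresh hybrid join) is a change decision, not something this script performs.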
Well if we wipe it, then it would go through the Autopilot steps and it would work. The problem is the techs already handed a bunch of these out to users...

I just need to understand why these won't enroll as they normally would if they were brand new. It only seems to affect devices that were once upon a time in Intune.