MDM vs MAM Windows Auto Enrollment

Greetings - 

I have a question on the setting of Windows Automatic Enrollment in Intune.  First, understanding that Windows Autopilot REQUIRES that the MDM auto-enroll be set as enabled but should it be "SOME" or "ALL"?  Any reason we wouldn't allow "ALL" here for corporate-owned Windows PCs?  Second, I have seen documentation where the MAM setting is set to "NONE".  We do not want any personal/BYOD Windows devices in Intune.  However, that is also BLOCKED by the Enrollment Device Platform Restrictions set to "BLOCK" personal devices.  I have also read MSFT documentation on WIP and/or App Protection Policies, which seem to indicate that the setting for MAM should be enabled - set to Some or All.  In addition, MSFT states that by default, Windows auto-enrollment using MDM would take preference if both settings are targeting the same users.  Thanks MSFT - it's as clear as mud in your documentation.  Can someone clarify?  Again - we do not want personal Windows devices enrolling, and no BYOD MAM scenario for Windows PCs.  We DO want to enable App Protection Policies however, so what is the recommended setting for MAM then?  Thanks!

2 Replies
Maybe this blog is more clear about the MAM/MDM scope

Thank you Rudy. Does it clear it up? Sort of. I noted in your matrix, which is appreciated, that you don't show a 'hybrid join' device. In any case, MSFT in all its wisdom (cough cough) has once again overcomplicated what seems to be a simple thing. Just tell us that MAM configured to NONE here is valid when you are NOT intending to use any Windows BYOD devices. Otherwise, you can allow 'ALL' (with no impact to 'Corp' devices in MDM), or "Some" and specify some group of users who actually may want to use their personal Windows devices which can have their apps managed (WIP). I was not confused at all that this setting is for Windows devices only, but I can see where that can happen. Thank you again for your feedback. Caso cerrado (case closed).