cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

%3CLINGO-SUB%20id%3D%22lingo-sub-89452%22%20slang%3D%22en-US%22%3ESurface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89452%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%3CP%3EMy%20company%20just%20purchased%20some%20EMS%20licenses%20with%20the%20intention%20on%20deploying%20some%20Surface%20Pro%20devices%20to%20our%20mobile%20workforce.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20these%20are%20joined%20to%20Azure%20AD%20using%20a%20Device%20Enrollment%20Manager%20account%20-%20do%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune-classic%2Fdeploy-use%2Fenroll-corporate-owned-devices-with-the-device-enrollment-manager-in-microsoft-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethese%20limitations%3C%2FA%3E%26nbsp%3Bstill%20apply%3F%20%26nbsp%3BHaving%20no%20specific%20device%20user%3F%20%26nbsp%3BNot%20being%20able%20to%20to%20use%20per-user%20conditional%20access%20policies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20I%20understand%20this%20with%20an%20iOS%20device%20--%20because%20it%20only%20has%201%20user%20-%20but%20with%20a%20windows%20device%2C%20the%20user%20authenticates%20with%20their%20Azure%20AD%20credentials%2C%20I%20would%20hope%20that%20user%20specific%20configuration%20would%20be%20able%20to%20apply%20to%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20input%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3Esb%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-89452%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92374%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92374%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20see%20Devices%20under%20the%20Manage%20page%20when%20you%20log%20into%20Windows%20Store%20for%20Business%20or%20EDU.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92362%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92362%22%20slang%3D%22en-US%22%3EThank%20you.%20I%20would%20like%20to%20look%20into%20this.%20How%20do%20I%20know%20if%20it%20is%20available%20in%20my%20tenant%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92348%22%20slang%3D%22en-US%22%3ERE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92348%22%20slang%3D%22en-US%22%3EI%20agree%20with%20Per%20Larsen.%20Windows%20AutoPilot%20is%20the%20way%20to%20go%20in%20the%20long-term.%20It%20is%20fairly%20new%20and%20not%20all%20tenants%20may%20have%20it%20enabled%20at%20this%20time.%20Your%20tenant%20might%20be%20ready%2C%20so%20visit%20the%20link%20below%20for%20more%20info.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92219%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92219%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20was%20you%20I%20will%20try%20out%20Windows%20AutoPilot%20instead%20of%20DEM%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Reregards%3C%2FP%3E%3CP%3EPer%20Larsen%3C%2FP%3E%3CP%3EMVP%20-%20Enterprise%20Mobility%3C%2FP%3E%3CP%3EBlog%3A%20%3CA%20href%3D%22https%3A%2F%2Fosddeployment.dk%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fosddeployment.dk%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-89764%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89764%22%20slang%3D%22en-US%22%3EFor%20Windows%201703%2C%20you%20can%20enroll%20those%20devices%20with%20a%20DEM%20account.%20Conditional%20access%20will%20work%20with%20a%20nonDEM%20account%20once%20the%20account%20logs%20in.%3C%2FLINGO-BODY%3E
Stephen Bell
Frequent Contributor

‎Jul 23 2017 05:02 PM

‎Jul 23 2017 05:02 PM

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hello all,

My company just purchased some EMS licenses with the intention on deploying some Surface Pro devices to our mobile workforce.  

 

If these are joined to Azure AD using a Device Enrollment Manager account - do these limitations still apply?  Having no specific device user?  Not being able to to use per-user conditional access policies?

 

I guess I understand this with an iOS device -- because it only has 1 user - but with a windows device, the user authenticates with their Azure AD credentials, I would hope that user specific configuration would be able to apply to the device?

 

Any input would be appreciated.

 

Thanks

sb

1,083 Views
0 Likes
5 Replies
Reply
5 Replies
best response confirmed by Stephen Bell (Frequent Contributor)
Michael Jones

‎Jul 24 2017 04:32 PM

‎Jul 24 2017 04:32 PM

Solution

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

For Windows 1703, you can enroll those devices with a DEM account. Conditional access will work with a nonDEM account once the account logs in.
1 Like
Reply
Per Larsen

‎Aug 01 2017 11:24 AM

‎Aug 01 2017 11:24 AM

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hi

 

 

If I was you I will try out Windows AutoPilot instead of DEM account.

 

Kind Reregards

Per Larsen

MVP - Enterprise Mobility

Blog: https://osddeployment.dk

0 Likes
Reply
Michael Jones

‎Aug 01 2017 05:11 PM

‎Aug 01 2017 05:11 PM

RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

I agree with Per Larsen. Windows AutoPilot is the way to go in the long-term. It is fairly new and not all tenants may have it enabled at this time. Your tenant might be ready, so visit the link below for more info. https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot
0 Likes
Reply
Stephen Bell

‎Aug 01 2017 06:42 PM

‎Aug 01 2017 06:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Thank you. I would like to look into this. How do I know if it is available in my tenant?
0 Likes
Reply
Michael Jones

‎Aug 01 2017 07:42 PM - edited ‎Aug 01 2017 07:42 PM

‎Aug 01 2017 07:42 PM - edited ‎Aug 01 2017 07:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

If you see Devices under the Manage page when you log into Windows Store for Business or EDU.

0 Likes
Reply