cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Home

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

%3CLINGO-SUB%20id%3D%22lingo-sub-89452%22%20slang%3D%22en-US%22%3ESurface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89452%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%3CP%3EMy%20company%20just%20purchased%20some%20EMS%20licenses%20with%20the%20intention%20on%20deploying%20some%20Surface%20Pro%20devices%20to%20our%20mobile%20workforce.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20these%20are%20joined%20to%20Azure%20AD%20using%20a%20Device%20Enrollment%20Manager%20account%20-%20do%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune-classic%2Fdeploy-use%2Fenroll-corporate-owned-devices-with-the-device-enrollment-manager-in-microsoft-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ethese%20limitations%3C%2FA%3E%26nbsp%3Bstill%20apply%3F%20%26nbsp%3BHaving%20no%20specific%20device%20user%3F%20%26nbsp%3BNot%20being%20able%20to%20to%20use%20per-user%20conditional%20access%20policies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20I%20understand%20this%20with%20an%20iOS%20device%20--%20because%20it%20only%20has%201%20user%20-%20but%20with%20a%20windows%20device%2C%20the%20user%20authenticates%20with%20their%20Azure%20AD%20credentials%2C%20I%20would%20hope%20that%20user%20specific%20configuration%20would%20be%20able%20to%20apply%20to%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20input%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3Esb%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-89452%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92374%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92374%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20see%20Devices%20under%20the%20Manage%20page%20when%20you%20log%20into%20Windows%20Store%20for%20Business%20or%20EDU.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92362%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92362%22%20slang%3D%22en-US%22%3EThank%20you.%20I%20would%20like%20to%20look%20into%20this.%20How%20do%20I%20know%20if%20it%20is%20available%20in%20my%20tenant%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92348%22%20slang%3D%22en-US%22%3ERE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92348%22%20slang%3D%22en-US%22%3EI%20agree%20with%20Per%20Larsen.%20Windows%20AutoPilot%20is%20the%20way%20to%20go%20in%20the%20long-term.%20It%20is%20fairly%20new%20and%20not%20all%20tenants%20may%20have%20it%20enabled%20at%20this%20time.%20Your%20tenant%20might%20be%20ready%2C%20so%20visit%20the%20link%20below%20for%20more%20info.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92219%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92219%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20was%20you%20I%20will%20try%20out%20Windows%20AutoPilot%20instead%20of%20DEM%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Reregards%3C%2FP%3E%3CP%3EPer%20Larsen%3C%2FP%3E%3CP%3EMVP%20-%20Enterprise%20Mobility%3C%2FP%3E%3CP%3EBlog%3A%20%3CA%20href%3D%22https%3A%2F%2Fosddeployment.dk%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fosddeployment.dk%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-89764%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89764%22%20slang%3D%22en-US%22%3EFor%20Windows%201703%2C%20you%20can%20enroll%20those%20devices%20with%20a%20DEM%20account.%20Conditional%20access%20will%20work%20with%20a%20nonDEM%20account%20once%20the%20account%20logs%20in.%3C%2FLINGO-BODY%3E
Highlighted
Stephen Bell
Stephen Bell
Contributor

‎07-23-2017 05:02 PM

‎07-23-2017 05:02 PM

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hello all,

My company just purchased some EMS licenses with the intention on deploying some Surface Pro devices to our mobile workforce.  

 

If these are joined to Azure AD using a Device Enrollment Manager account - do these limitations still apply?  Having no specific device user?  Not being able to to use per-user conditional access policies?

 

I guess I understand this with an iOS device -- because it only has 1 user - but with a windows device, the user authenticates with their Azure AD credentials, I would hope that user specific configuration would be able to apply to the device?

 

Any input would be appreciated.

 

Thanks

sb

860 Views
0 Likes
5 Replies
Reply
5 Replies
Highlighted
Michael Jones

‎07-24-2017 04:32 PM

‎07-24-2017 04:32 PM

Solution

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

For Windows 1703, you can enroll those devices with a DEM account. Conditional access will work with a nonDEM account once the account logs in.
Best Response confirmed by Stephen Bell (Contributor)
1 Like
Reply
Highlighted
Per Larsen

‎08-01-2017 11:24 AM

‎08-01-2017 11:24 AM

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hi

 

 

If I was you I will try out Windows AutoPilot instead of DEM account.

 

Kind Reregards

Per Larsen

MVP - Enterprise Mobility

Blog: https://osddeployment.dk

0 Likes
Reply
Highlighted
Michael Jones

‎08-01-2017 05:11 PM

‎08-01-2017 05:11 PM

RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

I agree with Per Larsen. Windows AutoPilot is the way to go in the long-term. It is fairly new and not all tenants may have it enabled at this time. Your tenant might be ready, so visit the link below for more info. https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot
0 Likes
Reply
Highlighted
Stephen Bell

‎08-01-2017 06:42 PM

‎08-01-2017 06:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Thank you. I would like to look into this. How do I know if it is available in my tenant?
0 Likes
Reply
Highlighted
Michael Jones

‎08-01-2017 07:42 PM - edited ‎08-01-2017 07:42 PM

‎08-01-2017 07:42 PM - edited ‎08-01-2017 07:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

If you see Devices under the Manage page when you log into Windows Store for Business or EDU.

0 Likes
Reply
Related Conversations
Open Source Virtual Summit
 Jenn Jinhong in Community Events List on 02-26-2020
0 Replies
MCAS and logs collection
 Stephane KLOIS in Azure on 02-26-2020
0 Replies
Get the Intune enrolled devices synced into Azure Active Directory and show up as devices
 Ali Fadavinia in Microsoft Intune on 02-25-2020
5 Replies
Azure Backup Agent update notification
 timrosenbecker in Azure on 02-25-2020
0 Replies
What's the point of an update to Azure Data Lake WHEN IT NEVER INSTALLS??????????????????
 Rod Falanga in Localization Feedback on 02-24-2020
0 Replies
M365 E3 assigned to gbl Admin but no access to Azure computing
 Aluca12 in Azure Active Directory on 02-24-2020
4 Replies