cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Home

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

%3CLINGO-SUB%20id%3D%22lingo-sub-89452%22%20slang%3D%22en-US%22%3ESurface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89452%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%3CP%3EMy%20company%20just%20purchased%20some%20EMS%20licenses%20with%20the%20intention%20on%20deploying%20some%20Surface%20Pro%20devices%20to%20our%20mobile%20workforce.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20these%20are%20joined%20to%20Azure%20AD%20using%20a%20Device%20Enrollment%20Manager%20account%20-%20do%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fintune-classic%2Fdeploy-use%2Fenroll-corporate-owned-devices-with-the-device-enrollment-manager-in-microsoft-intune%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ethese%20limitations%3C%2FA%3E%26nbsp%3Bstill%20apply%3F%20%26nbsp%3BHaving%20no%20specific%20device%20user%3F%20%26nbsp%3BNot%20being%20able%20to%20to%20use%20per-user%20conditional%20access%20policies%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20I%20understand%20this%20with%20an%20iOS%20device%20--%20because%20it%20only%20has%201%20user%20-%20but%20with%20a%20windows%20device%2C%20the%20user%20authenticates%20with%20their%20Azure%20AD%20credentials%2C%20I%20would%20hope%20that%20user%20specific%20configuration%20would%20be%20able%20to%20apply%20to%20the%20device%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20input%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3Esb%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-89452%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EConditional%20Access%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92374%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92374%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20see%20Devices%20under%20the%20Manage%20page%20when%20you%20log%20into%20Windows%20Store%20for%20Business%20or%20EDU.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92362%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92362%22%20slang%3D%22en-US%22%3EThank%20you.%20I%20would%20like%20to%20look%20into%20this.%20How%20do%20I%20know%20if%20it%20is%20available%20in%20my%20tenant%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92348%22%20slang%3D%22en-US%22%3ERE%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3Bamp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92348%22%20slang%3D%22en-US%22%3EI%20agree%20with%20Per%20Larsen.%20Windows%20AutoPilot%20is%20the%20way%20to%20go%20in%20the%20long-term.%20It%20is%20fairly%20new%20and%20not%20all%20tenants%20may%20have%20it%20enabled%20at%20this%20time.%20Your%20tenant%20might%20be%20ready%2C%20so%20visit%20the%20link%20below%20for%20more%20info.%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-10-auto-pilot%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-92219%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-92219%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20was%20you%20I%20will%20try%20out%20Windows%20AutoPilot%20instead%20of%20DEM%20account.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20Reregards%3C%2FP%3E%3CP%3EPer%20Larsen%3C%2FP%3E%3CP%3EMVP%20-%20Enterprise%20Mobility%3C%2FP%3E%3CP%3EBlog%3A%20%3CA%20href%3D%22https%3A%2F%2Fosddeployment.dk%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fosddeployment.dk%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-89764%22%20slang%3D%22en-US%22%3ERe%3A%20Surface%20Pro%2C%20EMS%2C%20Azure%20AD%20Join%20%26amp%3B%20Device%20Enrollment%20Managers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-89764%22%20slang%3D%22en-US%22%3EFor%20Windows%201703%2C%20you%20can%20enroll%20those%20devices%20with%20a%20DEM%20account.%20Conditional%20access%20will%20work%20with%20a%20nonDEM%20account%20once%20the%20account%20logs%20in.%3C%2FLINGO-BODY%3E
Stephen Bell
Stephen Bell
Contributor

‎07-23-2017 05:02 PM

‎07-23-2017 05:02 PM

Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hello all,

My company just purchased some EMS licenses with the intention on deploying some Surface Pro devices to our mobile workforce.  

 

If these are joined to Azure AD using a Device Enrollment Manager account - do these limitations still apply?  Having no specific device user?  Not being able to to use per-user conditional access policies?

 

I guess I understand this with an iOS device -- because it only has 1 user - but with a windows device, the user authenticates with their Azure AD credentials, I would hope that user specific configuration would be able to apply to the device?

 

Any input would be appreciated.

 

Thanks

sb

841 Views
0 Likes
5 Replies
Reply
5 Replies
Michael Jones

‎07-24-2017 04:32 PM

‎07-24-2017 04:32 PM

Solution

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

For Windows 1703, you can enroll those devices with a DEM account. Conditional access will work with a nonDEM account once the account logs in.
Best Response confirmed by Stephen Bell (Contributor)
1 Like
Reply
Per Larsen

‎08-01-2017 11:24 AM

‎08-01-2017 11:24 AM

Re: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Hi

 

 

If I was you I will try out Windows AutoPilot instead of DEM account.

 

Kind Reregards

Per Larsen

MVP - Enterprise Mobility

Blog: https://osddeployment.dk

0 Likes
Reply
Michael Jones

‎08-01-2017 05:11 PM

‎08-01-2017 05:11 PM

RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

I agree with Per Larsen. Windows AutoPilot is the way to go in the long-term. It is fairly new and not all tenants may have it enabled at this time. Your tenant might be ready, so visit the link below for more info. https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot
0 Likes
Reply
Stephen Bell

‎08-01-2017 06:42 PM

‎08-01-2017 06:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

Thank you. I would like to look into this. How do I know if it is available in my tenant?
0 Likes
Reply
Michael Jones

‎08-01-2017 07:42 PM - edited ‎08-01-2017 07:42 PM

‎08-01-2017 07:42 PM - edited ‎08-01-2017 07:42 PM

Re: RE: Surface Pro, EMS, Azure AD Join & Device Enrollment Managers

If you see Devices under the Manage page when you log into Windows Store for Business or EDU.

0 Likes
Reply
Related Conversations
Microsoft Teams Syncronization between desktop and mobile
 Ibrahim Bou Ncoula in Microsoft Teams on 01-07-2018
20 Replies
Calendar not available for older AD accounts
 _jancis in Microsoft Teams on 01-15-2020
0 Replies
Question regarding Azure AD license
 Marcos95 in Azure Active Directory on 12-28-2019
7 Replies
Android device password not applying in Kiosk mode
 Noel Fairclough in Microsoft Intune on 11-29-2018
8 Replies
Creating dynamic groups with custom attribute
 Johan Pauly in Azure Active Directory on 07-04-2019
9 Replies
We use ADFS for SSO, can we use Azure conditional access policies for apps other than Office365?
 brentmattson in Azure Active Directory on 03-21-2019
3 Replies