AAD Join
Allow user to AAD Join & InTune Enroll company devices only, not personal owned Win Pro/Ent device
I am trying to work out the best way of achieving the following restrictions:

- Allow staff user accounts to be able to AAD Join and InTune AutoEnroll company-owned devices
- Block staff from AAD Joining and AutoEnrolling personal devices

The obvious configuration for this is to set the staff user accounts group in AAD to be allowed to AAD Join, and in InTune allow them to Auto Enroll, whilst setting an Enrollment Restriction Policy for blocking personal devices. That is all good in theory, but the reality of that is that if a staff user has a personal device that has Windows Pro, Enterprise or Education installed, this configuration means they can still AAD Join and InTune AutoEnroll it. Is there a way to make certain only company-owned devices can be Joined/Enrolled?

The fact that most personal users will have Windows Home mitigates some of the risk, and we are planning to use AutoPilot registration as an additional way of controlling things, so we can design the InTune app and policy assignment groups so that they are populated only by devices with the HWID registered. If done correctly, even if they do enroll a personal device it won't receive any apps or policies anyway.

There is the setting to restrict users to only be able to enroll or AAD join 1 device that could be configured, but that doesn't stop them enrolling a personal device if they haven't enrolled a device already, plus it is a tenant-wide setting, so it removes flexibility for users that we might want to allow to enroll and join multiple devices.

I can't help but wonder if there is a simpler, more robust way of doing this? The ideal scenario for us is to simply be able to say: only devices with registered HWID can be enrolled. Am I missing something that enables this?

Thanks
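The post's fallback design (personal devices may still enroll, but only Autopilot-registered devices get apps and policies) leaves a visibility gap: nothing in that design tells an admin which enrolled devices slipped in without a registered hardware hash. The following PowerShell is an added example, not code from the original post or from Microsoft; it reconciles Intune-enrolled Windows devices against the Autopilot device list and reports the ones with no matching registration. The function name `Get-UnregisteredEnrolledDevice` is hypothetical, the sample device records are constructed, and the join key (serial number, which both the Intune managed device and the Autopilot identity expose) is an assumption that works for typical OEM hardware but not for devices that report a blank or duplicate serial.

```powershell
# Added example (not from the original post): find Intune-enrolled Windows devices
# that have no Autopilot registration, i.e. devices that enrolled without a
# registered hardware hash. The function works on plain objects so it can be
# exercised offline with the constructed sample data below; the commented block at
# the end shows how to feed it live results from the Microsoft.Graph PowerShell SDK.

function Get-UnregisteredEnrolledDevice {
    param(
        # Objects exposing SerialNumber, DeviceName, UserPrincipalName, ManagedDeviceOwnerType
        [Parameter(Mandatory)] [object[]] $ManagedDevices,
        # Objects exposing SerialNumber (and optionally GroupTag)
        [Parameter(Mandatory)] [object[]] $AutopilotDevices
    )

    # Index Autopilot identities by normalised serial number (assumed join key).
    $registered = @{}
    foreach ($ap in $AutopilotDevices) {
        if (-not [string]::IsNullOrWhiteSpace($ap.SerialNumber)) {
            $registered[$ap.SerialNumber.Trim().ToUpperInvariant()] = $ap
        }
    }

    foreach ($dev in $ManagedDevices) {
        $serial = if ([string]::IsNullOrWhiteSpace($dev.SerialNumber)) { '' }
                  else { $dev.SerialNumber.Trim().ToUpperInvariant() }

        # A blank serial can never match, so it is reported with its own reason
        # rather than silently treated as "registered" or dropped.
        if ($serial -eq '' -or -not $registered.ContainsKey($serial)) {
            [pscustomobject]@{
                DeviceName        = $dev.DeviceName
                SerialNumber      = $dev.SerialNumber
                UserPrincipalName = $dev.UserPrincipalName
                OwnerType         = $dev.ManagedDeviceOwnerType
                Reason            = if ($serial -eq '') { 'No serial number reported' }
                                    else { 'Serial not registered in Autopilot' }
            }
        }
    }
}

# --- Constructed sample data standing in for Graph results ---
$sampleManaged = @(
    [pscustomobject]@{ DeviceName = 'LT-0001';      SerialNumber = 'ABC123'; UserPrincipalName = 'alice@contoso.example'; ManagedDeviceOwnerType = 'company' },
    [pscustomobject]@{ DeviceName = 'DESKTOP-HOME'; SerialNumber = 'XYZ999'; UserPrincipalName = 'bob@contoso.example';   ManagedDeviceOwnerType = 'company' },
    [pscustomobject]@{ DeviceName = 'VM-TEST';      SerialNumber = '';       UserPrincipalName = 'carol@contoso.example'; ManagedDeviceOwnerType = 'company' }
)
$sampleAutopilot = @(
    # Case differs from the managed record on purpose; normalisation must still match it.
    [pscustomobject]@{ SerialNumber = 'abc123'; GroupTag = 'Staff' }
)

# Expected: LT-0001 is registered and omitted; DESKTOP-HOME and VM-TEST are reported.
Get-UnregisteredEnrolledDevice -ManagedDevices $sampleManaged -AutopilotDevices $sampleAutopilot |
    Format-Table -AutoSize

# Live use with the Microsoft.Graph SDK (read-only scopes):
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','DeviceManagementServiceConfig.Read.All'
#   $managed   = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'"
#   $autopilot = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
#   Get-UnregisteredEnrolledDevice -ManagedDevices $managed -AutopilotDevices $autopilot
```

Note that a device enrolled by a user on Windows Pro shows up in Intune with an owner type of "company" even though it is personally owned, which is exactly the gap the post describes; the Autopilot reconciliation, not the owner-type field, is what separates the two. Running this on a schedule and reviewing (or retiring) the reported devices closes the loop on the "even if they enroll, they get nothing" design.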