Disable MDM enrollment for School or Work account

19/03/2026

This is a feature many have been waiting for. For years, it was necessary to guide users step by step to prevent them from accidentally enrolling their personal devices into Intune when adding a work or school account. This was mainly due to the well-known dialog where the wrong option was often selected. Now this is changing. With this new feature, the experience is much smoother—read on to learn how it works:


Intune Automatic Enrollment

Before we dive into this new feature, which is in Public Preview, it's good to understand where the struggle lies for personal devices. When using Intune, we can make use of the Automatic Enrollment option in the MDM user scope. This is great because devices that are added to Entra-ID are also enrolled into Intune, so they become managed devices. This flow is automated. We can find this setting in Intune:

From the Intune Portal:

Devices > Enrollment > Automatic Enrollment

For Automatic enrollment we need to change this setting to Some or All. But there was a caveat with this setting.

Automatic Enrollment user scope

Sign in form and Manage Device Question

So devices that are added to Entra-ID are enrolled in Intune, which is great. But over time it is possible that personal, non-corporate devices were also enrolled. This causes problems and our device fleet becomes messy. It had to do especially with installing the Microsoft Office suite on non-corporate devices. After installing, we need to activate Office, or we just want to use Teams, for example, with our organization credentials on a non-corporate Windows device. When a user installs this suite, they get the famous dialog for adding a Work or School account in order to sign in.

Sign-in Form

Most users will select 'Yes'; this option is also selected by default. However, 'Yes' is not the correct answer. By selecting 'Yes', they are shown another dialog box asking whether this device may be managed. Here too, 'Yes' is the most common answer, but it is incorrect. The result is that the device is added to Entra-ID and, when automatic enrollment is enabled, is managed by Intune.

Allow manage dialog

The Solution

Now we have the option to disable the second question when a user is prompted to sign in for apps on the device. Enable this feature (currently in Public Preview) in your Automatic Enrollment settings in Intune to prevent MDM enrollment of non-corporate devices.

From the Intune Portal:

Devices > Enrollment > Automatic Enrollment

Enable the option "Disable MDM enrollment when adding work or school account on Windows".

When this option is enabled, the user will still get the first dialog, but when they select Yes, the second dialog asking to manage the device is not shown. A much better flow, resulting in fewer personal devices onboarded by mistake.

Sign-in Form

The device is still onboarded in Entra-ID and the account is added on the device, but the device isn't managed in Intune, and we still have the automatic enrollment option enabled for our own devices.

Entra-ID Devices
Work or School account

Recap

With the option to disable MDM enrollment when adding our Work or School account on Windows, we have a better flow for our users, and this will result in fewer non-corporate devices being onboarded. Keep in mind that if you want to block personal devices, you still need to create an Enrollment Device Platform restriction for this.
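
To see which personal devices were already enrolled through the old dialog flow, the following PowerShell is an added example and not part of the original post. It assumes such devices appear in Intune with owner type `personal` and enrollment type `windowsAutoEnrollment` (property names from the Microsoft Graph `managedDevice` resource); the function name and the sample devices are constructed for illustration.

```powershell
# Added example. Property names follow the Microsoft Graph managedDevice
# resource; Get-AccidentalEnrollmentCandidate is a hypothetical helper name.
function Get-AccidentalEnrollmentCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Device
    )
    process {
        # Assumption: a personal Windows device enrolled via "Add work or school
        # account" is recorded as owner type 'personal' with enrollment type
        # 'windowsAutoEnrollment'. Corporate Entra-joined devices are skipped.
        if ($Device.OperatingSystem -eq 'Windows' -and
            "$($Device.ManagedDeviceOwnerType)" -eq 'personal' -and
            "$($Device.DeviceEnrollmentType)" -eq 'windowsAutoEnrollment') {
            [pscustomobject]@{
                DeviceName        = $Device.DeviceName
                UserPrincipalName = $Device.UserPrincipalName
                EnrolledDateTime  = $Device.EnrolledDateTime
                AzureAdDeviceId   = $Device.AzureAdDeviceId
            }
        }
    }
}

# Constructed sample devices so the filter can be tried without a tenant.
$sample = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-HOME01'; UserPrincipalName = 'user1@contoso.example'
        OperatingSystem = 'Windows'; ManagedDeviceOwnerType = 'personal'
        DeviceEnrollmentType = 'windowsAutoEnrollment'; EnrolledDateTime = [datetime]'2026-01-12'
        AzureAdDeviceId = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ DeviceName = 'CORP-PC-042'; UserPrincipalName = 'user2@contoso.example'
        OperatingSystem = 'Windows'; ManagedDeviceOwnerType = 'company'
        DeviceEnrollmentType = 'windowsAzureADJoin'; EnrolledDateTime = [datetime]'2025-11-03'
        AzureAdDeviceId = '00000000-0000-0000-0000-000000000002' }
    [pscustomobject]@{ DeviceName = 'PHONE-USER3'; UserPrincipalName = 'user3@contoso.example'
        OperatingSystem = 'iOS'; ManagedDeviceOwnerType = 'personal'
        DeviceEnrollmentType = 'userEnrollment'; EnrolledDateTime = [datetime]'2025-09-20'
        AzureAdDeviceId = '00000000-0000-0000-0000-000000000003' }
)
$sample | Get-AccidentalEnrollmentCandidate | Sort-Object EnrolledDateTime | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph.DeviceManagement module):
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
# Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
#     Get-AccidentalEnrollmentCandidate | Sort-Object EnrolledDateTime
```

Running the same query again some weeks after enabling the new option shows whether new personal enrollments have stopped appearing.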