Microsoft Intune

Windows enrollment restrictions

It seems some days become worthy of a blog post, if only due to the coincidental collision of research and customer questions.  Today is one of those days.  I started off the day looking at the behavior of a Windows enrollment restriction that can be configured in Intune to block the enrollment of personal devices (those that aren’t registered with Autopilot, aren’t set up using a provisioning package, etc.).  That can be configured like so:

image

Once you do that, you can try to “Add a work account” to a Windows 10 device (assuming you’ve configured automatic MDM enrollment in Azure AD):

image

Click to “Connect”, then type in your e-mail address (UPN):

image

Then your password:

image

And you’ll see an error:

image

That’s one of the better MDM enrollment errors, as it gives you an error code and a reasonable text explanation.

Now let’s try a different restriction: only allowing certain Windows 10 versions.  In this case, I specified that only version 10.0.19042.0 to version 10.0.19042.0 would be accepted – basically, only a version that I wasn’t using (I was using 19041, a.k.a. Windows 10 2004).  If you go through the same process as above, you’ll see a less friendly error at the end:

clip_image002

Same error code, different dialog.  Go figure.  At least you can look in the event log (DeviceManagement-Enterprise-Diagnostics-Provider) to see the detailed message that Intune provided back to the client:

clip_image002[5]

Very clear.  But there is one detail that’s worth calling out:  My device was running version 10.0.19041.261.  See what the event above says?  It says 10.0.19041.0.  So, that means that the patch level of the OS isn’t being provided, so it’s not possible to create an enrollment restriction that looks for a minimum patch level.  (You can use Conditional Access for things like that, post-enrollment.)

A general suggestion:  Any time you see an error code that starts with “8018” (meaning “MDM”), check that event log to see what details were provided by Intune, beyond just the error code.  The reason text is often useful.

Categories: Microsoft Intune

7 replies »

  1. I have seen this error also when you are Azure AD joining a device rather that just AAD Registering, hence it would turn into a “Corporate” device. But with the restriction set to disallow personal devices, the AAD Join is also blocked. Shouldn’t it be possible to do that?

    Like

    • We are working on the Home SKU restriction. Interestingly, filtering based on platform (x86, x64, ARM) isn’t possible because that info isn’t provided by Windows to Intune.

      Like

      • well, if a user is targeted by both MDM and MAM scope, then his/her personal devices will be targeted by app protection policies (if any) and not MDM enrolled, even without an enrollment restriction, isn’t it?

        Like