Catch 22 with unenrolled devices with conditional access

Chris Templeton 1 Reputation point
2021-02-12T12:48:13.79+00:00

We have a mixture of corporate and BYOD Windows devices in our environment. Initially we didn't have any kind of "WIP" policy in place, so that any BYOD device wouldn't have been stopped from being able to take data away etc. So we have created an "unenrolled" CA which picks up if a device is enrolled or not, and if not, access is denied unless they do the whole add work account element.

The problem now is that the corporate Windows devices won't finish the Autopilot setup because the Unenrolled CA policy stops it from continuing. Essentially a catch-22, as I need it to enroll [in AAD/Intune] to become a corporate device!

I surely can't be the first person to come across this issue and wondered what I can do?

Tags: Windows Autopilot, Microsoft Intune Enrollment, Microsoft Entra ID

1 answer

  1. Pa_D 1,071 Reputation points
    2021-02-12T18:38:47.807+00:00

    I came across this scenario. You have to take a different approach to this.

    Instead of using CA to blatantly block unmanaged devices, do this.

    1) Devices > Enrollment Restrictions > Device Type Restrictions > Properties > for Windows, block personally owned
    2) Now, you have already exported the hardware hash for Windows. Because of this, Intune treats all your Autopilot devices as "Corporate".

    2 people found this answer helpful.
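One way to audit the setting from step 1 of the answer, added here as an example that is not part of the original thread: the script reads device type restriction policies in the shape Microsoft Graph v1.0 returns from `GET /deviceManagement/deviceEnrollmentConfigurations` and reports, per policy, whether personally owned Windows enrollment is blocked. The response below is constructed sample data, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like a Graph v1.0 response for
# GET /deviceManagement/deviceEnrollmentConfigurations (all values are made up).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "All users and all devices (constructed)", "priority": 0,
   "windowsRestriction": {"platformBlocked": false,
                          "personalDeviceEnrollmentBlocked": false}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
   "displayName": "Corp Windows only (constructed)", "priority": 1,
   "windowsRestriction": {"platformBlocked": false,
                          "personalDeviceEnrollmentBlocked": true}},
  {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
   "displayName": "Device limit (constructed)", "priority": 0, "limit": 5}
]}
""")

RESTRICTION_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"


def audit_windows_byod(response):
    """Return (name, priority, state) for each device type restriction policy."""
    findings = []
    for cfg in response.get("value", []):
        if cfg.get("@odata.type") != RESTRICTION_TYPE:
            continue  # skip enrollment limits and other configuration types
        win = cfg.get("windowsRestriction") or {}
        if win.get("platformBlocked"):
            state = "windows-blocked"  # blocks all Windows enrollment, corporate included
        elif win.get("personalDeviceEnrollmentBlocked"):
            state = "byod-blocked"     # the setting the answer recommends
        else:
            state = "byod-allowed"     # personal Windows devices can still enroll
        findings.append((cfg.get("displayName"), cfg.get("priority"), state))
    return findings


def policies_allowing_byod(response):
    """Names of restriction policies that still allow personal Windows enrollment."""
    return [n for n, _, state in audit_windows_byod(response) if state == "byod-allowed"]


if __name__ == "__main__":
    for name, priority, state in audit_windows_byod(SAMPLE_RESPONSE):
        print(f"{priority:>3}  {state:<16} {name}")
```

Which policy applies to a given user depends on its assignment and priority, so a `byod-allowed` result is a prompt to check who that policy is assigned to.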