Asked by ChrisTempleton-3647; answered by PaD-7009

Catch 22 with unenrolled devices with conditional access

We have a mixture of corporate and BYOD Windows devices in our environment. Initially we didn't have any kind of "WIP" policy in place, so a BYOD device wouldn't have been stopped from taking data away etc. So we created an "unenrolled" CA policy that picks up whether a device is enrolled or not; if it is not, access is denied unless the user does the whole "add work account" step.

The problem now is that the corporate Windows devices won't finish the Autopilot setup, because the Unenrolled CA policy stops it from continuing. Essentially a catch-22, as I need it to enroll [in AAD/Intune] to become a corporate device!

I surely can't be the first person to come across this issue, and wondered what I can do?

Tags: mem-intune-enrollment, azure-ad-conditional-access, mem-autopilot, mem-intune-conditional-access

1 Answer

PaD-7009 answered (2 votes):

I came across this scenario. You have to take a different approach to this.

Instead of using CA to blatantly block unmanaged devices, do this:

1) Devices > Enrollment Restrictions > Device Type Restrictions > Properties > for Windows, block personally owned.
2) You have already exported the hardware hashes for Windows. Because of this, Intune treats all your Autopilot devices as "Corporate".
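To check that a tenant is actually in the state the two steps above describe, here is an added audit script (not from the original thread or from Microsoft) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.DeviceManagement.Enrollment module; the cmdlet names, the `windowsRestriction` / `personalDeviceEnrollmentBlocked` property names and the listed Autopilot identity fields are taken from the Graph schema as I know it and should be verified against your SDK version.

```powershell
# Added example: audit the two settings the answer relies on.
# Read-only scope is enough; nothing here changes tenant configuration.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"

# 1) Enrollment Restrictions > Device Type Restrictions:
#    is enrollment of personally owned Windows devices blocked?
#    Platform-restriction settings live in the typed subclass, which the SDK
#    surfaces through AdditionalProperties (assumed SDK behaviour).
$restrictions = Get-MgDeviceManagementDeviceEnrollmentConfiguration -All |
    Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    }

$report = foreach ($cfg in $restrictions) {
    $win = $cfg.AdditionalProperties['windowsRestriction']
    if ($null -eq $win) { continue }   # policy has no Windows section
    [pscustomobject]@{
        Policy                 = $cfg.DisplayName
        Priority               = $cfg.Priority          # 0 = default policy
        WindowsPlatformBlocked = [bool]$win['platformBlocked']
        PersonalWindowsBlocked = [bool]$win['personalDeviceEnrollmentBlocked']
    }
}
$report | Sort-Object Priority | Format-Table -AutoSize

# Flag any restriction policy that still lets personally owned Windows enroll,
# since that is the gap the original CA "block unenrolled" policy was papering over.
$report | Where-Object { -not $_.PersonalWindowsBlocked } | ForEach-Object {
    Write-Warning ("Policy '{0}' (priority {1}) allows personal Windows enrollment" -f
        $_.Policy, $_.Priority)
}

# 2) Hardware hashes already uploaded: every identity registered here is treated
#    as corporate, so a device missing from this list will hit the personal block
#    during OOBE instead of completing Autopilot.
#    (Per-device export is done separately with the Get-WindowsAutopilotInfo script,
#    e.g. Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv, then uploaded in Intune.)
$autopilot = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
"{0} Autopilot device identities registered" -f @($autopilot).Count
$autopilot |
    Select-Object SerialNumber, Manufacturer, Model, GroupTag, EnrollmentState |
    Format-Table -AutoSize
```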
