Question

ToddAnderson-1015 asked:

Prevent users from Joining personal computers to Azure Active Directory but still allow User-Driven Autopilot

My company allows users to register personal computers with our AAD. We also provide corporate computers and use user-driven Autopilot to provision them. The challenge we found is that, since users are admins on their personal computers, they have the ability to join a personal computer to AAD from Settings > Accounts > Access Work or School > Connect, using the "Join to AAD" link. When they join the device, it is considered company owned by default, and when it auto-enrolls to Intune it receives all the corporate device-assigned apps and policies, etc.

We would like to prevent users from joining to AAD and only allow them to register personal devices, but without breaking the ability to use user-driven Autopilot. We tried restricting the "Allow users to join AAD" setting to only IT support, but this breaks user-driven Autopilot.

The only way that I can currently think of to achieve this is to use Autopilot for pre-provisioned deployment, and then disallow the main user base from joining devices to AAD, but we don't want to do this for general provisioning.

Anyone know of some secret sauce to achieve this?

Tags: mem-autopilot, azure-ad-device-management

Feels like there should be a setting that restricts how devices can be joined by users. Like only during Autopilot for instance.

0 Votes

BenOwens-4675 replied to ToddAnderson-1015:

Any success in finding a way to achieve this?

The way I currently see it....

To allow Autopilot user-driven mode, the "Users may join devices to Azure AD" setting needs to be set to 'All', or at least to the people you want to allow to complete Autopilot user-driven deployments.

You can set up enrolment restrictions to stop personal devices being enrolled. That would only allow enrolment of devices listed in Corporate Device Identifiers in Intune, devices registered and enrolled via Autopilot, or enrolment via Hybrid Azure AD Join.

However, that leaves a gap where a user could Azure AD join a device but not enrol it in Intune. You could have conditional access policies in place to require that devices are compliant to access resources; that plugs a security gap. But apart from that, I imagine a periodic administrative task would be required to cross-reference Autopilot-registered serial numbers against Azure AD joined device serial numbers. The serial numbers which are not registered in Autopilot would suggest they're personal devices joined to Azure AD and should be removed from Azure AD. Not exactly seamless. Anybody have a different suggestion?

0 Votes
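The periodic cross-reference suggested in the comment above, written out as an added example (this is not code from the thread or from Microsoft). It assumes the Microsoft.Graph PowerShell SDK: Autopilot registrations come from Get-MgDeviceManagementWindowsAutopilotDeviceIdentity, Azure AD device objects from Get-MgDevice, and a device counts as Autopilot-registered if either its Azure AD device ID matches a registration's AzureActiveDirectoryDeviceId or its physicalIds carry a [ZTDID] entry. Only full joins (trustType AzureAd) are flagged, so Azure AD registered BYOD devices (trustType Workplace), which the original poster wants to keep allowing, are left alone. The sample objects at the bottom are constructed so the function can be tried offline; the live Graph calls are shown commented out.

```powershell
# Added example: find Azure AD joined devices that have no Autopilot registration.
# Assumes the Microsoft.Graph PowerShell SDK for the live calls (commented out below).

function Find-NonAutopilotAadJoin {
    param(
        # Objects with SerialNumber and AzureActiveDirectoryDeviceId, as returned by
        # Get-MgDeviceManagementWindowsAutopilotDeviceIdentity
        [Parameter(Mandatory)] [object[]] $AutopilotDevices,
        # Objects with DeviceId, DisplayName, TrustType and PhysicalIds, as returned by Get-MgDevice
        [Parameter(Mandatory)] [object[]] $AadDevices
    )

    # Index Autopilot registrations by the Azure AD device ID bound to them (empty until the
    # device has been through OOBE, so the [ZTDID] physicalId check below is the fallback).
    $known = @{}
    foreach ($ap in $AutopilotDevices) {
        if ($ap.AzureActiveDirectoryDeviceId) {
            $known[$ap.AzureActiveDirectoryDeviceId] = $ap.SerialNumber
        }
    }

    # 'AzureAd' = Azure AD joined; 'Workplace' = Azure AD registered (BYOD), which stays allowed.
    foreach ($dev in ($AadDevices | Where-Object { $_.TrustType -eq 'AzureAd' })) {
        $byId  = $known.ContainsKey($dev.DeviceId)
        # Autopilot-registered devices carry a "[ZTDID]:<guid>" entry in physicalIds.
        # Use -match, not -like: square brackets are wildcard classes for -like.
        $byZtd = @($dev.PhysicalIds | Where-Object { $_ -match '^\[ZTDID\]:' }).Count -gt 0
        if (-not ($byId -or $byZtd)) {
            [pscustomobject]@{
                DisplayName = $dev.DisplayName
                DeviceId    = $dev.DeviceId
                Reason      = 'Azure AD joined but no Autopilot registration found'
            }
        }
    }
}

# Live use (needs Connect-MgGraph with DeviceManagementServiceConfig.Read.All and Device.Read.All):
# $ap  = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All
# $aad = Get-MgDevice -All -Property DeviceId,DisplayName,TrustType,PhysicalIds
# Find-NonAutopilotAadJoin -AutopilotDevices $ap -AadDevices $aad

# Constructed sample data standing in for the Graph results (hypothetical IDs and names).
$sampleAutopilot = @(
    [pscustomobject]@{ SerialNumber = 'CORP001'; AzureActiveDirectoryDeviceId = '11111111-1111-1111-1111-111111111111' }
)
$sampleAad = @(
    [pscustomobject]@{ DeviceId = '11111111-1111-1111-1111-111111111111'; DisplayName = 'CORP-LAPTOP-01'; TrustType = 'AzureAd';   PhysicalIds = @('[ZTDID]:aaaaaaaa-0000-0000-0000-000000000001') }
    [pscustomobject]@{ DeviceId = '22222222-2222-2222-2222-222222222222'; DisplayName = 'HOME-PC';        TrustType = 'AzureAd';   PhysicalIds = @() }
    [pscustomobject]@{ DeviceId = '33333333-3333-3333-3333-333333333333'; DisplayName = 'BYOD-SURFACE';   TrustType = 'Workplace'; PhysicalIds = @() }
)

# With the sample data only HOME-PC is reported: joined, but neither bound to a registration nor tagged with a ZTDID.
Find-NonAutopilotAadJoin -AutopilotDevices $sampleAutopilot -AadDevices $sampleAad | Format-Table -AutoSize
```

Anything this reports is a candidate for removal from Azure AD (Remove-MgDevice), but review the list by hand first: a corporate device whose hardware hash was never uploaded would show up the same way as a personal one.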

If you have auto-enrollment enabled, any attempt to join a PC to Azure AD will fail if personal devices are denied enrolment, as it seems to combine the AADJ with the enrolment. When it gets to enrolment it fails, and therefore also seems to fail the AADJ.
Seemed to be sufficient for me.

1 Vote

MrSbaa answered:

There are several ways to do this, but imo I would suggest using enrollment restrictions if you don't want users to enroll personal devices in Intune.

https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set


Thanks for the response. Enrollment restrictions only apply to Intune enrollment, correct? If a user manually joins a personal device to AAD, it is treated as a company device, and enrollment restrictions would not recognize it as a personal device, as far as I understand and have seen. We actually don't want to restrict enrollment into Intune but restrict the join of personal devices to AAD.

1 Vote

MrSbaa replied to ToddAnderson-1015:

We use a group to restrict the AAD join so that only Autopilot users can join their device in AAD.

0 Votes

Well this would be great. What do you apply to the group to restrict the join to only Autopilot?

0 Votes

This option is close; however, all of the Autopilot users still have the ability to register their personal computers to Azure AD, correct?

0 Votes

@ToddAnderson-1015
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

0 Votes

@JamesTran-MSFT
Nothing going yet. I was reminded today about this issue when someone accidentally joined their new personal computer to our AAD, enrolled it into Intune, and it auto-registered into our Autopilot. Then, when the user tried to reset it and set it back up, she no longer had the option to choose Personal since it's in our Autopilot. The user had to call our help desk and the issue eventually got escalated and the Autopilot registration removed, etc. It doesn't happen often, but it is not great that we can't prevent it.

It really seems we need another option/setting to restrict users from joining a device to AAD unless it is during the Autopilot process.

1 Vote

BenOwens-4675 replied to ToddAnderson-1015:

Could you confirm the settings you have in place for this?

I have revisited this in the lab and have the Enrolment Device Restriction set to disable enrolment of 'Personal' devices. With that in place, on a BYOD Windows device, I cannot get a device to join using AADJ only via Access Work and School, or using the main Connect option in Access Work and School. In both cases it fails.

However, when I upload the hardware hash of the BYOD to autopilot registered devices, the joining of the BYOD devices works; that's because it's now registered as an autopilot device and recognised as corporate.

What are your Enrolment Device Restrictions settings in Intune set to for Windows devices?

0 Votes

SimonPayne-7376 answered:

Did this ever get solved?
I too would like users to use Autopilot but block them from joining personal devices to AAD.

SimonPayne-7376 answered:

I can see the restriction does not apply to Autopilot in self-deployment mode, but we wish to use user-driven mode.

[attached screenshot: image.png]

Yeah, can confirm this does break user-driven Autopilot.

0 Votes