Microsoft Intune Enrollment Restriction Update

Since the arrival of Microsoft Intune Enrollment Restrictions, I have been waiting for a way to have more granular control of the restrictions. We have been forced to have the same setting for all users and with no exceptions at all. I have a lot of customers who wants to block the common user from enrolling personal iOS devices or even Windows 10 MDM as the company are not ready for it at the moment. 
Finally customers now have the opportunity to have different settings for different groups of users. Let us go through this with a normal scenario today. Most users at the company uses iOS or Android personal devices and a onpremises Doman Joined Windows 10 device and they want to block users from starting to enroll Windows 10 devices into Intune. At the same time the want to do a test/pilot of Modern Windows 10 management. They are also looking at allowing a few users to start using MacOS devices with Intune. Lets quickly go through how this can be done with this new feature in Intune

Step 1: Configure the Default policy to block MacOS and Windows 10 MDM Enrollment

Go to Intune Blade – Device Enrollment and Enrollment restrictions. Click on Default policy under Device Type Restriction:

If you take a look at properties and so on for this policy, you will see that it is not possible to change assignment for this policy, it is the default policy assigned to All Users.

Now we go into Platforms and choose to block MacOS and Windows 10 MDM Enrollment.


We also have the option to require minimum and maximum OS versions, this page is dynamic so ti will only show enabled platforms at this time.

Step 2: Create 2 new Enrollment Restriction Policies to allow either Windows 10 MDM or MacOS Enrollment

Now lets go and create a new Device Type restriction

We need to give it a Name, Description and choose type:

As we can see now moving to Configure platforms we have all platforms available for further restrictions on version and/or personally owned. After we have created this policy it needs to be assigned to a user group.

Step 3: Assign to User Groups

After your policy is created  you will need to assign this users.

The UI will tell you your policy is not assigned to any users and you will need to assign this to a group in Azure AD.

Now your allowed users are ready to enroll the new platform. If you have more than one custom restriction policy, there is a priority list on which policy gets applied first. This can be changed by just dragging one policy to to top. We cannot change the default policy, it is always applied to all users with the lowest priority.

By using priorites we could also just stop using the Default Policy and create a new All Users policy with more description on what is does, right now it is quite hard to see from a UI perspective that the Default is to block Windows 10 and MacOS.

Thanks for reading, the official documentation on this feature should be here:


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.