Stop Personal PCs from Enrolling into Intune: The New Setting Explained
One of the most common (and frustrating) issues for an IT administrator is finding the Microsoft Intune inventory cluttered with employees' personal devices.
This usually happens because a user, while setting up Outlook or OneDrive on a home PC, clicks "Yes" on a system dialog without reading what it implies. In this article, we look at a new Intune setting that puts an end to this accidental enrollment scenario.
The Problem: Accidental MDM Enrollment
When a user adds a work or school account to a personal Windows device, Windows shows the "Stay signed in to all your apps" dialog with the box "Allow my organization to manage my device" already ticked. If the user clicks Yes (or OK) with that box ticked:
- The PC is registered in Microsoft Entra ID (Entra registered, also called workplace joined).
- If the user falls within the MDM user scope configured under Automatic Enrollment, the device is automatically enrolled in Intune (MDM).
- Corporate policies (e.g., mandatory BitLocker encryption, password rules) are applied to a private PC, often catching the user off guard.
This creates privacy concerns for the user and unnecessary "noise" in the corporate device inventory.
The Solution: Disable Automatic MDM Enrollment
Microsoft has introduced a specific toggle that blocks the MDM enrollment part of this flow while still allowing the account to be registered for app access (Entra registration).
How to Enable the Feature:
- Log in to the Microsoft Intune Admin Center.
- Navigate to Devices > Enrollment.
- Select Windows enrollment > Automatic Enrollment.
- Look for the new option "Disable MDM enrollment when adding work or school account on Windows".
- Set the toggle to Yes and click Save.
What Changes for the User?
With this policy active, the user experience changes significantly:
- The "Allow my organization to manage my device" option no longer appears when the account is added, so there is nothing to click through by mistake.
- The device still shows as "Registered" in Entra ID (so Conditional Access can still evaluate the device identity), but its MDM column stays at "None".
- In the PC settings (Accounts > Access work or school), the account still appears, but without the "Info" button that an MDM-enrolled device shows.
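To verify the end state on a client without clicking through Settings, the following PowerShell script (an added example, not part of the original article) checks both halves of that description: the account is workplace joined according to dsregcmd, and there is no Intune enrollment under the Enrollments registry key. Run it in an elevated session; the registry layout and the dsregcmd output field names are assumptions about current Windows builds, and the "MS DM Server" provider ID is the value Intune enrollments carry.

```powershell
# Added example: confirm "Entra registered, but not MDM enrolled" on a Windows PC.
# Assumptions: dsregcmd /status prints "WorkplaceJoined : YES" for a registered work
# account, and Intune enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>
# with ProviderID = "MS DM Server". Run elevated.

function Test-WorkplaceJoined {
    # The User State section of dsregcmd /status reports WorkplaceJoined : YES
    # when a work or school account is registered with Entra ID.
    $status = & dsregcmd.exe /status 2>&1
    return [bool]($status | Select-String -Pattern '^\s*WorkplaceJoined\s*:\s*YES' -Quiet)
}

function Get-MdmEnrollment {
    # Only GUID subkeys with a ProviderID are real enrollments; helper subkeys such as
    # Status, Ownership or ValidNodePaths have none and are skipped.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path -Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId   = $_.PSChildName
                ProviderID     = $props.ProviderID
                UPN            = $props.UPN
                EnrollmentType = $props.EnrollmentType
            }
        }
    }
}

$joined = Test-WorkplaceJoined
$intune = @(Get-MdmEnrollment | Where-Object { $_.ProviderID -eq 'MS DM Server' })

if ($joined -and $intune.Count -eq 0) {
    Write-Output 'Work account registered with Entra ID; no Intune MDM enrollment present.'
}
elseif ($intune.Count -gt 0) {
    Write-Output 'Device IS MDM enrolled:'
    $intune | Format-Table -AutoSize
}
else {
    Write-Output 'No work or school account registered on this device.'
}
```

If the script reports an enrollment on a PC that was set up after the toggle was switched on, the device did not come in through the "add account" path (for example it was enrolled explicitly from Settings or through a provisioning flow), so check its enrollment type before assuming the setting is not working.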
Why You Should Enable It Now
Unless your organization explicitly supports BYOD (Bring Your Own Device) scenarios with full Intune management of personal Windows PCs, there is no reason to let users enroll their private machines.
Key Benefits:
- Clean Inventory: Keep Intune focused on corporate-owned assets.
- Fewer Help Desk Tickets: Stop corporate policies (encryption, password rules, restrictions) from landing on personal hardware and generating support calls.
- Security: The Entra device record still exists, so Conditional Access can keep using device identity. Note that a registered-but-unmanaged PC is not "compliant", so policies that require a compliant device will continue to block it, which is usually the behavior you want for a personal machine.
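The toggle only affects new enrollments; personal PCs that slipped in before you switched it on stay in the inventory until you retire them. The following Microsoft Graph PowerShell script (an added example, not part of the original article) lists personally owned Windows devices already in Intune and flags the ones that have not synced recently, so you can clean up with a known list. It assumes the Microsoft.Graph.DeviceManagement module is installed and that the signed-in account has a role that can read managed devices; the 30-day staleness window and the CSV path are arbitrary choices.

```powershell
# Added example: audit personally owned Windows devices already enrolled in Intune.
# Assumptions: Microsoft.Graph.DeviceManagement module present; the account used has
# DeviceManagementManagedDevices.Read.All; the cut-off and output path are illustrative.

Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-PersonalWindowsDevice {
    param(
        # Devices whose last check-in is older than this are flagged as stale.
        [datetime]$InactiveSince = (Get-Date).AddDays(-30)
    )
    # Pull the full list and filter client-side: managedDeviceOwnerType is 'personal'
    # for BYOD-style enrollments and 'company' for corporate-identified devices.
    Get-MgDeviceManagementManagedDevice -All |
        Where-Object {
            $_.OperatingSystem -eq 'Windows' -and $_.ManagedDeviceOwnerType -eq 'personal'
        } |
        Select-Object Id, DeviceName, UserPrincipalName, Model, EnrolledDateTime, LastSyncDateTime,
            @{ Name = 'Stale'; Expression = { $_.LastSyncDateTime -lt $InactiveSince } }
}

$personal = @(Get-PersonalWindowsDevice)

Write-Output ("Personal Windows devices in Intune: {0} (stale: {1})" -f
    $personal.Count, @($personal | Where-Object Stale).Count)

$personal | Sort-Object LastSyncDateTime | Format-Table DeviceName, UserPrincipalName, Model,
    EnrolledDateTime, LastSyncDateTime, Stale -AutoSize

# Keep the list for the ticket before retiring anything.
$personal | Export-Csv -Path .\personal-windows-devices.csv -NoTypeInformation

# Retiring removes company data and the MDM enrollment but keeps the Entra registration
# (and the user's personal data) intact. Review the CSV first, then uncomment:
# $personal | Where-Object Stale | ForEach-Object {
#     Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $_.Id
# }
```

Retire rather than delete: a retire action removes Intune management and corporate data from the PC while leaving the user's Entra registration and personal files alone, which matches the end state the new toggle produces for devices added from now on.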