Intune goes beyond merely provisioning and safeguarding mobile devices, such as iOS or Android phones; it also possesses the capacity to manage Windows operating systems. This is critical in the remote workforce environment, which necessitates the ability to secure remote devices that users will use as their main workstation. My recommendation is for organizations to exclusively distribute and manage Windows devices through corporate enrollment.
Nevertheless, each company may adopt its own approach. The following sections will outline methods for provisioning personal Windows devices seeking access to company resources.
Goal: Enroll a personal windows devices to access company resources.
Prerequisites
- The device must have Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions)
- Create Security Groups (assigned)
- Configure Compliance Policy
- Automatic Enrollment Setup
- Windows Hello For Business (Optional)
- Configure Notification (optional)
Create Security Groups (assigned)
Once the license are in place, create security groups in Entra (Azure AD), assign E3/E5 license to those groups. I recommend assigning license based on USER and not devices. Below are the following groups created for this lab.
Assigned group (Assigned groups requires IT Admin to manually add users):
Windows_MAM_Scope-BYOD – (Users here can enroll personal windows devices)
Compliance Policy (Custom Policy, Default policy and Notifications)
Review Default compliance policy:
For any device enrolling under a MDM, it must meet a security baseline requirement and has to be secured in order to access company data. Note that there is Default Device compliance policy in place that Intune applies to all devices regardless of whether a compliance policy is created or not. This default policy is a base minimum so we must create an additional custom policy to enforce to all devices.
Has compliance Policy assigned- The setting is tied to "Mark device with no compliance policy assigned as" - Not compliant so it checks if there is a custom compliance policy assigned to device. If it finds one, state is green. Is active - relies on the default 30 days grace validity period. The device must check into Intune within 30 days, check in refresh every 8 hours. Check in depends if devices has internet connection and not whether the primary user is logged in or not. For shared devices with multiple users, the device just have to connect to internet. Enrolled User exists- Checks if the primary user exist with a valid license for the enrolled device. For shared devices or devices enrolled under a DEM (Device Enrollment Manager), I suggest changing the primary user. I do not recommend deleting any users from Entra ID (Azure AD).
Creating a custom policy:
Navigate to Intune admin center > Endpoint Security > Device Compliance > compliance policy setting > toggle “Not Compliant”
This will mark all devices with no manually assigned compliance policy as not compliant. So we must create an compliance policy for every type of OS, which is highly recommended.
Compliance status validity period– The device must check into Intune within 30 days, check in refresh every 8 hours. After 30 days past and there is no active sync, device is marked non-compliant. This is tied to “Is Active” setting under default device compliancy policy.
Navigate back to Policies > Create policy > edit the properties to meet company requirement.
My compliance policy for personal device is to require OS to be at least 20H1 and password needs to be in place. There are additional requirements like firewall must be on, Bitlocker encryption and defender risk score level that can be customized as well. However, I will leave those for corporate device enrollment.
The assigned user group will be Windows_MAM_Scope-BYOD
If device is not compliant, user will get an email and push notification and the device will be marked non-compliant. (IT Admin can put a grace period of days that settings can be fixed to become compliant. The default value is 0, which immediately marks the device as non-compliant if restrictions are not met)
Actions for noncompliance - Each device compliance policy includes one or more actions for noncompliance. These actions are rules that get applied to devices that don’t meet the conditions you set in the policy. Examples of actions include: • Sending email alerts to users and groups with details about the noncompliant device. You might configure the policy to send an email immediately upon being marked as noncompliant, and then again, periodically, until the device becomes compliant. • Remotely lock devices that have been noncompliant for some time. • Retire devices after they’ve been noncompliant for some time. This action marks a qualifying device as ready to be retired. An admin can then view a list of devices marked for retirement and must take an explicit action to retire one or more devices. Retiring a device removes the device from Intune management and removes all company data from the device.
Compliance policy Notifications: (*Optional- Email user if device is non-compliant)
Create a notification message template
To send email to your users, create a notification message template. When a device is noncompliant, the details you enter in the template is shown in the email sent to your users.
- In the Intune admin center, select Devices > Compliance policies > Notifications > Create notification.
- Enter the following information for the Basics step:
- Name: Contoso Admin
- Email header – Include company logo: Set to Enabled to show your organization’s logo.
- Email footer – Include company name: Set to Enabled to show your organization’s name.
- Email footer – Include contact information: Set to Enabled to show your organization’s contact information.
- Company Portal Website Link: Set to Disabled.
Automatic Enrollment Setup
Configure the personal windows device enrollment by navigating to:
Devices > windows enrollment > Automatic enrollment > MAM user scope > select some > target Windows_MAM_Scope-BYOD group.
Why MAM user scope?
(Mobile Application Management) is used for BYOD devices which applies policies that targets the user account. The device is NOT enrolled under Intune MDM but shows as Azure AD registered that has access to the following features:
- SSO to cloud resources
- Conditional Access when enrolled into Intune
- Conditional Access via App protection policy
An Azure AD registered device has limited restrictions in which the organization does not gain access to your personal files, nor can they deploy any applications. However, they do have control over corporate or work profile-related applications and policies as part of the MAM user scope.
*When MAM scope is enabled, this overrides MDM scope if its set to all.
MAM is the option for users who don’t want to enroll their personal devices, but still wanted to use organization resources / apps such as Office 365, teams etc.
MDM user scope applies to target the device and have it enrolled into Intune, giving IT Admin powerful tools like device wipe. This type of feature is risky if a personal device gets enrolled into Intune.
The reason why MDM and MAM user scope is both toggled to [Some] is because the lab will test both BYOD and COBO deployment for specific group of users. (The MDM user scope targets the COBO group)
If the organization only requires windows devices to be corporate owned or personal device enrolled into Intune, enabling MDM for ALL and set MAM user scope to NONE should suffice.
If company requires only personal device that does not need to enroll into Intune, toggle all for MAM and none for MDM should be fine.
MAM user scope: When set to Some or All, the organization account on the device is managed by Intune. Devices are "registered" in Azure AD. Devices aren't "joined" to Azure AD, and aren't managed by Intune. This option is designed for BYOD or personal devices. For example: • If you want to manage the organization account on the device, then choose Some or All. • If you don't want to manage the organization account on the device, then choose None. • If you want to only manage the device, then choose None, and configure the MDM user scope. • If you want to manage the device and manage the organization account on the device, then choose Some or All, and configure the MDM user scope.
MAM/MDM Precedence:
Enrollment
For this lab, I will not be fully managing personal devices and they will not get enrolled into Intune. I believe it’s best to only join fully manage corporate devices in Intune. Personal devices will only require registration in Azure AD to facilitate the deployment of assigned policies for that specific group, thus the guide will not “join” the personal device to azure.
With User enrollment, you can "register" the devices with Azure AD or "join" the devices in Azure AD: Register: When you register devices in Azure AD, the devices show as personal in the Intune admin center. Users get access to organization resources, such as email. This option is common for BYOD or personal devices. (Proceed to sign in with company email address under access work or school for BYOD) Azure registered-(can sign in with Local account) • SSO to cloud resources • Conditional Access when enrolled into Intune • Conditional Access via App protection policy • Enables Phone sign in with Microsoft Authenticator app
Join: When you join devices in Azure AD, the devices are fully managed by Intune, and will receive any policies you create. This option is common for organization-owned devices. If users want their personal devices fully managed by Intune (and their organization IT), then they can join their personal devices.(Select the Join this device to AAD to have it fully managed for COBO) Azure AD Join- (must sign in with domain account) • SSO to both cloud and on-premises resources • Conditional Access through MDM enrollment and MDM compliance evaluation • Self-service Password Reset and Windows Hello PIN reset on lock screen • Requiring storage to be encrypted • Password complexity • Software installation • Software updates
For user enrollment with MAM approach:
Navigate to the Settings > Accounts > Access school or work feature on the devices. I will opt to select connect > sign in with my work email. This will push any conditional access policy, app protection policy, MFA sign in to that personal device. That will suffice as far as personal device enrollment goes.
**DO NOT SELECT JOIN THIS DEVICE TO AZURE AD (Unless Admin wants to fully manage it under Intune)
Verify on Entra ID (Azure AD):
Since it is not managed by Intune, there is no option to restart, retire, wipe or lock the device.
Windows Hello For Business (Optional)
I suggest disabling windows hello for business if it’s not being used since users will keep getting prompt to set it up if its enabled.
Windows enrollment > windows hello for business > Toggle disabled.
Configure General notification (Optional)
Configure email and push notifications to be sent to users after they enroll. Notifications improve security by notifying users if someone enrolls a device with their credentials. IT admins can also use enrollment notifications to send users a welcome email or onboarding information following enrollment.
Navigate to Intune admin center > devices > Windows > Window enrollment > Enrollment notifications
Under Windows Notification > create new notification
Configure depending on organization needs. For example, I have it configure to send email notification on devices enrolled and the target is all users.
Notes:
**Devices with workplace join (Azure AD registered) are treated as personal device.
**Under Intune panel- check device restriction if windows device are allowed to join.
**If a user has both Company and personal device, it is possible to have them in the same group as MAM and MDM, but MAM user scope will take over. If that’s the case, click [join this device to AAD for corp device under access work or school account setting]. Don’t recommend putting users in both MAM and MDM group.
**Azure registered – BYOD / Azure Join- for company device COBO
Source:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows
https://learn.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers
https://osddeployment.dk/2020/05/09/valid-windows-operating-system-builds-in-compliance-policy/
https://www.manishbangia.com/mdm-user-scope-vs-mam-user-scope/
https://allthingscloud.blog/configuring-intune-mdm-user-scope-and-mam-user-scope/
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
Steven's Event Log 