New Windows corporate device identifier feature with Microsoft Intune: Everything you need to know (2024)

By: Madison Holdaas, Sr. Product Manager | Microsoft Intune

How identifying corporate devices has worked in Microsoft Intune

As an administrator, you want to make sure that only authorized and compliant devices can access your organization's resources and data. To do that, you need to identify which devices are corporate-owned and which are personal. However, this isn’t always easy, especially when you have a large and diverse fleet of devices running different operating systems and platforms.

Today, Intune has a variety of methods to identify a device as “corporate” on the Windows platform. If a device hasn’t enrolled using one of our true corporate methods, we do our best to determine an unknown device’s ownership from how the user enrolled it. For instance, if a user automatically enrolls by registering the device to Microsoft Entra through Windows settings, then we determine that device to be corporate. If a user automatically enrolls by adding a work account from Windows settings instead, then the device is marked personal by Intune.

How enrollment restrictions have worked when blocking personal devices

One way to prevent personal or unknown devices from enrolling in your tenant is to use enrollment restrictions. Enrollment restrictions are policies that you can create and assign to groups of users or devices to control who can enroll which devices and how many. You can create two types of enrollment restrictions: device type restrictions and device limit restrictions.

Device type enrollment restrictions allow you to block or allow specific types of devices from enrolling, such as Windows, iOS, Android, or macOS. You can also block or allow for specific configurations, such as blocking personally owned or unknown devices. The setting to block personally owned devices prevents the following from being enrolled, even though they are assumed corporate by Intune when allowed to enroll:

  • Automatic MDM enrollment with Microsoft Entra join during Windows setup
  • Automatic MDM enrollment with Microsoft Entra join from Windows Settings
  • Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices

New corporate device identifiers for Windows

The new Windows corporate identifier feature is a solution that can help you identify and manage your corporate Windows devices more easily and securely. The feature allows you to upload a CSV file with the serial number, manufacturer, and model of your known Windows devices to your tenant. This marks the devices as corporate in the Microsoft Intune admin center and applies the appropriate policies and settings to them once they enroll into your tenant. Note that the feature only works for Windows 11, version 22H2 and later with KB5035942 (OS Builds 22621.3374 and 22631.3374) or newer.

Important: Enrollment device type restrictions are only editable by the Intune Service Administrator or Global Administrator. Corporate device identifiers have their own permission that must be assigned. Since these permissions are not the same, confirm that any existing enrollment restrictions will not be impacted before uploading a corporate device identifier.

To use the new feature, follow these steps:

  1. Create a CSV file with the serial number, manufacturer, and model of your corporate Windows devices. You can use any tool or method to generate the CSV file, as long as it follows the format and requirements specified in the documentation.
  2. In the Intune admin center, upload the CSV file to your tenant. You can find the upload option under Devices > Windows > Corporate identifiers. You can upload up to 5,000 devices or 5MB in a CSV. If you need to upload more, we recommend using PowerShell and interacting with the Microsoft Graph API directly.
  3. Verify that the upload was successful and that the devices are marked as corporate in the Intune admin center. You can view the status and details of the upload under Devices > Windows > Corporate identifiers. You can also view the device ownership and other properties of the devices under Devices > All devices.
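As an added example (not the article's own tooling or anything Microsoft ships), the PowerShell below builds the identifier CSV from a constructed inventory, refuses rows whose firmware values are placeholders rather than a real identity, and splits the output at the 5,000-device / 5 MB limit quoted in step 2. The column order Manufacturer,Model,SerialNumber and the absence of a header row are assumptions; check the documented CSV format before uploading.

```powershell
# Constructed sample inventory; in practice build it from your asset system or from
# Get-CimInstance Win32_ComputerSystem (Manufacturer, Model) and Win32_BIOS (SerialNumber).
$inventory = @(
    [pscustomobject]@{ Manufacturer = 'Dell Inc.'; Model = 'Latitude 5540'; Serial = 'ABC1234' }
    [pscustomobject]@{ Manufacturer = 'Microsoft'; Model = 'Virtual Machine'; Serial = '0000-0001-2345-6789' }
    [pscustomobject]@{ Manufacturer = 'To be filled by O.E.M.'; Model = 'To be filled by O.E.M.'; Serial = 'Default string' }
)

# Values some firmware leaves in place of a real identity; an identifier built from them
# is not unique and would match unrelated machines, so it is refused here.
$placeholders = 'Default string', 'To be filled by O.E.M.', 'System Serial Number', 'None', ''

function Test-IdentifierUsable {
    param([pscustomobject]$Device)
    foreach ($v in @([string]$Device.Manufacturer, [string]$Device.Model, [string]$Device.Serial)) {
        if ($placeholders -contains $v.Trim()) { return $false }
        if ($v -match ',') { return $false }   # a comma would break the three-column row
    }
    return $true
}

function Write-Chunk {
    param([string[]]$Lines, [int]$Index)
    $path = Join-Path $PWD ('corporate-identifiers-{0:D3}.csv' -f $Index)
    # Header-less, UTF-8 without BOM (assumed format); adjust if the documentation differs.
    [System.IO.File]::WriteAllLines($path, $Lines, [System.Text.UTF8Encoding]::new($false))
    Write-Host "Wrote $($Lines.Count) identifiers to $path"
}

$usable = foreach ($d in $inventory) {
    if (Test-IdentifierUsable $d) { $d }
    else { Write-Warning "Skipping ambiguous identifier: $($d.Manufacturer),$($d.Model),$($d.Serial)" }
}

# Limits stated in the article: at most 5,000 devices or 5 MB per CSV upload.
$maxRows = 5000; $maxBytes = 5MB
$chunk = [System.Collections.Generic.List[string]]::new(); $chunkBytes = 0; $part = 1
foreach ($d in $usable) {
    $line = '{0},{1},{2}' -f $d.Manufacturer.Trim(), $d.Model.Trim(), $d.Serial.Trim()
    $lineBytes = [System.Text.Encoding]::UTF8.GetByteCount($line) + 1   # +1 for the newline
    if ($chunk.Count -ge $maxRows -or ($chunkBytes + $lineBytes) -gt $maxBytes) {
        Write-Chunk -Lines $chunk.ToArray() -Index $part; $part++; $chunk.Clear(); $chunkBytes = 0
    }
    $chunk.Add($line); $chunkBytes += $lineBytes
}
if ($chunk.Count -gt 0) { Write-Chunk -Lines $chunk.ToArray() -Index $part }
```

Each numbered file stays within one upload; the skipped row in the sample shows why a virtual or unbranded machine needs a real serial before it can be identified this way.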

[Screen capture: adding a corporate identifier in the Intune admin center.]

Some enrollment methods will always be considered corporate enrollment because we trust devices enrolling through these methods are known devices. Once an admin has uploaded a single Windows corporate identifier, the way we define Corporate and Personal changes to the following:

Windows enrollment type | Without corporate identifiers | With corporate identifiers
--- | --- | ---
The device enrolls through Windows Autopilot | Corporate | Corporate
The device enrolls through GPO, or automatic enrollment from Configuration Manager for co-management | Corporate | Corporate
The device enrolls through a bulk provisioning package | Corporate | Corporate
The enrolling user is using a device enrollment manager account | Corporate | Corporate
The device enrolls through Azure Virtual Desktop (non-hybrid) | Corporate | Corporate
Automatic MDM enrollment with Microsoft Entra join during Windows setup (including new Autopilot device preparation profiles) | Corporate, but blocked by Personal enrollment restriction | Personal
Automatic MDM enrollment with Microsoft Entra join from Windows Settings | Corporate, but blocked by Personal enrollment restriction | Personal
Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices | Corporate, but blocked by Personal enrollment restriction | Personal
Automatic MDM enrollment with Add Work Account from Windows Settings | Personal | Personal
MDM enrollment only option from Windows Settings | Personal | Personal
Enrollment using the Intune Company Portal app | Personal | Personal
Enrollment via a Microsoft 365 app, which occurs when users select the Allow my organization to manage my device option during app sign-in | Personal | Personal

Admins who want to keep using the existing enrollment method logic to determine corporate versus personal (i.e. the “Without corporate identifiers” column) can simply delete all Windows corporate identifiers, and ownership goes back to behaving as it previously did in Intune.
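Because the table above changes how Entra-join automatic enrollments are classified once the first identifier exists, an admin will want to know which already-enrolled devices use those enrollment methods and are not covered by the CSV. The script below is an added example, not part of the article: it reads managed Windows devices through Microsoft Graph and lists those in the rows that change whose manufacturer/model/serial triple is absent from the identifier file. The Microsoft.Graph SDK cmdlets and the managedDevice properties used are real; which deviceEnrollmentType values correspond to the table rows, and the CSV layout, are this example's assumptions.

```powershell
# Requires the Microsoft.Graph PowerShell SDK and a role that can read managed devices.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# Enrollment types assumed to match the table rows that flip to Personal (assumption).
$flipsToPersonal = 'windowsAzureADJoin', 'windowsAzureADJoinUsingDeviceAuth'

# Identifiers you intend to upload (assumed header-less Manufacturer,Model,SerialNumber CSV).
$known = Import-Csv -Path '.\corporate-identifiers-001.csv' -Header Manufacturer, Model, Serial |
    ForEach-Object { '{0}|{1}|{2}' -f $_.Manufacturer.Trim(), $_.Model.Trim(), $_.Serial.Trim() }

# Page through every managed Windows device, selecting only the fields needed for the check.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$filter=operatingSystem eq 'Windows'" +
       "&`$select=deviceName,serialNumber,manufacturer,model,managedDeviceOwnerType,deviceEnrollmentType"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# A device is "uncovered" when its enrollment method is in a row that changes and its
# hardware triple is not in the file; those are the ones to add before uploading.
$uncovered = foreach ($d in $devices) {
    $key = '{0}|{1}|{2}' -f $d.manufacturer, $d.model, $d.serialNumber
    if ($d.deviceEnrollmentType -in $flipsToPersonal -and $known -notcontains $key) {
        [pscustomobject]@{
            Device     = $d.deviceName
            Owner      = $d.managedDeviceOwnerType
            Enrollment = $d.deviceEnrollmentType
            Identifier = $key
        }
    }
}
"$($devices.Count) Windows devices read; $(@($uncovered).Count) not covered by the identifier file."
$uncovered | Sort-Object Enrollment, Device | Format-Table -AutoSize
```

The article does not state whether devices already enrolled are reclassified after an upload, so treat the list as a coverage check for the identifier file rather than a prediction of ownership changes.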

New enrollment restriction experience using model and manufacturer device properties in filters

The new Windows corporate identifier feature also enables a new enrollment restriction experience that allows you to use the model and manufacturer device properties in filters to block devices from enrolling more granularly. You can block specific models or manufacturers of Windows devices from enrolling, such as Manufacturer = Microsoft or Model = VM. Note that model and manufacturer properties only work for Windows 11 version 22H2 and above at enrollment time.

To use the new enrollment restriction experience, navigate to the Intune admin center and follow these steps:

  1. Create a device filter with the model and manufacturer device properties. You can find the device filter option under Devices > Filters. You can create up to 100 device filters per tenant, and each device filter can have up to 10 conditions.
  2. Create an enrollment restriction policy with the device filter. You can find the enrollment restriction option under Devices > Enrollment > Device platform restrictions. You can assign the device filter to your enrollment restriction policy in the Assignments tab.
  3. Assign the enrollment restriction policy to a group of users. You can assign the policy to any group that you have created or synced in your tenant, such as security groups or dynamic groups. You can also assign the policy to the default group, which applies to all users in your tenant. Remember that enrollment restrictions are user based, so they don’t apply to user-less enrollments.

[Screen capture: creating a filter in the Intune admin center, using model and manufacturer device properties.]

Note that since the model and manufacturer properties only work for Windows 11 version 22H2 and above, we recommend also including the null values of manufacturer and model in the filter so that unsupported versions are still addressed.

Note: Windows 10 will be supported starting July 9th; devices will need to be updated to KB5039299.

With this new feature, you can easily distinguish between corporate and personal devices and apply different enrollment policies accordingly. Additionally, you can leverage the model and manufacturer device properties to create more granular filters to block unwanted devices from enrolling.

If you have any questions or feedback, leave a comment below or reach out to us on X @IntuneSuppTeam.


FAQs

How does Intune identify devices?

Intune reads and records one IMEI per enrolled device. If you import an IMEI that's different from the one already in Intune, Intune will mark the device as personal. If you import multiple IMEI numbers for the same device, the identifiers that haven't been inventoried appear with an unknown enrollment status.

Which 3 features does Microsoft Intune support?

Microsoft Intune is a safe and secure cloud-based solution that gives IT administrators control over mobile devices, apps, and data. Intune offers multiple security features like device management, application management, data protection, and conditional access for your organization's devices and information.

What is the unique device ID in Intune?

Hardware device details (excerpt):
  • UDID: the device's Unique Device identifier.
  • Intune Device ID: a GUID that uniquely identifies the device.
  • Serial number: the device's serial number from the manufacturer.
  • Shared device: if Yes, the device is shared by more than one user.

How to add corporate device identifiers?

You can find the upload option under Devices > Windows > Corporate identifiers. You can upload up to 5,000 devices or 5MB in a CSV. If you need to upload more, we recommend using PowerShell and interacting with the Microsoft Graph API directly.

Can MDM see browsing history?

Without the user's approval, the MDM software is not allowed to collect information. Furthermore, it's unable to gain permission secretly, because the MDM software must comply with app developer policies. Take Android and Apple for instance.

Can Intune company portal wipe my phone?

Microsoft Intune, a robust mobile device management (MDM) solution, offers an array of features, including the ability to perform remote device wipes.

What is the difference between personal and corporate devices in Intune?

Corporate-owned devices

Microsoft Intune offers more granular settings and policies for devices classified as corporate-owned or organization-owned. There are more password settings available for corporate-owned devices. So, you can enforce stricter password requirements.

How to tell if a device is managed by Intune?

To check if your computer is managed by Intune, go to myaccount.microsoft.com and click on Devices. Click on your device name and look for "Device is managed by Intune." This means that your computer is neither joined to Azure AD nor registered in Azure AD as a personal device.

How many devices can a user have in Intune?

Configure Intune device limit restrictions to limit the number of devices a user can enroll in Microsoft Intune. You can allow a user to enroll up to 15 devices.

How does Intune determine ownership?

Some Android and iOS/iPadOS devices have multiple IMEI numbers. Intune only reads one IMEI number per enrolled device. If you import an IMEI number but it is not the IMEI inventoried by Intune, the device is classified as a personal device instead of a corporate-owned device.

What needs to happen before you can begin managing a device with Intune?

All aspects of Microsoft Intune device management begin with the same step: device enrollment. The enrollment process requires Intune to install a mobile device management (MDM) certificate on the device that allows Intune to communicate with it directly.

What do device identifiers do?

Device identifiers let Google know which unique device you are using to access our services, which can be used to customise our service to your device or analyse any device issues related to our services. You may be able to view the Android devices you are using here: www.google.com/android/find/.

How does Intune communicate with devices?

Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more.

How do devices check in with Intune?

When you target a device or user with an action, Intune immediately notifies the device to check in to receive these updates. For example, a notification happens when a lock, passcode reset, app, or policy assignment action runs.

How does Microsoft Find My Device work?

Find your Windows device

Go to https://account.microsoft.com/devices and sign in. Select the Find My Device tab. Choose the device you want to find, and then select Find to see a map showing your device's location.

Can Intune detect whether a device is jailbroken?

Intune can enforce compliance policies such as detection of jailbroken devices, weak passwords, unwanted applications, and operating systems that have not been updated.
