🖥️ How to Stop Personal Laptops from Enrolling in Intune with Autopilot
If users buy laptops from places like Amazon and sign in with a work account, those devices might automatically try to enroll in Intune through Windows Autopilot. This can cause problems if the device isn’t company-owned or intended for management.
Here’s how to prevent it.
1. Block Personal Device Enrollment
To stop personally owned devices from enrolling in Intune:
- Go to Microsoft Intune admin center → Devices → Enrollment → Enrollment restrictions.
- Edit the Device type restriction or create a new one.
- Under Platform settings, set Personal devices to Block.
- Assign this restriction to All users or specific groups as needed.
This ensures only corporate-owned devices can enroll in Intune.
2. Restrict Azure AD Join Permissions
Next, limit who can join devices to Microsoft Entra ID (formerly Azure AD):
- Open Microsoft Entra admin center → Devices → Device settings.
- Under Users may join devices to Azure AD, select None or Selected users.
- Choose only admins or authorized users who should be allowed to join devices.
This prevents random users from joining personal laptops to your organization’s directory.
✅ Result
With both settings applied:
- Only approved users can Azure AD Join devices.
- Only company-owned devices can enroll in Intune.
- Personal laptops bought online stay unmanaged.
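To confirm both settings from a script instead of the portal, the following read-only PowerShell check queries Microsoft Graph; it is an added example, not part of the original post. It assumes the Microsoft.Graph.Authentication module is installed, and the scope names and Graph beta property names used (personalDeviceEnrollmentBlocked, azureADJoin.allowedToJoin) are assumptions to verify against your tenant.

```powershell
# Added audit example (not from the original post). Read-only.
# Assumptions: Microsoft.Graph.Authentication module; scope and property
# names follow the Microsoft Graph beta schema and may change.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All',
                        'Policy.Read.DeviceConfiguration'

$findings = @()

# 1. Intune enrollment restrictions: is personal Windows enrollment blocked?
$uri     = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
$configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
foreach ($cfg in $configs) {
    $win = $null
    switch ($cfg.'@odata.type') {
        # Default restriction object covering all platforms
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
            $win = $cfg.windowsRestriction
        }
        # Per-platform restriction object
        '#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration' {
            if ($cfg.platformType -eq 'windows') { $win = $cfg.platformRestriction }
        }
    }
    if ($null -eq $win) { continue }   # not a Windows device type restriction
    $findings += [pscustomobject]@{
        Setting = "Enrollment restriction '$($cfg.displayName)' (priority $($cfg.priority))"
        Value   = "personalDeviceEnrollmentBlocked=$($win.personalDeviceEnrollmentBlocked)"
        OK      = [bool]$win.personalDeviceEnrollmentBlocked
    }
}
if (-not $findings) { Write-Warning 'No Windows device type restriction was returned.' }

# 2. Entra device settings: who may join devices to the directory?
$policy   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy'
$joinType = $policy.azureADJoin.allowedToJoin.'@odata.type'
$findings += [pscustomobject]@{
    Setting = 'Users may join devices'
    Value   = $joinType
    # The "all" membership type means every user can still join a device
    OK      = $joinType -ne '#microsoft.graph.allDeviceRegistrationMembership'
}

$findings | Format-Table -AutoSize -Wrap
if ($findings.OK -contains $false) {
    Write-Warning 'At least one setting still allows personal devices to join or enroll.'
}
```

A restriction that shows OK = False only matters for the users it is assigned to, so check its priority and assignment before changing it.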

