Understanding enrollment restrictions for Windows devices

This week is a follow-up to last week’s post, which focused on understanding corporate identifiers for Windows devices: a method to identify specific devices as corporate Windows devices, which is especially useful in combination with Windows Autopilot device preparation. This post builds on those corporate identifiers by focusing on enrollment restrictions for Windows devices. Enrollment restrictions for Windows devices can be used to restrict devices from enrolling in Microsoft Intune. Until now, the main differentiators were the ownership and the OS version of the devices, but that has changed as well. With the assignment of device enrollment restrictions for Windows devices, it’s now also possible to use specific filters. Those filters provide more granularity in determining which Windows devices are allowed to enroll, including the ability to filter on specific manufacturers or device models. This post goes through the steps for using filters with enrollment restrictions for Windows devices, followed by the resulting experience.

Note: Keep in mind that not every filter property can be used for enrollment restrictions.

Configuring enrollment restrictions for Windows devices

When looking at configuring enrollment restrictions for Windows devices, it’s important to keep in mind that the configuration basically consists of two steps: first creating the filter for specific Windows devices, and second creating the configuration of the enrollment restriction itself. The created filter selects devices based on specific properties, and the created enrollment restriction determines the behavior for those devices. Together that provides more flexibility in determining which devices can enroll.

Creating filter for specific Windows devices

So, the first step is creating a filter for specific Windows devices. That filter can then be used to more granularly determine which devices are allowed to enroll. Before creating that filter, however, it’s important to understand that enrollment restrictions support fewer filter properties than other policies. That is mainly because the devices aren’t enrolled at that point, so not all information is available to support all those properties. The table below provides an overview of the supported properties. 

Property | Description
Manufacturer | Property used for filtering on the manufacturer of the device. This property is only available for Windows 11, version 22H2 and later with KB5035942.
Model | Property used for filtering on the model of the device. This property is only available for Windows 11, version 22H2 and later with KB5035942.
OS version | Property used for filtering on the OS version of the device.
Operating system SKU | Property used for filtering on the operating system SKU of the device.
Ownership | Property used for filtering on the ownership of the device.
Enrollment profile name | Property used for filtering on the enrollment profile name of the device.

After becoming familiar with the properties that are supported with enrollment restrictions, it’s time to look at creating a filter specifically for those enrollment restrictions. That filter can only be used as an include on the enrollment restriction, which is important to keep in mind. The following five steps walk through the process of creating such a filter for non-corporate VMs.

Note: Keep in mind that something similar can also be used to filter on specific models and manufacturers.

  1. Open the Microsoft Intune admin center and navigate to Devices > Filters
  2. On the Devices | Filters page, click Create > Managed devices
  3. On the Basics page, provide a unique name and description and click Next
  4. On the Rules page, as shown below in Figure 1, add lines for the different property rules that should be part of the filter and click Next
  5. On the Review + create page, review the configuration and click Create

Note: Keep in mind to only use properties that are supported by enrollment restrictions for Windows devices.

Creating enrollment restrictions for Windows devices

After configuring the specific filter for the required scenario, it’s time to look at using the created filter with enrollment restrictions for Windows devices. That enrollment restriction can only use the filter as an include, which is important to keep in mind. The following seven steps walk through the process of creating such an enrollment restriction.

  1. Open the Microsoft Intune admin center and navigate to Devices > Enrollment > Windows > Device platform restrictions
  2. On the Enrollment restrictions page, click Create restriction
  3. On the Basics page, provide a unique name and description and click Next
  4. On the Platform settings page, configure the platform restriction configurations for the filtered devices and click Next
  5. On the Scope tags page, configure the required scope tags and click Next
  6. On the Assignments page, as shown below in Figure 2, add the configured filter as an include on the created assignment and click Next
  7. On the Review + create page, review the configuration and click Create

Note: Keep in mind that only include filters can be used with enrollment restrictions for Windows devices.
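The two-step logic described above (a filter that selects devices, and a restriction that decides the behavior for the selected devices) can be previewed before anything is assigned. The following Python is an added example, not code from the original post or from Microsoft: it parses an Intune-style filter rule, rejects any property that is not in the list supported by enrollment restrictions, and evaluates the rule against constructed sample devices to show which of them an include filter would select and whether the platform restriction would then block them. The rule-syntax property names (device.manufacturer, device.model, device.deviceOwnership, and so on) and the ownership values "Personal"/"Corporate" are assumptions of this example, and "and"/"or" are evaluated left to right as a simplification.

```python
import re
from typing import Callable

# Properties the post lists as supported by enrollment restrictions for
# Windows devices, keyed by the (assumed) name used in filter rule syntax.
SUPPORTED_PROPERTIES = {
    "manufacturer": "Manufacturer",
    "model": "Model",
    "osVersion": "OS version",
    "operatingSystemSKU": "Operating system SKU",
    "deviceOwnership": "Ownership",
    "enrollmentProfileName": "Enrollment profile name",
}

# Comparison operators handled by this example (case-insensitive, like the portal).
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "-eq": lambda actual, expected: actual.lower() == expected.lower(),
    "-ne": lambda actual, expected: actual.lower() != expected.lower(),
    "-startsWith": lambda actual, expected: actual.lower().startswith(expected.lower()),
    "-contains": lambda actual, expected: expected.lower() in actual.lower(),
}

# One parenthesised clause: (device.<property> <operator> "<value>")
CLAUSE = re.compile(r'\(\s*device\.(\w+)\s+(-\w+)\s+"([^"]*)"\s*\)')


def parse_rule(rule: str) -> list:
    """Parse a flat rule of parenthesised clauses joined by 'and'/'or'.

    Returns [clause, connective, clause, ...] where a clause is the tuple
    (property, operator, value). Raises ValueError for a property that
    enrollment restrictions do not support, an unhandled operator, or
    malformed syntax, so a bad rule is caught before it is created in Intune.
    """
    tokens: list = []
    pos = 0
    while True:
        m = CLAUSE.match(rule, pos)
        if not m:
            raise ValueError(f"expected a clause at offset {pos}: {rule[pos:pos + 30]!r}")
        prop, op, value = m.groups()
        if prop not in SUPPORTED_PROPERTIES:
            raise ValueError(f"device.{prop} is not supported by enrollment restrictions")
        if op not in OPERATORS:
            raise ValueError(f"operator {op} is not handled by this example")
        tokens.append((prop, op, value))
        pos = m.end()
        conn = re.match(r"\s*(and|or)\s+", rule[pos:])
        if conn is None:
            if rule[pos:].strip():
                raise ValueError(f"unexpected text at offset {pos}: {rule[pos:]!r}")
            return tokens
        tokens.append(conn.group(1))
        pos += conn.end()


def matches(tokens: list, device: dict) -> bool:
    """Evaluate a parsed rule against a device record, left to right.
    A property missing from the record compares as an empty string."""
    result = None
    pending = None
    for tok in tokens:
        if tok in ("and", "or"):
            pending = tok
            continue
        prop, op, value = tok
        clause = OPERATORS[op](str(device.get(prop, "")), value)
        if result is None:
            result = clause
        elif pending == "and":
            result = result and clause
        else:
            result = result or clause
    return bool(result)


def enrollment_decision(rule: str, platform_blocked: bool, device: dict) -> str:
    """Include filter + platform restriction: the filter picks the devices,
    the restriction's platform setting decides whether they may enroll.
    Devices outside the filter are not in scope of this restriction."""
    if not matches(parse_rule(rule), device):
        return "not in scope"
    return "blocked (80180032)" if platform_blocked else "allowed"


# Constructed sample devices (not real inventory), in rule-syntax property names.
SAMPLE_DEVICES = {
    "hyperv-personal": {"manufacturer": "Microsoft Corporation", "model": "Virtual Machine", "deviceOwnership": "Personal"},
    "hyperv-corporate": {"manufacturer": "Microsoft Corporation", "model": "Virtual Machine", "deviceOwnership": "Corporate"},
    "laptop-personal": {"manufacturer": "Contoso Ltd", "model": "Laptop 42", "deviceOwnership": "Personal"},
}

# Assumed rule for the post's non-corporate VM scenario.
NON_CORPORATE_VM_RULE = (
    '(device.manufacturer -eq "Microsoft Corporation") and '
    '(device.model -eq "Virtual Machine") and '
    '(device.deviceOwnership -eq "Personal")'
)


def preview(rule: str = NON_CORPORATE_VM_RULE, platform_blocked: bool = True) -> dict[str, str]:
    """Decision per sample device for the given filter rule and platform setting."""
    return {name: enrollment_decision(rule, platform_blocked, dev) for name, dev in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decision in preview().items():
        print(f"{name:18} -> {decision}")
```

Running the block shows only the personal Hyper-V VM landing on the blocked outcome; the corporate VM and the physical laptop fall outside the filter, so this restriction does not apply to them. Swapping a clause for an unsupported property such as device.deviceName makes parse_rule raise, which mirrors the note above about only using supported properties.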

Experiencing enrollment restrictions for Windows devices

When the configuration of the enrollment restrictions for Windows devices is in place, it’s time to look at the experience. From a user perspective that experience is pretty straightforward. Simply go through the out-of-box experience and try to enroll the, in this case, unregistered VM in Hyper-V. That directly produces error code 80180032, as shown below in Figure 3, which indicates that the platform is blocked by enrollment restrictions.

The other place that provides an overview of that experience is the Enrollment failures report. That report, as shown below in Figure 4, provides an easy overview of the enrollment failures. Simply select the line of the specific device and it clearly shows the status that the enrollment failed due to the device platform being blocked.

More information

For more information about enrollment restrictions for Windows devices, refer to the following docs.
