A common problem with Intune enrolment is that, once you enable user enrolment, nothing by default stops your users from enrolling any device into your environment. You can of course prevent unauthorised or non-compliant devices from accessing resources using Conditional Access, but this doesn't prevent them from enrolling in the first place.
In this tutorial, I am going to show you how you can use device filters to prevent Windows Home devices and other Windows versions from enrolling into Intune.
Prerequisites
To complete the tasks in this tutorial, you need to have the Intune administrator role assigned to your admin user. You can also create custom role assignments to limit the tasks your admin users can perform, see: How to create custom Intune role assignments.
You should also ensure all your users have an Intune license assigned; the following license SKUs include Microsoft Intune:
- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3
- Intune for Education
Create a device filter to target Windows Home
A device filter is a rule or set of rules that applies to devices within Intune. Filters can be used when assigning policies, apps and profiles to dynamically target a device based on a specific attribute. Depending on the logic you apply when creating policies, you can either include or exclude devices based on your filter; there are various supported platforms and properties.
Supported platforms
The following platforms are supported when creating a device filter:
- Windows 10 and later
- iOS/iPadOS
- Android device administrator
- macOS
- Android Enterprise
Supported device properties
There are various supported properties you can target when creating a device filter; these include:
- Device name (deviceName)
- Manufacturer (manufacturer)
- Model (model)
- Device category (deviceCategory)
- OS version (osVersion)
- Ownership (deviceOwnership)
- Enrollment profile name (enrollmentProfileName)
- Operating system SKU (operatingSystemSKU)
Create a device filter that targets Windows Home
Let's walk through how to create a device filter that targets Windows Home devices.
1. Start by logging into Microsoft Intune at https://endpoint.microsoft.com/ or https://intune.microsoft.com/
2. Select Tenant administration from the left-hand menu.
3. Select Filters.
4. Click Create to launch the new filter creation wizard.
5. Start by entering a meaningful name for the filter and selecting the platform type Windows 10 and later, then click Next.
6. On the rules tab, select the following options:
- Property: OperatingSystemSKU
- Operator: Contains
- Value: Core
This will create the following rule syntax to target all devices where the operating system SKU includes the word Core (equivalent to Home): (device.operatingSystemSKU -contains "Core")
If you are unsure of the specific SKU of your device, you can run the following command in PowerShell to output the SKU ID:
Get-WmiObject -Class Win32_OperatingSystem | Select-Object OperatingSystemSKU
Your output will look similar to the below and provide you with a numeric value:
Once you have the value of your operating system, use the below table to lookup which version of Windows you are running and what the supported value is to include in your rule.
| Supported value | OS SKU definition |
|---|---|
BusinessN | Windows 10/11 Professional N (49) |
CloudEdition | CloudEdition (Windows 11 SE) (203) |
CloudEditionN | CloudEditionN (Windows 11 SE N) (202) |
Core | Windows 10/11 Home (10/111) |
CoreCountrySpecific | Windows 10/11 Home China (99) |
CoreN | Windows 10/11 Home N (98) |
CoreSingleLanguage | Windows 10/11 Home single language (100) |
Education | Windows 10/11 Education (121) |
EducationN | Windows 10/11 Education N (122) |
Enterprise | Windows 10/11 Enterprise (4) |
EnterpriseEval | Windows 10/11 Enterprise Evaluation (72) |
EnterpriseG | Windows 10/11 Enterprise G (171) |
EnterpriseGN | Windows 10/11 Enterprise G N (172) |
EnterpriseN | Windows 10/11 Enterprise N (27) |
EnterpriseNEval | Windows 10/11 Enterprise N Evaluation (84) |
EnterpriseS | Windows 10 Enterprise LTSC (125) |
EnterpriseSEval | Windows 10 Enterprise LTSC Evaluation (129) |
EnterpriseSN | Windows 10 Enterprise LTSC N (162) |
Holographic | Windows 10 Holographic (136) |
IoTUAP | Windows 10 IoT Core (123) |
IoTUAPCommercial | Windows 10 IoT Core Commercial (131) |
IoTEnterprise | Windows 10/11 IoT Enterprise (188) |
PPIPro | Windows 10 TeamOS (119) |
Professional | Windows 10/11 Professional (48) |
ProfessionalEducation | Windows 10/11 Professional Education (164) |
ProfessionalEducationN | Windows 10/11 Professional Education N (165) |
ProfessionalWorkstation | Windows 10/11 Professional for workstation (161) |
ProfessionalN | Windows 10/11 Professional for workstation N (162) |
ProfessionalSingleLanguage | Windows 10/11 Professional Single Language (138) |
ServerRdsh | Windows 10/11 Enterprise multi-session (175) |
7. Once you have completed your Rules, click Next and on the final page click Create.
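As an added example (not code from the original post), the script below resolves the numeric OperatingSystemSKU that Win32_OperatingSystem reports to the Intune supported-value name and applies the same substring test as the filter rule, so you can check what the Contains "Core" rule will catch before assigning it. The mapping is a subset of the table above; the value 101 for Core is the PRODUCT_CORE product type from the Windows SDK, and the function names are my own.

```powershell
# Added example, not from the original post: map the numeric SKU reported by
# Win32_OperatingSystem to the Intune filter value name, then apply the same
# substring test as the rule (device.operatingSystemSKU -contains "Core").
# Subset of the table above; 101 is PRODUCT_CORE (Windows Home) in the Windows SDK.
$skuNames = @{
    4   = 'Enterprise'
    48  = 'Professional'
    98  = 'CoreN'
    99  = 'CoreCountrySpecific'
    100 = 'CoreSingleLanguage'
    101 = 'Core'
    121 = 'Education'
    125 = 'EnterpriseS'
    175 = 'ServerRdsh'
}

function Get-LocalOperatingSystemSku {
    # Same value as the post's Get-WmiObject one-liner, via the current CIM cmdlet
    [int](Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU
}

function Test-HomeEditionFilter {
    param([Parameter(Mandatory)][int]$Sku)
    $name = $skuNames[$Sku]
    if (-not $name) { $name = '(not in mapping; add it from the table)' }
    [pscustomobject]@{
        Sku         = $Sku
        IntuneValue = $name
        # A Contains "Core" rule catches every Home variant in the table: Core, CoreN,
        # CoreSingleLanguage and CoreCountrySpecific. No other listed value contains it.
        MatchesCoreRule = ($name -like '*Core*')
    }
}

# Check this machine, then a few constructed SKU values to see what the rule matches
Test-HomeEditionFilter -Sku (Get-LocalOperatingSystemSku)
101, 100, 99, 48, 125 | ForEach-Object { Test-HomeEditionFilter -Sku $_ } | Format-Table -AutoSize
```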
Create the device enrolment platform restrictions
Now we have created our device filter, we need to create some device enrolment restrictions and apply some logic. The idea behind the restrictions is that a device which does not match the assignment of the first profile falls through to the second. The first profile allows enrolment and the second (the default, in most scenarios) blocks enrolment.
1. Start by logging into Microsoft Intune and selecting Devices, then Enrollment device platform restrictions.
2. Open the Windows restrictions tab and select Create restriction.
3. Enter a meaningful name and click Next.
4. On the platform settings page, set both the MDM and Personally owned devices options to Allow, then click Next.
5. On the Scope tags page define any scope tags you need if you are using RBAC to control admin access to resources, then click Next.
6. Click Add all users on the assignments tab.
7. Click Next and then Create. This will create the policy, however we now need to edit the policy and apply the filter.
8. Click on the new policy you created, then click Properties and then Edit next to Assignments.
9. Next to All users under the Groups heading on the right-hand side, select Edit filter.
10. The idea at this step is to exclude the filtered devices; however, the Exclude option is missing from the list of behaviours. To resolve this we can use the Microsoft Graph Explorer tool to expose and apply the needed setting.
Click Include filtered devices in assignment and select the filter you created, then click Next and Review + save.
11. Before you click the final Save button, open your browser's developer tools so you can capture the Microsoft Graph request URL and request body. Right-click the page and click Inspect.
12. Once the developer tools are open they will look like the screenshot below. Select the Network tab.
13. With the developer tools still open, click Save on the final step of the enrollment restriction wizard.
14. On the Network tab you will now see network requests appear under the Name heading. Select assign from the list, then click Headers and copy the Request URL. Save this somewhere to use shortly.
15. Now select the Payload tab, right-click and copy the request payload (like the one below), and save this somewhere to use next.
16. In a new browser tab, open the Microsoft Graph Explorer tool at https://developer.microsoft.com/en-us/graph/graph-explorer.
17. Click on the profile icon and log in as your Microsoft 365 tenant administrator.
18. Paste the request URL you copied in step 14 into the request URL text box and change the method to POST.
19. Click on the Modify permissions tab and consent to all the listed permissions.
20. Select the Request body tab and paste the request payload you copied in step 15.
21. Change the device filter type in the request body from include to exclude. Your request will now look like the below.
22. Click Run now at the top right and you should see a successful but empty response.
23. If you now return to the properties of your new enrollment restriction profile in the Intune portal, the filter mode will show as Exclude.
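The same assignment can be sent from PowerShell instead of pasting the captured request into Graph Explorer, which makes the change repeatable and auditable. This is an added example, not code from the original post: it assumes the Microsoft.Graph PowerShell module, that you read the enrollment configuration ID from the request URL and the filter ID from the payload captured above (placeholders below), and that the body shape matches the assign action for deviceEnrollmentConfigurations; compare it with the payload you captured before running it.

```powershell
# Added example, not from the original post. Replays the portal's assign request with the
# filter type set to exclude, then reads the assignment back to confirm the mode.
# Assumptions: Microsoft.Graph module installed; IDs taken from the captured request
# URL and payload; body shape per the deviceEnrollmentConfigurations assign action.
Import-Module Microsoft.Graph.Authentication

$ConfigId = '<ENROLLMENT-CONFIGURATION-ID-FROM-CAPTURED-URL>'   # placeholder
$FilterId = '<DEVICE-FILTER-ID-FROM-CAPTURED-PAYLOAD>'          # placeholder

# Least-privilege scope for enrollment configuration changes (consent once, interactively)
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$body = @{
    enrollmentConfigurationAssignments = @(
        @{
            target = @{
                # "All users" assignment, as selected in the wizard
                '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                deviceAndAppManagementAssignmentFilterId   = $FilterId
                # The value the portal UI does not offer for this profile type
                deviceAndAppManagementAssignmentFilterType = 'exclude'
            }
        }
    )
}

$base = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$ConfigId"
Invoke-MgGraphRequest -Method POST -Uri "$base/assign" `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Verify: the filter type on the stored assignment should now read "exclude"
$assignments = Invoke-MgGraphRequest -Method GET -Uri "$base/assignments"
$assignments.value | ForEach-Object { $_.target } |
    Select-Object deviceAndAppManagementAssignmentFilterId, deviceAndAppManagementAssignmentFilterType
```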
Setting the default policy to block personal devices
Once your custom policy has been created, Windows Home devices are excluded from it by the filter and therefore fall through to the default policy.
To ensure they are blocked, we need the default policy to block personal devices from being enrolled.
2. Select Properties then Edit next to the platform settings.
3. Ensure personal enrollment is set to block. Then click Review + save, then Save.
The end user experience
From the user's perspective, whether they try to enrol from Settings or manually through the Company Portal app, they will be blocked.
Once they enter their company login details, the device is evaluated and they receive the following error:
Payload tab is missing and Chrome is updated to the latest version. How to go ahead on this?
Can you provide a screenshot? It will be there somewhere…