How To Block Windows Home Devices From Enrolling In Intune

A common problem with Intune enrolment is that, once you enable user enrolment, nothing stops your users from enrolling any device into your environment by default. You can of course prevent unauthorised or non-compliant devices from accessing resources using Conditional Access, but this does not prevent them from enrolling in the first place.

In this tutorial, I am going to show you how you can use device filters to prevent Windows Home devices and other Windows versions from enrolling into Intune.

Prerequisites

To complete the tasks in this tutorial, you need to have the Intune administrator role assigned to your admin user. You can also create custom role assignments to limit the tasks your admin users can perform, see: How to create custom Intune role assignments.

You should also ensure all your users have an Intune license assigned; the following license SKUs include Microsoft Intune:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Enterprise Mobility + Security E5
  • Enterprise Mobility + Security E3
  • Microsoft 365 Business Premium
  • Microsoft 365 F1
  • Microsoft 365 F3
  • Microsoft 365 Government G5
  • Microsoft 365 Government G3
  • Intune for Education

Create a device filter to target Windows Home

A device filter is a rule or set of rules that applies to devices within Intune. Filters can be used when assigning policies, apps and profiles to dynamically target a device based on a specific attribute. Depending on the logic you apply when creating policies, you can either include or exclude devices based on your filter; a range of platforms and device properties is supported.

Supported platforms

The following platforms are supported when creating a device filter:

  • Windows 10 and later
  • iOS/iPadOS
  • Android device administrator
  • macOS
  • Android Enterprise

Supported device properties

There are various supported properties you can target when creating a device filter, these include:

  • Device name (deviceName)
  • manufacturer (Manufacturer)
  • model (Model)
  • Device category (deviceCategory)
  • OS version (osVersion)
  • Ownership (deviceOwnership)
  • Enrollment profile name (enrollmentProfileName)
  • Operating system SKU (operatingSystemSKU)

Create a device filter that targets Windows Home

Let's walk through how to create a device filter that targets Windows Home devices.

1. Start by logging into Microsoft Intune at https://endpoint.microsoft.com/ or https://intune.microsoft.com/

2. Select Tenant administration from the left-hand menu.

Select Tenant administration

3. Select Filters.

Select Filters

4. Click Create to launch the new filter creation wizard.

Click create

5. Start by entering a meaningful name for the filter and selecting the platform type Windows 10 and later, then click Next.

Complete the basics tab

6. On the rules tab, select the following options:

  • Property: OperatingSystemSKU
  • Operator: Contains
  • Value: Core

This creates the following rule syntax, which targets all devices whose operating system SKU contains the word Core (the SKU name Windows uses for Home editions): (device.operatingSystemSKU -contains "Core")

Add a device filter rule

If you are unsure of the specific SKU of your device, you can run the following command to output the ID using PowerShell:

Get-WmiObject -Class Win32_OperatingSystem | Select-Object OperatingSystemSKU

Your output will look similar to the below and give you a numeric value:

Operating system SKU

Once you have the value for your operating system, use the table below to look up which version of Windows you are running and which supported value to include in your rule.

Supported value             OS SKU definition
BusinessN                   Windows 10/11 Professional N (49)
CloudEdition                CloudEdition (Windows 11 SE) (203)
CloudEditionN               CloudEditionN (Windows 11 SE N) (202)
Core                        Windows 10/11 Home (10/111)
CoreCountrySpecific         Windows 10/11 Home China (99)
CoreN                       Windows 10/11 Home N (98)
CoreSingleLanguage          Windows 10/11 Home single language (100)
Education                   Windows 10/11 Education (121)
EducationN                  Windows 10/11 Education (122)
Enterprise                  Windows 10/11 Enterprise (4)
EnterpriseEval              Windows 10/11 Enterprise Evaluation (72)
EnterpriseG                 Windows 10/11 Enterprise G (171)
EnterpriseGN                Windows 10/11 Enterprise G N (172)
EnterpriseN                 Windows 10/11 Enterprise N (27)
EnterpriseNEval             Windows 10/11 Enterprise N Evaluation (84)
EnterpriseS                 Windows 10 Enterprise LTSC (125)
EnterpriseSEval             Windows 10 Enterprise LTSC Evaluation (129)
EnterpriseSN                Windows 10 Enterprise LTSC N (162)
Holographic                 Windows 10 Holographic (136)
IoTUAP                      Windows 10 IoT Core (123)
IoTUAPCommercial            Windows 10 IoT Core Commercial (131)
IoTEnterprise               Windows 10/11 IoT Enterprise (188)
PPIPro                      Windows 10 TeamOS (119)
Professional                Windows 10/11 Professional (48)
ProfessionalEducation       Windows 10/11 Professional Education (164)
ProfessionalEducationN      Windows 10/11 Professional Education N (165)
ProfessionalWorkstation     Windows 10/11 Professional for workstation (161)
ProfessionalN               Windows 10/11 Professional for workstation N (162)
ProfessionalSingleLanguage  Windows 10/11 Professional Single Language (138)
ServerRdsh                  Windows 10/11 Enterprise multi-session (175)
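As an added example (not part of the original post), the following PowerShell script reads the local SKU, maps it to the filter value name from the table above and checks whether the post's rule would match it, so you can confirm the rule on a test machine before relying on it. The function names are mine; the map uses the table's values, with Home listed under its documented product code 101 (PRODUCT_CORE), and only a handful of common SKUs are included to keep it short.

```powershell
# Added example: map the numeric OperatingSystemSKU to the name Intune filter rules use,
# then evaluate the rule (device.operatingSystemSKU -contains "Core") the way the filter would.
# Values come from the table in the post; 101 is the documented PRODUCT_CORE code for Home.
$skuNames = @{
    4   = 'Enterprise'
    48  = 'Professional'
    98  = 'CoreN'                # Windows 10/11 Home N
    99  = 'CoreCountrySpecific'  # Windows 10/11 Home China
    100 = 'CoreSingleLanguage'   # Windows 10/11 Home Single Language
    101 = 'Core'                 # Windows 10/11 Home
    121 = 'Education'
    125 = 'EnterpriseS'          # Windows 10 Enterprise LTSC
    175 = 'ServerRdsh'           # Enterprise multi-session
}

function Get-IntuneSkuName {
    # Get-CimInstance is the modern replacement for Get-WmiObject; both expose OperatingSystemSKU.
    $sku  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).OperatingSystemSKU
    $name = if ($skuNames.ContainsKey($sku)) { $skuNames[$sku] } else { "Unknown($sku)" }
    [pscustomobject]@{ SkuId = $sku; SkuName = $name }
}

function Test-FilterRule {
    # Mirrors the Intune rule operator "contains", which is a substring match.
    # PowerShell's own -contains is a collection operator, so -like with wildcards is used instead.
    param([string]$SkuName, [string]$Value = 'Core')
    $SkuName -like "*$Value*"
}

$local = Get-IntuneSkuName
$match = Test-FilterRule -SkuName $local.SkuName
"SKU {0} ({1}) -> filter 'contains Core' matches: {2}" -f $local.SkuId, $local.SkuName, $match

# Core, CoreN, CoreSingleLanguage and CoreCountrySpecific all match the single value "Core",
# which is why one rule covers every Home edition in the table while Professional,
# Enterprise and Education SKUs are left untouched.
```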

7. Once you have completed your Rules, click Next and on the final page click Create.

Create the device enrolment platform restrictions

Now that we have created our device filter, we need to create some device enrolment restrictions and apply some logic. The idea behind the restrictions is that if a device does not match the assignment of the first profile, the second profile (the default, in most scenarios) applies to it. The first profile will allow enrolment and the second will block it.

1. Start by logging into Microsoft Intune and selecting Devices, then Enrollment device platform restrictions.

Enrolment device platform restrictions

2. Open the Windows restrictions tab and select Create restriction.

Create restriction

3. Enter a meaningful name and click Next.

Enter a meaningful name

4. On the platform settings page, set both the MDM and Personally owned devices options to Allow, then click Next.

Set both options to allow

5. On the Scope tags page define any scope tags you need if you are using RBAC to control admin access to resources, then click Next.

6. Click Add all users on the assignments tab. 

Add all users to assignments

7. Click Next and then Create. This will create the policy, however we now need to edit the policy and apply the filter.

8. Click on the new policy you created, then click Properties and then Edit next to assignments.

Edit the policy settings

9. Next to All users under the Groups heading on the right-hand side, select Edit filter.

Click Edit filter

10. The idea at this step is to Exclude the filtered devices, however, the Exclude option is missing from the list of behaviours. To resolve this we can use the Microsoft Graph Explorer tool to expose and apply the needed setting.

Click Include filtered devices in assignment and select the filter you created, then click Next and Review + save.

Include your filter

11. Before you click the final save button, we are going to open your web browser's developer tools to steal the Microsoft Graph request URL and request body. Right click the page and click Inspect.

Inspect element

12. Once the developer tools are open they will look like the screenshot below. Select the Network tab.

Click the Network tab

13. While the developer tools are open, click Save on the final step of the enrollment restriction wizard.

14. On the Network tab, you will now see some network requests appear under the Name heading. Select assign from the list, then click Headers and copy the request URL. Save this somewhere to use shortly.

Save the request URL

15. Now select the Payload tab, right-click and copy the request payload like the one below, and also save this somewhere to use next.

Copy the payload value

16. Now in a new browser tab, open the Microsoft Graph Explorer tool at https://developer.microsoft.com/en-us/graph/graph-explorer.

17. Click on the profile icon and log in as your Microsoft 365 tenant administrator.

Login to the Microsoft Graph Explorer

18. Copy and paste the request URL you saved into the request URL text box and change the method to POST.

Enter the request URL

19. Now click on the Modify permissions tab and consent to all the listed permissions.

Consent to permissions

20. Now select the Request body tab and paste the request payload we copied earlier.

The current request payload

21. Change the device filter type in the request body from include to exclude. Your request will now look like the below.

The new request payload

22. Click Run now at the top right and you should see a successful but empty response.

Empty response

23. If you now return to the properties of your new enrollment restriction profile in the Intune portal, the filter mode will now show as Exclude.

Filter mode exclude
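As an added example (not part of the original post), this PowerShell script sends the same assign request the Graph Explorer steps above describe, using the Microsoft Graph PowerShell SDK, and then reads the assignment back to confirm the filter mode is Exclude. It assumes the SDK is installed and that you replace the two placeholder ids with your enrollment restriction configuration id (taken from the request URL you captured) and your filter id; the body shape is my understanding of the beta assign action, not a payload quoted from the post.

```powershell
# Added example: apply the "All users" assignment with the device filter in exclude mode,
# which the portal UI does not offer, then verify the result via Graph.
$configId = '<enrollment-restriction-configuration-id>'   # placeholder, from the captured request URL
$filterId = '<device-filter-id>'                           # placeholder, from Tenant administration > Filters

# Enrollment configurations are covered by the DeviceManagementServiceConfig permission.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$base = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$configId"

$body = @{
    enrollmentConfigurationAssignments = @(
        @{
            target = @{
                '@odata.type'                              = '#microsoft.graph.allLicensedUsersAssignmentTarget'
                deviceAndAppManagementAssignmentFilterId   = $filterId
                # The portal only sends "include"; "exclude" is the mode the post needs.
                deviceAndAppManagementAssignmentFilterType = 'exclude'
            }
        }
    )
} | ConvertTo-Json -Depth 5

# Same POST the portal makes on Save; a successful call returns an empty response.
Invoke-MgGraphRequest -Method POST -Uri "$base/assign" -Body $body -ContentType 'application/json'

# Read the assignment back: the target should now report filter type "exclude".
$assignments = Invoke-MgGraphRequest -Method GET -Uri "$base/assignments"
$assignments.value | ForEach-Object {
    '{0}: filter {1} mode {2}' -f $_.target.'@odata.type',
        $_.target.deviceAndAppManagementAssignmentFilterId,
        $_.target.deviceAndAppManagementAssignmentFilterType
}
```

If the GET still shows include, the POST was rejected or sent against the wrong configuration id, so check the id before re-running.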

Setting the default policy to block personal devices

Once your custom policy is in place, Windows Home devices are skipped by it because of the exclude filter and fall through to the default policy.

This means to ensure they are blocked, we need to block personal devices from being enrolled by the default policy.

1. From the Enrollment device platform restrictions page, select All users next to the default priority policy.

Edit the default policy

2. Select Properties then Edit next to the platform settings.

Edit the platform settings
Edit the platform settings

3. Ensure personal enrollment is set to block. Then click Review + save, then Save.

Block personal enrollment

The end user experience

From the user’s perspective, when they open their settings and try to enrol or attempt to manually enrol using the company portal app they will be blocked.

Once they enter their company login details, the device will be evaluated and they will receive the following error:

Windows home is now blocked
Windows home is now blocked

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 2 Comments

  1. Nick

    The Payload tab is missing and Chrome is updated to the latest version. How do I go ahead with this?

    1. Daniel

      Can you provide a screenshot? It will be there somewhere…
