Conditional access - Block enrollment unless device is listed in the Autopilot devices
Would be nice to be able to block enrollment of devices if they are not imported to the "Windows Autopilot devices" list and with the option to also check that it has an Autopilot profile attached to it.
Should also be a compliance setting to check if the device has gone through an Autopilot setup or not. If not, then mark as non-compliant.
Matthias Hübner commented
Maybe the option to block private Windows (MDM) devices in the MEM enrollment restriction will solve your problem.
New devices from our OEM are only configured according to our corporate policies when someone logs in as an AAD user and thus enrolls the device into MDM. So there should be no way to escape from logging in as an AAD user during the OOBE. Especially, it should not be possible to create local accounts.
Not all enterprises allow BYOD.
AFAIK there is no enrollment restriction which would allow us to just enroll devices from our OEM or the ones we have registered intentionally.
Thus it would be great to add an enrollment restriction that forbids enrolling any non-registered device.