Enrollment Scope only AzureAD Joined
Hi, I’m new to Intune and was wondering how I could prevent AzureAD registered devices from enrolling in Intune.
I’ve tried using a security group and limiting the enrollment scope to this group. The dynamic rules were set to
(device.deviceOSType -eq "Windows") and (device.deviceTrustType -eq "AzureAD")
However, the result was that the device wasn’t enrolled at all (just as if the AAD joined tag was set at a later stage, after Intune checked for it). The group does indeed match all the devices that I want to target (I can see them in the preview).
Is there a best practice for this or another dynamic rule that will work? We don’t get our hardware hashes yet to use Autopilot right away so I want new notebooks to at least enroll automatically in Intune when