Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

No More Accidental MDM Enrollments??

by | Apr 1, 2026 | Blog, Device Management, Intune, MDM, Microsoft, Most Popular, Top Stories | 0 comments

If you’ve been managing Windows devices with Microsoft Intune for a while, you’ve encountered accidental MDM enrollments. When a user for example adds their work account to Teams on a personal laptop, clicks through a prompt they don’t understand, and suddenly the device shows up in your Intune and Entra tenant fully enrolled, policies raining down, and you’re left cleaning up the mess. Imagine a personal device being bitlockered….? You don’t want this!
How do these personal devices get enrolled you might ask? Well the “Allow my organization to manage my device” screen that appears whenever a user adds a work or school account on Windows is the bad guy/girl here.

MDM

We need to be honest, the new screen is an improvement compared to the old one but almost nobody will read it, let alone understand the consequences. What happens, people just click OK….

MDM

The problem

When a user adds a work or school account on a Windows device in Teams, Outlook, Edge,… Windows triggers a Workplace Join flow behind the scenes. If that user happened to be in scope for automatic MDM enrollment (which many organizations set to All (not the best idea) or Some), the device would silently attempt to enroll into Intune. There was no separation between account registration and device enrollment.
This caused several painful scenarios:

  • BYOD devices in Intune by accident: users just wanted to sign into Teams, not get their device managed.
  • Entra-registered devices automatically became MDM-managed: one prompt and the device was fully enrolled.
  • MAM-only: organizations that have Mobile Application Management enabled over full MDM enrollment had no control to prevent the enrollment step from triggering.
  • Multi-tenant: users adding a second work or school account could enroll their device into a completely different organization’s MDM which is not good.

The only workaround for managed devices was a registry key (BlockAADWorkplaceJoin under HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin), but that is not the golden ticket solution.

The solution

Finally Microsoft introduced a way to have control on this. Check out the Windows enrolment blade in your intune portal, under automatic enrolment. Here you will find the toggle to enable or disable this feature.

And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!

When this is enabled, Windows will stop doing the device enrollment after registering the account with Entra ID. So it will not start MDM enrollment, even if the user belongs to an automatic enrollment group.
The device gets registered if needed, but the enrollment step is skipped entirely. And this is what we want and what administrators have been asking for: to let users add their work accounts for app access without a full device enrolment.

What this setting applies to

According to the Microsoft documentation you can find here and here This setting applies to:

  • Users in the Some or All (again not a good idea) category in the MDM auto-enrollment configuration.
  • Users on Entra-registered and workplace-joined devices.
  • Users who add their account for the first time via Microsoft Edge or a native app such as Teams.

Important to know, this setting does not apply to users adding their account through the Windows Settings flow. Users can still MDM-enroll their device through Windows Settings if they’re in scope for automatic enrollment, and through prompts they receive when accessing a resource that requires MDM enrollment. This means you’re not blocking enrollment completely, you are just preventing it from happening.

Enable MDM automatic enrollment for Windows - Microsoft Intune
Enable Intune automatic enrollment for Windows devices joining or registering with your Microsoft Entra ID.
Rethinking “Allow my organization to manage my device” Why opt‑in enrollment works better for Intune | Microsoft Community Hub
By: Ramya B Sharma – Senior Software Engineer | Microsoft Intune
 
A new public preview feature in Microsoft Intune, we’ve introduced a toggle that...

The new registration experience

Microsoft is updating the entire account registration experience on Windows. The flow is now properly split into two different stages: Registration and Enrollment. In the past, these happened together. The new feature determines whether the enrollment stage is presented at all during the flow.
When the setting is enabled, users only see the registration step. The “Allow my organization to manage my device” screen never appears because the MDM enrollment flow is never started during account addition on Entra-registered devices. So no screen means no room for users clicking the wrong buttons.

Testing it yourself

If you want to test this, here’s what you need to do:

  • Open the Intune admin center and navigate to Devices > Device onboarding > Enrollment > Windows > Automatic Enrollment.
  • Set the “Disable MDM enrollment when adding work or school account on Windows” toggle to Enabled.
  • On a test device, add a work or school account through Teams or Edge.
  • Verify that the device registers with Entra but does not appear as MDM-enrolled in Intune.

With the setting enabled, the “Allow my organization to manage my device” prompt no longer appears, and the device stays out of MDM management. Exactly what we wanted.

Important considerations

Before you flip the switch, keep a few things in mind:

  • It doesn’t block all enrollments: users can still enroll through Windows Settings or when prompted by a resource that requires MDM enrollment (such as a Conditional Access policy requiring a compliant device). If you want to block this you will need to do it on the Device Platform restrictions – Keep in mind if you do this, the only option left over to enrolle devices is Autopilot.
  • MAM scenarios: if you’re enforcing Windows MAM for work or school accounts, Microsoft recommends enabling this setting so that MAM policies apply without triggering unwanted MDM enrollment.

Wrapping up

This is one of those small changes that solves an in my opinion huge problem. For years, the “Allow my organization to manage my device” prompt has been the main reason of accidental enrollments, confused end users, and unnecessary cleanup work for IT admins. With the new “Disable MDM enrollment when adding work or school account on Windows” toggle, Microsoft finally gives administrators a proper service-side control to separate account registration from device enrollment.

And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!

SHARE THIS:

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Buy me a Duvel 😉

Discover more from IntuneStuff

Subscribe now to keep reading and get access to the full archive.

Continue reading