
Crap! I accidentally allowed users to enroll personal Windows devices into Intune!

December 13, 2023 | Intune, Microsoft, Windows 10, Windows 11

Imagine looking at your Intune environment and discovering a load of personal Windows clients that are enrolled… the first thing you scream at your colleagues is “Who enabled the ability for users to enroll their personal devices???”. Well, no need to scream at your colleagues: apologise to them and tell them you found the solution to the issue ;). Before you start cleaning up, close the door again first, so no new personal devices come in while you work: in Intune, the enrollment device platform restrictions for Windows (MDM) let you block personally owned devices.

Okay, so you have found personal devices in your environment… what’s next?

In very simple words: you can just click “Retire” on each device. If you do that, the end user gets a message stating: “<OrganisationName> has removed your workplace account and deleted all of the information associated with your workplace account (including business apps, password requirements, and other policies) from your device.”

If that isn’t a problem, and you can manage it by sending out communication to your users that their personal devices may show that message, then there is nothing stopping you.

If your users don’t know their devices are onboarded in Intune, and you don’t want them calling your helpdesk to ask how the h*** their personal devices could be managed by the organisation… then there is an extra step to be done first.

Well, we are managing the devices now anyway… can’t we stop that specific notification from popping up? Sure we can! The notification can be disabled by manually switching off notifications for the “Device enrollment activity” sender in Windows notification settings. That manual action sets the following registry key:

HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.DeviceEnrollmentActivity

In that key a DWORD value named "Enabled" is set to 0.

OK, that sounds pretty simple, right? Let’s automate it!

Well… in theory that should be simple… but when I tested this I had a lot of issues, and especially a long wait before the setting got rolled out to the client. The reason: a personal device isn’t joined to AAD but is AAD Registered (yes, I know it is called Entra ID these days…), also known as workplace joined. Because the device is AAD registered, anything the Intune Management Extension deploys in user context will not be evaluated, and is instead reported as Not Applicable. If you look at the IntuneManagementExtension.log file you will find the following result: “<App ID> will not be evaluated as it has user install context and the device is configured as workplace joined. The app will be reported as not applicable”. So a user-context (HKCU) deployment is a dead end on these devices.

So next I tried whether the same key would work in device context (HKLM)… let’s see what we get then. Well, we got a eureka moment! The key works! That means it is now time to automate it. I created an MSI installer using Advanced Installer that sets the correct registry key. The key that is set is the same path as above, but under HKLM instead of HKCU, and in it we again set a DWORD entry named Enabled with value 0. The MSI is then deployed in system context, which is evaluated on workplace-joined devices.

Now we wait until all devices have the registry key in place… get a cup of coffee, or something stronger maybe, and let the waiting begin. You can follow the progress on the app’s device install status in the Intune portal.

After the registry key has landed on all devices (check the install status per device before you act, not just the overall number), simply fire a Retire command from the Intune admin center, and within minutes the enrollment will be gone without any impact or notifications on the endpoint.
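If you would rather not build an MSI, the same registry change can be deployed as an Intune PowerShell script or as a Win32 app with a script-based detection rule. The block below is an added example written for this page, not the author’s MSI and not Microsoft’s code. It assumes the HKLM path is the HKCU path from above with the hive swapped (the post says “the same key” works in device context), and it is meant to run in system context. The Test- function doubles as a detection script: exit code 0 means the toast is already suppressed and the device is safe to retire.

```powershell
# Added example (not the post's own MSI): suppress the "Device enrollment
# activity" toast in device context, and detect whether it is already suppressed.
# Assumption: HKLM path mirrors the HKCU path quoted in the post.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.DeviceEnrollmentActivity'
$ValueName = 'Enabled'
$Desired   = 0

function Test-EnrollmentToastSuppressed {
    # True only when the value exists, is a real REG_DWORD and equals 0.
    # A REG_SZ "0" written by a sloppy script would not count.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    return ($kind -eq 'DWord' -and [int]$item.$ValueName -eq $Desired)
}

function Set-EnrollmentToastSuppressed {
    # Create the key if the user never touched notification settings on this device.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -PropertyType DWord guarantees REG_DWORD; -Force overwrites a wrong existing value.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Desired -PropertyType DWord -Force | Out-Null
}

# Remediation flow: idempotent, so it is safe to re-run on every device.
if (Test-EnrollmentToastSuppressed) {
    Write-Output "Toast already suppressed on $env:COMPUTERNAME"
    exit 0
}

Set-EnrollmentToastSuppressed

if (Test-EnrollmentToastSuppressed) {
    Write-Output "Toast suppression applied on $env:COMPUTERNAME"
    exit 0
} else {
    Write-Error "Failed to write $KeyPath\$ValueName"
    exit 1
}
```

When you deploy this as an Intune PowerShell script, tick “Run script in 64-bit PowerShell host”; otherwise the 32-bit host writes the value under HKLM:\SOFTWARE\WOW6432Node\… and the toast keeps appearing. Keep “Run this script using the logged on credentials” off, for the same user-context reason explained above.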

Rob
