Microsoft Intune preview: block automatic MDM enrollment

Microsoft Intune introduces a public preview toggle to block automatic MDM enrollment during Windows modern app sign‑in. Opt‑in enrollment prevents accidental BYOD management, reduces support and recovery incidents, preserves user consent, and aligns enrollment with deliberate IT policies.

A new Intune public preview adds a toggle to block automatic MDM enrollment during modern app sign-in on Windows. This change responds to customer requests to avoid accidental device management and reduce support complexity.

Main feature and impact

The new toggle, “Disable MDM enrollment when adding a work or school account on Windows,” stops automatic MDM enrollment during app sign-in. It preserves account registration while removing the “Allow my organization to manage my device” prompt from the flow. Organizations can keep MDM user scope set to All yet prevent accidental enrollments. This reduces unintended device management and simplifies recovery for BYOD scenarios.

Practical implications

Opt‑in enrollment becomes the default user experience for app sign-in flows when the toggle is enabled. Users access apps without implicit device takeover, and intentional enrollment requires deliberate actions. IT retains full enrollment paths such as Windows settings or Autopilot provisioning. Conditional Access and app protection still function for managed devices. Support volume and unenrollment complexity should decrease for mixed ownership environments.

“Allow my organization to manage my device.” “Disable MDM enrollment when adding a work or school account on Windows.”

This change separates account registration from device management, reducing accidental enrollments and support incidents. Administrators should evaluate their device ownership and provisioning models and enable the toggle for BYOD or mixed ownership environments. For corporate fleets requiring forced enrollment, maintain automatic enrollment where appropriate and document the decision.

Key points from the article:

Toggle disables automatic MDM enrollment during app sign‑in

Opt‑in model reduces accidental BYOD device management

Reduces support tickets and difficult recovery scenarios

Preserves explicit user consent for device management

Aligns enrollment with conditional access and compliance

Related Coverage:

• Protect browser-based work on agency-managed Windows PCs
• Announcing Windows 11 Insider Preview Build 28020.1673 (Canary Channel)
• Announcing New Optional Windows 11 Insider Preview Build for Canary Channel 29531.1000

From the Intune Customer Success articles

---