Forums on Intune, SCCM, and Windows 11


Authorizing only tagged Autopilot resources for enrollment

TheUndertaker

Hello,
I need to create a conditional access policy for Windows OS that allows the Microsoft Intune Enrollment app if and only if the provisioning machine has been registered and provided with a specific tag (e.g. COMP-HYBRID).
To achieve this goal I created the following CAP:
  • Target user group = EMS_Enabled_Users
  • Target resource = Selected app -> Microsoft Intune Enrollment
  • Conditions
    • Device platform = Windows
    • Filter for devices = Included filtered devices -> Rule: device.physicalIds -notContains "[OrderId]:COMP-HYBRID"
  • Grant = Block Access
Unfortunately, this rule doesn't work as expected, because after sign-in the rule is applied to resources that are not properly tagged and to properly tagged ones too.

Any suggestions?
Thanks in advance!!!
 