This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
MDM Enrollment
We are deploying MDM. All users have the same license assigned.
New equipment with Windows 10 Enterprise
Some Devices simply refuse to enroll in MDM and enroll in MAM instead
Devices are Hybrid AD joined. Some of these machines work beautifully and all our apps become enlightened
Every time a work file is opened in Outlook, regardless of type this is received
Exclusion policies make no difference, checking Enterprise context simply lists Personal. On the machines, where the MDM enrollment works the same apps (same version etc.) are listed as enlightened.
Event Viewer is of no help, some of the machines enroll and never list into Endpoint Device Management
...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 84%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
From your description, it seems those device use the MAM without device enrollment, or MAM-WE to access corporate resources. For such kind of MAM, it allows IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. So when you use app protection policies, please make sure that the office suite apps have been added to Allowed apps blade, and there is no restriction settings to corporate data in Advance settings part.
Here is a sample for MAM-WE with app protection policy, just for your reference.
https://www.petervanderwoude.nl/post/windows-10-mam-we-and-office-desktop-apps/
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi
All the app exclusions are in-place.
Other machines same domain, simply do not enlist these exclusions and enroll with MAM (WIP) and does not switch over to MDM (Intune)
Your suggestion does not work
Thanks
Would you please double check if the Outlook has added in Targeted apps? From the description, it seems to indicate Outlook app hasn't configured correctly to open corporate resource. Therefore, please make sure that Outlook app has added to Allowed app in Target app. Also, in Windows 10 Enterprise client, locate to Task Manager->Details, make sure the enterprise context of Outlook app belongs to company not personal.
Hi
Yes, it is. We have several hundred people and for most, it works just fine.
There are several people with the issue mentioned and there is no indication of the why.
Thanks
This situation is usually because the corporate resource is encrypted. When you use the personal app that isn’t added to Allowed app to access corporate resource, it cannot be accessed because corporate resource cannot be decrypted by personal app. Only this app has been added in Targeted apps, can it access corporate resource. For deeper root cause analysis, we need to collect logs and analyze them from the backend, I would recommend to create an online support ticket to find the root cause more effectively. Here is the link:
https://learn.microsoft.com/en-us/intune/get-support#help-and-support-experience
HI Chris,
I am having same issue with my clients, have you found any resolution on it yet?