Restrict Defender ATP enrollment?

Fredrik Hofgren 1 Reputation point
2020-09-09T05:57:28.803+00:00

Greetings
I realize I've missed some change notification along the line because the Defender ATP enrollment workflow seems to have changed. We used to have a "Microsoft Defender ATP (Windows 10 Desktop)" configuration profile with the ATP enrollment package assigned to our Microsoft Endpoint Manager/Intune PCs with "Corporate" ownership only. This way we didn't push ATP to the employees who MEM-enrolled their home PCs; we simply don't have a business case for that scenario.
We also have our Defender ATP connected to MEM but aren't using that for conditional access at the moment. When reading up on the changes it seems having this connection between ATP and MEM is all that's required for Defender ATP to enroll PCs and thus consume ATP licenses. This also includes the previously omitted personally enrolled PCs.

So, is there some way for me, in this new workflow, to restore my enrollment process and leave the personal PCs out? Or do I have to rethink my own workflow?

Regards
Fredrik

Microsoft Intune Enrollment

1 answer

  1. AndyLiu-MSFT 586 Reputation points
    2020-09-10T01:10:41.613+00:00

    @Fredrik Hofgren

    Based on the scenario, your company plans to integrate Microsoft Defender ATP with Microsoft Intune as a Mobile Threat Defense solution. By using Conditional Access, only devices marked compliant can be enrolled in Intune or allowed to access the corporate resources.

    Please click the following link for more details about integrating Defender ATP with Intune.

    Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune

    To allow the enrollment of home PCs without consuming ATP licenses, you can exclude the home devices from the compliance policy in Intune, so that the home PCs will not be evaluated as non-compliant.

    You can create a dynamic device group based on the device ownership, in which the home PCs will be put into the group automatically. Then, exclude that group from the compliance policy. Please click the following links for more info about dynamic group and compliance policy.

    groups-dynamic-membership
    device-compliance-get-started

    There is another way for managing home PC. Instead of MDM enrollment, you can deploy the MAM policies for protecting the corporate data at the apps level.

    To learn more about Intune MAM, please click the following link.

    What is Microsoft Intune app management?



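The two steps the answer above describes (a dynamic device group keyed on ownership, then excluding that group from the compliance policy) as an added PowerShell example; this is not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules) is installed, that the signed-in account has the Group.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All permissions, and that a compliance policy with the hypothetical display name "Windows 10 - Defender ATP risk level" already exists. The group name and mail nickname are also made up for the example.

```powershell
# Added example (not from the original thread). Assumptions: Microsoft Graph PowerShell SDK
# installed; account holds Group.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All;
# the compliance policy name below is hypothetical.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"

# 1. Dynamic device group keyed on ownership. Intune stamps deviceOwnership as "Personal"
#    for personally enrolled devices and "Company" for corporate-owned ones, so the rule
#    below collects exactly the home PCs the question wants to leave out.
$rule  = '(device.deviceOwnership -eq "Personal")'
$group = New-MgGroup -DisplayName "Devices - Personally owned" `
    -MailEnabled:$false -MailNickname "devices-personal" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. Look up the compliance policy that carries the Defender ATP risk-level check.
$policyName = "Windows 10 - Defender ATP risk level"   # hypothetical name
$filter     = [uri]::EscapeDataString("displayName eq '$policyName'")
$lookup     = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies?`$filter=$filter"
if (-not $lookup.value) { throw "Compliance policy '$policyName' not found" }
$policyId = $lookup.value[0].id

# 3. The /assign action replaces the whole assignment list, so read the current targets
#    first and resubmit them together with the new exclusion. Otherwise the policy would
#    lose its existing include assignments.
$existing = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId/assignments").value
$targets  = @($existing | ForEach-Object { @{ target = $_.target } })
$targets += @{
    target = @{
        "@odata.type" = "#microsoft.graph.exclusionGroupAssignmentTarget"
        groupId       = $group.Id
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId/assign" `
    -Body @{ assignments = $targets } -ContentType "application/json"

# 4. Verify: the group rule is active and the policy now lists the exclusion.
Get-MgGroup -GroupId $group.Id -Property displayName, membershipRule, membershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$policyId/assignments").value |
    ForEach-Object { $_.target }
```

Dynamic membership is evaluated asynchronously, so a freshly enrolled personal device can take some minutes to land in the group; check the rule processing state and the group's members before relying on the exclusion. To target corporate devices directly instead, the same rule form with `"Company"` in place of `"Personal"` can be used as an include group for the policy.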