Today I will be looking at enrollment restrictions in Intune, which is a way to block personally owned devices. Did you know that, by default, every user in your Azure AD (with an Azure AD P1 and Intune license) is allowed to enroll (Azure AD join) their own devices into Intune? Those devices then receive all of your company configuration, and the user gets local admin permission on the device.
So, with that in mind and looking at it from a security point of view, I would not recommend letting all users enroll their own devices, and I think every organization should consider which devices may be enrolled into its Intune environment.
I will show you how to restrict the enrollment of personally owned Windows devices for all users, but still make it possible for a few trustworthy users (e.g. IT staff).
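Before changing anything, it helps to see what your tenant currently allows. The audit script below is an added example, not code from the original post: it assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementServiceConfig.Read.All, and the Graph beta enrollment-configuration endpoint and property names (deviceEnrollmentPlatformRestrictionsConfiguration, windowsRestriction.personalDeviceEnrollmentBlocked); the assumption that the tenant-wide default has priority 0 is also mine.

```powershell
# Added example (not from the original post). Lists every platform-restriction
# enrollment configuration and flags whether personally owned Windows devices
# may still be enrolled. Assumes the Graph beta schema named in the lead-in.
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All"

function Get-WindowsPersonalEnrollmentStatus {
    $uri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"
    $results = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($cfg in $page.value) {
            # Only the platform-restriction configurations carry the personal-device flag
            if ($cfg.'@odata.type' -ne '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration') {
                continue
            }
            $win = $cfg.windowsRestriction
            $results += [pscustomobject]@{
                DisplayName            = $cfg.displayName
                Priority               = $cfg.priority   # assumed: 0 = tenant-wide default
                WindowsBlocked         = [bool]$win.platformBlocked
                PersonalWindowsBlocked = [bool]$win.personalDeviceEnrollmentBlocked
            }
        }
        # Follow paging until the service stops returning a next link
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return $results
}

$status = Get-WindowsPersonalEnrollmentStatus
$status | Sort-Object Priority | Format-Table -AutoSize

# The situation the post warns about: the default that applies to all users
# neither blocks Windows outright nor blocks personally owned Windows devices.
$default = $status | Where-Object { $_.Priority -eq 0 }
if ($default -and -not $default.WindowsBlocked -and -not $default.PersonalWindowsBlocked) {
    Write-Warning "Default enrollment restriction allows personally owned Windows devices for all users."
}
```

Any higher-priority restriction assigned to a group (for example your IT staff) shows up as a separate row, so you can confirm that only the intended exception allows personal enrollment.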