Configure Personal Devices for Azure VPN without Intune enrollment

Melissa Ray 0 Reputation points
2025-01-05T12:41:30.5766667+00:00

We are migrating to Intune and transitioning all our Azure hybrid managed devices to Intune managed devices. Only corporate managed devices are enrolled in Intune, while personal devices are not accepted.

We operated without a domain controller and created a new VPN. However, when attempting to connect to the new Azure VPN from new devices, an error occurs stating that the device can't be registered. Devices that previously connected to the old VPN can connect to the new VPN without issues.

It appears that the problem may be related to the policy against enrolling Intune devices, which we prefer to maintain. We provide users with the necessary steps to connect to the VPN, including software, XML configuration, and required certificates. All devices involved are running Windows 10.

Suggestions for resolving this issue would be greatly appreciated, as remote work functionality is essential for us. Thank you for any assistance!


2 answers

  1. Crystal-MSFT 51,226 Reputation points Microsoft Vendor
    2025-01-06T01:57:44.81+00:00

    @Melissa Ray, thanks for posting in Q&A. From your description, I know we set the Intune enrollment policy to block personal devices. For the new devices, when one connects to the new Azure VPN, it is asked to register the device. As far as I know, a Windows device whose join type is Microsoft Entra registered is considered a personal device. I think this can be the reason it is blocked.

    If this is a corporate managed device, you can first enroll it into Intune as a corporate device to make it the Microsoft Entra joined type in Microsoft Entra ID. Then try to connect to the new Azure VPN to see if it works.

    https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Melissa Ray 0 Reputation points
    2025-01-15T13:06:26.59+00:00

    Hello! I'm very sorry for the late reply, I was sick. Thank you for helping!

    Corporate devices are enrolled just fine; the problem is the employees' personal laptops or devices, which we don't enroll in Intune. I am not sure what can be done to fix it, but thank you for the explanation of why it might not be working right now. Any help on making it work despite not enrolling the employees' devices (used solely to enter the VPN to work from home) will be gladly appreciated.

    Have a good day!
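
To confirm which join type a device that fails to connect actually has, the text of `dsregcmd /status` can be classified as in the sketch below. This is an added example, not part of the thread or of Microsoft's guidance; the function name `Get-EntraJoinType` and the sample output are constructed for illustration.

```powershell
# Added example: classify the Entra join state from `dsregcmd /status` text.
# Get-EntraJoinType is a hypothetical helper name, not a built-in cmdlet.
function Get-EntraJoinType {
    param(
        [string[]]$StatusLines   # output lines of `dsregcmd /status`
    )

    # Collect "Name : Value" pairs; banners, blank lines and
    # multi-word values are skipped because they do not match.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # A missing field compares as not 'YES', so it counts as NO.
    $aadJoined  = $state['AzureAdJoined']   -eq 'YES'
    $domJoined  = $state['DomainJoined']    -eq 'YES'
    $registered = $state['WorkplaceJoined'] -eq 'YES'

    if ($aadJoined -and $domJoined) { return 'Microsoft Entra hybrid joined' }
    if ($aadJoined)                 { return 'Microsoft Entra joined' }
    if ($registered)                { return 'Microsoft Entra registered' }
    if ($domJoined)                 { return 'Domain joined only' }
    return 'Not joined or registered'
}

# Constructed sample, trimmed to the fields the function reads.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-EntraJoinType -StatusLines $sample
# On a live device: Get-EntraJoinType -StatusLines (dsregcmd /status)
```

A device reporting the registered state is the join type the first answer describes as being treated as personal.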

