Saved February 14, 2026
This article explores methods for bypassing device enrollment restrictions in Microsoft Intune, focusing on how attackers can register fake devices to access corporate resources. It details the enrollment process, the types of restrictions, and specific techniques used to circumvent them.
Device management through Intune has become prevalent in organizations, creating opportunities for Red Team operations to simulate attacks targeting this system. Attackers can use tools like pytune to register fake devices within an organization's Intune tenant. This allows them to potentially exfiltrate sensitive information, such as configuration profiles and PowerShell scripts, or manipulate device compliance to access corporate resources. However, enrollment of fake devices often fails due to enrollment restrictions aimed at preventing unauthorized access.
The article outlines the device enrollment process in Intune, which includes joining Entra ID, enrolling in Intune, and device check-ins. Device enrollment starts with the device being registered in Entra ID, where it obtains a device certificate necessary for further actions. Following this, enrollment in Intune allows the device to receive a signed certificate for communication with the Intune server. The check-in process involves exchanging device information and compliance status with Entra ID.
A significant focus is placed on device enrollment restrictions, particularly those related to device ownership. Intune can block personal devices from accessing corporate resources to enhance security. This restriction is configured in the Microsoft Intune admin center and prevents unauthorized devices from enrolling. The article lists authorized methods for enrolling corporate-owned Windows devices, such as Windows Autopilot and Group Policy, highlighting the challenges attackers face when these restrictions are in place.
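Because the ownership restriction described above is the control that decides whether a fake, unmanaged device can enroll at all, the first thing a defender should verify is that the block on personal devices is actually set for every platform in use. The script below is an added example, not code from the article or from pytune: it takes the JSON body of a Microsoft Graph `GET /deviceManagement/deviceEnrollmentConfigurations` call (fetched separately with whatever Graph client the reader already uses) and reports each platform where personal-device enrollment is still allowed. The property names follow the documented `deviceEnrollmentPlatformRestrictionsConfiguration` schema (`windowsRestriction.personalDeviceEnrollmentBlocked`, `platformBlocked`, and so on); treating that shape as stable is an assumption, and the sample response embedded here is constructed for the demonstration.

```python
"""Audit Intune enrollment restrictions for the personal-device block.

Added example (not the article's or pytune's code). Input is the parsed JSON
from GET /deviceManagement/deviceEnrollmentConfigurations; the property names
assume the Graph deviceEnrollmentPlatformRestrictionsConfiguration schema.
"""
from typing import Dict, List

# Multi-platform restriction configuration type as exposed by Graph (assumed stable).
RESTRICTIONS_TYPE = "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration"

# Platform label -> property holding that platform's deviceEnrollmentPlatformRestriction.
PLATFORM_KEYS = {
    "windows": "windowsRestriction",
    "macOS": "macOSRestriction",
    "iOS": "iosRestriction",
    "android": "androidRestriction",
}


def audit_personal_device_block(graph_response: dict) -> List[Dict[str, str]]:
    """Return one finding per (configuration, platform) that still lets personal devices enroll.

    A platform that is blocked outright (platformBlocked) is not reported, because
    no device of that platform, corporate or personal, can enroll through it.
    """
    findings: List[Dict[str, str]] = []
    for cfg in graph_response.get("value", []):
        # Skip enrollment-limit and Windows Hello configurations; only
        # platform restriction objects carry the ownership setting.
        if cfg.get("@odata.type") != RESTRICTIONS_TYPE:
            continue
        for platform, key in PLATFORM_KEYS.items():
            restriction = cfg.get(key) or {}
            if restriction.get("platformBlocked", False):
                continue
            if not restriction.get("personalDeviceEnrollmentBlocked", False):
                findings.append({
                    "configuration": cfg.get("displayName", cfg.get("id", "<unknown>")),
                    "platform": platform,
                    "issue": "personal (non corporate-owned) devices may enroll",
                })
    return findings


# Constructed sample: one restriction profile plus an unrelated Windows Hello
# profile, to show that only restriction objects are inspected.
SAMPLE_RESPONSE = {
    "value": [
        {
            "@odata.type": RESTRICTIONS_TYPE,
            "id": "00000000-0000-0000-0000-000000000000_DefaultPlatformRestrictions",
            "displayName": "All users and all devices",
            "windowsRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False},
            "macOSRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": True},
            "iosRestriction": {"platformBlocked": True, "personalDeviceEnrollmentBlocked": False},
            "androidRestriction": {"platformBlocked": False, "personalDeviceEnrollmentBlocked": False},
        },
        {
            "@odata.type": "#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration",
            "id": "00000000-0000-0000-0000-000000000000_DefaultWindowsHelloForBusiness",
            "displayName": "All users and all devices",
        },
    ]
}


if __name__ == "__main__":
    for finding in audit_personal_device_block(SAMPLE_RESPONSE):
        print(f"[{finding['configuration']}] {finding['platform']}: {finding['issue']}")
```

Run against a live tenant, an empty result means every enrollable platform requires corporate ownership, which is the state the article's restriction section describes; any finding names the platform an unmanaged device could still use, and the corresponding profile in the Intune admin center is where to close it.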