In the last blog we discussed an overview of Windows enrollment: the ways to perform it, each summarized in a short one-liner. At a high level there are two ways, one which involves user intervention and another which requires the admin to take the driving seat.
Let us start from where we left off in the previous blog. The two ways of enrolling a Windows device are:
1. Self-enrollment of windows devices by the users.
2. Enrollment by admins without any user intervention.
Let’s dig into the first way of enrollment and find out what happens behind the scenes when a device is enrolled.
Self-enrollment of Windows devices by the users.
Clearly a user will be involved who needs to manually carry out the steps that end up enrolling the device.
As we already discussed in the previous blog, this can be further divided into four categories.
Some basic prerequisites to perform a BYOD type of enrollment on your device are:
There are two ways to perform a Windows BYOD enrollment.
Enrolling a device from Settings by registering it in AAD:
The second method of enrolling a device is by installing the Company Portal app.
You might already have the Company Portal app installed on your device. Check for the app in your All apps list. If you don’t see Company Portal in your list of apps, follow these steps to install it.
To enable automatic enrollment, navigate to MEM admin center > Devices > Windows > Windows Enrollment > Automatic Enrollment and toggle the switch for MDM user scope to All.
Once automatic enrollment is in place, let’s look into the steps to join the device to AAD.
So far we have covered the steps needed to perform BYOD, MDM-only enrollment and AAD-joined enrollment. Looking at the above screenshots, we see that the user lands on the same page where he needs to enter the O365 credentials. Let’s discuss exactly what happens after the user enters his UPN.
The pop-up window where the user enters the O365 credentials is called the enrollment client.
The typical enrollment process consists of the following steps:
Discovery Service: This is the first stage, where the enrollment client reaches out to the Discovery Service. Using the UPN, the enrollment client creates a DNS request and uses the CNAME records to determine the MDM enrollment service. If no CNAME registration records are found, the user is prompted for the server address.
Enrollment Service: When the enrollment client sends a request to the Discovery Service, the Discovery Service responds with a Discovery Response Message. This message contains the URL of the service endpoint that is to be hit for enrollment.
Authentication: This is the step in which the user is authenticated against Azure Active Directory. By default this uses web-based authentication; however, admins can use federation, multi-factor authentication, etc. The client receives a security token to authenticate itself against the enrollment service.
Certificate Deployment: At this point the service recognizes the request and the requester. The client now sends a request called a GetPolicy message. The enrollment service endpoint responds with a GetPoliciesResponse message. This response contains a certificate policy, which contains a certificate template and the address of the CA from which the certificate is to be fetched.
First Policy Synchronization: The enrollment client now sends another message, a RequestSecurityToken message, to the endpoint; this request is crafted using the security token received in the Authentication phase. The service responds with a RequestSecurityTokenResponseCollection message. The response contains information such as the Device Management Service (DMS) address and MDM client, which completes the entire enrollment process.
Device Enrollment Phases
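To make the discovery stage concrete, here is an added example (not code from the original post) that mimics what the enrollment client does with the UPN: derive the domain, look up the well-known enrollment CNAME, and decide whether it can continue automatically or must prompt the user for a server address. It doubles as an admin check that the CNAME points where you expect. The DNS label `enterpriseenrollment`, the expected Intune target and the Discovery.svc URL path are assumed from public Microsoft documentation; the DNS answers are constructed so the script runs offline.

```python
import re
from typing import Callable, Dict, Optional

# Assumed from public Microsoft docs; verify against your tenant's DNS.
MDM_ENROLL_LABEL = "enterpriseenrollment"
EXPECTED_INTUNE_TARGET = "enterpriseenrollment-s.manage.microsoft.com"

# A resolver returns the CNAME target for a hostname, or None if no record.
Resolver = Callable[[str], Optional[str]]


def domain_from_upn(upn: str) -> str:
    """Extract the DNS domain the enrollment client derives from the UPN."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", upn):
        raise ValueError(f"not a valid UPN: {upn!r}")
    return upn.rsplit("@", 1)[1].lower()


def discover_enrollment_service(upn: str, resolve_cname: Resolver) -> Dict[str, Optional[str]]:
    """Discovery stage: UPN -> domain -> CNAME lookup -> next action."""
    domain = domain_from_upn(upn)
    enroll_host = f"{MDM_ENROLL_LABEL}.{domain}"
    target = resolve_cname(enroll_host)
    result = {
        "domain": domain,
        "enrollment_cname": target,
        "discovery_url": None,
        "status": "prompt_user_for_server",  # no CNAME: client asks the user
    }
    if target is None:
        return result
    # Path assumed from the MDM enrollment protocol documentation.
    result["discovery_url"] = f"https://{enroll_host}/EnrollmentServer/Discovery.svc"
    # Admin check: the CNAME should land on the tenant's MDM, not elsewhere.
    if target.rstrip(".").lower() == EXPECTED_INTUNE_TARGET:
        result["status"] = "intune_cname_ok"
    else:
        result["status"] = "cname_points_elsewhere_investigate"
    return result


# Constructed sample DNS answers standing in for real lookups (no network).
SAMPLE_DNS = {
    "enterpriseenrollment.contoso.example": "enterpriseenrollment-s.manage.microsoft.com.",
    "enterpriseenrollment.fabrikam.example": "third-party-mdm.example.",
}


def sample_resolver(hostname: str) -> Optional[str]:
    return SAMPLE_DNS.get(hostname.lower())


if __name__ == "__main__":
    for upn in ("alice@contoso.example", "bob@fabrikam.example", "carol@nodns.example"):
        print(discover_enrollment_service(upn, sample_resolver))
```

Swap `sample_resolver` for a real CNAME lookup to run the same check against your own tenant's domains.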
This was User-based Windows Enrollment part 1. In Part 2 we will get into Windows Autopilot and its background play.
Stay Tuned!!! Goodbye
The author is a 2013 Bachelor of Technology graduate in Electronics & Communication and has built a career precisely in the field of cloud IT infrastructure. The author got associated with Microsoft technologies right from the bottom of the ladder as a help desk operator. Working for Microsoft support with Convergys gave an end-to-end insight into Microsoft Intune and SaaS-based technologies. The author further worked for multiple clients to migrate their device management strategies from on-prem to cloud, mostly Intune and AirWatch (VMware Workspace ONE), worked with HCL, and is now with ITC Infotech as an Intune consultant for planning and implementation of device management for one of the biggest beer manufacturing companies globally.