Intune: User Based Windows Enrollment Part 1

In the last blog we discussed an overview of Windows enrollment and the ways to perform it, each in a short one-liner. At a high level there are two ways: one which involves user intervention, and the other where the admin takes the driving seat.

Let us start from where we left off in the previous blog. The two ways of enrolling a Windows device are:

1. Self-enrollment of windows devices by the users.

2. Enrollment by admins without any user intervention.

Let’s dig into the first way of enrolment and find out what happens behind the scenes when a device is enrolled.

Self-enrollment of windows devices by the users.

Clearly a user will be involved who needs to manually carry out the steps that will end up enrolling the device.

As we already discussed in the previous blog, this can be further divided into four categories.

  1. Bring your own device (BYOD)
  2. MDM only enrollment
  3. Azure Active Directory joined
  4. Windows Autopilot
  • Bring your own device: We hear this term very often now. The bring-your-own-device method is used by organizations that are flexible about employees using their personal devices to access corporate resources. No enterprise will be comfortable with an unmanaged and possibly insecure device touching its resources, yet providing devices to employees involves cost and additional expense. Intune comes to the rescue here: the device can be enrolled in Intune and checks such as compliance policies can be applied so that it meets the organization's security parameters. Performing the device enrollment is a fairly simple task.

Some basic prerequisites to perform a BYOD type of enrollment on your device are:

  1. Windows version 1607 and later.
  2. User assigned with a valid Intune license (Intune_A)
  3. Windows 10 (Home, S, Pro, Education, and Enterprise versions)

There are two ways to perform a Windows BYOD enrollment.

Enrolling a device from Settings by registering it in AAD:

  1. Open the Settings app. If the app isn’t readily available in your apps list, go to the search bar and type “settings.”
  2. Select Accounts > Access work or school > Connect.
  • To get to your organization’s Intune sign-in page, enter your work or school email address. Then select Next.
  • Sign into Intune with your work or school account.
  • You’ll eventually see a message that your company or school is registering your device.
  • On the You’re all set! screen, select Done. Your device is now enrolled.
  • To double-check your connection, go back to Settings > Accounts > Access work or school. Your account should now be listed.

The second method of enrolling a device is by installing the Company Portal app.

You might already have the Company Portal app installed on your device. Check for the app in your All apps list. If you don’t see Company Portal in your list of apps, follow these steps to install it.

  1. Open Microsoft Store on your device.
  2. In the Search field, type Company Portal.
  3. In the list of results, select Company Portal > Install.
  4. Select either Install or Free. There is no difference between these two options; the words appear based on how your organization set up the app.
  • MDM only enrollment: This type of enrollment only enrolls the device into Intune and does not actually register the device in AAD. This is not a recommended option, but it does enroll the device in Intune, hence it is worth mentioning.
  • Launch the Settings app.
  • Next, navigate to Accounts.
  • Navigate to Access work or school.
  • Select the Enroll only in device management link (available in servicing build 14393.82, KB31769
  • Type in your work email address.
  • Azure Active Directory Joined: Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be joined to Azure Active Directory using the Settings app. The device can be enrolled in Intune automatically when it joins Azure AD, by leveraging automatic enrollment. This functionality comes with an Azure AD Premium subscription.

To enable automatic enrollment: navigate to MEM admin center > Devices > Windows > Windows Enrollment > Automatic Enrollment, then set the MDM user scope toggle to All.

Once the Automatic enrollment is in place let’s look into the steps to join the device to AAD.

  1. Launch the Settings app.
  • Next, select Accounts.
  • Navigate to Access work or school.
  • Select Connect.
  • Under Alternate actions, select Join this device to an Azure Active Directory domain.
  • Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
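The three enrollment paths above (BYOD registration, MDM-only enrollment and Azure AD join) leave different marks on the device. As an added example that is not part of the original post, this PowerShell snippet parses the built-in `dsregcmd /status` output and reports which state the device is in. It assumes dsregcmd prints `Name : Value` lines and that the AzureAdJoined, DomainJoined, WorkplaceJoined and MdmUrl fields are present, as they are on Windows 10.

```powershell
# Added example: classify the device's Azure AD / MDM state from dsregcmd /status.
# Assumption: dsregcmd prints one "Name : Value" pair per line.
function Get-EnrollmentState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']    # YES on the "Join this device to Azure AD" path
        DomainJoined    = $state['DomainJoined']     # YES only when an on-prem AD join is also present
        WorkplaceJoined = $state['WorkplaceJoined']  # YES on the BYOD "Connect" (work account) path
        MdmUrl          = $state['MdmUrl']           # assumed populated once the device is MDM-enrolled
    }
}

# Map the raw flags to the enrollment types discussed in this post.
function Get-EnrollmentKind {
    param([pscustomobject]$State)
    if ($State.DomainJoined -eq 'YES' -and $State.AzureAdJoined -eq 'YES') { return 'Hybrid Azure AD joined' }
    if ($State.AzureAdJoined -eq 'YES')   { return 'Azure AD joined' }
    if ($State.WorkplaceJoined -eq 'YES') { return 'Azure AD registered (BYOD)' }
    if ($State.MdmUrl)                    { return 'MDM only (not registered in Azure AD)' }
    return 'Not registered with Azure AD'
}

$s = Get-EnrollmentState
$s | Format-List
Write-Host ("Enrollment kind: " + (Get-EnrollmentKind -State $s))
if (-not $s.MdmUrl) { Write-Warning "No MDM URL found: the device is not enrolled in Intune yet." }
```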

So far we have covered the steps needed to perform BYOD, MDM-only enrollment and AAD-joined enrollment. Looking at the screenshots above, we see that the user lands on the same page in each case, where they need to enter their O365 credentials. Let's discuss exactly what happens after the user enters their UPN.

The pop-up window where the user enters the O365 credentials is called the enrollment client.

The typical enrollment process consists of the following steps:

  • Discovery Service
  • Enrollment Service
  • Authentication
  • Certificate deployment
  • First policy synchronization

Discovery Service: This is the first stage, where the enrollment client reaches out to the Discovery Service. Using the domain part of the UPN, the enrollment client makes a DNS request, and from the CNAME records it determines the MDM enrollment service. If no CNAME records are found, the user is prompted for the server address.

Enrollment Service: When the enrollment client sends its request to the Discovery Service, the Discovery Service responds with a Discovery Response message. This message contains the URL of the service endpoint that is to be used for enrollment.

Authentication: This is the step in which the user is authenticated against Azure Active Directory. By default this uses web-based authentication, but admins can use federation, multi-factor authentication, etc. The client receives a security token with which it authenticates itself against the enrollment service.

Certificate Deployment: At this point the service recognizes the request and the requester. The client now sends a GetPolicies message, and the enrollment service endpoint responds with a GetPoliciesResponse message. This response contains a certificate policy, which specifies a certificate template and the address of the CA from which the certificate is to be fetched.

First Policy Synchronization: The enrollment client now sends another message, a RequestSecurityToken message, to the endpoint; this request is built using the security token received in the Authentication phase. The service responds with a RequestSecurityTokenResponseCollection message. The response contains information such as the Device Management Service (DMS) address and the MDM client configuration, which completes the enrollment process.
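The Discovery Service and Enrollment Service stages above depend on DNS records in the user's domain, and a missing or wrong CNAME is the usual reason a user is prompted for a server address. As an added example that is not part of the original post, this PowerShell snippet repeats the discovery step an admin can run before rolling enrollment out: it derives the domain from a UPN, resolves the two enrollment CNAMEs, and probes the discovery endpoint. It assumes the public Intune CNAME targets shown below and the well-known `https://enterpriseenrollment.<domain>/EnrollmentServer/Discovery.svc` path.

```powershell
# Added example: verify the DNS records and discovery endpoint the enrollment client relies on.
# Assumptions: Intune's public CNAME targets and the Discovery.svc path used by the MDM enrollment protocol.
function Test-IntuneEnrollmentDns {
    param([Parameter(Mandatory)][string]$Upn)

    # The client only uses the domain part of the UPN to build its DNS queries.
    $domain = ($Upn -split '@')[-1]
    $expected = @{
        "enterpriseenrollment.$domain"   = 'enterpriseenrollment-s.manage.microsoft.com'
        "enterpriseregistration.$domain" = 'enterpriseregistration.windows.net'
    }

    foreach ($name in $expected.Keys) {
        try {
            $cname = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                      Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
        } catch {
            $cname = $null   # no CNAME at all: the user would be prompted for the server address
        }
        [pscustomobject]@{
            Record = $name
            Target = $cname
            Ok     = ($cname -eq $expected[$name])
        }
    }
}

# The protocol's first request is an HTTP GET to the discovery URL, which should return 200 OK.
function Test-DiscoveryEndpoint {
    param([Parameter(Mandatory)][string]$Domain)
    $url = "https://enterpriseenrollment.$Domain/EnrollmentServer/Discovery.svc"
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing
        [pscustomobject]@{ Url = $url; StatusCode = $resp.StatusCode; Ok = ($resp.StatusCode -eq 200) }
    } catch {
        [pscustomobject]@{ Url = $url; StatusCode = $null; Ok = $false; Error = $_.Exception.Message }
    }
}

# Usage: replace the UPN with a user from your own tenant.
$dns = Test-IntuneEnrollmentDns -Upn 'user@example.com'
$dns | Format-Table -AutoSize
if ($dns.Ok -contains $false) { Write-Warning "At least one enrollment CNAME is missing or points elsewhere." }
Test-DiscoveryEndpoint -Domain (($dns[0].Record -split '\.', 2)[1]) | Format-List
```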

Device Enrollment Phases

This was User based Windows Enrollment part 1. In Part 2 we will get into Windows Autopilot and its background play.

Stay Tuned!!! Goodbye

About the Author Ritesh Jangir

The author is a Bachelor of Technology in Electronics & Communication, graduated in 2013, and has built his career in the field of cloud IT infrastructure. He started with Microsoft technologies from the bottom of the ladder as a help desk operator. Working in Microsoft support with Convergys gave him end-to-end insight into Microsoft Intune and SaaS-based technologies. He then worked for multiple clients to migrate their device management strategies from on-prem to the cloud, mostly Intune and AirWatch (VMware Workspace ONE). He worked with HCL and is now with ITC Infotech as an Intune consultant, planning and implementing device management for one of the biggest beer manufacturing companies globally.
