Workspace ONE UEM offers a range of methods to enroll your Windows 10 and 11 devices. The complete list of enrollment types is listed here. In addition, my colleague Bryan Garmon has created a great diagram illustrating the various enrollment types.
A very popular method to easily enroll your Windows 10 devices is to integrate Workspace ONE UEM with Azure Active Directory (Azure AD). Through integration with Microsoft Azure AD, Windows devices automatically enroll into Workspace ONE UEM with minimal end-user interaction.
Two popular enrollment flows are:
- Out of Box Experience enrollment (or OOBE)
- Windows Autopilot
The setup of both methods is detailed in this article.
Out of the Box Experience (or OOBE)
When customers turn on their Windows PCs for the first time, they see the Windows Out of Box Experience (OOBE). OOBE consists of a series of screens that require customers to accept the license agreement, connect to the internet, log in with (or sign up for) a Microsoft Account, and share information with the OEM. An OOBE enrollment is synonymous with an Azure AD enrollment. The following section details how to integrate Workspace ONE UEM with Azure AD.
Integrating Workspace ONE UEM with Azure AD
The following VMware Techzone tutorial provides all the instructions you need to integrate Workspace ONE UEM and Azure AD. There are a few things to point out when setting up this integration.
For Workspace ONE UEM shared SaaS environments, the AirWatch by VMware application is all that you’ll need to enable in Azure AD. As noted in the article, you generally need to add the on-premises app only if you have a custom host name, which means you have a dedicated SaaS or on-premises environment. However, adding the app causes no harm to your setup, and it spares you from troubleshooting Azure enrollment errors when enrolling devices.
Below is a screen capture from my lab where I’ve highlighted the items I configured:
Whilst you’re in the Azure AD portal, you may wish to apply some branding of your tenant so that users are prompted with a personalised message when they enrol their device. Select Company Branding and edit the Default Locale as shown:
What about Intune?
If you’re migrating from Microsoft Intune (or a population of your staff are still using it), then it’s important that you set the groups for the Microsoft Intune and Microsoft Intune Enrollment applications to None or to a specific Azure AD group, as follows:
Testing with a Windows 10 virtual machine
Next, build a new Windows 10 machine (a virtual machine is easiest). When you reach the Sign in with Microsoft screen, enter your user’s Azure AD userid and click Next.
You should then be prompted for your password. Note how some of the branding of Azure has been applied too:
You’ll then be guided through a number of screens, including setting up a Windows Hello PIN. You will then see the Windows desktop and the Intelligent Hub app catalog as shown.
If you don’t see the Hub on your device, ensure that you’ve configured Workspace ONE UEM to publish the Hub. This can be enabled by selecting Groups and Settings > All Settings > Devices & Users > Windows > Windows Desktop > Intelligent Hub Application and then enabling Publish Workspace ONE Intelligent Hub as shown.
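If the Hub does not appear, it helps to confirm from the device itself that the OOBE sign-in produced both an Azure AD join and an MDM enrollment that points at Workspace ONE UEM rather than Intune. The following script is an added example, not part of the original post; it assumes dsregcmd /status reports AzureAdJoined and MdmUrl lines, that the Hub registers as an installed package whose name starts with "Workspace ONE Intelligent Hub", and that the UEM host name is a placeholder you replace with your tenant’s device services URL.

```powershell
# Added example (not from the original post): verify Azure AD join and UEM MDM enrollment on the device.
# Assumptions: dsregcmd /status prints 'AzureAdJoined : YES' and an 'MdmUrl :' line when enrolled;
# 'YOUR-UEM-TENANT.awmdm.com' is a placeholder for your Workspace ONE UEM device services host.
param([string] $ExpectedMdmHost = 'YOUR-UEM-TENANT.awmdm.com')

function Get-DsregStatus {
    # Parse the 'Key : Value' lines of dsregcmd /status into a hashtable; banner lines have no colon and are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') { $status[$Matches[1]] = $Matches[2].Trim() }
    }
    return $status
}

$s = Get-DsregStatus
$problems = @()

# An OOBE sign-in with an Azure AD account should always leave the device Azure AD joined.
if ($s['AzureAdJoined'] -ne 'YES') {
    $problems += "Device is not Azure AD joined (AzureAdJoined=$($s['AzureAdJoined']))"
}

# MdmUrl is the enrollment endpoint the device was handed during join; empty means no MDM enrollment happened.
if (-not $s['MdmUrl']) {
    $problems += 'No MDM enrollment recorded (MdmUrl is empty); the Hub will not be pushed'
}
elseif ($s['MdmUrl'] -notmatch [regex]::Escape($ExpectedMdmHost)) {
    # An unexpected MdmUrl often means the Intune MDM user scope still covers this user (see the Intune note above).
    $problems += "MDM URL '$($s['MdmUrl'])' does not point at $ExpectedMdmHost"
}

# The installed Hub is the visible confirmation the post describes; package name assumed to start with this prefix.
$hub = Get-Package -Name 'Workspace ONE Intelligent Hub*' -ErrorAction SilentlyContinue
if (-not $hub) { $problems += 'Workspace ONE Intelligent Hub is not installed yet' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Azure AD joined to tenant '$($s['TenantName'])'; MDM enrolled at $($s['MdmUrl']); Hub $($hub.Version) installed"
```

Run it in an elevated PowerShell session shortly after reaching the desktop; a non-zero exit with warnings points you at whichever of the three pieces (join, MDM URL, Hub) is missing.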
Windows Autopilot
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. It’s the equivalent of Apple’s Device Enrollment Program (DEP) or Google Zero-Touch.
If you log in to the Microsoft Store for Business, you should see a list of devices from your OEM. If you’re testing with your own devices, you can run the PowerShell script below on your devices to export the required serial number (and other information) and import these devices into the Microsoft Store for Business portal.
To do this, open a Windows command prompt (as administrator) and start PowerShell. Next, run the command Install-Script -Name Get-WindowsAutoPilotInfo and select Y when prompted. This installs a PowerShell script called Get-WindowsAutoPilotInfo, which is used to collect the information required to add this Windows 10 machine to Autopilot.
Next execute the script by performing the following:
cd C:\Program Files\WindowsPowerShell\Scripts
.\Get-WindowsAutoPilotInfo.ps1 -OutputFile AutopilotHWID.csv
Now, from the Microsoft Store for Business portal, select Add devices and browse to the AutopilotHWID.csv file you created previously. After refreshing the portal screen you should see the serial number of the virtual machine you just imported.
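Before uploading the CSV it is worth checking that the export is complete and that it really describes the machine you think it does, since the hardware hash and serial number are the identity Autopilot uses to recognise a corporate device. The following script is an added example and not part of the original post or the Get-WindowsAutoPilotInfo project; it assumes the CSV carries the column headers Device Serial Number, Windows Product ID and Hardware Hash.

```powershell
# Added example (not from the original post): sanity-check AutopilotHWID.csv before uploading it.
# Assumed column headers written by Get-WindowsAutoPilotInfo.ps1:
#   'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
param([Parameter(Mandatory)] [string] $CsvPath)

function Test-AutopilotCsv {
    param([string] $Path)
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "$Path contains no device rows" }

    # All three columns must be present, or the portal rejects the file.
    $present = $rows[0].PSObject.Properties.Name
    $missing = $required | Where-Object { $_ -notin $present }
    if ($missing) { throw "$Path is missing column(s): $($missing -join ', ')" }

    # The hardware hash is what Autopilot matches on; an empty one makes the row useless.
    foreach ($r in $rows) {
        if ([string]::IsNullOrWhiteSpace($r.'Hardware Hash')) {
            throw "Serial '$($r.'Device Serial Number')' has an empty hardware hash; re-run the export"
        }
        if ([string]::IsNullOrWhiteSpace($r.'Device Serial Number')) {
            throw "A row has an empty serial number; re-run the export"
        }
    }

    # Duplicate serials (common after merging several exports) are rejected by the portal; catch them here.
    $dupes = $rows | Group-Object 'Device Serial Number' | Where-Object Count -gt 1
    if ($dupes) { throw "Duplicate serial number(s): $($dupes.Name -join ', ')" }

    return $rows
}

$rows = Test-AutopilotCsv -Path $CsvPath

# When the check runs on the same machine that produced a single-device CSV, the serial
# must match what the firmware reports; a mismatch means the wrong file is about to be uploaded.
$biosSerial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
if ($rows.Count -eq 1 -and $rows[0].'Device Serial Number' -ne $biosSerial) {
    Write-Warning "CSV serial '$($rows[0].'Device Serial Number')' differs from local BIOS serial '$biosSerial'"
}

Write-Output "$CsvPath looks good: $($rows.Count) device(s) ready for upload"
```

Run it from the same Scripts folder, for example .\Test-AutopilotCsv.ps1 -CsvPath .\AutopilotHWID.csv, before selecting Add devices in the portal.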
Next select Autopilot deployment – Create new profile.
Create a new Autopilot profile as per the following example, then click Create.
Then make sure you’ve applied this Autopilot profile to all of your test devices as shown:
To ensure that my Windows 10 virtual machine presents the same hardware information to the Autopilot servers, I ran the following command to prepare it for deployment.
C:\Windows\System32\Sysprep\sysprep.exe /oobe /shutdown
Note that the /generalize switch is not used, so as not to affect the hardware information exported by the Get-WindowsAutoPilotInfo.ps1 script.
I then took a VMware snapshot before starting the virtual machine. The difference this time is that instead of the Windows OOBE login, my test workstation was recognised as my corporate device so it immediately prompted me for my userid:
Some of the Windows 10 setup screens, such as the privacy settings and EULA, are also bypassed (as per the profile settings above).
Once you’ve entered your userid and password, Windows 10 completes its final setup, including Windows Hello, and you are ready to go!
That’s it! You’re now ready to have users enroll their Windows 10/11 devices over the air using their Azure AD userid, or have their new devices quickly enrolled into Workspace ONE using Autopilot. It’s very easy to set up!