Windows Corporate Device Out of Box Onboarding

This guide will provide background information on the onboarding process for a Windows Corporate Device utilizing Autopilot to Intune join.

What is Onboarding?

When we use the term onboarding, we mean joining the device to our tenant so that we can manage it. We manage devices not to see users’ files, actions, or information, but to push down security policy that protects them. Once a device is onboarded, we can manage it in these ways, as well as disable it or push actions to it.

Corporate vs Personal Devices

With so many people working from home, it has become commonplace for users to access company resources from whichever computer they like. While certainly convenient, this creates a huge problem for organizations that want to keep their data secure and devices managed. These devices may also be referred to as “BYOD”, or “Bring Your Own Device”. Bearing this in mind, if a computer is to access company resources as an internal user, whether the device is corporate owned or not, the device must be onboarded.

Personal Devices

Personal devices are seen as those devices which are not provided/owned by the organization. When a device is not owned by the organization, certain security policies will not be applied to allow the users to still retain ownership of their devices. However, this does not absolve them of the critical security policy that must be applied to all computers, whether personal or corporate. The organization will determine in which situations a user should be allowed to use a personal device, and access into the tenant may be removed at any time, along with de-joining the device from being managed by the organization. The organization and user may determine if wiping the device is appropriate to clear any lingering security policy or company data.

Corporate Devices

Corporate devices are seen as those devices which are provided/owned by the organization. These devices fall under the full control of the organization and are secured with methodology that reflects this. The same critical security policies are applied, along with additional security to help the organization protect its assets and data to a more comprehensive level. These devices will also call out to the organization when reset, and will prevent outside organizations from being signed in on them via Autopilot.

When a device is converted to a corporate device, if the account currently signed in is not the corporate account, then the new corporate account will need to be signed in to. This means a transfer of information from the current profile to the new one may be required, with the prepended OneDrive sign-in steps helping to ensure the easy transfer of essential information contained in the Desktop, Documents, and Pictures folders. Most programs and applications should transfer with the switch. If a complete profile transfer must occur, such as Windows settings or local bookmarks, we recommend getting in touch with the IT provider and determining if a tool such as User Profile Wizard would be appropriate.

What to do if you need Help

While we’ve tried to make this onboarding as simple as possible, sometimes you might have a question or encounter an error. When you were sent this document, you may have noticed the Security Essentials Enrollment Assistance document that was also included. If you run into any trouble with the enrollment process, you can use that document to get assistance and keep the onboarding going smoothly.

Onboarding Flowchart

Verify Autopilot Capable Devices

  1. Navigate to the Windows Autopilot Devices – Intune portal. Here we want to verify that the device we wish to Autopilot join shows up in the list. If it does not, the section below covers the steps needed to enable Autopilot functionality on the device.

Onboard a New Device as Corporate (Pro)

  1. With the un-setup device, proceed through basic setup until this screen is reached. (Note: In some cases, this will not show, and if it shows the step 2 screen before showing this screen, simply proceed to step 2.) Select the “Set up for work or school” option. The following authentication prompt will be displayed after selecting the option listed above.
  2. Before entering anything at the authentication prompt, press Shift + F10 to open an administrative command prompt. In the command prompt window, type powershell.exe to start a PowerShell session.
  3. Enter the PowerShell script from the table below into the session to initiate the automatic hash upload for the current device. Note: If prompted to install any additional packages through PSGallery, answer yes so that the script can run properly.

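    PowerShell Script

    # Use TLS 1.2 for the PSGallery download in this session
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # Allow script execution for this PowerShell process only
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    # Install the Get-WindowsAutopilotInfo script from PSGallery
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    # Collect the hardware hash and upload it to Intune
    Get-WindowsAutopilotInfo -Online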


  4. During the script execution, an authentication window will open. You will be required to sign in with an account that possesses at least the Intune Administrator role.
  5. During the first run of this script, you will be prompted to approve the required app registration permissions. Note: If currently enrolled in Security Essentials, you will need to be a part of the Admin.Application group to successfully consent. If you are not, you will need to submit a request that must be approved by a fellow administrator.
  6. After successful authentication, the device hash will be automatically uploaded to Intune.
  7. We will want to go to the Windows Autopilot Devices – Intune portal to verify that the hardware hash uploaded successfully, and the device is showing as a registered Windows Autopilot device.
  8. Once we have verified that the device hash has successfully imported, we will want to close out of any open windows and supply the necessary credentials for the account we want associated with this machine during Intune joining.
  9. Once successful authentication has taken place, you should see that an Autopilot deployment profile has begun to initiate for the device. The machine will be accessible again once the necessary components have been verified as completed.
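
A pre-flight check for the Shift + F10 session in steps 2 and 3, added here as an example and not part of the original guide or of the Get-WindowsAutopilotInfo script. The function name Test-AutopilotPreflight is hypothetical. It confirms the session is elevated, reads the serial number to match against the portal in step 7, confirms the hardware hash is readable, and records which copy of the upload script is installed.

```powershell
# Added example: run in the PowerShell session before Get-WindowsAutopilotInfo -Online.
# Test-AutopilotPreflight is a hypothetical helper name, not a built-in cmdlet.
function Test-AutopilotPreflight {
    [CmdletBinding()]
    param()

    # The guide opens an administrative prompt; confirm the session really is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Serial number reported by firmware: the value to look for in the portal list.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed by the MDM bridge WMI provider.
    $hash = $null
    try {
        $detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
            -ClassName 'MDM_DevDetail_Ext01' `
            -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
        $hash = $detail.DeviceHardwareData
    } catch {
        Write-Warning "Hardware hash not readable: $($_.Exception.Message)"
    }

    # Record the version and author of the script installed from PSGallery, if any.
    $script = Get-InstalledScript -Name 'Get-WindowsAutopilotInfo' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Elevated      = $elevated
        SerialNumber  = $serial
        HashReadable  = -not [string]::IsNullOrEmpty($hash)
        ScriptVersion = if ($script) { $script.Version } else { 'not installed' }
        ScriptAuthor  = if ($script) { $script.Author } else { $null }
    }
}

$result = Test-AutopilotPreflight
$result | Format-List
if (-not ($result.Elevated -and $result.HashReadable)) {
    Write-Warning 'Resolve the failed check before running Get-WindowsAutopilotInfo -Online.'
}
```

Note the SerialNumber value so the entry that appears in the Windows Autopilot Devices list can be matched to this exact machine.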

You're Finished!

You should have successfully onboarded your Windows device as a personal or corporate device. This will allow you to get all of the security features and app deployment packages offered by your organization through the Intune management agent. For any other problems or questions, reach out to us!