Enroll a Windows device with Entra ID

Last updated January 2nd, 2024

If your Knox Manage tenant syncs Active Directory resources from your Microsoft Entra tenant, you can enroll and provision Windows devices in your fleet with your users’ Entra accounts. Enrolling with Entra ID offers the benefits of rapid cloud-based provisioning technology like Windows Out of Box Experience and Windows Autopilot.

In the Entra ecosystem, there are two types of managed devices:

  • Microsoft Entra registered device: A BYOD device such as an employee-owned laptop, a 2-in-1 computer, a tablet, or a phone. For a full description of this type, see Microsoft Entra registered devices in the Microsoft docs.
  • Microsoft Entra joined device: A company-owned device such as a workstation, a laptop, a 2-in-1 computer, a tablet, or a kiosk. For a full description of this type, see Microsoft Entra joined devices in the Microsoft docs.

Depending on your enterprise needs and deployment strategy, there are four available methods for enrolling and provisioning devices in Knox Manage through Entra ID:

  • Windows Settings: Provisioning an enterprise user account by adding it as a Windows account. Available for registered and joined devices.
  • Windows Out of Box Experience (OOBE): Enrolling a device in the startup wizard when the device is first turned on. Available for joined devices.
  • Windows Autopilot: Enrolling a device with a customized OOBE profile. Available for joined devices.
  • Provisioning package (PPKG): Enrolling a device with a configuration file. Available for joined devices.

Before you can begin enrolling Windows devices using these methods, you must configure your Knox Manage tenant to sync information with your Azure tenant. Refer to Connect to Azure AD for a full explanation and details.

Supported platforms

The following Windows editions support enrollment in Knox Manage through Entra:

  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Windows 10 Mobile

Enroll a device through Windows Settings

In this enrollment method for joined and registered devices, the device user adds their Entra account to their device in the Windows Settings, which provisions their enterprise identity and enrolls the device in your Knox Manage tenant through the Samsung Knox EMM cloud app. These actions take place during a regular user session after the device has already been set up for personal use.

For more details about this feature, see Register your personal device on your work or school network in the Microsoft support pages.

To enroll a device through Windows Settings, the device user first adds their Entra account:

  1. On the device, go to Start > Settings, then in the Settings window click Accounts > Access work and school.

  2. Click + Connect. A dialog for setting up a work or school account opens.

  3. Authenticate with the Entra account:

    1. Enter the account name:

      • For a registered device, enter the Entra account name, then click Next.

        Entering the Entra account name when enrolling a joined device with Windows Settings.

      • For a joined device, click Join this device to Azure Active Directory. In the Microsoft account dialog, enter the Entra account name, then click Next.

        Joining Entra ID when enrolling a registered device with Windows Settings.

        Entering the Entra account name when enrolling a registered device with Windows Settings.

    2. If the account is recognized, both the password prompt and the Knox Manage branding show in the dialog. Enter the account password and click Sign in.

      Entering the Entra account password when enrolling with Windows Settings.

  4. If they read and agree to the terms of the Knox Manage Privacy Policy and End User License Agreement, they select I Agree, then click Accept.

    Agreeing to the Knox Manage Privacy Policy and End User License Agreement when enrolling with Windows Settings.

  5. For a registered device, confirm that both the Azure domain and the username are correct.

    Confirming the domain when enrolling a registered device with Windows Settings.

  6. If the provisioning succeeds, the dialog reads The device is connected to Samsung EMM. Click Done. The Entra account is added to the device.

    The success dialog when enrolling with Windows Settings.

  7. Back in the Settings window, ensure the Entra account is in the account list.

After the device user adds their Entra account, the device is provisioned and enrolled through the Samsung Knox Management App.

Lastly, it’s best if you ensure that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.

  2. Search for the user’s device by its IMEI/MEID, serial number, or by their user name.

  3. Check whether the device’s status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console
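The console check above confirms enrollment from the tenant's side. As an added example that is not part of the Knox Manage documentation, the following PowerShell reads the device-side view from the built-in dsregcmd /status tool and reports whether the device is Entra joined or registered and whether an MDM enrollment URL is present. The sample output embedded in the block is constructed (the tenant name and URL are placeholders) so the parser can be exercised offline; on an enrolled device you feed it the live command output instead.

```powershell
# Added example (not part of the Samsung Knox Manage docs): check the device's
# Entra join and MDM state locally with dsregcmd before looking it up in the console.
# Assumption: the sample output below is constructed for offline testing; the
# section headings and "Key : Value" layout follow what dsregcmd /status prints.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "   AzureAdJoined : YES"; headings and rulers have no colon.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $state[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        AzureAdJoined   = $state['AzureAdJoined']   -eq 'YES'
        WorkplaceJoined = $state['WorkplaceJoined'] -eq 'YES'
        DomainJoined    = $state['DomainJoined']    -eq 'YES'
        TenantName      = $state['TenantName']
        MdmUrl          = $state['MdmUrl']
    }
}

function Test-KnoxEnrollmentState {
    param([Parameter(Mandatory)][pscustomobject]$Status)
    # A joined (company-owned) device reports AzureAdJoined; a registered (BYOD)
    # device reports WorkplaceJoined in the user state section.
    $identity = if ($Status.AzureAdJoined) { 'joined' }
                elseif ($Status.WorkplaceJoined) { 'registered' }
                else { 'none' }
    # No MdmUrl means the account was added but the MDM enrollment did not complete.
    $mdmEnrolled = -not [string]::IsNullOrEmpty($Status.MdmUrl)
    [pscustomobject]@{ Identity = $identity; MdmEnrolled = $mdmEnrolled; Tenant = $Status.TenantName }
}

# Constructed sample of dsregcmd /status output (placeholder tenant and URL).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : EXAMPLE-PC

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example Tenant
                    MdmUrl : https://emm.example.invalid/enrollment
'@ -split "`r?`n"

$status = ConvertFrom-DsregStatus -Lines $sample
Test-KnoxEnrollmentState -Status $status

# On a real device, replace the constructed sample with the live output:
#   $status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
```

A device whose identity shows as joined or registered but whose MdmEnrolled value is false is the case worth chasing: the Entra account was added, but Knox Manage will not show the device as Enrolled until the MDM enrollment completes.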

Enroll a device with Windows Out of Box Experience

In this enrollment method for joined devices, the device user provisions the Entra account after turning on the device for the first time, also known as the standard OOBE on Windows 10 and 11. This process can only take place if the device hasn’t yet been configured for work or personal use.

To learn more about this technology, see Windows Out of Box Experience in the Microsoft docs.

Note

The images shown here depict the OOBE screens in Windows 11. The screens in Windows 10 consist of similar instructions and descriptions.

To enroll a device with OOBE, the device user must:

  1. Ensure the device is connected to the Internet, and turn it on. The OOBE flow starts.

  2. Follow the on-screen instructions to specify their language, region, and keyboard settings.

    Selecting the region in the OOBE flow

  3. If the device connects to the Internet through Wi-Fi or mobile data, choose an access point to connect to or select the cellular option. If the device uses mobile data, but no SIM card is present, they must insert a SIM card before they can connect to a cellular network.

  4. Follow the on-screen instructions until they reach the End User License Agreement. If they read and agree to it, select Next.

  5. On the How would you like to set up this device? screen, select Set up for work or school, then select Next.

    Selecting a work or school account setup in the OOBE flow.

  6. When prompted for sign-in information, enter their Entra account name, then select Next.

    Entering the Entra account name in the OOBE flow.

  7. If the account name is recognized, the Knox Manage branding shows, and they are prompted for the account password. Enter the password for the Entra account, then click Sign in.

    Entering the Entra account password in the OOBE flow.

  8. If they read and agree to the terms of the Knox Manage Privacy Policy and End User License Agreement, they select I Agree, then click Accept.

    Agreeing to the Knox Manage Privacy Policy and EULA.

  9. Follow the remaining on-screen instructions until they are prompted to approve the sign-in request. The preferred means of authentication is the Microsoft Authenticator app on a separate device.

    Verifying the account request in the OOBE flow

    • If the device user doesn’t have the Microsoft Authenticator app, they must select I can’t use my Microsoft Authenticator app right now, and select an alternative authentication method:

      • A verification code from their mobile app

      • An SMS message

      • A phone call

      Verifying the account request using an alternative method in the OOBE flow

  10. Enter a personal PIN for the device and finish the OOBE flow.

After the device user completes the OOBE flow, the device is provisioned with their Entra account and enrolled through the Samsung Knox Management App.

Lastly, it’s best if you ensure that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.

  2. Search for the user’s device by its IMEI/MEID, serial number, or by their user name.

  3. Check whether the device’s status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console

Register a device in Windows Autopilot

For more information about this technology, see Windows Autopilot in the Microsoft docs.

If you plan to enroll a joined device in Knox Manage with Entra ID and an Autopilot profile, you must first prepare it by registering it with the Autopilot cloud service. There are several registration methods:

To manually register a device in Windows Autopilot, first locally capture its hardware ID:

  1. Turn on the device for the first time. The OOBE flow begins.

  2. Without following the on-screen instructions, press Shift + F10 to open PowerShell.

  3. Run the following commands to save the hardware ID as a CSV file on the device:

    # Work in a scratch folder on the local disk
    New-Item -Type Directory -Path "C:\HWID"
    Set-Location -Path "C:\HWID"
    # Install-Script saves scripts here; add the folder to the path for this session only
    $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
    # Allow the downloaded, signed script to run in this process only
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    # Download Microsoft's Get-WindowsAutopilotInfo script from the PowerShell Gallery
    Install-Script -Name Get-WindowsAutopilotInfo
    # Write this device's serial number, product ID, and hardware hash to a CSV file
    Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

  4. Copy AutopilotHWID.csv to an external storage device or networked drive.

  5. Turn off the device.

  6. If you are registering multiple devices at the same time, combine the CSV files for each of them into one.
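Step 6 above leaves the merging to you. As an added example that is not part of the Knox Manage documentation or of Microsoft's Get-WindowsAutopilotInfo script, the following PowerShell combines several AutopilotHWID.csv files into one upload file, keeping a single header row, refusing files that lack the expected columns, and skipping duplicate serial numbers. It assumes each input file was written by Get-WindowsAutopilotInfo and so carries the "Device Serial Number", "Windows Product ID" and "Hardware Hash" columns; the two input files it creates for the demonstration contain placeholder values, not real hashes.

```powershell
# Added example (not part of the Samsung Knox Manage docs): merge per-device
# AutopilotHWID.csv files into one file for upload to the Autopilot service.
# Assumption: inputs come from Get-WindowsAutopilotInfo, whose CSV has the three
# columns named below and no quoting; the output keeps that unquoted layout.

function Merge-AutopilotHwidCsv {
    param(
        [Parameter(Mandatory)][string[]]$InputPath,
        [Parameter(Mandatory)][string]$OutputPath
    )
    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $seen = @{}   # serial numbers already written (hashtable keys are case-insensitive)

    $rows = foreach ($path in $InputPath) {
        $csv = @(Import-Csv -Path $path)
        # Refuse a file that does not have the Autopilot column layout at all.
        $columns = if ($csv.Count -gt 0) { $csv[0].PSObject.Properties.Name } else { @() }
        $missing = $required | Where-Object { $_ -notin $columns }
        if ($missing) { throw "$path is missing column(s): $($missing -join ', ')" }

        foreach ($row in $csv) {
            $serial = $row.'Device Serial Number'
            if ([string]::IsNullOrWhiteSpace($serial) -or
                [string]::IsNullOrWhiteSpace($row.'Hardware Hash')) {
                Write-Warning "$path has a row without a serial number or hardware hash; skipped"
                continue
            }
            # Keep the first row per serial; a device captured twice would otherwise be uploaded twice.
            if ($seen.ContainsKey($serial)) {
                Write-Warning "duplicate serial $serial in $path skipped"
                continue
            }
            $seen[$serial] = $true
            $row
        }
    }

    # ConvertTo-Csv quotes every field; strip the quotes to match the script's own output format.
    $rows | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $OutputPath
    return @($rows).Count
}

# Offline demonstration on constructed input (placeholder IDs and hashes, not real ones).
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'hwid-merge-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@'
Device Serial Number,Windows Product ID,Hardware Hash
SERIAL-A,00000-00000-00000-AAAAA,HASH-A-PLACEHOLDER
'@ | Set-Content -Path (Join-Path $demoDir 'device-a.csv')
@'
Device Serial Number,Windows Product ID,Hardware Hash
SERIAL-B,00000-00000-00000-BBBBB,HASH-B-PLACEHOLDER
SERIAL-A,00000-00000-00000-AAAAA,HASH-A-PLACEHOLDER
'@ | Set-Content -Path (Join-Path $demoDir 'device-b.csv')

$inputs = (Get-ChildItem -Path $demoDir -Filter 'device-*.csv').FullName
$written = Merge-AutopilotHwidCsv -InputPath $inputs -OutputPath (Join-Path $demoDir 'combined.csv')
"$written unique device(s) written to $(Join-Path $demoDir 'combined.csv')"
```

For real use, point -InputPath at the CSV files you copied off each device and upload the resulting combined.csv in the Autopilot Devices tab as described in the next procedure. The duplicate check matters because a repeated serial number is a common cause of a rejected upload.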

Next, upload the hardware ID to the Windows Autopilot cloud service:

  1. On the Microsoft Admin Center, go to Device > Autopilot.

    The Autopilot page on the Microsoft Admin Center

  2. On the Devices tab, click + Add Devices, then upload the device CSV file. Save the device.

  3. Create and configure an Autopilot profile for the device.

  4. On the Azure portal, check the list of devices to ensure the device is present with the Autopilot icon:

    The registered device on the Azure portal.

After the device is registered, it’s ready for OOBE enrollment.

Enroll a device with a provisioning package for Entra ID

In this enrollment method for joined devices, you create a provisioning package (PPKG) that configures the enrollment, then install it to the device.

Create a provisioning package

In order to build a PPKG, you need the Windows Configuration Designer app.

To build a PPKG for Entra ID:

  1. Open Windows Configuration Designer.

  2. Under Create, click Provision desktop devices. The PPKG wizard starts.

  3. On the Set up device screen, enter a name for the device, then click Next.

    Tip

    You can use the %SERIAL% substitution token to add the device’s serial number to the name.

  4. (Optional) If you need to perform enrollment over a specific network, configure it on the Set up network screen. Otherwise, click Next.

  5. On the Account Management screen, select Enroll in Azure AD, then click Get Bulk Token. A sign-in dialog opens.

  6. Enter your Entra tenant name, then click Next.

    Entering the Entra tenant name on the Account Management screen.

  7. If the account is recognized, the Knox Manage branding shows, and you’re prompted for your account password. Enter the password for the Entra account, then click Sign in.

    Entering the Entra account password on the Account Management screen.

  8. On the Stay signed in to all your apps screen, deselect Allow my organization to manage my device, then click No, sign in to this app only.

    Forcing sign in with one app only on the Stay signed in to all your apps screen

  9. Configure the settings on the Add applications and Add certificates screens as needed.

  10. On the Finish screen, click Create to generate the PPKG file. After it generates, a link at the bottom of the screen shows you where the file is saved in your local storage.

    Generating the PPKG file on the Finish screen

The PPKG file is prepared and ready to be deployed to devices in your fleet.

Enroll a device with the provisioning package

These actions take place during a regular user session after the device has already been set up for personal use.

To enroll a device with the PPKG:

  1. Copy the PPKG file to the device through USB storage, a VPN, or another secure channel.

  2. Have the device user open the PPKG file. A popup asks for verification.

  3. If the PPKG appears genuine and trustworthy, the device user clicks Yes, add it. The PPKG enrolls the device.

    The PPKG verification popup
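Step 3 asks the device user to judge whether the package is genuine. As an added example that is not part of the Knox Manage documentation, the following PowerShell turns that judgement into a check: it compares the SHA-256 hash of the PPKG with the value the administrator distributed separately, and only then applies the package with the Provisioning module's Install-ProvisioningPackage cmdlet. It assumes the expected hash reaches the user out of band (a ticket or a signed e-mail, for instance) and that the cmdlet is available on the device, as it is on Windows 10 and 11; the file it hashes in the demonstration is a constructed placeholder, not a real package.

```powershell
# Added example (not part of the Samsung Knox Manage docs): refuse a PPKG whose
# SHA-256 does not match the hash supplied by the administrator, so a modified or
# substituted package cannot enroll the device.
# Assumption: the expected hash is delivered out of band; Install-ProvisioningPackage
# comes from the Windows Provisioning module.

function Test-PpkgIntegrity {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-Path -Path $PackagePath -PathType Leaf)) {
        throw "Package not found: $PackagePath"
    }
    if ([IO.Path]::GetExtension($PackagePath) -ne '.ppkg') {
        throw "Not a provisioning package: $PackagePath"
    }
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    # Hex digests compare case-insensitively; any mismatch is the signal to stop.
    return ($actual -ieq $ExpectedSha256.Trim())
}

function Install-VerifiedPpkg {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-PpkgIntegrity -PackagePath $PackagePath -ExpectedSha256 $ExpectedSha256)) {
        throw "SHA-256 of $PackagePath does not match the value supplied by your administrator; not applying it"
    }
    # -QuietInstall suppresses the "Yes, add it" prompt from step 3; omit the switch
    # if you still want the user to confirm the package interactively.
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall
}

# Offline demonstration on a constructed placeholder file (not a real package).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'demo.ppkg'
Set-Content -Path $demo -Value 'constructed placeholder content' -NoNewline
$expected = (Get-FileHash -Path $demo -Algorithm SHA256).Hash
Test-PpkgIntegrity -PackagePath $demo -ExpectedSha256 $expected   # the unchanged file
Test-PpkgIntegrity -PackagePath $demo -ExpectedSha256 ('0' * 64)  # a hash that cannot match
```

The first demonstration call passes because the file is hashed and checked in the same state; the second fails because the supplied hash is wrong, which is exactly the outcome you want when a package has been altered in transit. Record the hash of the PPKG at the moment Windows Configuration Designer generates it (step 10 of the previous procedure) so the value you distribute is the one to compare against.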

After the PPKG finishes applying, the device is provisioned and enrolled through the Samsung Knox Management App.

Lastly, it’s best if you ensure that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.

  2. Search for the user’s device by its IMEI/MEID, serial number, or by their user name.

  3. Check whether the device’s status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console
