
Enroll a Windows device with Azure AD

If your Knox Manage tenant syncs Active Directory resources from your Azure AD tenant, you can enroll and provision Windows devices in your fleet with your users' Azure AD accounts. Enrolling with Azure AD offers the benefits of rapid cloud-based provisioning technology such as Windows Out of Box Experience and Windows Autopilot.

In the Azure AD ecosystem, there are two types of managed devices:

  • Registered devices — BYOD devices such as employee-owned laptops, 2-in-1 computers, tablets, and phones. For a full description of this type, see Azure AD registered devices in the Microsoft docs.
  • Joined devices — Company-owned devices such as workstations, laptops, 2-in-1 computers, tablets, and kiosks. For a full description of this type, see Azure AD joined devices in the Microsoft docs.

Depending on your enterprise needs and deployment strategy, there are four available methods for enrolling and provisioning devices in Knox Manage through Azure AD:

  • Windows Settings — Provisioning an enterprise user account by adding it as a Windows account. Available for registered and joined devices.
  • Windows Out of Box Experience (OOBE) — Enrolling a device in the startup wizard when the device is first turned on. Available for joined devices.
  • Windows Autopilot — Enrolling a device with a customized OOBE profile. Available for joined devices.
  • Provisioning package (PPKG) — Enrolling a device with a configuration file. Available for joined devices.

Before you can begin enrolling Windows devices using these methods, you must configure your Knox Manage tenant to sync information with your Azure AD tenant. Refer to Sync user information with Azure AD through Microsoft Graph API for a full explanation and details.

Supported platforms

The following Windows editions support enrollment in Knox Manage through Azure AD:

  • Windows 10/11 Pro
  • Windows 10/11 Business
  • Windows 10/11 Enterprise
  • Windows 10/11 Education
  • Windows 10 Mobile

Enroll a device through Windows Settings

In this enrollment method for joined and registered devices, the device user adds their Azure AD account to their device in the Windows Settings, which provisions their enterprise identity and enrolls the device in your Knox Manage tenant through the Samsung Knox EMM cloud app. These actions take place during a regular user session after the device has already been set up for personal use.

For more details about this feature, see Register your personal device on your work or school network in the Microsoft support pages.

To enroll a device through Windows Settings, the device user first adds their Azure AD account:

  1. On the device, go to Start > Settings, then in the Settings window click Accounts > Access work and school.
  2. Click + Connect. A dialog for setting up a work or school account opens.
  3. Authenticate with the Azure AD account:

    1. Enter the account name:

      • For a registered device, enter the Azure AD account name, then click Next.

        Entering the Azure AD account name when enrolling a joined device with Windows Settings

      • For a joined device, click Join this device to Azure Active Directory. In the Microsoft account dialog, enter the Azure AD account name, then click Next.

        Joining to an Azure AD when enrolling a registered device with Windows Settings

        Entering the Azure AD account name when enrolling a registered device with Windows Settings

    2. If the account is recognized, both the password prompt and the Knox Manage branding show in the dialog. Enter the account password and click Sign in.

      Entering the Azure AD account password when enrolling with Windows Settings

  4. If they read and agree to the terms of the Knox Manage Privacy Policy and End User License Agreement, they select I Agree and then click Accept.

    Agreeing to the Knox Manage Privacy Policy and End User License Agreement when enrolling with Windows Settings

  5. For a registered device, confirm that both the Azure domain and the user name are correct.

    Confirming the domain when enrolling a registered device with Windows Settings

  6. If the provisioning succeeds, the dialog reads The device is connected to Samsung EMM. Click Done. The Azure AD account is added to the device.

    The success dialog when enrolling with Windows Settings

  7. Back in the Settings window, ensure the Azure AD account is in the account list.

After the device user adds their Azure AD account, the device is provisioned and enrolled through the Samsung Knox Management App.

Finally, verify that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.
  2. Search for the user's device by its IMEI/MEID, serial number, or by their user name.
  3. Check whether the device's status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console

Enroll a device with Windows Out of Box Experience

In this enrollment method for joined devices, the device user provisions the Azure AD account after turning on the device for the first time, also known as the standard OOBE on Windows 10 and 11. This process can only take place if the device hasn't yet been configured for work or personal use.

To learn more about this technology, see Windows Out of Box Experience in the Microsoft docs.

NOTE — The images shown here depict the OOBE screens in Windows 11. The screens in Windows 10 consist of similar instructions and descriptions.

To enroll a device with OOBE, the device user must:

  1. Ensure the device is connected to the Internet, and turn it on. The OOBE flow starts.
  2. Follow the on-screen instructions to specify their language, region, and keyboard settings.

    Selecting the region in the OOBE flow

  3. If the device connects to the Internet through Wi-Fi or mobile data, choose an access point to connect to or select the cellular option. If the device uses mobile data, but no SIM card is present, they must insert a SIM card before they can connect to a cellular network.
  4. Follow the on-screen instructions until they reach the End User License Agreement. If they read and agree to it, select Next.
  5. On the How would you like to set up this device? screen, select Set up for work or school, then select Next.

    Selecting a work or school account setup in the OOBE flow

  6. When prompted for sign-in information, enter their Azure AD account name, then select Next.

    Entering the Azure AD account name in the OOBE flow

  7. If the account name is recognized, the Knox Manage branding shows, and they are prompted for the account password. Enter the password for the Azure AD account, then click Sign in.

    Entering the Azure AD password in the OOBE flow

  8. If they read and agree to the terms of the Knox Manage Privacy Policy and End User License Agreement, they select I Agree and then click Accept.

    Agreeing to the Knox Manage Privacy Policy and EULA

  9. Follow the remaining on-screen instructions until they are prompted to approve the sign-in request. The preferred means of authentication is the Microsoft Authenticator app on a separate device.

    Verifying the account request in the OOBE flow

    • If the device user doesn't have the Microsoft Authenticator app, they must select I can't use my Microsoft Authenticator app right now, and select an alternative authentication method:

      • A verification code from their mobile app
      • An SMS message to their phone
      • A call to their phone

      Verifying the account request using an alternative method in the OOBE flow

  10. Enter a personal PIN for the device and finish the OOBE flow.

After the device user completes the OOBE flow, the device is provisioned with their Azure AD account and enrolled through the Samsung Knox Management App.

Finally, verify that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.
  2. Search for the user's device by its IMEI/MEID, serial number, or by their user name.
  3. Check whether the device's status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console

Register a device in Windows Autopilot

For more information about this technology, see Windows Autopilot in the Microsoft docs.

If you plan to enroll a joined device in Knox Manage with Azure AD and an Autopilot profile, you must first prepare it by registering it with the Autopilot cloud service. There are several registration methods:

To manually register a device in Windows Autopilot, first locally capture its hardware ID:

  1. Turn on the device for the first time. The OOBE flow begins.
  2. Without following the on-screen instructions, press Shift + F10 to open PowerShell.
  3. Run the following commands to save the hardware ID as a CSV file on the device:

    # Create a working folder for the output and switch to it
    New-Item -Type Directory -Path "C:\HWID"
    Set-Location -Path "C:\HWID"
    # Make scripts installed by Install-Script resolvable in this session
    $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
    # Allow the downloaded script to run in this process only (no persistent policy change)
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    # Fetch the Get-WindowsAutopilotInfo script from the PowerShell Gallery
    Install-Script -Name Get-WindowsAutopilotInfo
    # Write the device's serial number, product ID, and hardware hash to a CSV file
    Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

  4. Copy AutopilotHWID.csv to an external storage device or networked drive.
  5. Turn off the device.
  6. If you are registering multiple devices at the same time, combine the CSV files for each of them into one.
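As an added example (not from the Knox Manage documentation), the following PowerShell function combines the per-device CSV files collected in step 3 into a single upload file. It assumes each file carries the column names that Get-WindowsAutopilotInfo writes (Device Serial Number, Windows Product ID, Hardware Hash), skips files missing those columns, and drops rows with an empty serial or hash as well as duplicate serial numbers so that no device is uploaded twice:

```powershell
# Added example, not part of the Knox Manage docs. Assumed column names are
# those written by Get-WindowsAutopilotInfo; adjust if your version differs.
function Merge-AutopilotHwidCsv {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,   # folder holding the per-device CSVs
        [Parameter(Mandatory)] [string] $OutputFile      # combined CSV to upload
    )

    $required = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash')
    $seen     = @{}
    $merged   = New-Object System.Collections.Generic.List[object]

    Get-ChildItem -Path $SourceFolder -Filter '*.csv' -File | ForEach-Object {
        $file = $_
        $rows = @(Import-Csv -Path $file.FullName)
        if ($rows.Count -eq 0) { Write-Warning "Empty file skipped: $($file.Name)"; return }

        # Reject files that lack the columns the Autopilot upload expects
        $columns = $rows[0].PSObject.Properties.Name
        $missing = $required | Where-Object { $_ -notin $columns }
        if ($missing) {
            Write-Warning "Skipping $($file.Name): missing column(s) $($missing -join ', ')"
            return
        }

        foreach ($row in $rows) {
            $serial = "$($row.'Device Serial Number')".Trim()
            $hash   = "$($row.'Hardware Hash')".Trim()
            # An empty serial or hash means the capture failed on that device
            if (-not $serial -or -not $hash) {
                Write-Warning "Skipping row with empty serial or hash in $($file.Name)"
                continue
            }
            # The same device captured twice must appear only once in the upload
            if ($seen.ContainsKey($serial)) {
                Write-Warning "Duplicate serial $serial in $($file.Name) ignored"
                continue
            }
            $seen[$serial] = $true
            $merged.Add($row)
        }
    }

    # Keep only the required columns, in the expected order
    $merged | Select-Object $required | Export-Csv -Path $OutputFile -NoTypeInformation
    return $merged.Count   # number of devices written
}

# Usage with placeholder paths:
# Merge-AutopilotHwidCsv -SourceFolder 'D:\HWID' -OutputFile 'D:\AutopilotHWID-all.csv'
```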

Next, upload the hardware ID to the Windows Autopilot cloud service:

  1. On the Microsoft Admin Center, go to Device > Autopilot.

    The Autopilot page on the Microsoft Admin Center

  2. On the Devices tab, click + Add Devices, then upload the device CSV file. Save the device.
  3. Create and configure an Autopilot profile for the device.
  4. On the Azure AD portal, check the list of devices to ensure the device is present with the Autopilot icon:

    The registered device on the Azure AD portal

After the device is registered, it's ready for OOBE enrollment.

Enroll a device with a provisioning package for Azure AD

In this enrollment method for joined devices, you create a provisioning package (PPKG) that configures the enrollment, then install it on the device.

Create a provisioning package

In order to build a PPKG, you need the Windows Configuration Designer app.

To build a PPKG for Azure AD:

  1. Open Windows Configuration Designer.
  2. Under Create, click Provision desktop devices. The PPKG wizard starts.
  3. On the Set up device screen, enter a name for the device, then click Next.

    TIP — You can use the %SERIAL% substitution token to add the device's serial number to the name.

  4. (Optional) If you need to perform enrollment over a specific network, configure it on the Set up network screen. Otherwise, click Next.
  5. On the Account Management screen, select Enroll in Azure AD, then click Get Bulk Token. A sign-in dialog opens.
  6. Enter your Azure AD tenant account name, then click Next.

    Entering the Azure AD account name on the Account Management screen

  7. If the account is recognized, the Knox Manage branding shows, and you're prompted for your account password. Enter the password for the Azure AD account, then click Sign in.

    Entering the Azure AD account password on the Account Management screen

  8. On the Stay signed in to all your apps screen, deselect Allow my organization to manage my device, then click No, sign in to this app only.

    Forcing sign in with one app only on the Stay signed in to all your apps screen

  9. Configure the settings on the Add applications and Add certificates screens as needed.
  10. On the Finish screen, click Create to generate the PPKG file. After it generates, a link at the bottom of the screen shows you where the file is saved in your local storage.

    Generating the PPKG file on the Finish screen

The PPKG file is prepared and ready to be deployed to devices in your fleet.

Enroll a device with the provisioning package

These actions take place during a regular user session after the device has already been set up for personal use.

To enroll a device with the PPKG:

  1. Copy the PPKG file to the device through USB storage, a VPN, or other secure means.
  2. Have the device user open the PPKG file. A popup asks for verification.
  3. If the PPKG appears genuine and trustworthy, the device user clicks Yes, add it. The PPKG enrolls the device.

    The PPKG verification popup

After the PPKG finishes applying, the device is provisioned and enrolled through the Samsung Knox Management App.

Finally, verify that the device is enrolled in your Knox Manage tenant:

  1. On the Knox Manage console, go to Device.
  2. Search for the user's device by its IMEI/MEID, serial number, or by their user name.
  3. Check whether the device's status is Enrolled.

    The device with the Enrolled status on the Device page of the Knox Manage console
