Enrolling Windows 10 Devices Using Azure AD: Workspace ONE UEM Operational TutorialVMware Workspace ONE UEM 2105 and later
VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial provides you with practical information and exercises to help you set up Windows device onboarding to your Workspace ONE UEM environment, in conjunction with Microsoft Azure Active Directory (AAD) for authentication.
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments.
Both current and new administrators can benefit from using this tutorial. Familiarity with Windows Out of Box Experience (OOBE), Microsoft Active Directory (AD), and Microsoft Azure Active Directory (AAD) is assumed.
Integrating Microsoft Azure Active Directory (AAD) with Workspace ONE UEM
Azure Active Directory Integration Use-Cases
VMware Workspace ONE UEM integrates with Microsoft Azure Active Directory (AAD), providing a robust selection of on-boarding workflows that apply to a wide range of Windows 10 use cases. However, Azure licensing requirements stipulate that you must purchase an additional Azure AD Premium license to complete this integration.
Enterprises that are leveraging Azure AD typically use one of the following on-boarding options:
Note: The Azure AD Premium license supports on-boarding capabilities. If you want only Windows Store for Business (Business Store Portal) integration, this step is not required.
YES - Azure AD and OOBE/Auto-Pilot work with Workspace ONE Drop Ship Provisioning!
Workspace ONE Drop Ship Provisioning supports the following Active Directory (AD) Types (use cases):
Active Directory Domain Join
- Ability to join the on-premises active directory domain. The device needs access to the domain when booting up for the first time in order to join the domain successfully.
Azure Active Directory Basic
- Ability to join AAD without a premium license and still enroll into Workspace ONE UEM
Azure Active Directory Premium
- Ability to join AAD with the option of using Autopilot as well.
- Enrolls device into Workspace ONE UEM using a local Windows account.
For more information on Workspace ONE Drop Ship Provisioning, see Drop Ship Provisioning: VMware Workspace ONE Operational Tutorial
Microsoft Azure AD is generally used for onboarding new devices, and may already be used to co-manage existing SCCM-managed devices. As you perform this tutorial, ensure that separate Active Directory groups are configured when configuring integration with Azure AD and Workspace ONE UEM.
Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:
- Workspace ONE UEM 1810 or later.
- Workspace ONE UEM Admin Account.
- Microsoft Azure AD Premium P1 or greater license, or any Microsoft bundle which includes this license.
- Microsoft Azure AD Admin Account to configure integration with Workspace ONE UEM.
- A valid, configured Directory Type under Directory Services in the Workspace ONE UEM console. If Azure AD is your source of truth directory (Pure AAD Model), select None for your Directory Type.
Note: You do not need an Azure Active Directory (AD) Premium account to integrate with the Microsoft Store for Business. This integration is a separate process from the automatic MDM enrollment.
If you want only Microsoft Store for Business (Formerly Windows Business Store Portal) integration, this step is not required. See Integrating Microsoft Store for Business: VMware Workspace ONE Operational Tutorial.
Planning Your Implementation
Understanding Azure AD Integration Methods
Azure AD supports 2 main integration and sync options to directory services. These include :
Azure AD Cloud Authentication
- Azure AD password hash synchronization. Users can use the same credentials that they use on-premises without having to deploy any additional infrastructure. Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.
- Azure AD Pass-through Authentication. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud.
- When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system.
- This system can be an on-premises Active Directory Federation Services (AD FS), or an Identity Provider (IDP) which supports both WS-Trust and WS-Fed protocols, to validate the user’s credentials.
What Workspace ONE UEM Integration method do I choose?
To simplify these options, we will focus on how you add your users into Azure AD.
Users that are synced into Azure AD using the Hybrid Azure AD Integration method will obtain an Immutable ID attribute. This Immutable ID attribute is required in later steps.
For more information on Azure AD syncing to Active Directory, see
|Where Directory Users are Created||Azure AD Integration|
|Users are created directly in Azure AD
||Pure Azure AD Integration|
|Users are created in an on-premises AD or another third-party user source
Hybrid Azure AD Integration
Pure Azure AD Integration with Workspace ONE UEM
Figure: Pure Azure AD Integration Model
Hybrid Azure AD Integration using Azure AD Connect
Figure: Hybrid Azure AD Model using Azure AD Connect
- The administrator configures the integration between Azure AD and Workspace ONE UEM.
- End-users begin one of the Azure AD-based onboarding flows. Based on the user's email/UPN, Azure AD retrieves the authentication endpoint (managed/federated) and redirects users to authenticate and provide MFA if configured.
- Device redirects to Workspace ONE UEM and enrollment restrictions are checked, if enabled. Workspace ONE UEM parses the JWT token to obtain Azure AD directory ID (TID), Object ID (OID), and the UPN for the user. Workspace ONE UEM uses these attributes to query Azure AD for the user’s attributes, including the Immutable ID if present.
- If there is no Immutable ID, then we follow the Pure Azure AD model and the user is created in Workspace ONE UEM using the obtained attributes from Azure AD. If there is an Immutable ID, then Workspace ONE UEM attempts to match this attribute with the Immutable ID Mapping Attribute configured in the Workspace ONE UEM Console.
- Azure AD sends Access Token to the device which is forwarded to Workspace ONE UEM. Workspace ONE UEM parses token and saves the device into the database, keeping track of the Azure AD Device ID.
- Lastly, Workspace ONE UEM performs any additional configured enrollment restrictions. If triggered the device is wiped, if not the device has successfully joined Azure AD and enrolled into Workspace ONE UEM.
Integrating Azure AD with Workspace ONE UEM
This exercise walks you through the procedures for configuring enrollment for both SaaS and On-Premises applications. Screenshots are from the Microsoft Azure tenant available at the time this document was written.
1. Enable Azure AD For Identity Services in Workspace ONE UEM
1.1. Log in to the Workspace ONE UEM Console
- In the Workspace ONE UEM console login window, enter your user name and password.
- Click Log In.
1.4. Enable Azure AD For Identity Services
- Scroll down to the Advanced options.
- Click Use Azure AD For Identity Services.
1.5. Locate and copy the Workspace ONE URLs
- In the organization group configured to enroll Windows 10 devices, copy the following:
- MDM Enrollment URL
- Save the URLs to a text file.
2. Workspace ONE UEM On-Premises or Dedicated Saas Environments
In the majority of cases, you will use the AirWatch by VMWare application in the Azure application gallery. This application includes all permission required for integration.
The AirWatch by VMware application will also include a list of Workspace ONE UEM SaaS Environments.
If you have Workspace ONE UEM On-Premises or a Dedicated SaaS Environment, would need to add the On-Premises applications as well. This is required to create trust between the UEM instance and Azure AD. You may also need to do this step if the Workspace ONE UEM shared SaaS instance has recently been provisioned.
3. Azure Active Directory Admin Console Configurations
Navigate to Azure Active Directory
- Log in to the Microsoft Azure tenant, and in the navigation bar on the left, click Azure Active Directory.
- Click Mobility (MDM and MAM).
- Click Add application.
Note: Make sure that you do not assign the same users to both Workspace ONE and other third-party MDM providers.
3.2. Add On-Prem Application
Click Add application.
Note: Generally, you need to add the on-premises app only if you have a custom host name. This means you have a dedicated SaaS or on-premises. However, adding the app causes no harm to your setup. It also enables you to avoid the need to troubleshoot Azure enrollment errors when enrolling devices.
- Select the On-premises MDM application.
- Click Add.
Click On-premises MDM application which was just added, to begin configuration.
3.3. Configure the On-Prem Application with Workspace ONE UEM Details
- Assign the proper MDM user scope. You can select All or Some and choose a group of users.
- Complete the following:
- Paste your MDM Enrollment URL from the Workspace ONE console into the MDM discovery URL field in Azure.
- Under Configure, click Save.
- Click On-premises MDM application settings.
- Click Expose an API.
- Click Edit next to Application ID URI.
- Enter your Device Services URL (hostname of the other URLs) into the Application ID URI text box.
- Click Save.
3.4. Confirm User has correct Azure Licenses Assigned
4. Copy Azure Active Directory Tenant Properties
Copy the Azure Active Directory Tenant Properties to enter into Workspace ONE UEM shortly.
- Click Properties.
- Under Tenant Properties, copy the Tenant Name. This will typically be a text field.
- Under Tenant Properties, copy the Tenant ID. This will generally be a long list of numbers.
5. Paste the Azure Details in Workspace ONE UEM
Return to the Workspace ONE UEM Console.
- Navigate back to System>Enterprise Integration>Directory Services and scroll down to Azure integration.
- Paste the copied Tenant ID from Azure into the Directory ID text box in Workspace ONE UEM.
- Paste the copied Tenant Name from Azure into the Tenant Name text box in Workspace ONE UEM.
- Update the Immutable ID Mapping Attribute if needed and Click Save
- Specify the AD attribute Source Anchor in Azure AD Connect. The Source Anchor is mapped to the Immutable ID in Azure AD. Workspace ONE UEM uses this to assign devices to AD users during enrollment through Azure AD.
Note: By default,
objectGUID is used for the Immutable ID Mapping Attribute.
However, this value will differ if the sourceAnchor attribute was changed when setting up Azure AD Connect or if using a third-party user source.
You must match the sourceAnchor attribute being sent to Azure AD with the Immutable ID Mapping Attribute in the Workspace ONE UEM console.
The most common attribute used after the default
mS-DS-ConsistencyGuid. For more details about sourceAnchor attributes, see Azure AD Connect: Design Concepts.
Device Onboarding using Azure Active Directory
Enroll using Azure Out-of-Box-Experience
This enrollment option is used primarily for new company-owned devices that are not domain joined, and is triggered the first time an end user powers on a device. The user joins the device to the Azure cloud domain as part of the initial setup process. This workflow does not require end users to have admin privileges.
Note: If you are leveraging Microsoft Windows Autopilot, end-user configuration is simplified and streamlined, but requires having the original equipment manufacturer (OEM) of your device preregister these devices with Microsoft.
When end users power on a device for the first time, they respond to the following device prompts:
- Enter corporate credentials.
- Set up multi-factor authentication.
Note: In most cases, end users are prompted to provide a phone number for a call or text. However, Windows Hello for Business provides more advanced options, such as facial recognition, retinal scanning, or creating a unique PIN.
Devices then join the Azure cloud domain, and register with VMware Workspace ONE UEM for management.
Enroll using Azure Autopilot
You can use Windows Autopilot to simplify device enrollment, and to set up and pre-configure new devices for productive use, or to reset, repurpose, or recover devices. You can avoid the need to build, maintain, and apply custom operating system images to the devices.
With every Autopilot deployment, devices do the following by default (you can create deployment profiles to customize additional options):
- Skip Cortana, OneDrive, and OEM registration setup pages
- Automatically set up for work or school
- Get a customized Sign-In experience with company or school branding
For more information from Microsoft, see Manage Windows device deployment with Windows Autopilot Deployment. For a production example, see Microsoft Autopilot with VMware Workspace ONE UEM.
What Is Autopilot?
Windows Autopilot is a capability from Microsoft that allows pre-configuration for Windows 10 devices in conjunction with the Out-Of-Box-Enrollment (OOBE) experience. One of the most significant capabilities is that you can directly ship an end-user a Windows 10 device and as soon as it is powered on, it shows the user a customized login screen during OOBE requesting the user to enter their credentials. After successful authentication, the device is joined to Azure AD, automatically enrolled into Workspace ONE, and all the user's apps and configurations are automatically installed.
Before you can perform the procedures in this exercise, verify that the following components are installed and configured:
- A Windows 10 Professional, Enterprise, or Education device (physical or virtual) running version 1703 or later with internet access
- Azure AD Premium P1 or P2
- Azure AD integrated with Workspace ONE UEM (see Integrating Azure AD with Workspace ONE UEM)
- Users must have permission to join devices to Azure AD
- Check this in your Azure Portal at Azure Active Directory > Devices > Device Settings and allow everyone, no-one, or a specific group. You can also configure adding other administrator accounts to the device during Azure AD join here.
- A functional Azure AD tenant and an Azure AD admin account that can log in to
- A Microsoft Business Store account that can log in to
Dell, HP, and Lenovo are Original Equipment Manufacturers (OEMs). When a new computer is purchased from an OEM, before the device leaves the OEM, the device has had several configuration tasks applied to it. These tasks include the initial installation of the Windows 10 Operating System (OS). Part of this process involves running an EXE file named Sysprep in Audit Mode. Audit Mode allows the OEM to install drivers, add applications, change windows settings, and generally get the PC ready to ship directly to an end user. Understanding the details behind Sysprep and Audit Mode is beyond the scope of this tutorial. What a VMware Workspace ONE UEM Administrator needs to understand is that when a person takes the computer out of the box and powers on the device for the first time, Sysprep has just exited Audit Mode. Thus, the first thing the end user is going to see on the device is a series of questions from Microsoft that are designed to finish the configuration of the computer. Microsoft named the Q&A section of the Windows Setup process the Out of Box Experience (OOBE). The purpose of Windows Autopilot is to reduce the number of questions the end-user is asked during OOBE by letting the IT Administrator pre-answer some of the questions.
The exact number of questions seen by the end-user during OOBE varies per OEM. Each OEM can choose to add more questions to the list based on the services they are providing with the computer. The specific version of Windows 10 also plays a factor in which questions are presented. The total number of questions seen by the end-user also varies based on if the user already has existing Windows 10 devices. It also varies based on how Windows Hello is configured. Regardless of the total number of questions asked, we can all agree that the fewer questions an end user must answer to start using Windows 10, the better the experience will be for everyone.
The most crucial point to remember about leveraging Workspace ONE UEM integrated with Windows Autopilot is that this process DOES NOT join a Windows 10 computer to an on-premises Active Directory Domain. If you want to automatically register your domain-joined devices, please refer to the Enrolling Using On-Premises Active Directory Domain section. If you want to domain-join your devices, consider using Dell Provisioning for VMware Workspace ONE for Dell devices or using the Command-Line Enrollment options.
The Windows 10 installation generates a unique hardware identifier. For Autopilot to start, the hardware identifier must be registered with Microsoft. Each OEM has a different process to handle this for all new hardware purchases made directly with the OEM. If a new computer is purchased from a third party like SHI, or Ingram Micro, or Best Buy, or the IT admin is using virtual machines, then the IT administrator is responsible for registering these systems with Microsoft. This tutorial covers how to register a single device.
The remainder of this tutorial walks through the entire setup and testing process for using Windows Autopilot with VMware Workspace ONE UEM.
1. Register Devices in the Microsoft Store for Business
Your Windows 10 devices need to be pre-registered in Microsoft Store for Business portal. This portal lists all devices for your organization so that you can assign an Autopilot profile. The easiest method is purchasing a device from participating OEM (as of May 2019 - Dell, HP, Lenovo, Surface or Toshiba) and they will automatically be added to your device portal.
If your OEM is not listed here or you have existing devices, it is still possible to get the required information to upload these devices to the Microsoft Store for Business portal manually.
There is a Powershell script
Get-WindowsAutoPilotInfo which you can run against the machines to export the serial number and other required information into a CSV file to manually upload.
2. Install PowerShell Script
Install the Get-WindowsAutoPilotInfo script by opening a PowerShell session as an administrator.
- Run the install command
Install-Script -Name Get-WindowsAutoPilotInfo -Force
-Force parameter is used to overwrite older versions of this script. You may also see a warning about using an untrusted repository, type
A, then press Enter to continue.
3. Install PowerShell Script Using Group Policy or WMI
This script can also be run remotely using Group Policy or WMI. To get the current device info run:
Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Temp\W10.csv
If you are using a virtual machine, copy the
W10.csv file to your local device. If using a physical device, you can copy the
W10.csv to a USB drive or a network share. You upload this file in the next step.
The next step is to import the device into the Microsoft Store for Business and to create a Windows Autopilot profile which defines the steps and what the end-user sees during the OOBE process.
4. Import CSV File
https://businessstore.microsoft.com/en-au/manage/dashboard then select Add Devices and import your
W10.csv file containing the hardware information for your device.
5. Create New Profile
On success, you should see a message appear that confirms your device was added. You can also see your new device in the list of devices upon refreshing your browser.
- Click Autopilot Deployment.
- Click Create New Profile.
6. Save Autopilot Deployment Profile
Select the settings you want in the Profile:
- Enter a name for your Autopilot Deployment profile.
- Choose which optional settings you want to enable.
- Click Create to save your profile.
- Skip privacy settings accepts the default settings on behalf of the users.
- Disabling local admin will not create any local admins on the device.
- Skip EULA also accepts on the end user's behalf.
7. Assign Autopilot Profile to Devices
Now, assign the Windows Autopilot profile to your devices:
- Select your device(s) in the list.
- Click Autopilot Deployment.
- Click Apply Tech Zone Autopilot or your newly created profile.
Note: It is critical that both the Device Model and the Profile are reflecting properly in the Microsoft Business Store portal before continuing. Notice that the Profile Column includes a Profile Name assigned to it. If the Profile column is blank, Autopilot will not function for the device.
8. Run Sysprep from Command Prompt
For your Windows 10 device to go through OOBE it must have the Sysprep process run against it. Open a Command Prompt (as an administrator) and run Sysprep using the command:
C:\Windows\System32\Sysprep\sysprep.exe /oobe /shutdown
Note: Do not use the
/generalize switch as this changes the hardware identifiers which were generated using the
You have successfully configured Windows Autopilot to work with VMware Workspace ONE UEM and your Windows 10 device. The next step is to power on your Windows 10 device or virtual machine to see the benefits of streamlining the OOBE process for your end users. Remember that the OOBE process will look different depending on the build version, keep this in mind when creating end-user documentation.
Enroll using Azure AD Join
This enrollment option is triggered from the device settings. Also referred to as cloud-domain join, this workflow is typically used for existing company-owned devices that are not already joined to an on-premises domain. End users must have admin privileges and use their corporate credentials to join the device to the Azure cloud domain.
- From System Settings, users complete the following tasks:
- Enter corporate credentials.
- First-time Azure account users are prompted to provide a phone number for account recovery.
- Register for Windows Hello for Business by creating a unique PIN.
Note: Configure a Passport for Work profile to specify this PIN’s complexity.
- Devices join the Azure cloud domain, and register with Workspace ONE UEM for management.
Enroll with Office Applications using Azure Connect
This enrollment option is primarily used for existing company-owned or personal-owned devices that are not domain-joined, and is triggered when end users open a Microsoft Office app for the first time. End users must have admin privileges, and connect their Azure accounts to the device. Use this workflow if you already have Azure AD Premium licenses and do not want to join the device to the Azure cloud domain.
- End users open a Universal Windows Platform version of any Office 365 app, which connects their Azure account to the device.
- Enrollment begins.
Summary and Additional Resources
This tutorial introduces you to the device enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices. A set of exercises describe the process of configuring the Microsoft Azure onboarding method, including the procedures for configuring enrollment for both SaaS and On-Premises applications, and how to select the best enrollment option to meet your business needs. The end result is your ability to manage the Windows 10 device enrollment through the Azure AD.
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:
Searching for More Information
When looking for more VMware documentation, you can focus the search using the Advanced Search option.
- In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
- Enter words or phrases to start the search.
Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
- Narrow the results by selecting specific criteria.
Example: The search is limited to the specific product and version.
- Click Advanced Search.
- In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.
About the Authors
This tutorial was written by:
- Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
- Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Considerable contributions were made by the following subject matter experts:
- Darren Weatherly, Specialist Systems Engineer, VMware
- Aditya Kunduri, Group Product Marketing Manager, EUC Mobile Marketing, VMware
- Bryan Garmon, Sr. Solutions Engineer, VMware
- Pete Lindley, Sr. Specialist Systems Engineer, VMware
- Mike Nelson, Sr. Solutions Architect, VMware
- Ameya Jambavalikar, Sr. Solutions Architect, VMware
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org.