7.4 Enabling Access Manager with Microsoft Windows Autopilot

This feature is supported in Access Manager 5.0 Service Pack 2 and later.

From initial deployment to end-of-life, Windows Autopilot simplifies the Windows device lifecycle. The device is brought to a business-ready state for the user regardless of its location. The user only needs to sign in with the user mail ID and have a constant network connection. The user's device is synced with the business policies set in the Azure Active Directory portal. The tested and verified Office 365 integration is WS-Trust/WS-Federation. Windows Autopilot provides the following benefits:

  • Less time spent on deploying, managing, and retiring devices.

  • Fewer infrastructure requirements to maintain the devices.

  • Enhanced usability for all types of end-users.

After integrating Windows Autopilot with Access Manager, you can manage Windows devices with the following applications:

  • Microsoft Intune

  • Windows Update for Business

  • Microsoft Endpoint Configuration Manager

  • Other similar applications

Perform the following steps to achieve this configuration:

  1. Integrate with Office 365 using WS-Trust. For more information, see Configuring an Office 365 Domain By Using WS-Trust Protocol.

  2. Integrate with the Kerberos contract. For more information, see Creating the Authentication Class, Method, and Contract. Go to Identity Servers > Edit > WS-Trust > STS Configuration and ensure that the Kerberos method is at the top of the priority order.

    NOTE: Restart Identity Server if the Kerberos method has not been invoked during the device registration or device enrollment process.

  3. Enable MEX by following the procedure outlined in Section 7.1.2, Setting Up Automatic Hybrid Azure AD Join for Windows Devices.

  4. On the Windows server, enable the Device Registration policy and disable IE Enhanced Security Configuration as recommended by Microsoft. The Device Registration policy is enabled as part of Hybrid Azure Active Directory only. IE Enhanced Security Configuration must be disabled for the Intune connector installation.

  5. Download AAD Connect and install it on the same on-premises Active Directory. Configure and check the connection from the Microsoft tenant by using the global administrator role.

  6. Download and install the Intune connector on the Windows server using the on-premises Active Directory, and upload the hardware IDs of the devices. For more information, see Section 7.3, Registering Devices to Microsoft Intune Mobile Device Management.

  7. Assign the hardware ID to a user. For more information, see Microsoft Support and Microsoft Documentation.

    You might be required to work with the device vendor for this procedure.

  8. Download Windows 10 OEM image and deploy Windows 10. For more information, see Microsoft Documentation.

  9. Verify the device registration and device authentication using Kerberos in the Identity Server catalina logs. The device name is visible with a $ sign in the Identity Server catalina logs.

    NOTE: If the organization uses VPN, ensure that the Windows 10 device deployed from the OEM image can access the internet and Identity Server for authentication during the Autopilot account setup. Otherwise, the account setup phase fails after some time (~40 minutes) and the device sync happens using FALLBACK Sync rather than FEDERATED Authentication/Sync.

  10. Verify that the devices are registered and enrolled on the Microsoft Tenant portal and that it displays the time stamp. The devices must not be in the pending state.

  11. Verify the Autopilot login on the device. After logging in using the username/email, you must see the Home Screen on the Windows 10 device.

    NOTE: If AzureAdPrt is NO, reboot the Windows 10 client and verify again. If the device status is still pending for Device Registration, verify the following:

    • Whether the Device Registration policy is enabled on the on-premises Active Directory.

    • Delete the pending items from the devices and restart device registration.

    • Check the Identity Server logs to verify that the STS and RST tokens are received by Access Manager from the Azure tenant during the device authorization using Kerberos.

    • Ensure that Kerberos is functioning normally.

    • The Autopilot-designated devices cannot be deleted directly from the AAD Device Registration Portal.
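The client-side checks in the last steps (device registration state, AzureAdPrt, and the Device Registration policy from step 4) can be collected in one read-only script. The following is an added example and is not part of the Access Manager documentation or product: it runs on the Autopilot-deployed Windows 10 client, parses the output of dsregcmd /status (the DomainJoined, AzureAdJoined, AzureAdPrt and TenantName fields are the ones that tool prints), and reads the registry value that the "Register domain joined computers as devices" policy applies. The function names are my own.

```powershell
# Added example, not from the Access Manager documentation: read-only checks to run
# in an elevated PowerShell session on the Autopilot-deployed Windows 10 client after
# the account setup phase. Field names (DomainJoined, AzureAdJoined, AzureAdPrt,
# TenantName) are those printed by dsregcmd /status; the function names are mine.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines grouped under banner lines such as
    # "| Device State |". Collect every Key : Value pair into a hashtable;
    # banner lines contain no colon and are skipped.
    $table = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:|]+?)\s*:\s*(.*?)\s*$') {
            $table[$Matches[1]] = $Matches[2]
        }
    }
    return $table
}

function Test-DeviceRegistrationPolicy {
    # The "Register domain joined computers as devices" group policy (step 4 above)
    # is applied on the client as autoWorkplaceJoin=1 under this key.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
    $item = Get-ItemProperty -Path $key -Name autoWorkplaceJoin -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.autoWorkplaceJoin -eq 1)
}

function Test-AutopilotRegistration {
    param([hashtable]$Status = (Get-DsregStatus))

    # A hybrid-joined device reports both DomainJoined and AzureAdJoined as YES.
    # AzureAdPrt becomes YES only once the signed-in user holds a Primary Refresh
    # Token, which is the value the NOTE above tells you to check.
    $summary = [ordered]@{
        DomainJoined       = ($Status['DomainJoined']  -eq 'YES')
        AzureAdJoined      = ($Status['AzureAdJoined'] -eq 'YES')
        AzureAdPrt         = ($Status['AzureAdPrt']    -eq 'YES')
        TenantName         = $Status['TenantName']
        RegistrationPolicy = (Test-DeviceRegistrationPolicy)
    }

    if (-not $summary.RegistrationPolicy) {
        Write-Warning 'Device Registration policy is not applied on this client (step 4).'
    }
    if ($summary.DomainJoined -and -not $summary.AzureAdJoined) {
        Write-Warning 'Domain joined but not Azure AD joined: device registration is still pending.'
    }
    if ($summary.AzureAdJoined -and -not $summary.AzureAdPrt) {
        Write-Warning 'AzureAdPrt is NO: reboot the client and run this check again (see NOTE).'
    }
    return [pscustomobject]$summary
}

Test-AutopilotRegistration | Format-List
```

Run the script in the user session that completed the Autopilot login, since AzureAdPrt is reported per signed-in user. The script only reads state; the server-side confirmation (the device name with a $ sign and the STS/RST tokens in the Identity Server catalina logs) is still checked on Identity Server as described in step 9 and the final NOTE.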

For information about scenarios where this feature can be used, see Microsoft Documentation.