Understanding corporate identifiers for Windows devices

This week is sort of a follow-up to last week's post, which focused on understanding enrollment time grouping in Windows Autopilot device preparation. This post focuses on corporate identifiers for Windows devices. Corporate device identifiers are an important, but not required, addition to the Windows Autopilot device preparation experience. As the concept of Windows Autopilot device preparation is slightly different from Windows Autopilot deployment profiles, the requirements for registering a device as a corporate device are also different. There is no longer a requirement to register devices with the Windows Autopilot deployment service. That, however, also means that something else must make sure that only trusted devices can go through the Windows Autopilot device preparation experience. Exactly that can be achieved by using corporate identifiers. Without corporate identifiers, every device going through the Windows Autopilot device preparation experience will be registered as a corporate device. This post looks in more detail at corporate identifiers for Windows devices: first the configuration, followed by the result.

Important: Keep in mind that corporate identifiers are not required for Windows Autopilot device preparation.

Note: Using corporate identifiers for Windows devices also enables organizations to block personal Windows device enrollment in combination with Windows Autopilot device preparation.

Configuring corporate identifiers for Windows devices

When looking at configuring corporate identifiers for Windows devices, it’s important to start with the requirements for adding those identifiers. The main requirement is the format. Adding corporate identifiers for Windows devices requires importing a CSV-file that contains specific information about the Windows devices. That information is the manufacturer, the model, and the serial number of those Windows devices. The CSV-file must be formatted as shown below and doesn’t require any specific headers. It contains only the device identifiers, with one device per line.

<Manufacturer>,<Model>,<SerialNumber>

For existing devices, that information can be easily gathered by using PowerShell to query WMI. The manufacturer and model information can be found in the Win32_ComputerSystem class and the serial number information can be found in the Win32_BIOS class. The PowerShell script snippet below provides an example to easily gather that information. It can be a lot shorter, probably even a one liner, but this provides the best overview of the classes and properties to gather.

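# Serial number comes from Win32_BIOS; manufacturer and model from Win32_ComputerSystem
$objBIOSInfo = Get-CimInstance -ClassName Win32_BIOS
$objComputerInfo = Get-CimInstance -ClassName Win32_ComputerSystem
$strManufacturer = $objComputerInfo.Manufacturer
$strModel = $objComputerInfo.Model
$strSerialNumber = $objBIOSInfo.SerialNumber
# One line per device, no header: <Manufacturer>,<Model>,<SerialNumber>
$strDeviceIdentifier = "$strManufacturer,$strModel,$strSerialNumber"
# C:\Temp must already exist
Set-Content -Path "C:\Temp\DeviceIdentifier.csv" -Value $strDeviceIdentifier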

After gathering the required information of the Windows devices, it’s time to look at adding the information to Microsoft Intune. Luckily, that’s a pretty straightforward process. The following three steps walk through that process.

  1. Open the Microsoft Intune admin center and navigate to Devices > Enrollment > Corporate device identifiers
  2. On the Devices | Enrollment page, click Add > Upload CSV file
  3. On the Add identifiers page, as shown below in Figure 1, provide the following information and click Add
  • Select identifier type: Select Serial number, manufacturer, and model (Windows only) for Windows devices
  • Import identifiers: Select the generated CSV-file

Important: When adding corporate identifiers for Windows devices, only devices matching those added identifiers will be defined as corporate-owned. All other devices will be defined as personal-owned.
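
Because a device that doesn't match an added identifier is treated as personal-owned, it pays to check the file before uploading it. The following PowerShell is an added example, not part of the original post: it checks identifier lines against the three-field format described above. The function name, the list of placeholder serial numbers, and the sample devices are assumptions constructed for illustration.

```powershell
# Added example: check corporate identifier lines before uploading them to Intune.
# Test-CorporateIdentifierLine and $placeholderSerials are hypothetical names, not Intune cmdlets.

# Firmware placeholder serials (illustrative list, assumption): shared by many devices,
# so they cannot identify a single trusted device.
$placeholderSerials = @('To be filled by O.E.M.', 'Default string', 'System Serial Number', 'None', '0')

function Test-CorporateIdentifierLine {
    param([string[]]$Line)

    $seen = @{}          # serial number -> line number of its first occurrence
    $lineNumber = 0
    foreach ($entry in $Line) {
        $lineNumber++
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }

        $fields = @($entry.Split(',') | ForEach-Object { $_.Trim() })
        $problem = $null

        if ($fields.Count -ne 3) {
            $problem = "expected 3 fields, found $($fields.Count)"
        } elseif ($fields -contains '') {
            $problem = 'empty field'
        } elseif ($fields[0] -eq 'Manufacturer' -and $fields[2] -eq 'SerialNumber') {
            $problem = 'looks like a header row, not a device'
        } elseif ($placeholderSerials -contains $fields[2]) {
            $problem = "placeholder serial number '$($fields[2])'"
        } elseif ($seen.ContainsKey($fields[2])) {
            $problem = "duplicate of line $($seen[$fields[2]])"
        } else {
            $seen[$fields[2]] = $lineNumber
        }

        [pscustomobject]@{ Line = $lineNumber; Entry = $entry; Valid = ($null -eq $problem); Problem = $problem }
    }
}

# Constructed sample input (not real devices)
$sample = @(
    'Manufacturer,Model,SerialNumber'
    'Contoso,Laptop 14,CZC0000001'
    'Contoso,Laptop 14,CZC0000001'
    'Fabrikam,Desktop, Mini,FBK0000002'
    'Fabrikam,Desktop Mini,To be filled by O.E.M.'
    'Fabrikam,Desktop Mini,FBK0000003'
)

Test-CorporateIdentifierLine -Line $sample | Format-Table -AutoSize
```

In the sample, only the second and last lines are reported as valid. The fourth line shows how a comma inside a model name shifts the fields, which the gathering snippet above would not catch.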

Experiencing corporate identifiers for Windows devices

When the corporate identifiers are added for Windows devices, there are multiple options for verifying a successful configuration. One option is of course to block the enrollment of personal Windows devices (see this post for reasons why this might be a good idea) and look at the enrollment experience. That is, however, difficult to show in a single screenshot. A lot easier to show is the added corporate identifier and its status. Below in Figure 2 is a corporate identifier of a Windows device that is enrolled. That clearly shows the status and the last contact of that Windows device.

More information

For more information about Windows Autopilot device preparation and corporate identifiers, refer to the following docs.
