Understanding corporate identifiers for Windows devices

This week is sort of a follow-up to last week's post. That post focused on understanding enrollment time grouping in Windows Autopilot device preparation. This post focuses on corporate identifiers for Windows devices. Corporate device identifiers are an important, but not required, addition to the Windows Autopilot device preparation experience. As the concept of Windows Autopilot device preparation is slightly different from Windows Autopilot deployment profiles, the requirements for registering a device as a corporate device are also different. There is no longer a requirement to register devices with the Windows Autopilot deployment service. That, however, also means that something else must make sure that only trusted devices can go through the Windows Autopilot device preparation experience. Exactly that can be achieved by using corporate identifiers. Without using corporate identifiers, every device going through the Windows Autopilot device preparation experience will be registered as a corporate device. This post looks in more detail at corporate identifiers for Windows devices. It starts with the configuration, followed by the result.

Important: Keep in mind that corporate identifiers are not required for Windows Autopilot device preparation.

Note: Using corporate identifiers for Windows devices also enables organizations to block personal Windows device enrollment in combination with Windows Autopilot device preparation.

Configuring corporate identifiers for Windows devices

When looking at configuring corporate identifiers for Windows devices, it’s important to start with the requirements for adding those identifiers. The main requirement is the format. Adding corporate identifiers for Windows devices requires importing a CSV file that contains specific information about the Windows devices. That information is the manufacturer, the model, and the serial number of those Windows devices. The CSV file must be formatted as shown below and doesn’t require any specific headers. It contains only the device identifiers, with one device per line.

<Manufacturer>,<Model>,<SerialNumber>

For existing devices, that information can easily be gathered by using PowerShell to query WMI. The manufacturer and model information can be found in the Win32_ComputerSystem class and the serial number information can be found in the Win32_BIOS class. The PowerShell script snippet below provides an example to easily gather that information. It can be a lot shorter, probably even a one-liner, but this provides the best overview of the classes and properties to gather.

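# Query CIM/WMI for the BIOS and computer system information
$objBIOSInfo = Get-CimInstance -ClassName Win32_BIOS
$objComputerInfo = Get-CimInstance -ClassName Win32_ComputerSystem
# Manufacturer and model come from Win32_ComputerSystem, the serial number from Win32_BIOS
$strManufacturer = $objComputerInfo.Manufacturer
$strModel = $objComputerInfo.Model
$strSerialNumber = $objBIOSInfo.SerialNumber
# Build the line in the <Manufacturer>,<Model>,<SerialNumber> format
$strDeviceIdentifier = "$strManufacturer,$strModel,$strSerialNumber"
# Make sure the target folder exists before writing the file
New-Item -Path "C:\Temp" -ItemType Directory -Force | Out-Null
Set-Content -Path "C:\Temp\DeviceIdentifier.csv" -Value $strDeviceIdentifier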

After gathering the required information about the Windows devices, it’s time to look at adding the information to Microsoft Intune. Luckily, that’s a pretty straightforward process. The following three steps walk through that process.

  1. Open the Microsoft Intune admin center and navigate to Devices > Enrollment > Corporate device identifiers
  2. On the Devices | Enrollment page, click Add > Upload CSV file
  3. On the Add identifiers page, as shown below in Figure 1, provide the following information and click Add
     • Select identifier type: Select Serial number, manufacturer, and model (Windows only) for Windows devices
     • Import identifiers: Select the generated CSV file

Important: When adding corporate identifiers for Windows devices, only devices matching those added identifiers will be defined as corporate-owned. All other devices will be defined as personal-owned.
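Because the uploaded file decides which devices count as corporate-owned, it is worth checking every line before the import. The script below is an added example, not code from the original post; the function name `Test-CorporateIdentifierCsv`, the list of placeholder serial numbers and the sample lines are constructed for illustration, and it assumes every comma in a line acts as a field separator, as in the format shown earlier.

```powershell
# Added example: pre-upload check for a corporate identifier CSV file.
# Expected line format: <Manufacturer>,<Model>,<SerialNumber>, one device per line.
function Test-CorporateIdentifierCsv {
    param([string[]]$Line)

    # Placeholder serials that some firmware reports; illustrative list, extend as needed.
    $placeholders = 'To Be Filled By O.E.M.', 'Default string', 'System Serial Number'
    $seen = @{}
    $number = 0
    foreach ($entry in $Line) {
        $number++
        $problems = @()
        $fields = @($entry -split ',' | ForEach-Object { $_.Trim() })

        if ($fields.Count -ne 3) {
            # A comma inside a value, or a missing value, shifts the field count.
            $problems += "expected 3 fields, found $($fields.Count)"
        }
        else {
            if ($fields -contains '') { $problems += 'empty field' }
            if ($placeholders -contains $fields[2]) { $problems += 'placeholder serial number' }
            # Compare case-insensitively so the same device is not listed twice.
            $key = ($fields -join ',').ToLowerInvariant()
            if ($seen.ContainsKey($key)) { $problems += "duplicate of line $($seen[$key])" }
            else { $seen[$key] = $number }
        }

        [pscustomobject]@{
            LineNumber = $number
            Text       = $entry
            Problems   = $problems -join '; '
        }
    }
}

# Constructed sample input (not real devices).
$sample = @(
    'Contoso,ModelA 14,SN0001'
    'Contoso,ModelA 14,SN0001'
    'Contoso,Laptop, 7th Edition,SN0002'
    'Fabrikam,ModelB,To Be Filled By O.E.M.'
    'Fabrikam,,SN0003'
)

# For a real file: Test-CorporateIdentifierCsv -Line (Get-Content 'C:\Temp\DeviceIdentifier.csv')
Test-CorporateIdentifierCsv -Line $sample | Where-Object Problems | Format-Table -AutoSize
```

With the sample input, lines 2 to 5 are reported: a duplicate, a line with four fields caused by a comma inside the model name, a placeholder serial number and an empty model.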

Experiencing corporate identifiers for Windows devices

When the corporate identifiers are added for Windows devices, there are multiple options for verifying a successful configuration. That can of course be done by blocking the enrollment of personal Windows devices (see this post for reasons why this might be a good idea) and looking at the enrollment experience. That is, however, difficult to show in a single screenshot. A lot easier to show is the added corporate identifier and its status. Below in Figure 2 is a corporate identifier of a Windows device that is enrolled. That clearly shows the status and the last contact of that Windows device.

More information

For more information about Windows Autopilot device preparation and corporate identifiers, refer to the following docs.



14 thoughts on “Understanding corporate identifiers for Windows devices”

  1. Hi Peter.

    Do you know if OEMs will have the ability to add devices to the corporate identifiers to automate this (just like we’ve done with Autopilot V1)?

  2. I found an issue with this process. The new Microsoft Surface model is: “Microsoft Surface Laptop, 7th Edition”
    Yep, the whole thing, including the comma.. which is obviously an issue if you’re trying to add the model to a “comma separated file”.

    Yep, that is the model returned from PowerShell, not just on the box, it even shows as that in Intune when I’ve added the device without Autopilot.

  3. Hi Peter,

    When I test this, during OOBE I initially get the option to choose a device name and after that I get to choose between enrolling it as a private device or a work/school device. Is this by design?

    Also, it is mentioned that when adding corporate identifiers for Windows devices, only devices matching those added identifiers will be defined as corporate-owned. All other devices will be defined as personal-owned. Does this mean that other (non-autopiloted) Windows devices in my environment, that get hybrid joined to Entra via Entra ID connect and then automatically try to onboard to Intune can’t do so anymore because they’re marked as Personal devices which I block in my tenant?

