Creating an Enrollment Policy for an Entra Join (On-premises) Enrollment Type

About this task

Use this procedure to create a Windows Modern Desktop policy to enroll Windows Modern Desktop devices using Entra Join (On-premises).

Procedure

  1. From the main menu in the top-left corner, select Policies > Enrollment. The Enrollment Policies view displays.
  2. Select Add Enrollment Policy. The Enrollment Policy wizard launches.
  3. Select the Windows > Windows Modern platform. The General tab displays.
  4. On the General tab, enter a name and description for the policy. Make the name brief and informative to distinguish it from others, especially if you plan to create many enrollment policies.
  5. Select Next. The Enrollment Type tab displays.
  6. Select Microsoft Entra Join (On-premises) as the enrollment type, then select Next.
  7. From the Groups view, select to add Active Directory groups or select Block Access.
    Group selection
    Note: To add a new directory service connection, select Manage Services. From the menu, choose Directory. See Adding an Azure Directory Service Connection for more information.
  8. For each group:
    1. Select a Device Group for enrollment, or select Block Access to prevent a user group from membership in a device group under this policy.
    2. Select an applicable terms and conditions agreement. To understand how to use these agreements, see Managing Terms and Conditions.
      Terms and conditions selection
  9. Select Next. The Settings view displays.
    Settings options
  10. Update the settings as required.
    Enrolled Device Name Select an identifier for the device.

    Select the gear icon to insert macros to autofill portions of the device name.

    Example: The following example shows device naming using the Enrolled User Username (%ENROLLEDUSER_USERNAME%) macro to generate device names like Ottawa Sales - sarah.

    Sample name with a macro
    Preserve Device Location on Re-enrollment SOTI MobiControl remembers the group membership of the device when it is re-enrolled.
    Preserve Device Name on Re-Enrollment When a deleted device is re-enrolled, SOTI MobiControl remembers the deleted assigned device's name.
    Activation Date Specify the date that activates the policy.
    Activation Time Specify the time that activates the policy.
    Set Deactivation Date Specify the date and time to deactivate the policy.
    Device Enrollment Limit Set the maximum number of devices you can enroll using this enrollment policy.
    Note: You must enable Enrollment Restrictions to set a device enrollment limit.
  11. Select a certificate authentication authority. Select Next.
    Certificate authority selection
    Tip: To add or update a certificate authority, select Manage Certificate Authorities. See Certificate Authority Page.
  12. Select Finish. The Enrollment Policy Info window opens.
  13. Copy the terms of use, discovery URLs and the enrollment policy PIN for distribution.
    Terms of use and discovery URLs and the enrollment policy PIN
  14. Select OK.

Results

Your Windows Modern Desktop enrollment policy is complete.

What to do next

Distribute the terms of use, discovery URLs, and the enrollment policy PIN to the end users. Instruct them to complete the steps in Performing a Microsoft Entra ID (On-prem) Enrollment by the User to enroll their device(s).