In this post I will discuss the Windows corporate identifier, a newly released feature from Microsoft. It lets an organization mark a device as corporate-owned by uploading a CSV file that lists the device's manufacturer, model and serial number.
Corporate Identifier for Windows
Until now, the corporate identifier feature was available only for Android, iOS/iPadOS and macOS. The option is now available for Windows devices as well.
You need a CSV file listing the manufacturer, model and serial number. Once the device's identifier is uploaded to the Microsoft Intune admin center, the device is treated as a corporate device.
Benefits of Corporate Identifier
This new feature makes it possible to distinguish personally owned devices from corporate-owned devices. It is especially useful when combined with device platform restrictions, which can block Windows MDM enrollment for personally owned devices. With that block in place, workgroup-joined devices cannot be enrolled manually (for example, using Access work or school, Company Portal, etc.). However, if a device's corporate identifier has been uploaded, it is treated as a corporate device and is allowed to enroll.
This helps organizations that do not want to allow enrollment of personally owned devices but still need a way to make a device known as corporate.
This is also useful for the Autopilot device preparation profile (aka Autopilot v2). Because a hardware hash is no longer required in this scenario, a user can initiate Autopilot device preparation during the OOBE phase. With corporate identifiers combined with device platform restrictions, only devices marked as corporate (i.e. with an uploaded identifier) will be able to run the Autopilot provisioning.
Prerequisites for Corporate Identifier
To use the Windows corporate identifier, you need Windows 11 version 22H2 or later with KB5035942 (build 22621.3374 / 22631.3374). KB5035942 was released on March 26, 2024, so make sure the device has at least this update installed before you start using the feature.
Following a recent change, Windows 10 is also supported. It requires KB5039299, which corresponds to OS build 19045.4598 (the June 24 update).
Create the Corporate Identifier CSV file
You can type the manufacturer, model and serial number into Notepad, separated by commas, and save the file in CSV format, ready to be uploaded to the Intune portal.
Alternatively, use a handy PowerShell script that collects the manufacturer, model and serial number and saves the CSV output in the c:\temp directory.
The script is:
# Create the c:\temp folder if it doesn't exist
$path = "c:\temp"
If (!(Test-Path -PathType Container $path))
{
    New-Item -ItemType Directory -Path $path
}
# Get Model and Manufacturer
# (Get-CimInstance is used instead of Get-WmiObject, which is not available in PowerShell 7)
$ComputerSystemInfo = Get-CimInstance -ClassName Win32_ComputerSystem
$ManufacturerValue = $ComputerSystemInfo.Manufacturer
$ModelValue = $ComputerSystemInfo.Model
# Get Serial Number
$BIOSInfo = Get-CimInstance -ClassName Win32_BIOS
$SerialNumberValue = $BIOSInfo.SerialNumber
# Combine all values into one comma-separated line
$WinCorpIdentifier = "$ManufacturerValue,$ModelValue,$SerialNumberValue"
# Output CSV
$WinCorpIdentifier | Out-File "$path\WinCorpIdentifier.csv"
This is what the script, its output and the content of the CSV file look like:

You can see that the CSV contains all three values that were captured.
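The script above captures a single machine. As an added example (not from the original post), the function below builds the upload file from an inventory of several devices and rejects rows that are malformed or that carry a firmware placeholder serial number, which is not unique to one machine. The function name, the placeholder list, the sample rows and the output path are assumptions made for illustration.

```powershell
# Added example, not from the original post. Names and sample rows are illustrative.
# Serials that firmware reports when no real serial was programmed (seen on some VMs
# and white-box hardware). They are not unique to one machine.
$PlaceholderSerials = @('0', 'None', 'Default string', 'System Serial Number',
                        'To Be Filled By O.E.M.')

function ConvertTo-CorpIdentifierRows {
    param([Parameter(Mandatory)][object[]]$Device)

    $seen     = @{}   # rows already accepted (string keys compare case-insensitively)
    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[object]]::new()

    foreach ($d in $Device) {
        # Trim padding and turn missing values into empty strings.
        $fields = @($d.Manufacturer, $d.Model, $d.SerialNumber) |
            ForEach-Object { "$_".Trim() }
        $line = $fields -join ','

        $reason = $null
        if     ($fields -contains '')                     { $reason = 'empty field' }
        elseif (($fields -join '') -match '[,\r\n]')      { $reason = 'comma or line break in a field' }
        elseif ($PlaceholderSerials -contains $fields[2]) { $reason = 'placeholder serial number' }
        elseif ($seen.ContainsKey($line))                 { $reason = 'duplicate row' }

        if ($reason) {
            $rejected.Add([pscustomobject]@{ Row = $line; Reason = $reason })
            continue
        }
        $seen[$line] = $true
        $accepted.Add($line)
    }
    [pscustomobject]@{ Lines = $accepted.ToArray(); Rejected = $rejected.ToArray() }
}

# Constructed sample inventory (not real devices).
$inventory = @(
    [pscustomobject]@{ Manufacturer = 'Contoso';  Model = 'Book 5';   SerialNumber = 'CZC1234ABC ' }
    [pscustomobject]@{ Manufacturer = 'Contoso';  Model = 'Book 5';   SerialNumber = 'czc1234abc' }
    [pscustomobject]@{ Manufacturer = 'Fabrikam'; Model = 'Tower, X'; SerialNumber = 'FB-0001' }
    [pscustomobject]@{ Manufacturer = 'Fabrikam'; Model = 'Mini';     SerialNumber = 'To be filled by O.E.M.' }
)
$result = ConvertTo-CorpIdentifierRows -Device $inventory
$result.Lines    | Set-Content -Path (Join-Path $env:TEMP 'WinCorpIdentifier.csv')
$result.Rejected | Format-Table -AutoSize
```

With the constructed inventory, one row is written to the file and three are listed as rejected. Review the rejected rows before uploading, because every uploaded row identifies a device that will be treated as corporate.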
Before uploading the file to the Intune portal, let's look at a related topic: device platform restrictions.
Device Platform restrictions
The device platform restriction setting lets us allow or block enrollment for specific platforms; it also has a setting to block the enrollment of personally owned devices.
Open the Microsoft Intune admin center and navigate to Devices | Enrollment | Device platform restriction.
Here you can see the default restriction policy, which applies to all platforms: Windows, Android, macOS and iOS restrictions. This default policy is targeted to all users.

If you open and edit the policy, you will see that every platform has an option to select Allow / Block. You will also see the Personally owned column, which has its own Allow / Block setting.

We are specifically interested in the Personally owned setting. We want to set it to Block so that personal devices are not allowed to enroll. This is where the corporate identifier plays a vital role: any device whose corporate identifier is uploaded is treated as a corporate-owned device, and all others are treated as personally owned.

Let’s change the setting for the Windows platform by setting Personally owned to Block.
It is recommended to create a new policy for Windows device restrictions rather than changing the default policy.
Let’s try to enroll a personal device; in my case it is a virtual machine.
To enroll, go to Access work or school, click Connect and proceed with Join this device to Microsoft Entra ID.
You will get the error “This feature is not supported. Contact your system administrator with the error code 80180014”

Because personal device enrollment is blocked, this was expected. Let’s move on to making the device a corporate device.
Upload csv file for Windows Corporate Identifier
Our CSV file is ready, created with the PowerShell script shared previously. In the Microsoft Intune admin center, navigate to Devices | Enrollment | Corporate device identifiers and click Upload CSV file.

On the Add Identifiers page, select Manufacturer, model and serial number (Windows only), import the identifiers by browsing to the CSV file created previously, and click Add.

Navigate back to the Corporate Identifier page and you will see one device added with its details. This device is now a corporate device.

Let’s initiate the enrollment again on the same device. This time the enrollment will succeed.
For Windows 10, is the June 24 update required and not 25?
Thanks for correcting me, it was a typo error and has been updated. Much appreciated.
Awesome article Manish