Windows Autopilot & Device Preparation with Certificate Based Authentication


In the earlier parts of our series on certificate-based authentication, we covered the basics of setting things up, explored authentication strength and conditional access policies, and dived into cross-tenant authentication with certificates. Those were pretty in-depth, so let’s keep this one a bit shorter.

Today, we’re focusing on a key aspect: what happens during an Autopilot deployment and Intune enrollment when devices and users don’t yet have the required certificates to sign in to our tenant. This can be a tricky situation since our goal is to ensure only devices with the correct certificate can access our systems.

To solve this, we’ll create a second Conditional Access (CA) policy and tweak our existing one to exclude the Intune service. The new CA policy will include only the Intune service and use passwordless authentication strength. We’ll also look at another option: using a Temporary Access Token to get around this issue during the enrollment process.

Let’s dive in and see how we can make this work smoothly and securely.

Conditional access policy & User experience

Autopilot Experience Before Changing Policy

Conditional Acces policy

As you can see in the video, we encounter an issue when enrolling devices with the Conditional Access policy we set up in part 2. To resolve this, we need to modify the existing policy and create a new one that allows users to enroll their devices into Intune. In my example, I’m using passwordless authentication strength, but you can adapt this to fit your specific needs.

Edit Existing Policy

  • Target Resources:
    • Include: All cloud apps
    • Exclude:
      • Microsoft Intune
      • Microsoft Intune Enrollment

Duplicate Existing Policy

  • Rename Policy
  • Target Resources:
    • exclude: none
    • include:
      • Microsoft Intune
      • Microsoft Intune Enrollment


  • Authenctication Streght
    • Passwordless
  • Turn on and Save

Autopilot Experience After Changing Policy

Once you’ve implemented the changes mentioned above, you should be able to enroll your devices into Intune, whether through Autopilot or Windows Autopilot device preparations. Everything should now be set up for smooth device enrollments.

So, what did we actually do? We modified the existing policy to exclude the Intune and Intune Enrollment services. Then, we created a new policy specifically for these services, requiring passwordless authentication. This means that during the enrollment phase, we use a passwordless authentication method instead of a certificate. By doing this, we can successfully enroll devices into Intune, even though we don’t have the required certificate we need to authenticate in all other instances.

A few weeks ago, I encountered some issues with device preparation enrollments, but these problems seem to have been resolved. If you experience any issues, please let me know. I was planning to deep dive into the problem, but I can’t reproduce it anymore. Check out the video below to see my experience.

Whats up next

Exciting times ahead! In my next topics around certificate-based authentication, we’ll dive into deploying Root and SCEP certificates on iOS devices, Android devices, and Macs (my Mac mini is on order can’t wait! 😉 ). I’ll guide you through the process for each device type and share what the user experience is like on each platform.

If you run into any issues or have questions along the way, don’t hesitate to reach out I’m always happy to help. Stay tuned for more fun and informative content!

Leave a Reply

Your email address will not be published. Required fields are marked *