Preparing discovered devices for push enrollment
Before you begin push enrollment to discovered Windows devices, you must enable administrative rights on the devices and modify some firewall settings.
These tasks are required only to enroll the devices remotely using the push enrollment method. You can reverse these changes afterward, but you must apply them again to perform another remote enrollment.
Step | Action |
---|---|
Step 1 | Enable administrative rights on your unmanaged devices. Windows User Account Control (UAC) blocks local administrative accounts from remotely accessing administrative shares such as C$ and Admin$. This share is disabled on all Windows operating systems where the latest updates are installed. To enable the administrative share (\\devicename\admin$) on unmanaged Windows devices, you must create a value in the registry. If the unmanaged device is part of an Active Directory domain, you must use domain administrator account credentials for a remote enrollment. Otherwise, have the administrator credentials available for each unmanaged device that you want to enroll. |
Step 2 | Modify firewall settings to allow communication between the components. |
For remote device enrollment and to enable communication between the components, you need to set up firewall exclusions for the following ports:
Protocol and port number | Used for | Listener process |
---|---|---|
TCP/IP: 445 | Network Logon | System |
TCP/IP: 139 UDP: 137, 138 | File Sharing | System |
TCP/IP: 135 | Remote Task Management Service | svchost.exe |
TCP/IP range: 49154-65535 | Remote Task Management Service | services.exe |
You can reduce this port range if you do not want to open a wide range of TCP/IP ports. However, you must then also limit the default dynamic port range used by Remote Procedure Call (RPC) and add three registry values in your Active Directory GPO policy.
You can find more information about the registry values in the following Microsoft article:
If the unmanaged devices are part of an Active Directory domain, you can use an Active Directory Group Policy Object (GPO) to perform the described preparation steps.
To prepare discovered devices for push enrollment using an Active Directory GPO:
- Configure registry keys:
  - In the Group Policy Object Editor, go to Preferences > Windows Settings > Registry.
  - Add a new registry item. To enable the administrative share (\\devicename\admin$) on unmanaged Windows devices, you must create a value in the registry.
    - Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    - Value: LocalAccountTokenFilterPolicy, value 1, type DWORD32
  - For more information about configuring a registry key in a GPO policy, refer to the following Microsoft article:
- Create firewall exceptions:
  - In the Group Policy Object Editor, go to Security Settings > Windows Firewall with Advanced Security.
  - Create firewall exclusion rules for the ports that are listed in the table above. For more information about creating firewall exceptions in a GPO policy, refer to the following Microsoft article:
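For devices that are not domain-joined, or for checking what a GPO actually applied, the same two preparation steps (the LocalAccountTokenFilterPolicy registry value and the inbound firewall rules from the port table above) can be applied, verified and reverted from an elevated PowerShell session on the device. The script below is an added example and is not part of this product's tooling; the `Push enrollment` rule group name, the `-Action` switch and the optional `-ServerAddress` parameter (which restricts the rules to the management server's address) are this example's own choices. Run it as `.\Prepare-PushEnrollment.ps1 -Action Apply` before enrollment and `-Action Revert` afterwards.

```powershell
# Added example (not the product's own code): apply, verify or revert the push enrollment
# prerequisites on one Windows device. Requires an elevated session.
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Revert')]
    [string]$Action = 'Verify',
    # Optional: limit the rules to the management server (placeholder, e.g. '192.0.2.10').
    [string]$ServerAddress = '',
    # Dynamic RPC range from the port table; narrow it only after also restricting
    # the RPC dynamic port range in the registry, as the text above describes.
    [int]$RpcRangeStart = 49154,
    [int]$RpcRangeEnd   = 65535
)

$regKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regName = 'LocalAccountTokenFilterPolicy'
$ruleTag = 'Push enrollment'   # constructed group name so the rules can be found and removed later

# Inbound rules derived from the port table on this page.
$rules = @(
    @{ Name = "$ruleTag - Network Logon TCP 445";          Protocol = 'TCP'; Port = '445' },
    @{ Name = "$ruleTag - File Sharing TCP 139";           Protocol = 'TCP'; Port = '139' },
    @{ Name = "$ruleTag - File Sharing UDP 137-138";       Protocol = 'UDP'; Port = '137-138' },
    @{ Name = "$ruleTag - Remote Task Management TCP 135"; Protocol = 'TCP'; Port = '135' },
    @{ Name = "$ruleTag - Remote Task Management RPC";     Protocol = 'TCP'; Port = "$RpcRangeStart-$RpcRangeEnd" }
)

function Set-PushEnrollmentPrereqs {
    # Value 1 lets local administrator accounts use Admin$ / C$ remotely (UAC remote restriction).
    New-ItemProperty -Path $regKey -Name $regName -Value 1 -PropertyType DWord -Force | Out-Null
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        $params = @{
            DisplayName = $r.Name; Group = $ruleTag; Direction = 'Inbound'; Action = 'Allow'
            Protocol = $r.Protocol; LocalPort = $r.Port; Profile = 'Domain'
        }
        # Scoping to the server address keeps the opened ports unreachable from other hosts.
        if ($ServerAddress) { $params.RemoteAddress = $ServerAddress }
        New-NetFirewallRule @params | Out-Null
    }
}

function Test-PushEnrollmentPrereqs {
    # Returns $true only when the registry value is 1 and every rule exists and is enabled.
    $value = (Get-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue).$regName
    $ok = ($value -eq 1)
    Write-Host ("{0} = {1}" -f $regName, $(if ($null -eq $value) { '<missing>' } else { $value }))
    foreach ($r in $rules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        $present = $null -ne $rule -and $rule.Enabled -eq 'True'
        Write-Host ("{0,-55} {1}" -f $r.Name, $(if ($present) { 'present' } else { 'MISSING' }))
        $ok = $ok -and $present
    }
    return $ok
}

function Remove-PushEnrollmentPrereqs {
    # Reverse both changes once enrollment is done; re-run Apply before the next remote enrollment.
    Remove-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue
    Get-NetFirewallRule -Group $ruleTag -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

switch ($Action) {
    'Apply'  { Set-PushEnrollmentPrereqs;    Test-PushEnrollmentPrereqs | Out-Null }
    'Verify' { if (Test-PushEnrollmentPrereqs) { 'Ready for push enrollment' } else { 'Not ready' } }
    'Revert' { Remove-PushEnrollmentPrereqs; 'Prerequisites removed' }
}
```

The rules are created in the Domain profile only and, when `-ServerAddress` is given, scoped to that single address, so the admin share and RPC ports are not exposed to the whole network for the duration of the enrollment window. `Verify` prints one line per prerequisite, which is useful for confirming that a GPO has actually reached the device before a push attempt fails with an access or connection error.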