Preparing discovered devices for push enrollment

Before you begin push enrollment to discovered Windows devices, you must enable administrative rights on the devices and modify some firewall settings.
These tasks are required only to enroll the devices remotely using the push enrollment method. You can reverse these changes afterward, but you must apply them again to perform another remote enrollment.
Tasks to prepare unmanaged Windows devices for remote enrollment

Step 1. Enable administrative rights on your unmanaged devices
Windows User Account Control (UAC) blocks local administrative accounts from remotely accessing administrative shares such as C$ and Admin$. Remote access to these shares is disabled on all Windows operating systems with the latest updates installed.
To enable the administrative share (\\devicename\admin$) on unmanaged Windows devices, you must create a value in the registry.
If the unmanaged device is part of an Active Directory domain, you must use domain administrator account credentials for a remote enrollment. Otherwise, have the administrator credentials available for each unmanaged device that you want to enroll.
Step 2. Modify firewall settings to allow communication between the components
For remote device enrollment and to enable communication between the components, you need to set up firewall exclusions for the following ports:
Communication ports

Protocol and port number      Used for                          Listener process
TCP/IP: 445                   Network Logon                     System
TCP/IP: 139; UDP: 137, 138    File Sharing                      System
TCP/IP: 135                   Remote Task Management Service    svchost.exe
TCP/IP range: 49154-65535     Remote Task Management Service    services.exe
You can reduce this port range if you do not want to open a wide range of TCP/IP ports. However, you must also limit the default number of Remote Procedure Call (RPC) ports and add three registry values in your Active Directory GPO policy.
For more information about these registry values, see the following Microsoft article:
If the unmanaged devices are part of an Active Directory domain, you can use an Active Directory Group Policy Object (GPO) to perform the described preparation steps.
To prepare discovered devices for push enrollment using an Active Directory GPO
  1. Configure registry keys:
    1. In the Group Policy Object Editor, go to Preferences > Windows Settings > Registry.
    2. Add a new registry item.
      To enable the administrative share (\\devicename\admin$) on unmanaged Windows devices, you must create a value in the registry.
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      • Value: LocalAccountTokenFilterPolicy, value 1, type DWORD32
      For more information about configuring a registry key in a GPO policy, refer to the following Microsoft article:
  2. Create firewall exceptions:
    1. In the Group Policy Object Editor, go to Security Settings > Windows Firewall with Advanced Security.
    2. Create firewall exclusion rules for the ports that are listed in the table above.
      For more information about creating firewall exceptions in a GPO policy, refer to the following Microsoft article:
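The same two preparation steps (the LocalAccountTokenFilterPolicy value and the firewall exceptions for the ports in the table), applied directly on a device that is not domain-joined, as an added PowerShell example that is not part of this documentation. The rule-name prefix, the -Revert switch and the management server address are this example's own assumptions; the -Revert path exists because the documentation notes the changes can be reversed after enrollment.

```powershell
# Added example: prepare a local Windows device for push enrollment, or revert it.
# Run in an elevated PowerShell session on the unmanaged device.
[CmdletBinding()]
param([switch]$Revert)

$RegPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$RegName    = 'LocalAccountTokenFilterPolicy'
$RulePrefix = 'PushEnroll-'   # assumed naming so the rules can be found and removed again

# Ports taken from the documentation's table: protocol, port(s), and purpose.
$Rules = @(
    @{ Name = 'SMB-445';         Protocol = 'TCP'; Port = 445;           Desc = 'Network Logon' },
    @{ Name = 'NetBIOS-139';     Protocol = 'TCP'; Port = 139;           Desc = 'File Sharing' },
    @{ Name = 'NetBIOS-137-138'; Protocol = 'UDP'; Port = 137, 138;      Desc = 'File Sharing' },
    @{ Name = 'RPC-135';         Protocol = 'TCP'; Port = 135;           Desc = 'Remote Task Management Service' },
    @{ Name = 'RPC-Dynamic';     Protocol = 'TCP'; Port = '49154-65535'; Desc = 'Remote Task Management Service' }
)

if ($Revert) {
    # Undo Step 1 and Step 2: drop the UAC override and every rule this script created.
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Write-Host 'Push enrollment preparation reverted.'
    return
}

# Step 1: let local administrator accounts reach ADMIN$ / C$ remotely (DWORD value 1).
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null

# Step 2: open the listed ports inbound, scoped to the management server only.
# $ManagementServer is a placeholder; restricting -RemoteAddress keeps SMB/RPC
# reachable from that one host rather than from the whole network.
$ManagementServer = '192.0.2.10'   # placeholder (documentation address), replace with the real one
foreach ($r in $Rules) {
    $name = "$RulePrefix$($r.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Description $r.Desc -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $ManagementServer `
            -Action Allow -Profile Domain, Private | Out-Null
    }
}

# Show the resulting state so the preparation can be checked before enrollment starts.
Get-ItemProperty -Path $RegPath -Name $RegName | Select-Object $RegName
Get-NetFirewallRule -DisplayName "$RulePrefix*" | Select-Object DisplayName, Enabled, Direction, Action
```

Run the script with -Revert after enrollment completes to remove the registry value and the firewall rules again.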