Revisiting Autopilot Tenant Lockdown

A few months ago I wrote a post on Device Advice about how to lock down devices to your tenant by assigning them to a user. Now this is no longer required! So what changed? And how can we use it? Let’s explore.

First, Windows 10 added a CSP called “TenantLockdown.” You can learn the details on the CSP documentation page. Despite the name, the CSP really only prevents users from skipping the network connection screen in OOBE. According to Michael Niehaus’s blog post on this setting, the TenantLockdown CSP correlates to a UEFI variable that is set to require a network connection and a change in Windows 10 1809 that checks this variable.

To deploy this setting, you’ll need to create a Device Restrictions profile and select “Requires users to connect to a network during device setup” under General.

This means we have half the puzzle – if users can’t skip connecting to a network, they’ll absolutely get an Autopilot profile. But can’t they skip that?

Not anymore! When you create an Autopilot profile, you can select “Hide account change options”. This will block local account creation.

Now we effectively have tenant lockdown. Devices are required to join the network, and once they have they’ll receive an Autopilot profile telling them they must log in to their assigned Azure AD tenant.
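To check that both halves are actually configured in a tenant, the following added example (not from the original post) audits profiles exported as JSON. It assumes the export comes from Microsoft Graph and that the two portal settings appear there as `tenantLockdownRequireNetworkDuringOutOfBoxExperience` and `hideEscapeLink`; the sample data and profile names are constructed.

```python
import json

# Constructed sample export (not real tenant data). Property names are
# assumed to match Microsoft Graph's deviceManagement resources.
SAMPLE_EXPORT = json.loads("""
{
  "deviceConfigurations": [
    {"displayName": "Win10 - Baseline restrictions",
     "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "tenantLockdownRequireNetworkDuringOutOfBoxExperience": true},
    {"displayName": "Win10 - Kiosk restrictions",
     "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
     "tenantLockdownRequireNetworkDuringOutOfBoxExperience": false}
  ],
  "autopilotProfiles": [
    {"displayName": "Autopilot - User driven",
     "outOfBoxExperienceSettings": {"hideEscapeLink": true}},
    {"displayName": "Autopilot - Legacy",
     "outOfBoxExperienceSettings": {"hideEscapeLink": false}}
  ]
}
""")

RESTRICTION_TYPE = "#microsoft.graph.windows10GeneralConfiguration"
NETWORK_KEY = "tenantLockdownRequireNetworkDuringOutOfBoxExperience"


def audit_tenant_lockdown(export):
    """Return findings for profiles missing either half of the lockdown."""
    findings = []
    restrictions = [p for p in export.get("deviceConfigurations", [])
                    if p.get("@odata.type") == RESTRICTION_TYPE]
    # Half 1: some Device Restrictions profile must force the network step.
    if not any(p.get(NETWORK_KEY) is True for p in restrictions):
        findings.append("no Device Restrictions profile requires a network in OOBE")
    # Half 2: every Autopilot profile should hide the account change option,
    # which is the setting the post relies on to block local account creation.
    for prof in export.get("autopilotProfiles", []):
        oobe = prof.get("outOfBoxExperienceSettings") or {}
        if oobe.get("hideEscapeLink") is not True:
            findings.append(f"Autopilot profile '{prof.get('displayName')}' "
                            "does not hide account change options")
    return findings


if __name__ == "__main__":
    for line in audit_tenant_lockdown(SAMPLE_EXPORT) or ["both halves configured"]:
        print(line)
```

A clean result only shows the profiles exist with the right values; it says nothing about whether a given device has already received the restriction.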

But there are always a few caveats, and you may have already guessed them. For one, you can’t assign an Intune device restriction to a device that’s never been managed by Intune. This means that tenant lockdown only really supports reset/wipe or white glove scenarios. (To explain further: once the device has reached Intune and received the network requirement device restriction, the setting persists through a wipe because it’s stored in a UEFI variable.)

The other issue is that since this requires an Autopilot profile, third-party MDMs can’t take advantage of tenant lockdown. The Store for Business Autopilot settings haven’t been updated to include the “Hide account change options” setting.

At the end of the day, we’re one step closer to full tenant lockdown. Stay tuned for further updates and instructions!
