
First published on TechNet on Mar 04, 2017
We’ve had questions about the CNAME configuration required for Windows devices to automatically discover the MDM server for mobile device management (MDM). We’ve also had questions about the MDM server address users have to enter manually if prompted. This blog hopes to help you understand the requirements.

Device Enrollment


If you have iOS or Android devices, they don’t have to worry about auto-discovery or manual enrollment; as long as the Company Portal is installed, it knows how to find the right server to get the device enrolled.

Windows Device Enrollment - End User Experience


Unlike iOS and Android, Windows devices (Windows Phone 8.1 and 10, and Windows PCs 8.1 and 10) have UI built into the operating system to enroll a device for management. The user enters a corporate email address which matches the User Principal Name (UPN) set for user identity. The device tries to auto-discover the server and start the enrollment process.
Underneath the covers, here’s what happens when enrolling a Windows Phone 8.1 device:

[Diagram: auto-discovery and enrollment flow for a Windows Phone 8.1 device]

In Windows Phone 8.1 it looks like this:

[Screenshots: Windows Phone 8.1 enrollment screens]

If there is no CNAME configured, the device enrollment server won’t be found, and the device presents a screen to allow the user to enter the server address.
IMPORTANT: The server address the user needed to enter used to be manage.microsoft.com, but due to the changes necessary to move to the new grouping and targeting structure, the FQDN to enroll a device to Microsoft Intune changed to enrollment.manage.microsoft.com. Both FQDNs can be used now, but support for manage.microsoft.com ended in February of 2017.

[Screenshot: manual server address entry screen]

For more information about the MDM enrollment protocol, see https://msdn.microsoft.com/en-us/library/mt221945.aspx.

Windows 10 Automatic MDM Enrollment


If you are enrolling Windows 10 devices using automatic MDM enrollment, you don’t have to worry about configuring CNAMEs because the MDM server is configured by default when you enable automatic MDM enrollment. For more information, see https://docs.microsoft.com/en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-... .

Windows Device Enrollment - Configuring Auto-Discovery


To configure auto-discovery of the enrollment server, there has to be a CNAME record to point to the enrollment server.

Type   Host name                                Points to                                    TTL
CNAME  EnterpriseEnrollment.company_domain.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

The company_domain in the FQDN should be the registered domain name(s) you are using for single sign-on with the UPN. For example, if users at Contoso use name@contoso.com as their email/UPN, the Contoso DNS admin would need to create the following CNAME.

Type   Host name                         Points to                                    TTL
CNAME  EnterpriseEnrollment.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, if users at Contoso use name@contoso.com, but also use name@us.contoso.com and name@eu.contoso.com as their email/UPN, the Contoso DNS admin would need to create the following CNAMEs.

Type   Host name                            Points to                                    TTL
CNAME  EnterpriseEnrollment.contoso.com     EnterpriseEnrollment-s.manage.microsoft.com  1 hour
CNAME  EnterpriseEnrollment.us.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour
CNAME  EnterpriseEnrollment.eu.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

For more information, see https://docs.microsoft.com/en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-... .

Additional Endpoints Are Supported but Not Recommended


EnterpriseEnrollment-s.manage.microsoft.com is the preferred FQDN for enrollment, but there are two other endpoints that have been used by customers in the past and are supported. EnterpriseEnrollment.manage.microsoft.com (without the -s) and manage.microsoft.com both work as the target for the auto-discovery server, but the user will have to touch OK on a confirmation message. If you point to EnterpriseEnrollment-s.manage.microsoft.com, the user won’t have to do the additional confirmation step, so this is the recommended configuration.

Alternate Methods of Redirection Are Not Supported


Using a method other than the CNAME configuration is not supported. For example, using a proxy server to redirect enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc to either enterpriseenrollment-s.manage.microsoft.com/EnrollmentServer/Discovery.svc or manage.microsoft.com/EnrollmentServer/Discovery.svc is not supported.

Registration vs Enrollment CNAMEs


Azure Active Directory has a different CNAME that it uses for device registration for iOS, Android, and Windows devices. Intune conditional access requires devices to be registered, also called “workplace joined”. If you plan to use conditional access, you should also configure the EnterpriseRegistration CNAME for each company domain name you have.

Type   Host name                                  Points to                           TTL
CNAME  EnterpriseRegistration.company_domain.com  EnterpriseRegistration.windows.net  1 hour

For more information about device registration, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-device-... .
Hopefully this information helps clarify the CNAMEs and FQDNs needed for auto-discovery.
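As an added example that is not part of the original post and not Microsoft's own tooling, the script below turns the guidance from the "Configuring Auto-Discovery", "Additional Endpoints" and "Registration vs Enrollment CNAMEs" sections into an offline check. It derives the EnterpriseEnrollment and EnterpriseRegistration CNAMEs every UPN suffix needs, parses a BIND-style zone fragment, and classifies each target as the recommended -s endpoint, one of the two supported endpoints that make the user confirm a prompt, unsupported (anything else, such as a proxy host), or missing. The zone lines, the suffixes, the host enrollproxy.contoso.com and all function names are constructed for the example.

```python
import re

# Targets named in the post. The -s endpoint is the recommended one; the other
# two are supported but make the user confirm a prompt during enrollment.
PREFERRED_ENROLLMENT = "enterpriseenrollment-s.manage.microsoft.com"
PROMPTING_ENROLLMENT = {"enterpriseenrollment.manage.microsoft.com", "manage.microsoft.com"}
REGISTRATION_TARGET = "enterpriseregistration.windows.net"

# One BIND-style CNAME line: owner [ttl] [IN] CNAME target
CNAME_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)$", re.IGNORECASE
)


def parse_cnames(zone_text, origin):
    """Map each CNAME owner FQDN to its target, both lowercased without a trailing dot.

    Relative owner names are qualified with `origin`; '@' is the origin itself.
    Comment lines and non-CNAME records are ignored.
    """
    origin = origin.lower().strip(".")
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        match = CNAME_LINE.match(line) if line else None
        if not match:
            continue
        owner = match.group("owner").lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records[owner.rstrip(".")] = match.group("target").lower().rstrip(".")
    return records


def classify_enrollment(target):
    """Status of an EnterpriseEnrollment CNAME target, following the post's guidance."""
    if target is None:
        return "missing"  # the device falls back to asking the user for a server address
    if target == PREFERRED_ENROLLMENT:
        return "ok"
    if target in PROMPTING_ENROLLMENT:
        return "supported-with-prompt"
    return "unsupported"  # a proxy or any other host is not a supported redirection


def classify_registration(target):
    """Status of an EnterpriseRegistration CNAME target (needed for conditional access)."""
    if target is None:
        return "missing"
    return "ok" if target == REGISTRATION_TARGET else "unsupported"


def audit(zone_text, origin, upn_suffixes, conditional_access=True):
    """Check that every UPN suffix has the CNAMEs the post calls for.

    Returns {owner_fqdn: (status, target)} for EnterpriseEnrollment.<suffix> and,
    when conditional_access is True, EnterpriseRegistration.<suffix>.
    """
    records = parse_cnames(zone_text, origin)
    results = {}
    for suffix in upn_suffixes:
        suffix = suffix.lower().strip(".")
        owner = f"enterpriseenrollment.{suffix}"
        target = records.get(owner)
        results[owner] = (classify_enrollment(target), target)
        if conditional_access:
            owner = f"enterpriseregistration.{suffix}"
            target = records.get(owner)
            results[owner] = (classify_registration(target), target)
    return results


# Constructed zone fragment for contoso.com; every line is made up for this example.
SAMPLE_ZONE = """
; contoso.com (constructed sample, not a real zone)
EnterpriseEnrollment      3600 IN CNAME EnterpriseEnrollment-s.manage.microsoft.com.
EnterpriseEnrollment.us   3600 IN CNAME manage.microsoft.com.
EnterpriseEnrollment.eu   3600 IN CNAME enrollproxy.contoso.com.
EnterpriseRegistration    3600 IN CNAME EnterpriseRegistration.windows.net.
"""
SAMPLE_SUFFIXES = ["contoso.com", "us.contoso.com", "eu.contoso.com"]

if __name__ == "__main__":
    for owner, (status, target) in audit(SAMPLE_ZONE, "contoso.com", SAMPLE_SUFFIXES).items():
        print(f"{status:22} {owner:40} -> {target or '-'}")
```

Run against an export of your own zone with the list of UPN suffixes you actually issue; the script reads zone text only and never queries DNS, so a live lookup with your resolver is still the final confirmation that the published records match what the check expects.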

2 Comments
Contributor

Even though the change to "-s" was implemented in 2017 (I missed it back then), some documentation agrees, like this, but others do not, like this.

Even the DNS checker in the admin portal warns of possible service issues and shows this. How can this possibly be at this point?

[Screenshot: Capture.JPG]

Occasional Visitor

Will an "HSTS includeSubDomains" header break CNAME resolution for Windows 10 Azure AD join, Outlook, Skype for Business, etc., because of the certificate mismatch? IE/Edge show an HSTS error and block access when using includeSubDomains on the above CNAMEs.