# Entra device enrollment

This guide applies to environments using **Microsoft Entra Joined** Windows devices managed through Microsoft Intune. It covers how to configure Peig as the Web Sign-In provider so that Windows lock screen authentication flows through Peig.

{% hint style="info" %}
This guide is only relevant if your team uses Windows devices enrolled in Microsoft Entra ID. If your team uses personal or unmanaged devices, you can skip this page.
{% endhint %}

## Entra Joined vs. Entra Registered

|                       | Entra Joined                                  | Entra Registered        |
| --------------------- | --------------------------------------------- | ----------------------- |
| **Scope**             | Corporate-owned, fully managed devices        | Personal / BYOD devices |
| **Device management** | Full Intune management and Conditional Access | No advanced management  |
| **Peig Web Sign-In**  | ✅ Supported                                   | ❌ Not applicable        |

Peig Web Sign-In at the Windows lock screen level requires devices to be **Entra Joined**.

## How to enrol a device

{% stepper %}
{% step %}

### Log on to the device

Log on to the device using a local administrator or temporary account.
{% endstep %}

{% step %}

### Open Access work or school

Open **Settings → Accounts → Access work or school**.
{% endstep %}

{% step %}

### Join Microsoft Entra ID

Click **Connect → Join this device to Microsoft Entra ID**.
{% endstep %}

{% step %}

### Enter the user's email address

Enter the user's Entra ID email address.
{% endstep %}

{% step %}

### Complete the sign-in flow

* **Federated tenants:** select your domain, then complete Web Sign-In by scanning the QR code
* **Using TAP:** select the alternate domain, enter the UPN, choose Temporary Access Pass, and enter the code
{% endstep %}

{% step %}

### Sign in at the lock screen

After the join completes, sign in at the lock screen with **Other user** and the user's Entra ID credentials.
{% endstep %}
{% endstepper %}

**Confirm enrolment** by opening PowerShell and running:

```powershell
dsregcmd /status
```

Verify the output shows `AzureAdJoined : YES` and `DomainJoined : NO`.
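To run the same check as a script, for example across several newly joined devices, the output can be parsed instead of read by eye. The following is an added example, not part of Peig's or Microsoft's tooling; the function names `ConvertFrom-DsregStatus` and `Test-EntraJoinedOnly` are hypothetical, and the embedded sample output is constructed so the script also runs on a machine without `dsregcmd`.

```powershell
# Added example: parse `dsregcmd /status` and check the two values this guide verifies.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "   AzureAdJoined : YES".
        # Banner rows, blank lines and keys containing spaces are skipped.
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z0-9]*)\s*:\s*(?<value>.*\S)\s*$') {
            $state[$Matches.key] = $Matches.value
        }
    }
    return $state
}

function Test-EntraJoinedOnly {
    param([hashtable]$State)
    $problems = @()
    # A missing key yields $null, which also fails the comparison.
    if ($State['AzureAdJoined'] -ne 'YES') {
        $problems += "AzureAdJoined is '$($State['AzureAdJoined'])', expected YES"
    }
    # DomainJoined : YES would mean the device is not purely Entra Joined.
    if ($State['DomainJoined'] -ne 'NO') {
        $problems += "DomainJoined is '$($State['DomainJoined'])', expected NO"
    }
    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample output, used only when dsregcmd is not available.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO'
)

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    dsregcmd.exe /status
} else {
    $sample
}

$result = Test-EntraJoinedOnly -State (ConvertFrom-DsregStatus -Lines $lines)
$result.Problems | ForEach-Object { Write-Warning $_ }
$result
```

The returned object's `Compliant` property is `True` only when both values match what this page expects; any mismatch or missing field is listed in `Problems`.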

## Choose your scenario

<table data-view="cards"><thead><tr><th>Title</th><th>Description</th><th data-card-target data-type="content-ref">Target</th></tr></thead><tbody><tr><td><strong>Scenario 1: With Windows Hello for Business</strong></td><td>Windows Hello is the primary sign-in method. Peig Web Sign-In and TAP are configured as fallbacks.</td><td><a href="/pages/6e175945bbe832f54f4908cc0d7775ec39e70db5">/pages/6e175945bbe832f54f4908cc0d7775ec39e70db5</a></td></tr><tr><td><strong>Scenario 2: Without Windows Hello for Business</strong></td><td>Windows Hello is disabled. Peig Web Sign-In is the primary sign-in method, with TAP as backup.</td><td><a href="/pages/1cb15e6806f48134b981d2d3340cbc1b51198feb">/pages/1cb15e6806f48134b981d2d3340cbc1b51198feb</a></td></tr></tbody></table>

