@Leonardo Santana, the AutoPilot registration and Intune registration are separate things. When an AutoPilot registered device is received by a user, they would need to connect it to the network to complete the build/installation. This would require network connectivity to internet-based systems like Entra ID and Intune.
In this initial phase, the device would have no certificate and would not yet be enrolled with Intune, so ISE would have nothing to use for authentication and nothing to identify it as a Corporate-owned device. You would likely need to look at options like the following for this initial connectivity.
- Connecting to a non-802.1x Wifi network (like PSK, hotspot, etc) with basic internet connectivity to complete the initial build and enrolment/registration with Intune
- Connecting to a dedicated build Wired network (ideally with physical security) that provides basic internet connectivity
- Capturing the MAC address of the device, adding it to an 'AllowList' Endpoint Identity Group, and having a Wired MAB policy that would permit it limited access to an internet proxy or some other segmented network access. This could be done using manual GUI configuration or APIs, but would still add operational overhead.
Once the Intune enrolment is complete and the device has a certificate enrolled with the GUID, the user could connect to the secure Wired/Wireless corporate networks.
Ideally, MS would add some method to connect to an 802.1x secured network during the initial stages, but they never even implemented that in traditional builds using SCCM, so I won't hold my breath for that.
