The identity of a mobile-enabled device, such as a Windows PC, is traditionally contained in a device called a Subscriber Identity Module (SIM) and packaged as a separate SIM card. Managing SIM cards for a fleet of devices can be expensive and time-consuming. Therefore, Windows 10 and Windows 11 support eSIM (embedded subscriber identity module) technology as a digital alternative to separate SIM cards. Windows 11 provides more ways to deploy and manage eSIM content with mobile device management (MDM) features such as Microsoft Intune.
About eSIM technology
eSIM technology has created a global ecosystem of mobile devices and mobile operators based on a common GSM Association (GSMA) specification. Adoption of eSIM technology is growing with its inclusion in popular smartphones. Windows has supported eSIM on PCs since 2017.
eSIM separates the secure operating environment of the plastic SIM card from the SIM credentials it contains. The secure container is called an eUICC (embedded universal integrated circuit card). In the same way that each physical SIM card has a unique identity, each eUICC has a unique identity called an eUICC identifier (EID).
Credentials and related other configurations that uniquely identify your mobile subscription are contained in a digital (software) package called an eSIM profile. Multiple eSIM profiles can be installed in the eUICC. One of the installed eSIM profiles is enabled (and the others are disabled). The combination of an active eSIM profile and its eUICC container behaves exactly like a traditional SIM card.
eSIM configuration of PCs at scale
eSIM digitizes the delivery of SIM cards to devices such as PCs, eliminating the need to acquire and deploy physical SIM cards. The Mobile Plans app for Windows further reduces friction by offering a user interface that lets you interact with the mobile operator of your choice and coordinate the download and installation of the appropriate eSIM profile.
The Mobile Plans app suits the needs of consumers and businesses with a handful of PCs. However, it requires user interaction on each individual device, an effort and cost that becomes significant at scale. To support larger managed environments (such as enterprises or educational organizations), Windows provides eSIM support through mobile device management (MDM) solutions such as Microsoft Intune.
When an enterprise provides an eSIM through an MDM solution such as Microsoft Intune, it configures the eSIM deployment alongside its other enterprise settings and policies. When a device is enrolled with the MDM server through the end user's work or school account, the MDM server pushes that configuration to the PC during its lifecycle. Once the eSIM settings are on the PC, the eSIM profile is downloaded from the carrier's download server (SM-DP+).
In Windows, the eUICC Configuration Service Provider (CSP) supports eSIM deployment. The enterprise can also configure some eSIM policies through the CSP, and each PC obtains its own eSIM profile through the CSP.
Along with your connected Windows 11 PC (eSIM-enabled PC) managed via Microsoft Intune, you need the following information:
A mobile operator that can provide eSIM profiles to a set of known devices based on their EIDs. This in turn requires some means by which the enterprise (or school) can provide the operator with the EIDs of its PCs as part of the contract with the mobile operator.
One option is for the company to obtain the EIDs for its computers from the computer's packaging and send them directly to the carrier.
Alternatively, for bulk device purchases, their computer EIDs may be contained in a manifest file created by the device OEM or dealer/distributor and provided to the device company or directly to the carrier.
Once the mobile operator knows the EIDs of the user computers, it will create eSIM profiles for each computer on its download server (SM-DP+). The company must know the fully qualified domain name (FQDN) of the download server (SM-DP+). For example smdp.example.com. However, it does not require individual activation codes. When each computer contacts the download server (SM-DP+), the download server (SM-DP+) authenticates the computer's EID and assigns it an eSIM profile specific to that device.
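The EID list and the SM-DP+ FQDN are the two inputs the administrator hands over (EIDs to the carrier, the FQDN to the MDM), and both fail silently when wrong: a mistyped EID simply never gets a profile, and a server name entered as a URL never resolves. The following Python is an added example, not part of this page or of Intune. It checks each EID against the ISO/IEC 7064 MOD 97-10 check digits the GSMA eUICC specifications prescribe (a valid 32-digit EID, read as a number, leaves remainder 1 when divided by 97, the same scheme IBANs use), rejects duplicate EIDs, and confirms the server name is a bare host name rather than a URL. The `serial,eid` CSV layout and every EID in `SAMPLE_MANIFEST` are constructed for the example and do not belong to real devices.

```python
"""Sanity-check an EID manifest and an SM-DP+ server name before sending them
to a carrier or entering them in an MDM eSIM profile (added example)."""
import csv
import io
import re


def eid_check_digits(prefix30: str) -> str:
    """Compute the two ISO/IEC 7064 MOD 97-10 check digits for a 30-digit EID prefix.

    The full EID (prefix + check digits), read as a number, must leave remainder 1
    when divided by 97.
    """
    if len(prefix30) != 30 or not prefix30.isdigit():
        raise ValueError("EID prefix must be exactly 30 decimal digits")
    return f"{98 - (int(prefix30) * 100 % 97):02d}"


def is_valid_eid(eid: str) -> bool:
    """True if eid is 32 decimal digits, starts with the telecom industry
    identifier 89, and passes the MOD 97-10 check."""
    eid = eid.strip()
    return (len(eid) == 32 and eid.isdigit() and eid.startswith("89")
            and int(eid) % 97 == 1)


# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)


def is_valid_server_name(value: str) -> bool:
    """True if value is a bare FQDN such as smdp.example.com.

    The Server Name setting expects a host name, so a scheme, port or path
    (https://..., :443, /path) is rejected outright.
    """
    v = value.strip()
    if any(sep in v for sep in ("://", "/", ":", " ")):
        return False
    return len(v) <= 253 and _FQDN_RE.match(v) is not None


def normalize_server_name(value: str) -> str:
    """Return the lower-cased bare FQDN, or raise ValueError naming the bad input."""
    if not is_valid_server_name(value):
        raise ValueError(f"not a bare SM-DP+ FQDN: {value!r}")
    return value.strip().lower()


def validate_manifest(csv_text: str):
    """Parse a 'serial,eid' CSV into accepted {serial: eid} and a list of
    (serial, eid, reason) errors. Duplicates are rejected because the carrier
    creates exactly one profile per EID."""
    accepted: dict[str, str] = {}
    seen_eids: set[str] = set()
    errors: list[tuple[str, str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get("serial") or "").strip()
        eid = (row.get("eid") or "").strip()
        if not is_valid_eid(eid):
            errors.append((serial, eid, "not a valid EID (length, digits, prefix or check digits)"))
        elif eid in seen_eids:
            errors.append((serial, eid, "duplicate EID"))
        else:
            accepted[serial] = eid
            seen_eids.add(eid)
    return accepted, errors


# Constructed sample manifest (not real devices): rows 1-2 are valid, row 3 has
# wrong check digits, row 4 is one digit short, row 5 repeats row 2's EID.
SAMPLE_MANIFEST = """serial,eid
PC-0001,89049032123451234512345678901235
PC-0002,89049032123451234512345678901332
PC-0003,89049032123451234512345678901236
PC-0004,8904903212345123451234567890133
PC-0005,89049032123451234512345678901332
"""

if __name__ == "__main__":
    accepted, errors = validate_manifest(SAMPLE_MANIFEST)
    for serial, eid in accepted.items():
        print(f"OK    {serial} {eid}")
    for serial, eid, reason in errors:
        print(f"ERROR {serial} {eid!r}: {reason}")
    print("server name:", normalize_server_name("SMDP.Example.com"))
    for bad in ("https://smdp.example.com", "smdp.example.com/", "smdp.example.com:443"):
        print(f"rejected {bad!r}:", not is_valid_server_name(bad))
```

Run it against the manifest you received from the OEM or distributor before it goes to the carrier; two of the five constructed rows pass, and the rest are reported with the reason. The check-digit test catches transcription errors, not substitution of one valid EID for another, so the accepted list still has to be reconciled against the devices you actually own.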
The general flow of the process is as follows:
To set up a managed eSIM deployment, the enterprise must have a contract with a mobile operator and obtain from the operator the details of its eSIM download server (SM-DP+). The enterprise then configures the policies and settings to apply to all connected eSIM-enabled PCs, including the operator's SM-DP+ fully qualified domain name.
The MDM administrator creates an eSIM configuration profile pointing to the download server (SM-DP+) provided by the mobile operator and assigns the profile to the required groups.
As described earlier, the company or its supplier (computer manufacturer or distributor) provides the operator with the EIDs of the connected computers. For each EID, the carrier creates an eSIM profile on its download server (SM-DP+) for that device. After the initial setup is complete, the following process occurs for each computer:
The end user unboxes the PC, turns it on, and goes through the initial Windows out-of-box experience (OOBE). As part of this process, the end user connects the PC to a Wi-Fi network and signs in with a work or school account.
When the user authenticates to the enterprise's (or school's) Azure Active Directory, a work or school account is configured on the device. As part of this process, the PC is enrolled in the MDM system, which then configures it according to the enterprise's configuration (from step 1). This configuration includes the FQDN of the carrier's download server (SM-DP+).
After the configuration is complete, the computer connects to the download server (SM-DP+) according to the standard eSIM download protocol. As part of this process, the download server (SM-DP+) receives and authenticates the computer's EID. The download server (SM-DP+) searches for an eSIM profile for this EID (created in step 2) and downloads this eSIM profile to the computer.
The computer installs and activates the eSIM profile. Windows recognizes your mobile network operator and configures mobile network settings such as access point name (APN), and your computer is now connected via a mobile network.
The described process flow is focused on the initial configuration of the device. However, eSIM provisioning can also be done at any point in the device lifecycle for managed devices.
Intune eSIM download server configuration
Intune configuration of the eSIM server for carrier download is done via a configuration profile assigned to a group.
This feature applies to:
- Windows 11
To deploy eSIM to devices using Intune, use the following:
- eSIM-enabled devices, such as Surface Pro 9 with 5G. Check whether your device supports eSIM.
- Windows 11 (version 22H2, build 22621, or later), enrolled in MDM and managed by Intune
- The fully qualified domain name (FQDN) of the eSIM download server (SM-DP+ or SM-DS), provided by your mobile operator. Contact your mobile operator for details.
Devices with an eSIM card enabled
If you aren't sure whether your devices support eSIM, contact the device manufacturer. On Windows devices, you can verify eSIM support yourself; for more information, see Use an eSIM to get a cellular data connection on your Windows PC.
After your carrier has confirmed that it has created the eSIM profiles on its download server (SM-DP+) for the EIDs of your eSIM-enabled Windows devices, go to Microsoft Intune and create a configuration profile targeting those devices.
Create an Azure AD device group
Create a device group that contains the eSIM-enabled devices. Add groups lists the steps.
We recommend creating a static Azure AD device group that contains only the eSIM devices. Using such a group ensures that you target only eSIM-capable devices.
Create a profile
Sign in to the Microsoft Intune admin center.
Select Devices > Configuration profiles > Create profile.
In Platform, select Windows 10 and later.
In Profile type, select Settings catalog.
Select Create and follow the wizard to complete the steps.
In the Basics tab, enter a Name and Description for the profile and select Next.
In the Configuration settings tab, select + Add settings and search for eSIM in the settings picker. Once you select eSIM, you can choose which of its settings to include in the policy:
1 - Auto Enable: Specifies whether the enrolled profile should be automatically enabled after installation. The default value is Enabled. Select Auto Enable if the eSIM profile should be enabled automatically (regardless of other eSIM profiles stored in the eUICC).
2 - Server Name: The fully qualified domain name of the SM-DP+ server used for profile discovery. For example, smdp.example.com (do not include https://).
3 - Show Local UI: Determines whether eSIM settings can be viewed and changed in the Settings app on supported eSIM-enabled devices. If Show Local UI is set to Disabled, Auto Enable should be selected, since the user then has no way to enable the downloaded profile manually.
Enter the server name, select the settings you want, and then select Next.
In the Scope tags tab, add any required scope tags and select Next.
In the Assignments tab, select the user or device group to assign the profile to. For more information about assigning a profile to a user or device group, see Assign device profiles in Microsoft Intune. Groups must exist before you create the profile; for more information, see Add groups to organize users and devices.
In the Review + create tab, review the details and select Create.
Best practices and troubleshooting
Create an Azure AD device group that contains only the target eSIM devices. (Note: if the policy is applied to a device that does not support eSIM, Device status shows an error.)
The current implementation supports only one server name. Even if multiple server names are added, only the first one will be used.
If Show Local UI is not disabled in the configuration profile, users can change the active profile, stop using, or delete any eSIM profile stored on the device.
As with other settings in Intune, a deployment status of Succeeded only means that the settings were applied, not necessarily that the eSIM profile was also downloaded and enabled.
There is currently no way to delete an eSIM profile using Intune. The profile must be manually removed from the device.
Intune does not distinguish eSIM devices from non-eSIM devices.