MDM-enrolled devices can't sign in to the company portal through Internet Explorer


Mobile Device Manager (MDM)-enrolled devices that are running Windows 8.1 and later cannot sign in to the Company Portal website through Internet Explorer.


During the enrollment process for devices that are running Windows 8.1 and later, the URL for the Company Portal website ( is automatically added to the local intranet zone in Internet Explorer when a user enters his or her credentials. Even for devices that don't successfully enroll, the URL is added to the local intranet zone when the user authenticates during the enrollment process.

During the login process, UI STS (which is hosted on the root domain) sets a cookie that the browser must send to the IWP redirector. The IWP redirector is hosted on the subdomain. Because Internet Explorer doesn’t permit sites to set cookies across security zones, access is denied.


To resolve this issue, remove the URL for the Company Portal from the user’s local intranet zone in Internet Explorer. If this is not desirable, you can instead turn off Protected Mode in Internet Explorer. Be aware that you must take these actions again after each repeated enrollment attempt.
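
The following PowerShell script is an added example, not Microsoft's code. It reports whether a host is mapped to the local intranet zone for the current user and, with `-Remove`, deletes that mapping. It assumes the enrollment process writes the entry to the standard per-user `ZoneMap\Domains` registry key; `portal.contoso.example` is a placeholder because the page does not show the Company Portal URL, and the function and parameter names are illustrative.

```powershell
# Added example (not Microsoft's code). Reports per-user IE zone mappings that
# place a host in the Local intranet zone and, with -Remove, deletes them.
param(
    [string]$PortalHost = 'portal.contoso.example',  # placeholder host, not from the page
    [switch]$Remove
)

# Assumption: the mapping lives in the per-user site-to-zone assignment key.
$domainsSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$intranetZone  = 1   # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites

function Get-IntranetZoneMapping {
    param([string]$HostName)
    $root = "HKCU:\$domainsSubKey"
    if (-not (Test-Path -LiteralPath $root)) { return }
    Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
        # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
        $relative = $_.Name.Substring($_.Name.IndexOf('\Domains\') + '\Domains\'.Length)
        $parts = $relative.Split('\')
        [array]::Reverse($parts)
        $mapped = $parts -join '.'
        # A mapping on a parent domain also covers the host.
        $isParent = $HostName.EndsWith(".$mapped", [StringComparison]::OrdinalIgnoreCase)
        if ($HostName -ne $mapped -and -not $isParent) { return }
        foreach ($protocol in $_.GetValueNames()) {   # value name = protocol, e.g. https or *
            if ($_.GetValue($protocol) -eq $intranetZone) {
                [pscustomobject]@{
                    Host     = $mapped
                    Protocol = $protocol
                    SubKey   = "$domainsSubKey\$relative"
                }
            }
        }
    }
}

$found = @(Get-IntranetZoneMapping -HostName $PortalHost)
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($mapping in $found) {
        # Use the .NET API: Remove-ItemProperty treats a value named "*" as a wildcard.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($mapping.SubKey, $true)
        $key.DeleteValue($mapping.Protocol)
        $key.Close()
    }
}
```

Run it without `-Remove` first to review what would be deleted. Zone assignments enforced through Group Policy are stored elsewhere and are not covered by this script.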

Article ID: 3087058 – Last review: 28.10.2015 – Revision: 1