diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 5d78440379..c062325002 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,7 +1,7 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -11,7 +11,7 @@ author: vinaypamnani-msft
ms.collection:
- highpri
- tier2
-ms.date: 12/31/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index ad2ed3b4a8..1c9d410723 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,36 +1,29 @@
---
-title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
-description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
+title: Automatic MDM enrollment in the Intune admin center
+description: Automatic MDM enrollment in the Intune admin center
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 12/18/2020
-ms.reviewer:
+ms.date: 04/05/2023
+ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
---
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
+# Automatic MDM enrollment in the Intune admin center
-Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
-
-- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-If you use the Azure portal, then you can access Intune using the following steps:
+Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal.
1. Go to your Azure AD Blade.
+
1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-1. Select **Microsoft Intune** and configure the blade.
-
+1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
-Configure the blade
+ 
-
-
-You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
+1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.
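Review bot: The new intro sentence has two wording slips: "enrolled in to Intune" should be "enrolled into Intune", and "Azure Portal" should be "Azure portal", matching the lowercase form used in the removed "If you use the Azure portal" line. The numbered list also now starts on the line directly after that paragraph with no blank line between them; add one so the list renders reliably. The `description:` front matter merely repeats the title; a one-sentence description of what the article covers (configuring automatic MDM enrollment for Azure AD joined and bring-your-own devices, as the last step says) would serve search results better.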
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index 199bd846e9..e3f53846a8 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,22 +1,22 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
-ms.reviewer:
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices.
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
---
-# Bulk enrollment
+# Bulk enrollment using Windows Configuration Designer
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
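Review bot: The H1 is renamed to "Bulk enrollment using Windows Configuration Designer" but the front matter `title:` still reads "Bulk enrollment"; align the two so the browser title and the page heading match. The description trim and the "re-image" spelling look fine.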
@@ -26,7 +26,7 @@ Bulk enrollment is an efficient way to set up a large number of devices to be ma
- Set up industrial machinery.
- Set handheld POS devices.
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
+On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
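Review bot: The unchanged tail of the rewritten line still reads "a large number of desktop ready to use", which needs the plural "desktops", and a comma after `enrollment@contoso.com` would help the sentence. The same sentence calls the account an "admin account" immediately after saying it has only the ability to join the domain, which is the least-privilege point worth preserving; "enrollment account" would avoid suggesting it needs broader rights.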
@@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
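Review bot: While this line is being touched, "login to **Azure AD**" should read "sign in to **Azure AD**", and "click **Device Settings**" should be "select **Device Settings**" to match the "select" verb used in every procedure step elsewhere in this article.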
@@ -44,6 +44,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
+
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
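Review bot: The bullet right after the added blank line still ends with "enrollment certificate for MDM.)." (a stray period inside the parentheses). On the line above, the "Windows Configuration Designer" and "Getting started with Windows WCD" links both point to the same provisioning-install-icd page; either drop one or point the second at the intended getting-started article.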
@@ -55,38 +56,40 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Open the WCD tool.
1. Select **Advanced Provisioning**.
-

1. Enter a project name and select **Next**.
1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**.
1. Skip **Import a provisioning package (optional)** and select **Finish**.
-1. Expand **Runtime settings** > **Workplace**.
-1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**.
- The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
-1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
- Here's the list of available settings:
+1. Expand **Runtime settings** > **Workplace**.
+1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
+1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
+
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
- For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
- Here's the screenshot of the WCD at this point.
+
+ For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point.

-1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+
+1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**.
-1. On the main menu, select **Export** > **Provisioning package**.
+1. On the main menu, select **Export** > **Provisioning package**.

+
1. Enter the values for your package and specify the package output location.



+
1. Select **Build**.

+
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices.
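Review bot: The merged step "enter the information for the rest of the settings for enrollment process" is missing "the" ("for the enrollment process"); the same phrase recurs in the certificate procedure below. Since this package carries the enrollment account's password in its **Secret** setting, the settings list is the natural place to say that the exported .ppkg must be stored and distributed as a credential-bearing file rather than as a generic image artifact; the current text only says the credentials "are used in the provisioning package".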
@@ -99,28 +102,31 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Enter a project name and select **Next**.
1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
1. Skip **Import a provisioning package (optional)** and select **Finish**.
-1. Specify the certificate.
- 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
- 2. Enter a **CertificateName** and then select **Add**.
- 3. Enter the **CertificatePasword**.
- 4. For **CertificatePath**, browse and select the certificate to be used.
- 5. Set **ExportCertificate** to False.
- 6. For **KeyLocation**, select **Software only**.
+1. Specify the certificate:
+
+ 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
+ 1. Enter a **CertificateName** and then select **Add**.
+ 1. Enter the **CertificatePassword**.
+ 1. For **CertificatePath**, browse and select the certificate to be used.
+ 1. Set **ExportCertificate** to False.
+ 1. For **KeyLocation**, select **Software only**.

+
1. Specify the workplace settings.
- 1. Got to **Workplace** > **Enrollments**.
- 2. Enter the **UPN** for the enrollment and then select **Add**.
- The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
- 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
- Here's the list of available settings:
+
+ 1. Got to **Workplace** > **Enrollments**.
+ 1. Enter the **UPN** for the enrollment and then select **Add**. The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`.
+ 1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
- For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
-1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
+
+ For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
+
+1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**.
1. Export and build the package (steps 10-13 in the procedure above).
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
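Review bot: The "Got to **Workplace** > **Enrollments**" typo ("Go to") survives from the removed line into the re-indented one; fix it while the line is being rewritten. The cross-reference "Export and build the package (steps 10-13 in the procedure above)" depends on counting auto-numbered `1.` items in the other procedure and will silently go stale if a step is inserted there; referring to the step text ("from **Save** through **Build**") is more robust.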
@@ -128,37 +134,30 @@ Using the WCD, create a provisioning package using the enrollment information re
## Apply a provisioning package
-Here's the list of articles about applying a provisioning package:
+- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup)
+- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup)
+- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly)
+- [Apply a package from the Settings app](#apply-a-package-from-the-settings-app).
-- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package)
-- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image)
-- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below
+## Apply a package from the Settings app
-## Apply a package from the Settings menu
-
-1. Go to **Settings** > **Accounts** > **Access work or school**.
+1. Go to **Settings** > **Accounts** > **Access work or school**.
1. Select **Add or remove a provisioning package**.
1. Select **Add a package**.
-## Validate that the provisioning package was applied
+## Validate that the provisioning package was applied
-1. Go to **Settings** > **Accounts** > **Access work or school**.
-1. Select **Add or remove a provisioning package**.
- You should see your package listed.
+1. Go to **Settings** > **Accounts** > **Access work or school**.
+1. Select **Add or remove a provisioning package**. You should see your package listed.
## Retry logic if there's a failure
-If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
+- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
+- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context.
+- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
+- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
-If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context.
-
-It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
-
-In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
-
-## Other provisioning articles
-
-Here are links to step-by-step provisioning articles:
+## Related articles
- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
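Review bot: The link list under "Apply a provisioning package" is inconsistent: the first three items have no trailing period while "Apply a package from the Settings app" ends with one. The three links are also repointed to new anchors on provisioning-apply-package (`#during-initial-setup`, `#after-initial-setup`, `#apply-directly`); please confirm those fragment ids exist on the target page, since a broken anchor degrades silently to the top of the page. In the retry bullets, "decaying rate of 15 minutes -> 1 hr -> 4 hr" describes intervals that grow, so "increasing back-off of" reads more clearly, and "It will also retry ... if started from somewhere else as well" has a redundant "as well".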
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 526ac9e52c..bf9d1e373f 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,14 +1,14 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -21,13 +21,8 @@ This section provides an example of the mobile device enrollment protocol using
> [!NOTE]
> To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
-## In this topic
-
-- [Discovery service](#discovery-service)
-- [Enrollment policy web service](#enrollment-policy-web-service)
-- [Enrollment web service](#enrollment-web-service)
-
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+> [!NOTE]
+> For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
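Review bot: This change leaves two `[!NOTE]` callouts back to back, which renders as two separate boxes; either fold the unsupported-scenarios sentence into the first note or put a short lead sentence between them. The note also says "not supported in Windows 10" while the front matter lists Windows 11 under appliesto; "Windows 10 and later" would match the appliesto block.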
@@ -40,34 +35,33 @@ User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
-
-
-
+
+
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
-
- urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
-
- http://www.w3.org/2005/08/addressing/anonymous
-
+
+ urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
+
+ http://www.w3.org/2005/08/addressing/anonymous
+
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
-
-
-
-
-
+
+
+
+
+
user@contoso.com
101
10.0.0.0
- 3.0
+ 3.0
10.0.0.0
Certificate
-
-
-
+
+
+
```
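Review bot: This hunk only re-indents the sample request, but the `urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478` MessageID it re-indents still has a space after `urn:uuid:`, which is not a valid URN; drop the space while the line is being touched. The same spaced form appears in the response and policy samples further down in this file.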
@@ -79,7 +73,7 @@ Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT
-
@@ -90,9 +84,9 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer
urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
-
-
Certificate
@@ -120,11 +114,11 @@ User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache
-
@@ -142,12 +136,12 @@ Cache-Control: no-cache
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
-
+
-
-
@@ -193,29 +187,29 @@ Content-Type: application/soap+xml
Content-Length: xxxx
-
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
-
d4335d7c-e192-402d-b0e7-f5d550467e3c
urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598
-
-
-
-
+
-
-
@@ -271,11 +265,11 @@ Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache
-
@@ -292,7 +286,7 @@ Cache-Control: no-cache
2014-10-16T17:55:13Z
2014-10-16T17:57:13Z
-
+
-
-
+
MessageDigestValue
- SignedMessageBlob/ds:SignatureValue>
+ SignedMessageBlob/ds:SignatureValue>
-
-
+
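Review bot: The re-indented signature line still reads `SignedMessageBlob/ds:SignatureValue>`, so the closing tag is missing its `<` and the sample is not well-formed XML; since this line is being modified anyway, correct the closing tag here.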
@@ -333,8 +327,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
-
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
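Review bot: The unchanged context line in this hunk, "DER format PKCS#10 certificate request in Base64 encoding Insterted Here", has a typo ("Inserted"); worth fixing since the hunk already modifies the adjacent blank line.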
@@ -356,7 +350,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol
- 7BA748C8-703E-4DF2-A74A-92984117346A
+ 7BA748C8-703E-4DF2-A74A-92984117346A
3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342
@@ -378,8 +372,8 @@ Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT
-
@@ -395,14 +389,14 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT
-
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
-
-
+
-
-
+
+
-
+
@@ -482,7 +476,7 @@ The following example shows the encoded provisioning XML.
-
+
@@ -497,7 +491,7 @@ The following example shows the encoded provisioning XML.
-
```
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index d22d2d0223..6f3424abb1 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,5 +1,5 @@
---
-title: Enroll a Windows 10 device automatically using Group Policy
+title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
ms.author: vinpa
ms.topic: article
@@ -7,7 +7,7 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 04/30/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection:
- highpri
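Review bot: Unlike the other four files in this PR, `ms.date` here stays at 04/30/2022 even though the title, H1, requirements and a large new body section change below; bump it to 04/05/2023 for consistency with the rest of the change.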
@@ -17,18 +17,18 @@ appliesto:
- ✅ Windows 10
---
-# Enroll a Windows 10 device automatically using Group Policy
+# Enroll a Windows device automatically using Group Policy
-Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
+You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
-Requirements:
+**Requirements**:
-- Active Directory-joined PC running Windows 10, version 1709 or later
-- The enterprise has configured a mobile device management (MDM) service
-- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad)
-- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
+- The Active Directory joined device must be running Windows 10, version 1709 or later.
+- The enterprise has configured a Mobile Device Management (MDM) service.
+- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
+- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
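Review bot: In the rewritten requirements, "The Active Directory joined device" should be hyphenated ("Active Directory-joined"), matching "domain-joined" in the paragraph above. The rest of the list cleanup (consistent terminal periods, "Mobile Device Management (MDM)" capitalization) looks good.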
> [!TIP]
@@ -45,14 +45,100 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
-In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
+- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
+- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.
+## Configure the auto-enrollment for a group of devices
+
+To configure auto-enrollment using a group policy, use the following steps:
+
+1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+1. Create a Security Group for the PCs.
+1. Link the GPO.
+1. Filter using Security Groups.
+
+If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
+
+1. Download the administrative templates for the desired version:
+
+ - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
+ - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
+ - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
+ - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
+ - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
+ - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
+ - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
+ - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
+ - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
+ - [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
+
+1. Install the package on the Domain Controller.
+
+1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version.
+
+1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
+
+ If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
+
+1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
+
+## Configure the auto-enrollment Group Policy for a single PC
+
+This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise.
+
+1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
+
+1. Under **Best match**, select **Edit group policy** to launch it.
+
+1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
+
+1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
+
+ :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
+
+ > [!NOTE]
+ > In Windows 10, version 1903 and later, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
+ >
+ > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
+
+When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+
+If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
+
+
+
+> [!TIP]
+> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
+
+## Verify enrollment
+
+To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information.
+
+
+
+> [!NOTE]
+> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
+
+## Task Scheduler app
+
+Select **Start**, then in the text box type `task scheduler`. Under **Best match**, select **Task Scheduler** to launch it.
+
+In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
+
+:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
+
+To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab.
+
+The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
+
+> [!NOTE]
+> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
+
## Verify auto-enrollment requirements and settings
-To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly.
-The following steps demonstrate required settings using the Intune service:
+To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
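Review bot: missing space in the new "Verify enrollment" paragraph: "select your domain account.Select **Info**" should read "select your domain account. Select **Info**". Two smaller points in the same region: the TIP "You can avoid this behavior by using Conditional Access Policies" follows the two-factor prompt paragraph, so "this behavior" should name what it means ("this prompt"), and the NOTE now says "In Windows 10, version 1903 and later, the MDM.admx file was updated", which reads oddly for a one-time change; the previous wording "In Windows 10, version 1903, the MDM.admx file was updated" was clearer.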
@@ -83,7 +169,7 @@ The following steps demonstrate required settings using the Intune service:

-1. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`.

@@ -91,166 +177,15 @@ The following steps demonstrate required settings using the Intune service:
:::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
-1. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune.
-
-You may contact your domain administrators to verify if the group policy has been deployed successfully.
-
-1. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).
+1. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
1. Verify that Microsoft Intune should allow enrollment of Windows devices.
:::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
-## Configure the auto-enrollment Group Policy for a single PC
+## Troubleshoot auto-enrollment
-This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
-
-Requirements:
-
-- AD-joined PC running Windows 10, version 1709 or later
-- Enterprise has MDM service already configured
-- Enterprise AD must be registered with Azure AD
-
-1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
-
- 
-
-1. Under **Best match**, select **Edit group policy** to launch it.
-
-1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**.
-
- :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png":::
-
-1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**.
-
- :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png":::
-
-1. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**.
-
- > [!NOTE]
- > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**.
- > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
-
- When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory."
-
- To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-
- If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
-
- 
-
- > [!TIP]
- > You can avoid this behavior by using Conditional Access Policies in Azure AD.
- Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview).
-
-1. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.
-
-1. Select **Info** to see the MDM enrollment information.
-
- 
-
- If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app).
-
-### Task Scheduler app
-
-1. Select **Start**, then in the text box type `task scheduler`.
-
- 
-
-1. Under **Best match**, select **Task Scheduler** to launch it.
-
-1. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
-
- :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
-
- To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab.
-
- If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
-
- > [!NOTE]
- > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
-
-## Configure the auto-enrollment for a group of devices
-
-Requirements:
-
-- AD-joined PC running Windows 10, version 1709 or later
-- Enterprise has MDM service already configured (with Intune or a third-party service provider)
-- Enterprise AD must be integrated with Azure AD.
-- Ensure that PCs belong to same computer group.
-
-> [!IMPORTANT]
-> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
-
-1. Download:
-
- - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
-
- - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
-
- - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
-
- - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
-
- - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
-
- - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
-
- - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
-
- - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
-
- - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
-
- - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
-
-1. Install the package on the Domain Controller.
-
-1. Navigate, depending on the version to the folder:
-
- - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**
-
- - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
-
- - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
-
- - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
-
- - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
-
- - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
-
- - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)**
-
- - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)**
-
- - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)**
-
- - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)**
-
-1. Rename the extracted Policy Definitions folder to `PolicyDefinitions`.
-
-1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
-
- If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
-
-1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
-
-This procedure will work for any future version as well.
-
-1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
-
-1. Create a Security Group for the PCs.
-
-1. Link the GPO.
-
-1. Filter using Security Groups.
-
-## Troubleshoot auto-enrollment of devices
-
-Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.
-
-To collect Event Viewer logs:
+Investigate the logs if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows device. To collect Event Viewer logs:
1. Open Event Viewer.
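Review bot: deleting the "Configure the auto-enrollment for a group of devices" procedure (the ADMX download list, the `PolicyDefinitions` copy to SYSVOL and the central-store note) also deletes the only guidance for the case the IMPORTANT note covered: the **Enable automatic MDM enrollment using default Azure AD credentials** policy not showing up because the matching MDM.admx isn't installed. The new "Troubleshoot auto-enrollment" section only covers Event Viewer and Task Scheduler checks, so a reader who can't find the policy is left without a lead. Suggest keeping one sentence in the verification step, e.g. "If the policy isn't listed, install the current Windows MDM.admx (it's backwards compatible) in your central store", with a link to the central store article that the Related topics hunk also removes. Minor: the retained step "Verify that Microsoft Intune should allow enrollment of Windows devices." should read "Verify that Microsoft Intune allows enrollment of Windows devices."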
@@ -263,61 +198,49 @@ To collect Event Viewer logs:
:::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
- If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
+If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
- - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
+- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:
- :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
+ :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
- To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
+ To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
- - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
+- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described below:
- The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
+ The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
- :::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
+ :::image type="content" alt-text="Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
- > [!NOTE]
- > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
+ > [!NOTE]
+ > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
- This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs:
- **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
+ This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
- :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
+ :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
- When the task is completed, a new event ID 102 is logged.
+ When the task is completed, a new event ID 102 is logged.
- :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
+ :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
- The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
+ The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
- If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
- One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
+ If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
+ One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
- :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
+ :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
- By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
+ By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
- A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
+ A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
- :::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
+ :::image type="content" alt-text="Manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
-### Related topics
+## Related topics
- [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
- [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11))
- [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11))
- [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
- [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
-- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints)
-- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
-- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
-
-### Useful Links
-
-- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
-- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
-- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
-- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
-- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
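Review bot: the guidance carried over in "A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries" tells the reader to delete a key under **HKLM > Software > Microsoft > Enrollments** by eyeballing entry counts; since this hunk rewrites the paragraph anyway, add that the key should be exported (backed up) before deletion and that removing the key of a still-active enrollment leaves the device unmanaged until it re-enrolls. Two consistency points in the same hunk: "error code 2149056522" is shown in decimal while the rest of the article uses hex (`0x80180026`), so add the hex form `0x8018000A` next to it so readers can match it against the MDM enrollment error list; and the task name appears here as "Schedule created by enrollment client for automatically enrolling in MDM from Azure AD" but earlier, in bold, as "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory". Style: "This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task." is a comma splice; use a semicolon or split it.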
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index 44ea3c1a36..7ae977249a 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -1,14 +1,14 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 07/28/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -20,28 +20,23 @@ This section provides an example of the mobile device enrollment protocol using
The `` element the discovery response message specifies web authentication broker page start URL.
-For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
+For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
-## In this topic
-
-[Discovery service](#discovery-service)
-[Enrollment policy web service](#enrollment-policy-web-service)
-[Enrollment web service](#enrollment-web-service)
-
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+> [!NOTE]
+> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
> [!NOTE]
-> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
+> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`.
-The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
+The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
-The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
+The following example shows a request via HTTP GET to the discovery server given `user@contoso.com` as the email address.
```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
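Review bot: the domain placeholder dropped out of the rewritten NOTE: the `-` line had `enterpriseenrollment.*domain\_name*.com` and the `+` line reads `enterpriseenrollment..com`. Restore the placeholder inside the code span (for example `enterpriseenrollment.{domain_name}.com`) so the host pattern is complete.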
@@ -73,16 +68,16 @@ Content-Type: text/html
Content-Length: 0
```
-After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server.
+After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server.
The following logic is applied:
1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
1. If that fails, the device tries HTTP to see whether it's redirected:
- - If the device isn't redirected, it prompts the user for the server address.
- - If the device is redirected, it prompts the user to allow the redirect.
+ - If the device isn't redirected, it prompts the user for the server address.
+ - If the device is redirected, it prompts the user to allow the redirect.
-The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
+The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address
```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
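Review bot: the same placeholder loss as in the note above appears twice in the rewritten POST paragraph: `enterpriseenrollment./EnrollmentServer/Discovery.svc` and "is to `enterpriseenrollment.` enrollment server", where the `-` line had `enterpriseenrollment.*domain\_name*` in both places and read "to enterpriseenrollment.*domain_name* to the enrollment server". Restore the placeholder and the phrase "to the" in the second occurrence. Minor: "given `user@contoso.com` as the email address" still lacks its terminating period.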
@@ -93,34 +88,37 @@ The following example shows the discovery service request.
```xml
-
-
- http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
-
- urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
-
- http://www.w3.org/2005/08/addressing/anonymous
-
-
- https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
-
-
-
-
-
- user@contoso.com
- 3
- 3.0
- WindowsPhone
- 10.0.0.0
-
- OnPremise
- Federated
-
-
-
-
+ xmlns:s="http://www.w3.org/2003/05/soap-envelope">
+
+
+ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
+
+ urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
+
+ http://www.w3.org/2005/08/addressing/anonymous
+
+
+ https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
+
+
+
+
+
+ user@contoso.com
+ 3
+
+ 3.0
+
+ WindowsPhone
+
+ 10.0.0.0
+
+ OnPremise
+ Federated
+
+
+
+
```
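Review bot: the rewritten MessageID line keeps `urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478` with a space after `urn:uuid:`, which is not a well-formed URN and is what the server is expected to echo back in RelatesTo; since the line is being touched, drop the space: `urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478`.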
@@ -142,7 +140,7 @@ When authentication policy is set to be Federated, Web Authentication Broker (WA
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
-A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
+A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
> [!NOTE]
> The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
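Review bot: now that the element is bolded as **AuthenticationServiceUrl**, the two NOTE lines directly above spell it `AuthenticationServiceURL` and `AuthenticiationServiceURL` (the latter a typo); unify the casing with the element name used in the DiscoveryResponse sample and fix the typo.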
@@ -168,7 +166,7 @@ After authentication is complete, the auth server should return an HTML form doc
> To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed.
```html
-HTTP/1.1 200 OK
+HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 556
@@ -200,35 +198,34 @@ The following example shows a response received from the discovery web service t
```xml
-
-
- http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
-
-
- d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
-
- urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
-
-
-
-
- Federated
- 3.0
-
- https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-
-
- https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-
-
- https://portal.manage.contoso.com/LoginRedirect.aspx
-
-
-
-
+ xmlns:a="http://www.w3.org/2005/08/addressing">
+
+
+ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
+
+
+ d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
+
+ urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478
+
+
+
+
+ Federated
+ 3.0
+
+ https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+
+
+ https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+
+
+ https://portal.manage.contoso.com/LoginRedirect.aspx
+
+
+
+
```
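Review bot: The `urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478` value keeps a space after `urn:uuid:`, which makes the URN invalid; it was carried over unchanged from the removed lines, so drop the space while re-indenting. Otherwise the re-indented block matches the removed content line for line, and the sample response advertises `Federated` together with the `https://portal.manage.contoso.com/LoginRedirect.aspx` URL, which agrees with the earlier requirement that the AuthenticationServiceUrl tag must exist for Federated authentication.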
@@ -245,7 +242,7 @@ For Federated authentication policy, the security token credential is provided i
As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server.
-The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element.
+The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element.
- wsse:BinarySecurityToken/attributes/ValueType: The `` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`.
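Review bot: The unchanged context sentence before the modified line has an unclosed parenthesis ("(as identified in the `` element of `` and the enterprise server.") and is a run-on joining three "and" clauses; since the neighbouring line is being edited for whitespace anyway, close the parenthesis and split the sentence. The modified line itself reads fine as a whitespace-only change.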
@@ -255,42 +252,39 @@ The following example is an enrollment policy request with a received security t
```xml
-
-
- http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
-
- urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0
-
- http://www.w3.org/2005/08/addressing/anonymous
-
-
- https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-
-
-
- B64EncodedSampleBinarySecurityToken
-
-
-
-
-
-
-
-
-
-
-
-
+ xmlns:a="http://www.w3.org/2005/08/addressing"
+ xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
+ xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+ xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
+
+
+ http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
+
+ urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0
+
+ http://www.w3.org/2005/08/addressing/anonymous
+
+
+ https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+
+
+
+ B64EncodedSampleBinarySecurityToken
+
+
+
+
+
+
+
+
+
+
+
+
```
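Review bot: The re-indented request now declares five namespace prefixes on the envelope (a, u, wsse, wst, ac); check that each is actually referenced in the body, because GetPolicies is an enrollment-policy (MS-XCEP) request and unused `wst` or `ac` declarations invite confusion about which protocol the message belongs to. The security header carries the `B64EncodedSampleBinarySecurityToken` placeholder; make sure the sample's BinarySecurityToken also shows the ValueType required in the preceding prose (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`) so the example and the requirement can be cross-checked.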
@@ -499,8 +493,8 @@ Here's a sample RSTR message and a sample of OMA client provisioning XML within
The following example shows the enrollment web service response.
```xml
-
@@ -516,7 +510,7 @@ The following example shows the enrollment web service response.
-
@@ -524,7 +518,7 @@ The following example shows the enrollment web service response.
-
@@ -552,7 +546,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
-
+
@@ -618,15 +612,15 @@ The following code shows sample provisioning XML (presented in the preceding pac
```
> [!NOTE]
->
+>
> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
->
+>
> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
->
+>
> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
->
+>
> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
->
+>
> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
->
+>
> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
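Review bot: The bullet "must be present in the Enrollment provisioning XML by the enrollment" ends in a dangling phrase; since every `>` separator line in this block is being touched for trailing whitespace, fix the wording at the same time (for example "must be present in the enrollment provisioning XML"). Two smaller points in the same block: "located in the ... section of this document" links to a different article (windows-mdm-enterprise-settings.md), so "article" is more accurate than "section of this document"; and "If the server does not support it, do not set it" uses uncontracted forms while the rest of this commit writes "doesn't" and "can't".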
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index db2ff0f60d..12f7e3eb21 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -6,8 +6,8 @@ ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 08/03/2022
-ms.reviewer:
+ms.date: 04/05/2023
+ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 11
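Review bot: This hunk only bumps ms.date to 04/05/2023 and strips trailing whitespace from the empty `ms.reviewer:` key, with no text change visible in the file, and the same metadata-only bump recurs in several other files in this commit. Readers use ms.date as a freshness signal, so consider leaving it untouched on files whose content didn't change, or make sure the change set is understood as a review pass rather than a content update.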
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 5f5eab5ac7..755bf07aa0 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -3,10 +3,10 @@ title: Manage Windows devices in your organization - transitioning to modern man
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 06/03/2022
+ms.date: 04/05/2023
author: vinaypamnani-msft
ms.author: vinpa
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.topic: overview
ms.technology: itpro-manage
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index ae5405e2db..e11560c9bf 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,6 +1,6 @@
---
-title: MDM enrollment of Windows 10-based devices
-description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
+title: MDM enrollment of Windows devices
+description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -37,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education c
> [!NOTE]
> Mobile devices can't be connected to an Active Directory domain.
-### Out-of-box-experience
+#### Out-of-box-experience
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain:
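Review bot: Demoting "Out-of-box-experience" from ### to #### (and the matching "Use the Settings app" and "Help with connecting..." headings in the following hunks) assumes an H3 parent sits directly above each group; verify that the section heading introducing each group is H3, otherwise the outline skips a level. Note also that "Out-of-box-experience" and "Use the Settings app" each occur twice in this file (once for Active Directory, once for Azure AD), so their generated anchors carry numeric suffixes; re-check any existing links to them after this change.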
@@ -53,7 +53,7 @@ Joining your device to an Active Directory domain during the out-of-box-experien

-### Use the Settings app
+#### Use the Settings app
To create a local account and connect the device:
@@ -81,7 +81,7 @@ To create a local account and connect the device:

-### Help with connecting to an Active Directory domain
+#### Help with connecting to an Active Directory domain
There are a few instances where your device can't be connected to an Active Directory domain.
@@ -96,7 +96,7 @@ There are a few instances where your device can't be connected to an Active Dire
All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app.
-### Out-of-box-experience
+#### Out-of-box-experience
To join a domain:
@@ -116,7 +116,7 @@ To join a domain:

-### Use the Settings app
+#### Use the Settings app
To create a local account and connect the device:
@@ -154,7 +154,7 @@ To create a local account and connect the device:

-### Help with connecting to an Azure AD domain
+#### Help with connecting to an Azure AD domain
There are a few instances where your device can't be connected to an Azure AD domain.
@@ -171,11 +171,9 @@ There are a few instances where your device can't be connected to an Azure AD do
Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school.
-### Connect to a work or school account
-
All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
-### Use the Settings app
+### Register device in AAD and enroll in MDM
To create a local account and connect the device:
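Review bot: After renaming the heading to "Register device in AAD and enroll in MDM", the unchanged intro line "To create a local account and connect the device:" no longer describes the procedure beneath it; reword it to match the new heading (registering the device with a work or school account). Also, "AAD" is used nowhere else in this file, which writes "Azure AD" (for example "connected to an Azure AD domain"); spell it out in the heading for consistency. Removing the "Connect to a work or school account" heading leaves its paragraph as the lead-in for the renamed section, which reads fine.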
@@ -209,13 +207,9 @@ To create a local account and connect the device:

-### Connect to MDM on a desktop (enrolling in device management)
+### Enroll in device management only
-All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
-
-### Use the Settings app
-
-To create a local account and connect the device:
+All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. To create a local account and connect the device:
1. Launch the Settings app.
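Review bot: The merged sentence "All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. To create a local account and connect the device:" still introduces the steps as creating a local account, while the heading now says "Enroll in device management only"; say "To enroll the device:" so the intro and the heading agree. The "Windows 10-based" wording also conflicts with this file's title and description, which the same commit changes to "Windows devices" since the article applies to Windows 11 as well.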
@@ -257,7 +251,7 @@ There are a few instances where your device may not be able to connect to work.
| You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. |
| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
-## Connect your Windows 10-based device to work using a deep link
+## Connect your Windows device to work using a deep link
Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
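Review bot: The heading is generalized to "Windows device" but the context sentence directly under it still says "Windows 10-based devices" and "anywhere in Windows 10"; update the body to match the heading, otherwise the section contradicts itself.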
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index efa9cb8b51..c741f52e64 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -1,7 +1,7 @@
---
title: Mobile Device Management overview
-description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
-ms.date: 03/24/2023
+description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
+ms.date: 04/05/2023
ms.technology: itpro-manage
ms.topic: article
ms.prod: windows-client
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index 863f8db087..cae59a41d2 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -1,14 +1,14 @@
---
title: Mobile device enrollment
-description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
-ms.reviewer:
+description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 03/29/2023
+ms.date: 04/05/2023
ms.collection:
- highpri
- tier2
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index c70b4ab1a5..4309b6be4d 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,7 +1,7 @@
---
title: What's new in MDM enrollment and management
-description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-ms.reviewer:
+description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 09/16/2022
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md
index 95dce3e717..362b0467bb 100644
--- a/windows/client-management/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/on-premise-authentication-device-enrollment.md
@@ -1,14 +1,14 @@
---
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -18,51 +18,44 @@ appliesto:
This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
-## In this topic
-
-- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment)
- - [In this topic](#in-this-topic)
- - [Discovery service](#discovery-service)
- - [Enrollment policy web service](#enrollment-policy-web-service)
- - [Enrollment web service](#enrollment-web-service)
-
-For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+> [!NOTE]
+> For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery service
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
> [!NOTE]
-> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
+> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`.
-The device's automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "sample@contoso.com", the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
+The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`.
The first request is a standard HTTP GET request.
The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address.
-```
+```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
```
-```
+```http
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache
```
-```
+```http
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Count: 248
Body Byte Count: 0
```
-```
+```http
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
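Review bot: Both the note ("`enterpriseenrollment..com`") and the paragraph after it lose the domain placeholder that the removed lines carried as *domain\_name*; as rendered here nothing sits between the dots, so confirm the placeholder actually survives inside the code span or use a concrete example such as `enterpriseenrollment.contoso.com`. In the same paragraph, "first Get request" should read "first GET request" to match "HTTP GET" on the next line. On the fence tags: ```http fits the two blocks containing the actual GET request and the 200 OK response, but the "Request Full Url / Content Type / Header Byte Count / Body Byte Count" blocks are capture-tool summaries rather than HTTP messages, and ```text describes them better. Unrelated but visible in the same context: the User-Agent still reads "Windows Phone 8 Enrollment Client" although the article applies to Windows 10 and Windows 11.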
@@ -71,18 +64,18 @@ Content-Type: text/html
Content-Length: 0
```
-After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server.
+After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server.
The following logic is applied:
1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails.
1. If that fails, the device tries HTTP to see whether it is redirected:
- - If the device is not redirected, it prompts the user for the server address.
- - If the device is redirected, it prompts the user to allow the redirect.
+ - If the device is not redirected, it prompts the user for the server address.
+ - If the device is redirected, it prompts the user to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address:
-```
+```http
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
```
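Review bot: The rewritten sentence ends "the next message sent from the device is to `enterpriseenrollment.` enrollment server", which drops the domain placeholder and loses the grammar of the original ("to the enrollment server"); the POST URL earlier in the same sentence has the same empty placeholder (`enterpriseenrollment./EnrollmentServer/Discovery.svc`). The two-step logic below is security-relevant (HTTPS first, then plain HTTP only to check for a redirect, with the user prompted to approve it); it would help readers to state that the HTTP step provides no server authentication, which is why a redirect found there is gated on user approval rather than followed automatically. Also "server cert" would be clearer as "server certificate".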
@@ -174,42 +167,42 @@ For the OnPremise authentication policy, the UsernameToken in GetPolicies contai
The following example shows the policy web service request.
```xml
-
-
-
- http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
-
- urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0
-
- http://www.w3.org/2005/08/addressing/anonymous
-
-
- https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
-
-
-
- user@contoso.com
- mypassword
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+ http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
+
+ urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0
+
+ http://www.w3.org/2005/08/addressing/anonymous
+
+
+ https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
+
+
+
+ user@contoso.com
+ mypassword
+
+
+
+
+
+
+
+
+
+
+
+
+
```
After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.
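Review bot: The re-indented GetPolicies request carries the user credential as a UsernameToken with a literal `mypassword`; the article describes the enrollment services as HTTPS, and since the transport is the only thing protecting that value, a sentence beside the sample noting that OnPremise authentication places the password in the SOAP security header and must therefore only ever be sent over HTTPS would make the example safer to copy. The message ID `urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0` is the same one used in the Federated policy request sample elsewhere in this commit; acceptable for samples, but worth knowing they are shared. Finally, the unchanged line after the block says "A sample of the response can be found on MSDN" with no link, which is a dead end for the reader.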
@@ -304,7 +297,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
-The RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
+The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
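Review bot: Wrapping the TokenType URI in a code span is the right call; while on this line, "our enrollment token" reads as vendor first-person in reference documentation and "the enrollment token" fits better, and "see the Response section" should become a link to that heading so it survives future restructuring.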
@@ -314,11 +307,11 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType
The following example shows the enrollment web service request for OnPremise authentication.
```xml
-
@@ -347,8 +340,8 @@ The following example shows the enrollment web service request for OnPremise aut
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
-
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
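Review bot: The context line "DER format PKCS#10 certificate request in Base64 encoding Insterted Here" has a typo ("Insterted"); fix it while this block is being edited.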
@@ -386,7 +379,6 @@ The following example shows the enrollment web service request for OnPremise aut
7BA748C8-703E-4DF2-A74A-92984117346A
-
True
@@ -399,8 +391,8 @@ The following example shows the enrollment web service request for OnPremise aut
The following example shows the enrollment web service response.
```xml
-
@@ -416,14 +408,15 @@ The following example shows the enrollment web service response.
-
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
-
-
+
+
B64EncodedSampleBinarySecurityToken
-
+
0
@@ -443,7 +436,7 @@ The following example shows the enrollment web service response.
The following example shows the encoded provisioning XML.
-```
+```xml
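Review bot: Retagging the fence as ```xml is correct for what the block contains (the following hunks show XML elements being edited inside it), but the lead-in sentence still calls it "the encoded provisioning XML"; since what is shown is the readable XML rather than its base64 form, "decoded provisioning XML" or simply "provisioning XML" avoids the contradiction.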
@@ -455,17 +448,17 @@ The following example shows the encoded provisioning XML.
-
+
-
-
+
+
-
+
@@ -516,7 +509,7 @@ The following example shows the encoded provisioning XML.
-
```
diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md
index efc700f21d..e99451394d 100644
--- a/windows/client-management/push-notification-windows-mdm.md
+++ b/windows/client-management/push-notification-windows-mdm.md
@@ -1,14 +1,14 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 09/22/2017
+ms.date: 04/05/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 88b3b3f800..00104f6638 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -10,7 +10,7 @@ items:
items:
- name: What is MDM?
href: mdm-overview.md
- - name: What's new in MDM enrollment and management
+ - name: What's new in MDM
href: new-in-windows-mdm-enrollment-management.md
- name: Azure Active Directory integration with MDM
href: azure-active-directory-integration-with-mdm.md
@@ -25,22 +25,20 @@ items:
items:
- name: Enrollment overview
href: mobile-device-enrollment.md
- - name: Enrollment methods
- items:
- - name: Manual enrollment
- href: mdm-enrollment-of-windows-devices.md
- - name: Automatic enrollment
- href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
- - name: Group Policy enrollment
- href: enroll-a-windows-10-device-automatically-using-group-policy.md
- - name: Bulk enrollment
- href: bulk-enrollment-using-windows-provisioning-tool.md
- - name: Federated authentication enrollment
- href: federated-authentication-device-enrollment.md
- - name: Certificate authentication enrollment
- href: certificate-authentication-device-enrollment.md
- - name: On-premises authentication enrollment
- href: on-premise-authentication-device-enrollment.md
+ - name: Manual enrollment
+ href: mdm-enrollment-of-windows-devices.md
+ - name: Automatic enrollment
+ href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+ - name: Group policy enrollment
+ href: enroll-a-windows-10-device-automatically-using-group-policy.md
+ - name: Bulk enrollment
+ href: bulk-enrollment-using-windows-provisioning-tool.md
+ - name: Federated authentication enrollment
+ href: federated-authentication-device-enrollment.md
+ - name: Certificate authentication enrollment
+ href: certificate-authentication-device-enrollment.md
+ - name: On-premises authentication enrollment
+ href: on-premise-authentication-device-enrollment.md
- name: Manage devices
expanded: true
items:
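Review bot: Flattening the "Enrollment methods" group puts the seven method pages at the same level as "Enrollment overview", which removes the only cue that they are alternatives; the ordering (manual, automatic, Group Policy, bulk, then the three authentication-policy pages) still conveys it, so this is acceptable. One wording point: "Group policy enrollment" lowercases "policy", but Group Policy is a feature name and the removed line capitalized it; keep "Group Policy enrollment".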