Update enrollment

Vinay Pamnani 2023-04-03 11:43:04 -04:00
parent aa70cdd108
commit b813bf46d4


@ -9,12 +9,12 @@ ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft author: vinaypamnani-msft
ms.date: 03/29/2023 ms.date: 03/29/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 and later</a>
ms.collection: ms.collection:
- highpri - highpri
- tier2 - tier2
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
--- ---
# Mobile device enrollment # Mobile device enrollment
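Review bot: `ms.date: 03/29/2023` is left unchanged on both sides even though this commit reworks the body (relocates the Disable MDM enrollments section, converts both error lists to tables); bump `ms.date` to the commit date so the page's freshness metadata matches its content. The `appliesto` block is also moved above `ms.collection`, reordered to list Windows 11 before Windows 10, and the "and later" wording is dropped from both entries; confirm the reordering is intentional and matches the rest of the doc set.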
@ -23,21 +23,16 @@ Mobile device enrollment is the first phase of enterprise management. The device
The enrollment process includes the following steps: The enrollment process includes the following steps:
1. Discovery of the enrollment endpoint 1. **Discovery of the enrollment endpoint**: This step provides the enrollment endpoint configuration settings.
1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication.
This step provides the enrollment endpoint configuration settings. 1. **DM Client provisioning**: This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML).
1. Certificate installation
This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication.
1. DM Client provisioning
This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML).
## Enrollment protocol ## Enrollment protocol
There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see:
- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f).
- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps: The enrollment process involves the following steps:
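Review bot: the MS-MDE2 link on the new side still carries a leading space inside the URL parentheses, `]( https://go.microsoft.com/fwlink/p/?LinkId=619347)`, copied over from the old line; remove the space so the link renders reliably in every Markdown processor. In the Certificate installation step, "Secure Sockets Layer (SSL) mutual authentication" is worth updating to "Transport Layer Security (TLS) mutual authentication" while the step is being reworded, since the channel described is HTTPS and SSL is deprecated.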
@ -47,7 +42,9 @@ The discovery request is a simple HTTP post call that returns XML over HTTP. The
### Certificate enrollment policy ### Certificate enrollment policy
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse).
For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210)
### Certificate enrollment ### Certificate enrollment
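Review bot: the new paragraph cites MS-XCEP twice, first as plain text (`[MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification`) and then again in the split-off "For more information, see ..." sentence that carries the link; link the first mention and drop the second, and end that sentence with a period (neither side has one). Unescaping `\[MS-XCEP\]` to `[MS-XCEP]:` is safe only because it sits mid-sentence; at the start of a line that form is a Markdown link-reference definition, so keep the escaped form for consistency with the rest of the page.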
@ -72,19 +69,7 @@ The following topics describe the end-to-end enrollment process using various au
## Enrollment support for domain-joined devices ## Enrollment support for domain-joined devices
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Disable MDM enrollments
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
Here's the corresponding registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Value: DisableRegistration
## Enrollment scenarios not supported ## Enrollment scenarios not supported
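Review bot: the removed "Disable MDM enrollments" section is relocated, not deleted, to after "Enrollment scenarios not supported" later in this same commit; say so in the commit message ("Update enrollment" gives no hint), because on its own this hunk reads as dropping the only hardening guidance on the page. The Settings path change ("Work access page in **Settings**" to "**Settings** > **Access work or school**") is fine; the old registry lines (`HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` / `Value: DisableRegistration`) never stated the value data that disables enrollment, so check that the relocated text fixes that gap rather than carrying it forward.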
@ -93,6 +78,15 @@ The following scenarios don't allow MDM enrollments:
- Built-in administrator accounts on Windows desktop can't enroll into MDM. - Built-in administrator accounts on Windows desktop can't enroll into MDM.
- Standard users can't enroll in MDM. Only admin users can enroll. - Standard users can't enroll in MDM. Only admin users can enroll.
## Disable MDM enrollments
In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy.
Group Policy Path: **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
Corresponding registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)`
![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
## Enrollment error messages ## Enrollment error messages
The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows: The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows:
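Review bot: the registry line puts the value type inside the code span, `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)`, so it reads as part of the path; move `(REG_DWORD)` outside the backticks and state the value data that disables enrollment, since key name and type alone don't tell an admin what to set. "IT admin can disable" should be "IT admins can disable", and the screenshot now sits after the registry key rather than next to the Group Policy path it illustrates; keep it directly under the GP path line.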
@ -122,49 +116,17 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
**Sample error messages**: **Sample error messages**:
- **Namespace**: `s:` | Namespace | Subcode | Error | Description | HRESULT |
- **Subcode**: MessageFormat |-----------|----------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
- **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Invalid message from the Mobile Device Management (MDM) server. | 80180001 |
- **Description**: Invalid message from the Mobile Device Management (MDM) server. | s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. | 80180002 |
- **HRESULT**: 80180001 | s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. | 80180003 |
| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR | The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. | 80180004 |
| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | 80180005 |
| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. | 80180006 |
| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. | 80180007 |
- **Namespace**: `s:` In Windows 10, version 1507, `deviceenrollmentserviceerror` element was added. Here's an example:
- **Subcode**: Authentication
- **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR
- **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator.
- **HRESULT**: 80180002
- **Namespace**: `s:`
- **Subcode**: Authorization
- **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR
- **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator.
- **HRESULT**: 80180003
- **Namespace**: `s:`
- **Subcode**: CertificateRequest
- **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR
- **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator.
- **HRESULT**: 80180004
- **Namespace**: `s:`
- **Subcode**: EnrollmentServer
- **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
- **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator.
- **HRESULT**: 80180005
- **Namespace**: `a:`
- **Subcode**: InternalServiceFault
- **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
- **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator.
- **HRESULT**: 80180006
- **Namespace**: `a:`
- **Subcode**: InvalidSecurity
- **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
- **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator.
- **HRESULT**: 80180007
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example:
```xml ```xml
<s:envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"> <s:envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
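Review bot: the new table's first column is labelled "Namespace" but holds prefixes (`s:`, `a:`), which only mean something given the declarations in the envelope that follows (`xmlns:s="http://www.w3.org/2003/05/soap-envelope"`, `xmlns:a="http://www.w3.org/2005/08/addressing"`); rename the column "Namespace prefix" or add one sentence mapping the two prefixes to those URIs so a reader matching a fault can tell which namespace the subcode belongs to. The rewritten sentence is also missing an article: "the `deviceenrollmentserviceerror` element was added".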
@ -198,40 +160,15 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
**Sample error messages**: **Sample error messages**:
- **Subcode**: DeviceCapReached | Subcode | Error | Description | HRESULT |
- **Error**: MENROLL_E_DEVICECAPREACHED |-----------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
- **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. | DeviceCapReached | MENROLL_E_DEVICECAPREACHED | The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. | 80180013 |
- **HRESULT**: 80180013 | DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. | 80180014 |
| NotSupported | MENROLL_E_NOT_SUPPORTED | Mobile Device Management (MDM) is generally not supported for this device. | 80180015 |
- **Subcode**: DeviceNotSupported | NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. | 80180016 |
- **Error**: MENROLL_E_DEVICENOTSUPPORTED | InMaintenance | MENROLL_E_INMAINTENANCE | The Mobile Device Management (MDM) server states your account is in maintenance, try again later. | 80180017 |
- **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. | UserLicense | MENROLL_E_USER_LICENSE | There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. | 80180018 |
- **HRESULT**: 80180014 | InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. | 80180019 |
- **Subcode**: NotSupported
- **Error**: MENROLL_E_NOT_SUPPORTED
- **Description**: Mobile Device Management (MDM) is generally not supported for this device.
- **HRESULT**: 80180015
- **Subcode**: NotEligibleToRenew
- **Error**: MENROLL_E_NOTELIGIBLETORENEW
- **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
- **HRESULT**: 80180016
- **Subcode**: InMaintenance
- **Error**: MENROLL_E_INMAINTENANCE
- **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
- **HRESULT**: 80180017
- **Subcode**: UserLicense
- **Error**: MENROLL_E_USER_LICENSE
- **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
- **HRESULT**: 80180018
- **Subcode**: InvalidEnrollmentData
- **Error**: MENROLL_E_ENROLLMENTDATAINVALID
- **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
- **HRESULT**: 80180019
TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
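Review bot: the HRESULT column in this table (and in the first one) lists hexadecimal values without a `0x` prefix (`80180013` through `80180019`), so they can be misread as decimal when copied into a log search; write them as `0x80180013` and so on. In the unchanged context line, "server side state" should be hyphenated as "server-side state".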