deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

Browse Source
This commit is contained in:
huaping yu 2019-01-03 15:38:02 -08:00
commit bde2c861d6
4 changed files with 48 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/TOC.md
View File

@ -6,7 +6,7 @@
### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)

35
windows/client-management/mdm/on-premise-authentication-device-enrollment.md
View File

@ -1,6 +1,6 @@
---
title: On-premise authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy.
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47
ms.author: maricia
ms.topic: article
@ -10,13 +10,14 @@ author: MariciaAlforque
ms.date: 06/26/2017
---
# On-premise authentication device enrollment
# On-premises authentication device enrollment
This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this topic
- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment)
- [In this topic](#in-this-topic)
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
@ -27,9 +28,9 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
>[!NOTE]
>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
 
The devices automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http:<span></span>//enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
The first request is a standard HTTP GET request.
@ -126,9 +127,9 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
>[!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
 
The following example shows a response received from the discovery web service for OnPremise authentication:
``` syntax
@ -211,9 +212,9 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
>[!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
 
The following snippet shows the policy web service response.
``` syntax
@ -303,9 +304,9 @@ The RequestSecurityToken will use a custom TokenType (http:<span></span>//schema
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
>[!NOTE]
>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
 
The following example shows the enrollment web service request for OnPremise authentication.
``` syntax
@ -515,11 +516,3 @@ The following example shows the encoded provisioning XML.
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
 

2
windows/deployment/deploy-whats-new.md
View File

@ -155,5 +155,3 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra
<BR>[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
<BR>[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
<BR>[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)

138
windows/deployment/windows-autopilot/windows-autopilot.md
View File

@ -9,16 +9,16 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 10/02/2018
ms.date: 01/03/2018
---
# Overview of Windows Autopilot
**Applies to**
- Windows 10
- Windows 10
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.</br>
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.</br>
This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users.
@ -34,121 +34,41 @@ Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intu
The following video shows the process of setting up Windows Autopilot:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
<iframe width="560" height="315" src="https://www.youtube.com/embed/4K4hC5NchbE" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
## Benefits of Windows Autopilot
Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach.
Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.
From the users' perspective, it only takes a few simple operations to make their device ready to use.
From the user's perspective, it only takes a few simple operations to make their device ready to use.
From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated.
From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated.
## Requirements
Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported:
- Pro
- Pro Education
- Pro for Workstations
- Enterprise
- Education
See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements.
## Windows Autopilot Scenarios
### Cloud-Driven
Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user.
The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side.
Windows Autopilot enables you to:
* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)).
* Restrict the Administrator account creation.
* Create and auto-assign devices to configuration groups based on a device's profile.
* Customize OOBE content specific to the organization.
#### The Windows Autopilot Deployment Program experience
See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot.
The Windows Autopilot Deployment Program enables you to:
* Automatically join devices to Azure Active Directory (Azure AD)
* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites))
* Restrict the Administrator account creation
* Create and auto-assign devices to configuration groups based on a device's profile
* Customize OOBE content specific to the organization
##### Prerequisites
>[!NOTE]
>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options.
* [Devices must be registered to the organization](#device-registration-and-oobe-customization)
* [Company branding needs to be configured](#configure-company-branding-for-oobe)
* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements)
* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
* Devices must have access to the internet
* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal)
* Microsoft Intune or other MDM services to manage your devices
The end-user unboxes and turns on a new device. What follows are a few simple configuration steps:
* Select a language and keyboard layout
* Connect to the network
* Provide email address (the email address of the user's Azure AD account) and password
Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service).
MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
</br>
<iframe width="560" height="315" align="center" src="https://www.youtube-nocookie.com/embed/4K4hC5NchbE" frameborder="0" allowfullscreen></iframe>
#### Device registration and OOBE customization
To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf.
If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID.
Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703:
* Skipping Work or Home usage selection (*Automatic*)
* Skipping OEM registration, OneDrive and Cortana (*Automatic*)
* Skipping privacy settings
* Skipping EULA (*starting with Windows 10, version 1709*)
* Preventing the account used to set-up the device from getting local administrator permissions
For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options:
* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
##### Configure company branding for OOBE
In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.
See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings.
##### Configure MDM auto-enrollment in Microsoft Intune
In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details.
>[!NOTE]
>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription.
#### Network connectivity requirements
The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
* https://go.microsoft.com
* https://login.microsoftonline.com
* https://login.live.com
* https://account.live.com
* https://signup.live.com
* https://licensing.mp.microsoft.com
* https://licensing.md.mp.microsoft.com
* ctldl.windowsupdate.com
* download.windowsupdate.com
>[!NOTE]
>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
>[!TIP]
>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
### IT-Driven
If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
### Self-Deploying
Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying).
### Teacher-Driven
If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details.
## Related topics
[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot)