Set up Windows device management

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic helps IT administrators simplify Windows enrollment for their users. Windows devices can be enrolled without any additional steps, but you can make enrollment easier for users.

Two factors determine how you can simplify Windows device enrollment:

  • Do you use Azure Active Directory Premium?
    Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
  • What versions of Windows clients will enroll?
    Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll using the Company Portal app.

Windows version | Azure AD Premium | Other AD
Windows 10 | Automatic enrollment | User enrollment
Earlier Windows versions | User enrollment | User enrollment

Enable Windows 10 automatic enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their personally-owned devices or joining their corporate-owned devices to your Azure Active Directory. In the background, the user's device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.

Prerequisites

  • Azure Active Directory Premium subscription (trial subscription)
  • Microsoft Intune subscription

Configure automatic MDM enrollment

  1. Sign in to the Azure management portal (https://manage.windowsazure.com), and select Azure Active Directory.

  2. Select Mobility (MDM and MAM).

  3. Select Microsoft Intune.

  4. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These users' Windows 10 devices will be automatically enrolled for management with Microsoft Intune.

    • None
    • Some
    • All

  5. Use the default values for the following URLs:

    • MDM Terms of use URL
    • MDM Discovery URL
    • MDM Compliance URL
  6. Select Save.

By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. Before requiring two-factor authentication for this service, you must configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without automatic enrollment

You can let users enroll their devices without Azure AD Premium automatic enrollment. Once you assign licenses, users can enroll after adding their work account to their personally-owned devices or joining their corporate-owned devices to your Azure AD. Creating a DNS alias (CNAME record type) makes it easier for users to enroll their devices. If you create DNS CNAME resource records, users connect and enroll in Intune without having to enter the Intune server name.

Step 1: Create CNAMEs (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

If there is more than one verified domain, create a CNAME record for each domain. The CNAME resource records must contain the following information:

TYPE | Host name | Points to | TTL
CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 Hour
CNAME | EnterpriseRegistration.company_domain.com | EnterpriseRegistration.windows.net | 1 Hour

EnterpriseEnrollment-s.manage.microsoft.com – Supports a redirect to the Intune service with domain recognition from the email's domain name

If your company uses multiple domains for user credentials, create CNAME records for each domain.

Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until the DNS record propagates.

Step 2: Verify CNAME (optional)
In the Intune administration console, choose Admin > Mobile Device Management > Windows. Enter the URL of the verified domain of the company website in the Specify a verified domain name box, and then choose Test Auto-Detection.
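
The following is an added example, not part of the original Microsoft documentation: an offline audit that compares an exported set of DNS records against the two CNAME records required in Step 1 for every verified domain, which is useful while waiting for propagation before Test Auto-Detection. The zone text, the fabrikam.example domain and the function names are constructed for illustration; the one-line "owner TTL IN CNAME target" record format is an assumption about the export.

```python
# Added example: audit exported DNS records against the CNAME table in Step 1.
# The zone text and the fabrikam.example domain are constructed sample data.

REQUIRED = {  # host label -> required target, as given in the table
    "enterpriseenrollment": "enterpriseenrollment-s.manage.microsoft.com",
    "enterpriseregistration": "enterpriseregistration.windows.net",
}
EXPECTED_TTL = 3600  # "1 Hour" in the table


def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_cnames(zone_text):
    """Return {owner: (ttl, target)} from lines 'owner TTL IN CNAME target'."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            records[norm(fields[0])] = (int(fields[1]), norm(fields[4]))
    return records


def audit(zone_text, verified_domains):
    """List (fqdn, problem) for every required record that is absent or wrong."""
    records = parse_cnames(zone_text)
    findings = []
    for domain in verified_domains:
        for label, target in REQUIRED.items():
            fqdn = f"{label}.{norm(domain)}"
            if fqdn not in records:
                findings.append((fqdn, "missing"))
                continue
            ttl, actual = records[fqdn]
            if actual != target:
                findings.append((fqdn, f"points to {actual}"))
            elif ttl != EXPECTED_TTL:
                findings.append((fqdn, f"ttl {ttl}"))
    return findings


SAMPLE_ZONE = """\
EnterpriseEnrollment.contoso.com.   3600 IN CNAME EnterpriseEnrollment-s.manage.microsoft.com.
EnterpriseRegistration.contoso.com. 3600 IN CNAME EnterpriseRegistration.windows.net.
EnterpriseEnrollment.fabrikam.example. 3600 IN CNAME enrollment.fabrikam.example. ; stale target
"""

if __name__ == "__main__":
    for fqdn, problem in audit(SAMPLE_ZONE, ["contoso.com", "fabrikam.example"]):
        print(f"{fqdn}: {problem}")
```

A record whose target differs from the table sends enrollment discovery for that domain somewhere other than the Intune service, so treat any "points to" finding as a change to review rather than a cosmetic mismatch.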

Tell users how to enroll Windows devices

Tell your users how to enroll their Windows devices and what to expect after they're brought into management. For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also send users to What can my IT admin see on my device.

For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.

See also

Prerequisites for enrolling devices in Microsoft Intune