Windows Autopilot user-driven mode

Applies to

  • Windows 10, version 1809 or later

Windows Autopilot user-driven mode lets you configure new Windows 10 devices to automatically transform them from their factory state to a ready-to-use state. This process doesn't require that IT personnel touch the device.

The process is simple so that anyone can complete it. Devices can be shipped or distributed to the end user directly with simple instructions:

  1. Unbox the device, plug it in, and turn it on.
  2. Choose a language (only required when multiple languages are installed), locale, and keyboard.
  3. Connect it to a wireless or wired network with internet access. If using wireless, the user must establish the Wi-Fi link.
  4. Specify your e-mail address and password for your organization account.

The rest of the process is automated, as the device:

  1. Joins the organization.
  2. Enrolls in Intune (or another MDM service).
  3. Is configured as defined by the organization.

Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see Configuring Autopilot Profiles for options that are available.

Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. For more information about these two join options, see What is a device identity.

The process flow completed during the user-driven process is as follows:

  1. After connecting to a network, the device downloads a Windows Autopilot profile. The profile defines the settings used for the device. For example, it defines which prompts are suppressed during OOBE.
  2. Windows 10 checks for critical OOBE updates. If updates are available, they're automatically installed (rebooting if necessary).
  3. The user is prompted for Azure Active Directory credentials. This customized user experience shows the Azure AD tenant name, logo, and sign-in text.
  4. The device joins Azure Active Directory or Active Directory, depending on the Windows Autopilot profile settings.
  5. The device enrolls in Intune (or other configured MDM services). Depending on your organizational needs, this enrollment occurs:
    • during the Azure Active Directory join process using MDM auto-enrollment
    • or before the Active Directory join process.
  6. If configured, the enrollment status page (ESP) will be displayed.
  7. After the device configuration tasks complete, the user is signed into Windows 10 using the credentials they previously provided. (If the device reboots during the device ESP process, the user must reenter their credentials as these details aren't persisted across reboots.)
  8. After sign-in, the enrollment status page displays for user-targeted configuration tasks.

If any issues are found during this process, see the Windows Autopilot Troubleshooting documentation.

For more information on the available join options, see the following sections:

User-driven mode for Azure Active Directory join

To complete a user-driven deployment using Windows Autopilot, follow these preparation steps:

  1. Make sure that the users who will be performing user-driven mode deployments can join devices to Azure Active Directory. For more information, see Configure device settings in the Azure Active Directory documentation.
  2. Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and doesn't need to be selected.
  3. If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group.

For each device that will be deployed using user-driven deployment, these additional steps are needed:

  • Make sure that the device has been added to Windows Autopilot. Adding a device to Windows Autopilot can be done in two ways:
  • Ensure an Autopilot profile has been assigned to the device:
    • If using Intune and Azure Active Directory dynamic device groups, this assignment can be done automatically.
    • If using Intune and Azure Active Directory static device groups, manually add the device to the device group.
    • If using other methods (for example, Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device.

User-driven mode for hybrid Azure Active Directory join

Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment, you can join devices to your on-premises domain. To join the devices, you must configure Autopilot devices to be hybrid-joined to Azure Active Directory (Azure AD).


To perform a user-driven hybrid Azure AD joined deployment using Windows Autopilot:

  • A Windows Autopilot profile for user-driven mode must be created, and
    • Hybrid Azure AD joined must be specified as the selected option under "Join to Azure AD as" in the Autopilot profile.
  • If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
  • If using Intune, create and assign a Domain Join profile. A Domain Join configuration profile includes on-premises Active Directory domain information.
  • The device must be able to access the Internet. For more information, see the Windows Autopilot networking requirements.
  • The Intune Connector for Active Directory must be installed.
    • Note: The Intune Connector will perform an on-prem AD join. Therefore, users don't need on-prem AD-join permission. This assumes the Connector is configured to perform this action on the user's behalf.
  • If using a proxy, the WPAD Proxy settings option must be enabled and configured.

In addition to the core requirements for user-driven Hybrid Azure AD Join mentioned above, the following additional requirements apply to an on-prem scenario:

  • The device must be running Windows 10, version 1809 or later.
  • The device must have access to an Active Directory domain controller. It must be connected to the organization's network. It must be able to resolve the DNS records for the AD domain and the AD domain controller. It must be able to communicate with the domain controller to authenticate the user.

User-driven mode for hybrid Azure Active Directory join with VPN support

Devices joined to Active Directory require connectivity to an Active Directory domain controller for many activities. These activities include user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller.

With the addition of VPN support for this scenario, you can configure the Hybrid Azure AD Join process to skip the connectivity check. This doesn't eliminate the need for communicating with an Active Directory domain controller. Instead, to allow connection to the organization's network, Intune delivers the needed VPN configuration before the user attempts to sign in to Windows.


In addition to the core requirements for user-driven hybrid Azure AD join mentioned above, the following additional requirements apply to a remote scenario of Hybrid Azure AD Join with VPN support:

  • A supported version of Windows 10:
    • Windows 10 1903 + December 10 Cumulative update (KB4530684, OS build 18362.535) or higher
    • Windows 10 1909 + December 10 Cumulative update (KB4530684, OS build 18363.535) or higher
    • Windows 10 2004 or later
  • Enable the "Skip domain connectivity check" toggle in the Hybrid Azure AD Join Autopilot profile.
  • A VPN configuration that:
    • can be deployed with Intune and lets the user manually establish a VPN connection from the Windows logon screen, or
    • one that automatically establishes a VPN connection as needed.

The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself and any specific connection information, for example: VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.


The VPN requirements aren't specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts don't need connectivity since the cached credentials can be used.

In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This deployment can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.

User certificates aren't supported because they can't be deployed until the user logs in. Also, because they aren't installed until after the user signs in, non-Microsoft UWP VPN plug-ins delivered from the Windows Store aren't supported.


Before you attempt a hybrid Azure AD Join using VPN, it's important to confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network. This confirmation simplifies troubleshooting by making sure the core process works before adding the additional VPN configuration required.

Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed using Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process. So, you can validate the configuration using steps like these:

  • From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command.
  • Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName"
  • Log out and verify that the "VPN connection" icon can be seen on the Windows logon page.
  • Move the device off the corporate network and try to establish the connection using the icon on the Windows logon page. Sign into an account that doesn't have cached credentials.

For VPN configurations that automatically connect, the validation steps may be different.
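
The manual validation steps above, together with the supported-build requirement listed earlier, can be gathered into one pre-flight check run on the existing hybrid Azure AD joined test device. This is an added example, not part of the original documentation: the function names are hypothetical, build 19041 is assumed as the build number of Windows 10 2004, and the certificate check only matters when the VPN uses machine-certificate authentication.

```powershell
# Added example: pre-flight check for user-driven Hybrid Azure AD Join over VPN.
# Run elevated after Intune has delivered the VPN configuration to the device.
# Function names are hypothetical and not part of any Microsoft module.

function Test-AutopilotVpnBuild {
    param([int]$Build, [int]$Revision)
    switch ($Build) {
        18362   { return $Revision -ge 535 }   # 1903 + KB4530684
        18363   { return $Revision -ge 535 }   # 1909 + KB4530684
        default { return $Build -ge 19041 }    # 2004 (assumed build 19041) or later
    }
}

function Get-AutopilotVpnReadiness {
    param([string]$ConnectionName)   # optional: per-machine connection to dial

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Only per-machine (all-user) connections are available before sign-in.
    $vpn = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

    # Unexpired machine certificates with a private key and an explicit
    # Client Authentication EKU; user certificates are not usable here.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    })

    $dialed = $null
    if ($ConnectionName) {
        rasdial.exe $ConnectionName | Out-Null
        $dialed = ($LASTEXITCODE -eq 0)
        if ($dialed) { rasdial.exe $ConnectionName /disconnect | Out-Null }
    }

    [pscustomobject]@{
        OsBuild             = "$build.$ubr"
        BuildSupported      = Test-AutopilotVpnBuild -Build $build -Revision $ubr
        HasPerMachineVpn    = $vpn.Count -gt 0
        PerMachineVpnNames  = $vpn.Name
        MachineClientCerts  = $certs.Count
        ManualDialSucceeded = $dialed   # $null when no connection name was given
    }
}

Get-AutopilotVpnReadiness   # add -ConnectionName 'ConnectionName' to test dialing
```

The logon-screen icon and the off-network sign-in with an account that has no cached credentials still have to be checked by hand.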


Always On VPN can be used for this scenario. For more information, see the Deploy Always On VPN documentation. Note that Intune can't yet deploy the needed per-machine VPN profile.

To validate the process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. You can manually install the update during OOBE by first downloading the latest cumulative from Follow these steps:

  1. Press Shift-F10 to open a command prompt.
  2. Insert a USB key containing the downloaded update.
  3. Install the update using the command (substituting the real file name): WUSA.EXE .msu /quiet
  4. Reboot the computer using the command: shutdown.exe /r /t 0

Or, you can start Windows Update to install the latest updates:

  1. Press Shift-F10 to open a command prompt.
  2. Run the command "start ms-settings:"
  3. Navigate to the "Update & Security" node and check for updates.
  4. Reboot after the updates are installed.

Step-by-step instructions

See Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot.

Trying Out Autopilot Hybrid Join Over VPN In Your Azure Lab