Deploy hybrid Azure AD-joined devices by using Intune and Windows Autopilot

Applies to

  • Windows 10

You can use Intune and Windows Autopilot to set up hybrid Azure Active Directory (Azure AD)-joined devices. To do so, follow the steps in this article.

Prerequisites

Successfully configure your hybrid Azure AD-joined devices. Be sure to verify your device registration by using the Get-MsolDevice cmdlet.

The device to be enrolled must meet these requirements:

  • Use Windows 10 v1809 or later.
  • Have access to the internet, following the Windows Autopilot network requirements.
  • Have access to an Active Directory domain controller. The device must be connected to the organization's network so that it can:
    • Resolve the DNS records for the AD domain and the AD domain controller.
    • Communicate with the domain controller to authenticate the user.
  • Successfully ping the domain controller of the domain you're trying to join.
  • If a proxy is used, the WPAD proxy settings option must be enabled and configured.
  • Go through the out-of-box experience (OOBE).
  • Use an authorization type that Azure Active Directory supports in OOBE.
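As an added example that is not part of this article, the following PowerShell checks the OS and network prerequisites above from the device itself before OOBE is started. It uses only the DnsClient and NetTCPIP cmdlets that ship with Windows 10; the LDAP port test is an extra check of the "communicate with the domain controller" requirement, and contoso.com is a constructed placeholder domain.

```powershell
# Added example (not from the Microsoft article). Run on the device that is about to
# go through OOBE; 'contoso.com' below is a constructed placeholder.
function Test-HybridJoinPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $UsesProxy,
        [int] $MinimumBuild = 17763                 # Windows 10 v1809
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Target, $Passed) {
        $results.Add([pscustomobject]@{ Check = $Check; Target = $Target; Passed = [bool]$Passed })
    }

    # Requirement: Windows 10 v1809 or later.
    $build = [Environment]::OSVersion.Version.Build
    Add-Result 'Windows 10 build >= 17763 (v1809)' $build ($build -ge $MinimumBuild)

    # Requirement: resolve the DNS records for the AD domain ...
    $domainOk = $false
    try { $null = Resolve-DnsName -Name $Domain -ErrorAction Stop; $domainOk = $true } catch { }
    Add-Result 'Resolve AD domain' $Domain $domainOk

    # ... and for the domain controllers, via the DC locator SRV record.
    $dcs = @()
    try {
        $dcs = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
                 Where-Object { $_.NameTarget } |
                 Select-Object -ExpandProperty NameTarget -Unique)
    } catch { }
    Add-Result 'Resolve DC SRV records' "_ldap._tcp.dc._msdcs.$Domain" ($dcs.Count -gt 0)

    # Requirement: ping the DC and communicate with it (LDAP) to authenticate the user.
    foreach ($dc in $dcs) {
        Add-Result 'Ping domain controller' $dc (Test-Connection -ComputerName $dc -Count 1 -Quiet)
        $ldap = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        Add-Result 'LDAP (TCP 389) reachable' $dc $ldap.TcpTestSucceeded
    }

    # Requirement (proxy only): WPAD must be discoverable. DNS is one of the two WPAD
    # discovery paths (DHCP option 252 is the other), so a DNS miss is a hint, not proof.
    if ($UsesProxy) {
        $wpadOk = $false
        try { $null = Resolve-DnsName -Name "wpad.$Domain" -ErrorAction Stop; $wpadOk = $true } catch { }
        Add-Result 'WPAD host resolvable' "wpad.$Domain" $wpadOk
    }
    return $results
}

$report = Test-HybridJoinPrerequisites -Domain 'contoso.com'
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) {
    Write-Warning 'At least one prerequisite failed; fix it before starting OOBE.'
}
```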

Set up Windows 10 automatic enrollment

  1. Sign in to Azure. In the left pane, select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

  2. Make sure that users who deploy Azure AD-joined devices by using Intune and Windows are members of a group included in MDM User scope.

    Screenshot: Mobility (MDM and MAM) configuration pane

  3. Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save.

Increase the computer account limit in the Organizational Unit

The Intune Connector for Active Directory creates Autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.

In some domains, computers aren't granted the rights to create computers. Additionally, domains have a built-in limit (default of 10) that applies to all users and computers that aren't delegated rights to create computer objects. The rights must be delegated to the computers that host the Intune Connector on the organizational unit where hybrid Azure AD-joined devices are created.

The organizational unit that's granted the rights to create computers must match:

  • The organizational unit that's entered in the Domain Join profile.
  • If no profile is selected, the computer's domain name for your domain.

  1. Open Active Directory Users and Computers (DSA.msc).

  2. Right-click the organizational unit that you'll use to create hybrid Azure AD-joined computers > Delegate Control.

    Screenshot: Delegate Control command

  3. In the Delegation of Control wizard, select Next > Add > Object Types.

  4. In the Object Types pane, select Computers > OK.

    Screenshot: Object Types pane

  5. In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the name of the computer where the Connector is installed.

    Screenshot: Select Users, Computers, or Groups pane

  6. Select Check Names to validate your entry, and then select OK > Next.

  7. Select Create a custom task to delegate > Next.

  8. Select Only the following objects in the folder > Computer objects.

  9. Select Create selected objects in this folder and Delete selected objects in this folder.

    Screenshot: Active Directory Object Type pane

  10. Select Next.

  11. Under Permissions, select the Full Control check box. This action selects all the other options.

    Screenshot: Permissions pane

  12. Select Next > Finish.
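The same delegation the wizard performs, done with the ActiveDirectory RSAT module from a domain-joined admin host, as an added example that is not part of this article. The OU path and the connector host name are constructed placeholders, and the quota lookup at the top shows the built-in limit this section mentions.

```powershell
# Added example (not from the Microsoft article). Requires the ActiveDirectory module
# (RSAT) and an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDn          = 'OU=AutopilotDevices,DC=contoso,DC=com'   # placeholder OU
$connectorHost = 'INTUNECONN01'                            # placeholder: hosts the Intune Connector

# The built-in limit the article mentions: principals without delegated rights may
# create at most this many computer objects (default 10). Delegation bypasses it.
$domainDn = (Get-ADDomain).DistinguishedName
$quota    = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $domainDn = $quota"

# The connector runs as its machine account, so the ACEs are granted to COMPUTER$.
$sid = (Get-ADComputer -Identity $connectorHost).SID

# schemaIDGUID of the 'computer' class restricts the ACEs to computer objects only.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid] $computerClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# Wizard: "Create selected objects in this folder" and "Delete selected objects in this
# folder" for Computer objects, on the OU and any OUs beneath it.
$createDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($createDelete)

# Wizard: "Full Control" on the computer objects themselves (descendants only, not the OU).
$fullControl = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)
$acl.AddAccessRule($fullControl)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the ACEs the OU now holds for the connector's machine account.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$connectorHost`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 InheritanceType, ObjectType, InheritedObjectType -AutoSize
```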

Install the Intune Connector

The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later. The computer must also have access to the internet and your Active Directory. To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.

Note

If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that's able to create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from the domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.

The Intune Connector requires the same endpoints as Intune.

  1. Turn off IE Enhanced Security Configuration. By default, Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you're unable to sign in to the Intune Connector for Active Directory, turn off IE Enhanced Security Configuration for the Administrator. See How To Turn Off Internet Explorer Enhanced Security Configuration.
  2. In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Intune Connector for Active Directory > Add.
  3. Follow the instructions to download the Connector.
  4. Open the downloaded Connector setup file, ODJConnectorBootstrapper.exe, to install the Connector.
  5. At the end of the setup, select Configure.
  6. Select Sign In.
  7. Enter the credentials of a user with the Global Administrator or Intune Administrator role. The user account must have an assigned Intune license.
  8. Go to Devices > Windows > Windows enrollment > Intune Connector for Active Directory, and then confirm that the connection status is Active.

Note

After you sign in to the Connector, it might take a couple of minutes for it to appear in the Microsoft Endpoint Manager admin center. It appears only if it can successfully communicate with the Intune service.

Configure web proxy settings

If you have a web proxy in your networking environment, ensure that the Intune Connector for Active Directory works properly by referring to Work with existing on-premises proxy servers.

Create a device group

  1. In the Microsoft Endpoint Manager admin center, select Groups > New group.

  2. In the Group pane, choose the following options:

    1. For Group type, select Security.
    2. Enter a Group name and Group description.
    3. Select a Membership type.
  3. If you selected Dynamic Devices for the membership type, in the Group pane, select Dynamic device members.

  4. In the Advanced rule box, enter one of the following code lines:

    • To create a group that includes all your Autopilot devices, enter (device.devicePhysicalIDs -any _ -contains "[ZTDId]").
    • Intune's Group Tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all of your Autopilot devices with a specific Group Tag (OrderID), enter (device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881").
    • To create a group that includes all your Autopilot devices with a specific Purchase Order ID, enter (device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342").
  5. Select Save > Create.

Register your Autopilot devices

Select one of the following ways to register your Autopilot devices.

Register Autopilot devices that are already enrolled

  1. Create an Autopilot deployment profile with Convert all targeted devices to Autopilot set to Yes.
  2. Assign the profile to a group that contains the members that you want to automatically register with Autopilot.

For more information, see Create an Autopilot deployment profile.

Register Autopilot devices that aren't enrolled

If your devices aren't yet enrolled, you can register them yourself. For more information, see Manual registration.

Register devices from an OEM

If you're buying new devices, some OEMs can register the devices for you. For more information, see OEM registration.

Before they're enrolled in Intune, registered Autopilot devices are displayed in three places (with names set to their serial numbers):

  • The Autopilot Devices pane in Intune in the Azure portal. Select Device enrollment > Windows enrollment > Devices.
  • The Azure AD devices pane in Intune in the Azure portal. Select Devices > Azure AD Devices.
  • The Azure AD All Devices pane in Azure Active Directory in the Azure portal. Select Devices > All Devices.

After your Autopilot devices are enrolled, they're displayed in four places:

  • The Autopilot Devices pane in Intune in the Azure portal. Select Device enrollment > Windows enrollment > Devices.
  • The Azure AD devices pane in Intune in the Azure portal. Select Devices > Azure AD Devices.
  • The Azure AD All Devices pane in Azure Active Directory in the Azure portal. Select Devices > All Devices.
  • The All Devices pane in Intune in the Azure portal. Select Devices > All Devices.

After your Autopilot devices are enrolled, their names become the hostname of the device. By default, the hostname begins with DESKTOP-.

Create and assign an Autopilot deployment profile

Autopilot deployment profiles are used to configure the Autopilot devices.

  1. In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Deployment Profiles > Create Profile.
  2. On the Basics page, type a Name and optional Description.
  3. If you want all devices in the assigned groups to automatically convert to Autopilot, set Convert all targeted devices to Autopilot to Yes. All corporate-owned, non-Autopilot devices in assigned groups will register with the Autopilot deployment service. Personally owned devices won't be converted to Autopilot. Allow 48 hours for the registration to be processed. When the device is unenrolled and reset, Autopilot will enroll it. After a device is registered in this way, disabling this option or removing the profile assignment won't remove the device from the Autopilot deployment service. You must instead remove the device directly.
  4. Select Next.
  5. On the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven.
  6. In the Join to Azure AD as box, select Hybrid Azure AD joined.
  7. If you're deploying devices off the organization's network by using VPN support, set the Skip Domain Connectivity Check option to Yes. For more information, see User-driven mode for hybrid Azure Active Directory join with VPN support.
  8. Configure the remaining options on the Out-of-box experience (OOBE) page as needed.
  9. Select Next.
  10. On the Scope tags page, select scope tags for this profile.
  11. Select Next.
  12. On the Assignments page, select Select groups to include > search for and select the device group > Select.
  13. Select Next > Create.

It takes about 15 minutes for the device profile status to change from Not assigned to Assigning and, finally, to Assigned.

(Optional) Turn on the enrollment status page

  1. In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Enrollment Status Page.
  2. In the Enrollment Status Page pane, select Default > Settings.
  3. In the Show app and profile installation progress box, select Yes.
  4. Configure the other options as needed.
  5. Select Save.

Create and assign a Domain Join profile

  1. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create Profile.

  2. Enter the following properties:

    • Name: Enter a descriptive name for the new profile.
    • Description: Enter a description for the profile.
    • Platform: Select Windows 10 and later.
    • Profile type: Select Domain Join (Preview).
  3. Select Settings, and then provide a Computer name prefix and Domain name.

  4. (Optional) Provide an Organizational unit (OU) in DN format. Your options include:

    • Provide an OU in which you've delegated control to the Windows 2016 device that is running the Intune Connector.
    • Provide an OU in which you've delegated control to the root computers in your on-premises Active Directory.
    • If you leave this blank, the computer object will be created in the Active Directory default container (CN=Computers, if you never changed it).

    Here are some valid examples:

    • OU=Level 1,OU=Level2,DC=contoso,DC=com
    • OU=Mine,DC=contoso,DC=com

    Here are some examples that aren't valid:

    • CN=Computers,DC=contoso,DC=com (you can't specify a container; instead, leave the value blank to use the default for the domain)
    • OU=Mine (you must specify the domain via the DC= attributes)

    Note

    Don't use quotation marks around the value in Organizational unit.

  5. Select OK > Create. The profile is created and displayed in the list.

  6. Assign the device profile to the same group used in the Create a device group step. Different groups can be used if there's a need to join devices to different domains or OUs.

Note

The naming capabilities for Windows Autopilot for hybrid Azure AD join don't support variables such as %SERIAL%; they only support prefixes for the computer name.
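An added example, not from this article, that checks an Organizational unit value against the rules given in step 4 (DN format, an OU= component first, DC= components present, no CN= container, no quotation marks, blank allowed) and runs it over the article's own valid and invalid examples before a value is pasted into the Domain Join profile. The function name and its messages are mine.

```powershell
# Added example (not from the Microsoft article): validate the Organizational unit
# field of a Domain Join profile against the rules the article states for it.
function Test-DomainJoinOu {
    param([AllowEmptyString()] [string] $Ou)

    function New-OuResult($Valid, $Reason) {
        [pscustomobject]@{ Value = $Ou; Valid = $Valid; Reason = $Reason }
    }

    # Blank is allowed: the computer object goes to the domain's default container.
    if ([string]::IsNullOrWhiteSpace($Ou)) { return New-OuResult $true 'blank: default container (CN=Computers unless changed)' }

    # The article: don't use quotation marks around the value.
    if ($Ou -match '["'']') { return New-OuResult $false 'quotation marks are not allowed around the value' }

    # Split into RDNs on commas that are not escaped with a backslash.
    $rdns = @([regex]::Split($Ou, '(?<!\\),') | ForEach-Object { $_.Trim() })
    foreach ($rdn in $rdns) {
        if ($rdn -match '^(?<attr>[A-Za-z]+)\s*=\s*\S.*$') {
            switch ($Matches['attr'].ToUpper()) {
                'OU' { }
                'DC' { }
                'CN' { return New-OuResult $false 'containers (CN=) cannot be targeted; leave the field blank to use the default' }
                default { return New-OuResult $false "unsupported attribute '$($Matches['attr'])' in the path" }
            }
        } else {
            return New-OuResult $false "'$rdn' is not an attribute=value pair"
        }
    }
    # The article's valid examples start with an OU and name the domain with DC= components.
    if ($rdns[0] -notmatch '^OU\s*=') { return New-OuResult $false 'the path must start with an OU= component' }
    if (@($rdns -match '^DC\s*=').Count -eq 0) { return New-OuResult $false 'the domain must be specified with DC= attributes' }
    New-OuResult $true 'OK'
}

@(
    'OU=Level 1,OU=Level2,DC=contoso,DC=com'     # valid (from the article)
    'OU=Mine,DC=contoso,DC=com'                  # valid (from the article)
    'CN=Computers,DC=contoso,DC=com'             # invalid: a container (from the article)
    'OU=Mine'                                    # invalid: no DC= (from the article)
    '"OU=Mine,DC=contoso,DC=com"'                # invalid: quoted value
    ''                                           # blank: default container
) | ForEach-Object { Test-DomainJoinOu -Ou $_ } | Format-Table -AutoSize
```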

Next steps

After you configure Windows Autopilot, learn how to manage those devices. For more information, see What is Microsoft Intune device management?