Enroll Windows devices

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

This topic helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.

As an Intune admin, you can simplify enrollment in the following ways:

  • Enable automatic enrollment (Azure AD Premium required)
  • CNAME registration
  • Enable bulk enrollment (Azure AD Premium and Windows Configuration Designer required)

Two factors determine how you can simplify Windows device enrollment:

  • Do you use Azure Active Directory Premium?
    Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
  • What versions of Windows clients will users enroll?
    Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll using the Company Portal app.

|                          | Azure AD Premium     | Other AD        |
|--------------------------|----------------------|-----------------|
| Windows 10               | Automatic enrollment | User enrollment |
| Earlier Windows versions | User enrollment      | User enrollment |

Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the Windows Configuration Designer app.

Multi-user support
Devices that run the Windows 10 Creators Update, and are Azure Active Directory domain-joined, are now supported for multi-user management by Intune. When standard users log on with their Azure AD credentials, they receive apps and policies assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

Enable Windows 10 automatic enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their personally-owned devices or joining their corporate-owned devices to your Azure Active Directory. In the background, the user's device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.

Prerequisites

  • Azure Active Directory Premium subscription (trial subscription)
  • Microsoft Intune subscription

Configure automatic MDM enrollment

  1. Sign in to the Azure management portal (https://manage.windowsazure.com), and select Azure Active Directory.

  2. Select Mobility (MDM and MAM).

  3. Select Microsoft Intune.

  4. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These users' Windows 10 devices will be automatically enrolled for management with Microsoft Intune.

    • None
    • Some
    • All

  5. Use the default values for the following URLs:

    • MDM Terms of use URL
    • MDM Discovery URL
    • MDM Compliance URL

      Important

      If a user is a member of a group that has both automatic MDM enrollment and MAM enabled, and the user tries to workplace join their personal device, then only MAM is enabled.

  6. Select Save.

By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. Before requiring two-factor authentication for this service, you must configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without Azure AD Premium

You can simplify enrollment for your users by creating a DNS alias (CNAME record type) that automatically redirects enrollment requests to Intune servers. If you don't create a DNS CNAME resource record, users attempting to connect to Intune must enter the Intune server name during enrollment.

Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

| Type  | Host name                               | Points to                                   | TTL    |
|-------|-----------------------------------------|---------------------------------------------|--------|
| CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. If users at Contoso use name@contoso.com, but also use name@us.contoso.com and name@eu.contoso.com as their email/UPN, the Contoso DNS admin should create the following CNAMEs:

| Type  | Host name                           | Points to                                   | TTL    |
|-------|-------------------------------------|---------------------------------------------|--------|
| CNAME | EnterpriseEnrollment.contoso.com    | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
| CNAME | EnterpriseEnrollment.us.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
| CNAME | EnterpriseEnrollment.eu.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |

EnterpriseEnrollment-s.manage.microsoft.com – Supports a redirect to the Intune service with domain recognition from the email's domain name

Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until the DNS record propagates.

Step 2: Verify CNAME (optional)
In the Azure Intune portal, choose More Services > Monitoring + Management > Intune. On the Intune blade, choose Enroll devices > Windows Enrollment. Enter the company website URL in the Specify a verified domain name box, and then choose Test Auto-Detection.
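
The per-suffix records from Step 1 can also be audited with a script alongside Test Auto-Detection. The following is an added example, not part of the original page or of Intune: it derives the required EnterpriseEnrollment names from a list of UPNs and flags records that are missing or that point somewhere other than the documented target. The `lookup` callable, the sample zone and `mdm.example.net` are constructed assumptions; in practice `lookup` would wrap a real DNS query.

```python
# Added example: audit enrollment CNAMEs for every UPN suffix in use.
EXPECTED_TARGET = "enterpriseenrollment-s.manage.microsoft.com"  # target named on the page


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def upn_suffixes(upns):
    """Return the distinct domain parts of the given UPNs, sorted."""
    return sorted({normalize(u.rsplit("@", 1)[1]) for u in upns if "@" in u})


def audit_enrollment_cnames(upns, lookup):
    """Map each required EnterpriseEnrollment.<suffix> name to a status.

    lookup(name) must return the CNAME target as a string, or None when the
    record does not exist. Status is "ok", "missing" or "mismatch:<target>".
    """
    report = {}
    for suffix in upn_suffixes(upns):
        host = "enterpriseenrollment." + suffix
        target = lookup(host)
        if target is None:
            report[host] = "missing"  # users would have to type the server name
        elif normalize(target) == EXPECTED_TARGET:
            report[host] = "ok"
        else:
            # Enrollment requests for this suffix are redirected elsewhere.
            report[host] = "mismatch:" + normalize(target)
    return report


# Constructed sample data (not real DNS answers): one correct record, one
# pointing at an unexpected host, and no record at all for eu.contoso.com.
SAMPLE_ZONE = {
    "enterpriseenrollment.contoso.com": "EnterpriseEnrollment-s.manage.microsoft.com.",
    "enterpriseenrollment.us.contoso.com": "mdm.example.net.",
}
SAMPLE_UPNS = ["name@contoso.com", "Name@US.contoso.com", "name@eu.contoso.com"]


def sample_lookup(name):
    """Hypothetical resolver backed by SAMPLE_ZONE instead of live DNS."""
    return SAMPLE_ZONE.get(normalize(name))


if __name__ == "__main__":
    for host, status in audit_enrollment_cnames(SAMPLE_UPNS, sample_lookup).items():
        print(f"{host:45} {status}")
```

A "mismatch" result deserves attention before users enroll, because that record decides which server receives their enrollment requests.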

Tell users how to enroll Windows devices

Tell your users how to enroll their Windows devices and what to expect after they're brought into management. For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users to review What can my IT admin see on my device.

For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.

To submit feedback, go to Intune Feedback.