Set up enrollment for Windows devices

This article helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.

As an Intune admin, you can simplify enrollment in several ways. Two factors determine which options are available to you:

  • Do you use Azure Active Directory Premium?
    Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
  • Which versions of Windows client will users enroll?
    Windows 10 devices can enroll automatically when a work or school account is added. Earlier versions must enroll through the Company Portal app.

                              Azure AD Premium         Other AD
  Windows 10                  Automatic enrollment     User enrollment
  Earlier Windows versions    User enrollment          User enrollment

Organizations that can use automatic enrollment can also bulk-enroll devices by using the Windows Configuration Designer app.

Device enrollment prerequisites

Before an administrator can enroll devices in Intune for management, a license must already be assigned to that administrator's account. Read about assigning licenses for device enrollment.

Multi-user support

Intune supports multiple users on devices that both:

  • run the Windows 10 Creators Update, and
  • are Azure Active Directory joined.

When standard users sign in with their Azure AD credentials, they receive the apps and policies assigned to their user account. Only the device's primary user can use the Company Portal for self-service scenarios such as installing apps and performing device actions (Remove, Reset). On shared Windows 10 devices that have no primary user assigned, the Company Portal can still be used to install Available apps.

Enable Windows 10 automatic enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to a personally owned device or join a corporate-owned device to Azure Active Directory. In the background, the device registers with and joins Azure Active Directory; once registered, it is managed by Intune.

Prerequisites

  • Azure Active Directory Premium subscription (a trial subscription works)
  • Microsoft Intune subscription

Configure automatic MDM enrollment

  1. Sign in to the Azure portal, and select Azure Active Directory.
  2. Select Mobility (MDM and MAM).
  3. Select Microsoft Intune.
  4. Configure MDM user scope. This specifies which users' devices are managed by Microsoft Intune; the Windows 10 devices of those users enroll automatically for management with Intune.

    • None: MDM automatic enrollment is disabled.
    • Some: select the groups whose users can automatically enroll their Windows 10 devices.
    • All: all users can automatically enroll their Windows 10 devices.

      Important

      For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or for the same groups of users). The device will not be MDM-enrolled, and Windows Information Protection (WIP) policies will be applied if you have configured them. Such a device is outside Intune device management, so no compliance or device configuration policy reaches it.

      If your intent is to enable automatic MDM enrollment for Windows BYOD devices: set the MDM user scope to All (or Some, and specify a group) and set the MAM user scope to None (or Some, and specify a group, making sure that no user is a member of a group targeted by both the MDM and the MAM user scope).

      For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are enabled. The device is automatically enrolled in the configured MDM.

    Note

    The MDM user scope must be set to an Azure AD group that contains user objects.

  5. Use the default values for the following URLs:

    • MDM Terms of use URL
    • MDM Discovery URL
    • MDM Compliance URL
  6. Select Save.

By default, multi-factor authentication is not required for this service. However, requiring it when a device is registered is recommended: registration binds a device to the user's identity, and a stolen password alone should not be enough for an attacker to bring a device of their own under that identity. To require it, configure a multi-factor authentication provider in Azure AD and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

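To catch the scope overlap described in the Important note above before it silently leaves BYOD devices un-enrolled, the following PowerShell script reads the Intune MDM and MAM user scopes through Microsoft Graph and lists the users who fall in both. It is an added example, not Microsoft's documentation or tooling. It assumes the Microsoft Graph PowerShell SDK, the beta endpoints /policies/mobileDeviceManagementPolicies and /policies/mobileAppManagementPolicies (with appliesTo values none, all and selected), and that Microsoft Intune's policy id is 0000000a-0000-0000-c000-000000000000; confirm these against your tenant before relying on the output.

```powershell
# Added example (not Microsoft's code): compare the Intune MDM and MAM user scopes and
# report users targeted by both, since on BYOD devices MAM wins and the device is never
# MDM-enrolled. Requires the Microsoft.Graph SDK and Policy.Read.All + GroupMember.Read.All.

$IntunePolicyId = '0000000a-0000-0000-c000-000000000000'   # assumption: Intune's id in Mobility (MDM and MAM)

Connect-MgGraph -Scopes 'Policy.Read.All', 'GroupMember.Read.All' -NoWelcome

function Get-MobilityScope {
    param([Parameter(Mandatory)] [ValidateSet('mobileDeviceManagementPolicies', 'mobileAppManagementPolicies')] [string] $Kind)
    # assumption: beta endpoint; the policy carries appliesTo (none|all|selected) and includedGroups
    $uri = "https://graph.microsoft.com/beta/policies/$Kind/$IntunePolicyId" + '?$expand=includedGroups'
    $p = Invoke-MgGraphRequest -Method GET -Uri $uri
    [pscustomobject]@{
        Kind      = $Kind
        AppliesTo = [string] $p.appliesTo
        Groups    = @($p.includedGroups | ForEach-Object { [pscustomobject]@{ Id = $_.id; Name = $_.displayName } })
    }
}

function Get-TransitiveUsers {
    param([Parameter(Mandatory)] [string] $GroupId)
    # Nested membership counts: a user inherits a scope through any parent group, so use transitiveMembers.
    $uri = "https://graph.microsoft.com/v1.0/groups/$GroupId/transitiveMembers/microsoft.graph.user?`$select=id,userPrincipalName&`$top=999"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) { [pscustomobject]@{ Id = $u.id; Upn = $u.userPrincipalName } }
        $uri = $page.'@odata.nextLink'
    }
}

function Get-ScopeOverlap {
    param($Mdm, $Mam)
    if ($Mdm.AppliesTo -eq 'none' -or $Mam.AppliesTo -eq 'none') { return @() }
    if ($Mdm.AppliesTo -eq 'all' -and $Mam.AppliesTo -eq 'all') {
        return @([pscustomobject]@{ Id = '*'; Upn = '* (both scopes are All: every BYOD user)' })
    }
    $mdmUsers = if ($Mdm.AppliesTo -eq 'selected') { @($Mdm.Groups | ForEach-Object { Get-TransitiveUsers $_.Id }) }
    $mamUsers = if ($Mam.AppliesTo -eq 'selected') { @($Mam.Groups | ForEach-Object { Get-TransitiveUsers $_.Id }) }
    if ($Mdm.AppliesTo -eq 'all') { return $mamUsers }   # everyone in the MAM groups is also in the MDM scope
    if ($Mam.AppliesTo -eq 'all') { return $mdmUsers }
    $mamIds = @($mamUsers | ForEach-Object { $_.Id })
    return @($mdmUsers | Where-Object { $_.Id -in $mamIds })
}

$mdm = Get-MobilityScope -Kind mobileDeviceManagementPolicies
$mam = Get-MobilityScope -Kind mobileAppManagementPolicies
"MDM user scope: $($mdm.AppliesTo)  groups: $($mdm.Groups.Name -join ', ')"
"MAM user scope: $($mam.AppliesTo)  groups: $($mam.Groups.Name -join ', ')"

$overlap = Get-ScopeOverlap -Mdm $mdm -Mam $mam | Sort-Object Upn -Unique
if ($overlap) {
    $overlap | ForEach-Object { Write-Warning "in both the MDM and the MAM user scope: $($_.Upn)" }
} else {
    'No user is targeted by both scopes.'
}
```

Run it after changing either scope; any user it warns about will get WIP instead of MDM enrollment on a personally owned device until you remove them from one of the two groups.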
Simplify Windows enrollment without Azure AD Premium

To simplify enrollment, create a Domain Name System (DNS) alias (a CNAME record) that redirects enrollment requests to Intune's servers. Otherwise, users trying to connect to Intune must type the Intune server name during enrollment.

Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company's domain. For example, if your company's domain is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

Although creating the CNAME DNS entries is optional, the records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to enter the MDM server name, enrollment.manage.microsoft.com, manually.

  Type    Host name                                  Points to                                      TTL
  CNAME   EnterpriseEnrollment.company_domain.com    EnterpriseEnrollment-s.manage.microsoft.com    1 hour
  CNAME   EnterpriseRegistration.company_domain.com  EnterpriseRegistration.windows.net             1 hour

If the company uses more than one UPN suffix, create one CNAME for each domain name and point each one at EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following formats for their email address/UPN:

  • name@contoso.com
  • name@us.contoso.com
  • name@eu.contoso.com

The Contoso DNS admin should create the following CNAMEs:

  Type    Host name                            Points to                                      TTL
  CNAME   EnterpriseEnrollment.contoso.com     EnterpriseEnrollment-s.manage.microsoft.com    1 hour
  CNAME   EnterpriseEnrollment.us.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com    1 hour
  CNAME   EnterpriseEnrollment.eu.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com    1 hour

EnterpriseEnrollment-s.manage.microsoft.com supports a redirect to the Intune service with domain recognition taken from the domain part of the user's email address.

Changes to DNS records can take up to 72 hours to propagate. You can't verify the DNS change in Intune until the record has propagated.

Other endpoints that still work but are no longer supported

EnterpriseEnrollment-s.manage.microsoft.com is the preferred FQDN for enrollment. Two other endpoints that customers have used in the past still work, but they are no longer supported. EnterpriseEnrollment.manage.microsoft.com (without the -s) and manage.microsoft.com both work as the target of the auto-discovery CNAME, but the user has to tap OK on a confirmation message. If you point to EnterpriseEnrollment-s.manage.microsoft.com, the user doesn't have to do that extra confirmation step, so this is the recommended configuration.

Alternate methods of redirection are not supported

Using a method other than the CNAME configuration is not supported. For example, using a proxy server to redirect enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc to either enterpriseenrollment-s.manage.microsoft.com/EnrollmentServer/Discovery.svc or manage.microsoft.com/EnrollmentServer/Discovery.svc is not supported.

Step 2: Verify CNAME (optional)

  1. In the Microsoft Endpoint Manager admin center, choose Devices > Windows > Windows enrollment > CNAME Validation.
  2. In the Domain box, enter the company domain and then choose Test.

Tell users how to enroll Windows devices

Tell your users how to enroll their Windows devices and what to expect after the devices are brought under management.

Note

End users must open the Company Portal website in Microsoft Edge to see the Windows apps you've assigned for specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, don't support this kind of filtering.

For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also point users to What can my IT admin see on my device.

Important

If you haven't enabled automatic MDM enrollment but have Windows 10 devices that are joined to Azure AD, two records for each such device will appear in the Intune console after enrollment. You can prevent this by making sure that users with Azure AD joined devices go to Accounts > Access work or school and Connect using the same account.

For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.

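After a device has joined Azure AD, confirm on the device itself that automatic MDM enrollment actually happened, and that it happened once and under the right account. The following PowerShell script is an added example, not Microsoft's code. It assumes that dsregcmd /status prints the fields AzureAdJoined and MdmUrl as "Name : Value" lines, and that each Intune enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID set to MS DM Server together with the UPN and DiscoveryServiceFullURL values; run it in an elevated PowerShell prompt on the Windows 10 device.

```powershell
# Added example (not Microsoft's code): verify that automatic MDM enrollment followed the
# Azure AD join, and surface the "joined but not enrolled" state behind the Important note.

function Get-DsregValue {
    param([string[]] $Status, [string] $Name)
    # dsregcmd prints "Name : Value"; return the value of the first matching line ('' if absent).
    $line = $Status | Where-Object { $_ -match "^\s*$Name\s*:" } | Select-Object -First 1
    ($line -replace "^\s*$Name\s*:\s*", '').Trim()
}

$status = dsregcmd /status
$joined = Get-DsregValue -Status $status -Name 'AzureAdJoined'   # expected: YES
$mdmUrl = Get-DsregValue -Status $status -Name 'MdmUrl'          # assumption: the discovery URL Azure AD handed out
"AzureAdJoined : $joined"
"MdmUrl        : $mdmUrl"

# Every MDM enrollment gets a GUID key under Enrollments; the Intune one has ProviderID 'MS DM Server'.
# Non-GUID subkeys (Context, Status, ...) have no ProviderID and are filtered out.
$enrollments = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' })

foreach ($e in $enrollments) {
    [pscustomobject]@{
        EnrollmentId = Split-Path -Path $e.PSPath -Leaf
        Upn          = $e.UPN
        Discovery    = $e.DiscoveryServiceFullURL
        Type         = $e.EnrollmentType
    }
}

if ($joined -eq 'YES' -and $enrollments.Count -eq 0) {
    Write-Warning ('Azure AD joined but not enrolled in Intune: check the MDM user scope, whether the user ' +
                   'is also in the MAM user scope (BYOD), or whether the device was enrolled under a different account.')
}
if ($enrollments.Count -gt 1) {
    # More than one Intune enrollment on a device is what produces the duplicate console records.
    Write-Warning "$($enrollments.Count) Intune enrollments found; expected exactly one."
}
```

Compare the Discovery value with the MDM Discovery URL configured in step 5 of the automatic MDM enrollment procedure; a device that shows AzureAdJoined YES but no enrollment row is the case the Important note describes.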
Registration and enrollment CNAMEs

Azure Active Directory uses a separate CNAME for device registration of iOS/iPadOS, Android, and Windows devices. Intune conditional access requires devices to be registered, also called "workplace joined". If you plan to use conditional access, also configure the EnterpriseRegistration CNAME for each company domain name you have.

  Type    Host name                                  Points to                            TTL
  CNAME   EnterpriseRegistration.company_domain.com  EnterpriseRegistration.windows.net   1 hour

For more information about device registration, see Manage device identities using the Azure portal.

Windows 10 auto enrollment and device registration

This section applies to US Government cloud customers.

Although creating the CNAME DNS entries is optional, the records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to enter the MDM server name, enrollment.manage.microsoft.us, manually.

  Type    Host name                                  Points to                                     TTL
  CNAME   EnterpriseEnrollment.company_domain.com    EnterpriseEnrollment-s.manage.microsoft.us    1 hour
  CNAME   EnterpriseRegistration.company_domain.com  EnterpriseRegistration.windows.net            1 hour

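The following PowerShell script is an added example, not Microsoft's code, that applies to the CNAME tables in Step 1 and in the US Government cloud section above. It builds the records Intune expects for each UPN suffix and checks what a public resolver returns for them, distinguishing the preferred -s target from the legacy targets that still work but are unsupported (and make users confirm a prompt). It assumes the Resolve-DnsName cmdlet of the Windows DNS client; the resolver address 8.8.8.8 is only an example, so use one your users' devices actually rely on.

```powershell
# Added example (not Microsoft's code): generate the expected enrollment/registration CNAMEs
# for each UPN suffix and verify them in public DNS. Target names are the ones from this article.

function Get-ExpectedEnrollmentCnames {
    param(
        [Parameter(Mandatory)] [string[]] $UpnSuffix,
        [ValidateSet('Commercial', 'USGov')] [string] $Cloud = 'Commercial'
    )
    $enrollTarget = if ($Cloud -eq 'USGov') { 'EnterpriseEnrollment-s.manage.microsoft.us' }
                    else                    { 'EnterpriseEnrollment-s.manage.microsoft.com' }
    foreach ($s in $UpnSuffix) {
        [pscustomobject]@{ Host = "EnterpriseEnrollment.$s";   Target = $enrollTarget }
        # Device-registration CNAME (needed for conditional access); identical in both clouds.
        [pscustomobject]@{ Host = "EnterpriseRegistration.$s"; Target = 'EnterpriseRegistration.windows.net' }
    }
}

function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record,
        [string] $Server = '8.8.8.8'   # example resolver; -DnsOnly skips the local cache and hosts file
    )
    process {
        $answer = Resolve-DnsName -Name $Record.Host -Type CNAME -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $actual  = $answer.NameHost
        $legacy  = 'EnterpriseEnrollment.manage.microsoft.com', 'manage.microsoft.com'
        # -eq / -in are case-insensitive in PowerShell, which is what DNS names need.
        $state = if (-not $actual) { 'MISSING' }
                 elseif ($actual -eq $Record.Target) { 'OK' }
                 elseif ($Record.Target -like '*.manage.microsoft.com' -and $actual -in $legacy) { 'LEGACY: works, unsupported, user must confirm' }
                 else { 'WRONG' }
        [pscustomobject]@{ Host = $Record.Host; Expected = $Record.Target; Actual = $actual; State = $state }
    }
}

# Usage: the Contoso example from Step 1, three UPN suffixes; add -Cloud USGov for the Government cloud.
Get-ExpectedEnrollmentCnames -UpnSuffix 'contoso.com', 'us.contoso.com', 'eu.contoso.com' |
    Test-EnrollmentCname | Format-Table -AutoSize
```

A WRONG row means something other than Microsoft's endpoint answers the enrollment discovery name for that suffix, which is worth investigating rather than just fixing: whoever controls that target receives the enrollment requests of your users.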
Next steps