Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices while still maintaining access to on-premises resources that require local authentication. To set up this protection, you implement Hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

This video describes the steps for setting this up for the most common scenario; the same steps are detailed in the sections that follow.

Before you get started, make sure you complete these steps:

  • Synchronize users to Azure AD with Azure AD Connect.
  • Complete Azure AD Connect Organizational Unit (OU) sync.
  • Make sure all the domain users you sync have licenses to Microsoft 365 Business Premium.

See Synchronize domain users to Microsoft for the steps.

1. Verify MDM Authority in Intune

Go to Endpoint Manager and, on the Microsoft Intune page, select Device enrollment. On the Overview page, make sure MDM authority is Intune.

  • If MDM authority is None, click MDM authority to set it to Intune.
  • If MDM authority is Microsoft Office 365, go to Devices > Enroll devices and use the Add MDM authority dialog on the right to add the Intune MDM authority (the Add MDM Authority dialog is only available if the MDM authority is set to Microsoft Office 365).

2. Verify Azure AD is enabled for joining computers

  • Go to the admin center at https://admin.microsoft.com and select Azure Active Directory in the Admin centers list (select Show all if Azure Active Directory is not visible).
  • In the Azure Active Directory admin center, go to Azure Active Directory, choose Devices, and then Device settings.
  • Verify Users may join devices to Azure AD is enabled.
    1. To enable all users, set to All.
    2. To enable specific users, set to Selected to enable a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

3. Verify Azure AD is enabled for MDM

  • Go to the admin center at https://admin.microsoft.com and select Endpoint Management (select Show all if Endpoint Manager is not visible).
  • In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Windows Enrollment > Automatic Enrollment.
  • Verify MDM user scope is enabled.
    1. To enroll all computers, set to All. This automatically enrolls all user computers that are joined to Azure AD, and new computers when users add a work account to Windows.
    2. Set to Some to enroll the computers of a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

4. Create the required resources

Performing the tasks required to configure hybrid Azure AD join has been simplified through the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet found in the SecMgmt PowerShell module. When you invoke this cmdlet, it creates and configures the required service connection point and group policy.

You can install this module by invoking the following from a PowerShell session:

Install-Module SecMgmt

Important

It is recommended that you install this module on the Windows Server running Azure AD Connect.

To create the required service connection point and group policy, invoke the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet. You will need your Microsoft 365 Business Premium global admin credentials for this task. When you are ready to create the resources, invoke the following:

PS C:\> Connect-SecMgmtAccount
PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'

The first command establishes a connection with the Microsoft cloud; when you are prompted, specify your Microsoft 365 Business Premium global admin credentials. The second command creates the service connection point and a group policy with the display name Device Management. Link that policy where you want it to apply:

  1. In the Group Policy Management Console (GPMC), right-click the location where you want to link the policy and select Link an Existing GPO... from the context menu.
  2. Select the policy created in the previous step, then click OK.
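The following added script (not from the page or the SecMgmt module) runs the step 4 commands, links the resulting GPO from PowerShell instead of the GPMC, and checks that the service connection point (SCP) hybrid-join clients rely on actually exists. The target OU distinguished name is a placeholder, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed on the host where you run it.

```powershell
# Added example: run step 4, link the GPO, and verify the SCP.
# Run as a domain admin on the Azure AD Connect server (or another
# domain-joined host with the GroupPolicy and ActiveDirectory modules).
$GpoName  = 'Device Management'
$TargetOu = 'OU=Workstations,DC=contoso,DC=local'   # placeholder: your computers' OU

Install-Module SecMgmt -Scope CurrentUser -Force
Import-Module SecMgmt, GroupPolicy, ActiveDirectory

# Step 4 as on the page: sign in with a global admin, then create the
# SCP and the group policy that turns on automatic MDM enrollment.
Connect-SecMgmtAccount
Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName $GpoName

# Link the new GPO to the OU: the PowerShell equivalent of "Link an Existing GPO...".
# Skip the link if it is already present so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Verify the SCP. Hybrid-join clients look it up at the well-known location
# CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,
# CN=Services in the Configuration partition; its keywords name the Azure AD tenant.
$configNc = (Get-ADRootDSE).configurationNamingContext
$scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
$scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
if ($null -eq $scp) {
    Write-Warning "SCP not found at $scpDn; devices cannot discover the tenant for hybrid join."
} else {
    $scp.keywords | ForEach-Object { Write-Output "SCP keyword: $_" }
}
```

If the SCP check warns, re-run the Initialize cmdlet with a global admin account before troubleshooting the clients; a missing SCP is the usual reason a domain-joined device never attempts the Azure AD registration.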

Get the latest Administrative Templates

If you do not see the policy Enable automatic MDM enrollment using default Azure AD credentials, it may be because you don't have the ADMX installed for Windows 10, version 1803, version 1809, or version 1903. To fix the issue, follow these steps (note: the latest MDM.admx is backwards compatible):

  1. Download: Administrative Templates (.admx) for Windows 10 May 2019 Update (1903).
  2. Install the package on the Primary Domain Controller (PDC).
  3. Navigate to the folder for your version, for example C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3.
  4. Rename the Policy Definitions folder in the above path to PolicyDefinitions.
  5. Copy the PolicyDefinitions folder to C:\Windows\SYSVOL\domain\Policies.
    • If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.
  6. Restart the Primary Domain Controller for the policy to be available. This procedure will work for any future version as well.
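As an added example (not the page's own), this script performs steps 3 to 5 on the PDC and then confirms that MDM.admx, the template that defines the enrollment policy, landed in SYSVOL. The install path is the one named on the page; that the en-US .adml carries the policy's display string, and that the SYSVOL path on a DC is what the domain's central store publishes, are assumptions stated in the comments.

```powershell
# Added example: publish the installed Administrative Templates to SYSVOL and
# confirm MDM.admx is in place. Run on the Primary Domain Controller as a domain admin.
$Install = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3'
# Assumption: on a DC this folder is what \\<domain>\SYSVOL\<domain>\Policies publishes,
# so the copy also serves as the domain's central policy store.
$Store   = 'C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'

# Step 4 on the page: the package extracts to "Policy Definitions" (with a space); rename it.
$spaced = Join-Path $Install 'Policy Definitions'
$Source = Join-Path $Install 'PolicyDefinitions'
if ((Test-Path $spaced) -and -not (Test-Path $Source)) {
    Rename-Item -Path $spaced -NewName 'PolicyDefinitions'
}
if (-not (Test-Path $Source)) { throw "No PolicyDefinitions folder under $Install" }

# Step 5: copy the .admx files and the language subfolders (.adml) into SYSVOL.
# Older templates already there are overwritten; the page notes the newest MDM.admx
# is backwards compatible, so this is safe for earlier Windows 10 releases.
New-Item -ItemType Directory -Path $Store -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*') -Destination $Store -Recurse -Force

# Verify: the .admx must exist and (assumption) the en-US .adml should contain the
# display string the page tells you to look for in GPMC.
$admx = Join-Path $Store 'MDM.admx'
$adml = Join-Path $Store 'en-US\MDM.adml'
if (-not (Test-Path $admx)) {
    Write-Warning "MDM.admx missing from $Store; the enrollment policy will not show in GPMC."
} elseif ((Test-Path $adml) -and
          (Select-String -Path $adml -Pattern 'automatic MDM enrollment' -SimpleMatch -Quiet)) {
    Write-Output "MDM template deployed; restart the PDC (page step 6) and reopen GPMC."
} else {
    Write-Warning "MDM.admx copied but its en-US .adml lacks the expected policy string."
}
```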

At this point you should be able to see the policy Enable automatic MDM enrollment using default Azure AD credentials.