Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium

If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices while still maintaining access to on-premises resources that require local authentication. To set up this protection, you can implement Hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

This video describes the steps for setting this up for the most common scenario, which is also detailed in the steps that follow.

Before you get started, make sure you complete these steps:

  • Synchronize users to Azure AD with Azure AD Connect.
  • Complete Azure AD Connect Organizational Unit (OU) sync.
  • Make sure all the domain users you sync have licenses for Microsoft 365 Business Premium.

See Synchronize domain users to Microsoft for the steps.

1. Verify MDM Authority in Intune

Go to Endpoint Manager and on the Microsoft Intune page, select Device enrollment, then on the Overview page, make sure MDM authority is Intune.

  • If MDM authority is None, click MDM authority to set it to Intune.
  • If MDM authority is Microsoft Office 365, go to Devices > Enroll devices and use the Add MDM authority dialog on the right to add Intune MDM authority (the Add MDM Authority dialog is only available if the MDM Authority is set to Microsoft Office 365).

2. Verify Azure AD is enabled for joining computers

  • Go to the admin center at https://admin.microsoft.com and select Azure Active Directory (select Show all if Azure Active Directory is not visible) in the Admin centers list.
  • In the Azure Active Directory admin center, go to Azure Active Directory, choose Devices and then Device settings.
  • Verify Users may join devices to Azure AD is enabled.
    1. To enable all users, set to All.
    2. To enable specific users, set to Selected to enable a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

3. Verify Azure AD is enabled for MDM

  • Go to the admin center at https://admin.microsoft.com and select Endpoint Manager (select Show all if Endpoint Manager is not visible).

  • In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Windows Enrollment > Automatic Enrollment.

  • Verify MDM user scope is enabled.

    1. To enroll all computers, set to All to automatically enroll all user computers that are joined to Azure AD, and new computers when the users add a work account to Windows.
    2. Set to Some to enroll the computers of a specific group of users.
      • Add the desired domain users synced in Azure AD to a security group.
      • Choose Select groups to enable MDM user scope for that security group.

4. Create the required resources

Performing the required tasks to configure hybrid Azure AD join has been simplified through the use of the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet found in the SecMgmt PowerShell module. When you invoke this cmdlet, it creates and configures the required service connection point and group policy.

You can install this module by invoking the following from a PowerShell session:

Install-Module SecMgmt

Important

It is recommended that you install this module on the Windows Server running Azure AD Connect.

To create the required service connection point and group policy, you will invoke the Initialize-SecMgmtHybirdDeviceEnrollment cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:

PS C:\> Connect-SecMgmtAccount
PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'

The first command establishes a connection with the Microsoft cloud; when you are prompted, specify your Microsoft 365 Business Premium global admin credentials.

  1. In the Group Policy Management Console (GPMC), right-click the location where you want to link the policy and select Link an existing GPO... from the context menu.
  2. Select the policy created in the step above, then click OK.
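The following is an added verification script, not part of the SecMgmt module or of this article: it checks that the service connection point and the 'Device Management' GPO the cmdlet is expected to create are present, and that the GPO is actually linked. It assumes the RSAT ActiveDirectory and GroupPolicy modules are available on the server, and that the GPO is linked at the domain root (adjust $linkTarget if you linked it to an OU).

```powershell
# Added example: verify the resources created by Initialize-SecMgmtHybirdDeviceEnrollment.
# Assumes RSAT ActiveDirectory and GroupPolicy modules on a domain-joined server.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# The hybrid join SCP lives under the Configuration partition at the well-known
# name documented by Microsoft for device registration.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    Write-Output "SCP found: $($scp.DistinguishedName)"
    # keywords should carry 'azureADName:<tenant domain>' and 'azureADId:<tenant id>';
    # clients use these to find the tenant to register with.
    $scp.keywords | ForEach-Object { Write-Output "  $_" }
    $tenantIds = @($scp.keywords | Where-Object { $_ -like 'azureADId:*' })
    if ($tenantIds.Count -eq 0) {
        Write-Warning "SCP has no azureADId keyword; re-run the cmdlet."
    }
}
catch {
    Write-Warning "SCP not found at $scpDn. The cmdlet may not have completed."
}

# GPO created with -GroupPolicyDisplayName 'Device Management' (value used in this article).
$gpoName    = 'Device Management'
$linkTarget = (Get-ADDomain).DistinguishedName   # assumption: linked at the domain root
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue

if ($null -eq $gpo) {
    Write-Warning "GPO '$gpoName' does not exist."
}
else {
    Write-Output "GPO '$gpoName' exists (Id $($gpo.Id))."
    # An unlinked GPO applies to nothing, so check the link as well.
    $links = (Get-GPInheritance -Target $linkTarget).GpoLinks |
             Where-Object { $_.DisplayName -eq $gpoName }
    if ($links) {
        Write-Output "GPO '$gpoName' is linked at $linkTarget (Enabled: $($links.Enabled))."
    }
    else {
        Write-Warning "GPO '$gpoName' is not linked at $linkTarget; link it in GPMC (steps 1-2 above)."
    }
}
```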

Get the latest Administrative Templates

If you do not see the policy Enable automatic MDM enrollment using default Azure AD credentials, it may be because you don't have the ADMX installed for Windows 10, version 1803, or later. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):

  1. Download: Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2).
  2. Install the package on a Domain Controller.
  3. Navigate, depending on the Administrative Templates version, to the folder: C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2).
  4. Rename the Policy Definitions folder in the above path to PolicyDefinitions.
  5. Copy the PolicyDefinitions folder to your SYSVOL share, by default located at C:\Windows\SYSVOL\domain\Policies.
    • If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.
  6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.
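As an added example (not from the article), the script below carries out steps 3 to 5 for a domain-wide central store and then verifies that MDM.admx and its en-US resource file carrying the policy name are present. It assumes the 20H2 package from step 1 is already installed on the Domain Controller where it runs, and that the ActiveDirectory module is available to resolve the domain name.

```powershell
# Added example: populate the domain central store with the 20H2 templates
# and verify the MDM policy is available. Run on the DC from step 2.
Import-Module ActiveDirectory

$templateRoot = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)'
$source       = Join-Path $templateRoot 'Policy Definitions'   # folder name before the rename in step 4
$domainFqdn   = (Get-ADDomain).DNSRoot                          # assumption: domain of this DC
# Central store path (the domain-wide option under step 5); SYSVOL replicates it to all DCs.
$centralStore = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) {
    throw "Template folder not found: $source (is the .admx package from step 1 installed?)"
}

# Create the store if needed, then copy the .admx files and the en-US .adml
# resource files (repeat the .adml copy for any other locale you use).
New-Item -ItemType Directory -Path (Join-Path $centralStore 'en-US') -Force | Out-Null
Copy-Item -Path (Join-Path $source '*.admx')       -Destination $centralStore -Force
Copy-Item -Path (Join-Path $source 'en-US\*.adml') -Destination (Join-Path $centralStore 'en-US') -Force

# Verify: MDM.admx must exist and MDM.adml must contain the display name of the
# policy this article says you should now see in GPMC.
$admx       = Join-Path $centralStore 'MDM.admx'
$adml       = Join-Path $centralStore 'en-US\MDM.adml'
$policyText = 'Enable automatic MDM enrollment using default Azure AD credentials'

if (-not (Test-Path $admx)) { throw "MDM.admx is missing from the central store: $admx" }

if (Select-String -Path $adml -SimpleMatch -Pattern $policyText -Quiet) {
    Write-Output "Central store ready: '$policyText' is defined in $adml"
}
else {
    Write-Warning "MDM.adml does not contain the expected policy; the templates may predate version 1803."
}
```

With several Domain Controllers, step 6 still applies: wait for SYSVOL replication before expecting the policy to appear on the other DCs.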

At this point you should be able to see the policy Enable automatic MDM enrollment using default Azure AD credentials.
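To confirm end to end that a client was actually hybrid joined and enrolled, the added script below (not part of the article) parses the built-in dsregcmd /status output on a Windows 10 device. It assumes the device has rebooted and a synced domain user has signed in after the policy was linked.

```powershell
# Added example: client-side check of hybrid Azure AD join and MDM enrollment.
# Run in an elevated PowerShell on the Windows 10 device.
$status = @{}
dsregcmd /status | ForEach-Object {
    # Lines look like '             AzureAdJoined : YES'; values may themselves contain colons (URLs).
    if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
}

$domainJoined = $status['DomainJoined'] -eq 'YES'
$aadJoined    = $status['AzureAdJoined'] -eq 'YES'
Write-Host ("{0,-15} {1}" -f 'DomainJoined', $status['DomainJoined'])
Write-Host ("{0,-15} {1}" -f 'AzureAdJoined', $status['AzureAdJoined'])

if ($domainJoined -and $aadJoined) {
    Write-Host "Device is hybrid Azure AD joined (DeviceId $($status['DeviceId']), tenant $($status['TenantName']))."
}
else {
    Write-Warning "Device is not hybrid joined yet: check the SCP, the linked GPO, and that the computer object synced to Azure AD."
}

# MdmUrl is populated once the 'Enable automatic MDM enrollment' policy has enrolled the device.
if ($status['MdmUrl']) {
    Write-Host "MDM enrollment URL: $($status['MdmUrl'])"
}
else {
    Write-Warning "No MdmUrl reported: MDM enrollment has not happened (check MDM user scope and the policy)."
}
```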