Configure On-Premises Conditional Access using registered devices

Applies To: Windows Server 2016, Windows Server 2012 R2

The following document will guide you through installing and configuring on-premises conditional access with registered devices.


Infrastructure pre-requisites

The following pre-requisites are required before you can begin with on-premises conditional access.

  • An Azure AD subscription with Azure AD Premium: to enable device write back for on-premises conditional access. A free trial is fine.
  • Intune subscription: only required for MDM integration for device compliance scenarios. A free trial is fine.
  • Azure AD Connect: November 2015 QFE or later. Get the latest version here.
  • Windows Server 2016: build 10586 or newer for AD FS.
  • Windows Server 2016 Active Directory schema: schema level 85 or higher is required.
  • Windows Server 2016 domain controller: this is only required for Hello for Business key-trust deployments. Additional information can be found here.
  • Windows 10 client: build 10586 or newer, joined to the above domain; required for Windows 10 domain join and Microsoft Passport for Work scenarios only.
  • Azure AD user account with Azure AD Premium license assigned: for registering the device.

Upgrade your Active Directory Schema

In order to use on-premises conditional access with registered devices, you must first upgrade your AD schema. The following conditions must be met:

  • The schema should be version 85 or later
  • This is only required for the forest that AD FS is joined to

Note

If you installed Azure AD Connect prior to upgrading to the schema version (level 85 or greater) in Windows Server 2016, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured.

Verify your schema level

To verify your schema level, do the following:

  1. You can use ADSIEdit or LDP and connect to the Schema Naming Context.
  2. Using ADSIEdit, right-click on "CN=Schema,CN=Configuration,DC=domain,DC=com" and select Properties. Replace the domain and com portions with your forest information.
  3. Under the Attribute Editor, locate the objectVersion attribute; its value is your schema version.

You can also use the following PowerShell cmdlet (replace the object with your schema naming context information):

    Get-ADObject "cn=schema,cn=configuration,dc=domain,dc=local" -Property objectVersion

For additional information on upgrading, see Upgrade Domain Controllers to Windows Server 2016.
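The following script is an added example and is not code from the original article. Instead of hand-typing the schema naming context, it reads it from RootDSE, compares objectVersion against the minimum of 85 the article requires, and also confirms that the msDS-KeyCredentialLink attribute mentioned in the Note above is defined in the schema. It assumes the ActiveDirectory PowerShell module is installed on the machine where you run it; the function name Test-SchemaLevel is the example's own.

```powershell
# Added example, not code from the original article. Resolves the schema naming
# context from RootDSE, checks the forest schema level against the minimum the
# article requires (85), and confirms the msDS-KeyCredentialLink attribute is
# present in the schema. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Test-SchemaLevel {
    param([int]$Minimum = 85)

    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext

    # objectVersion on the schema head object is the forest schema level.
    $version = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion

    # Azure AD Connect needs a sync rule for this attribute; it only exists once the
    # Windows Server 2016 schema extension has been applied.
    $keyCredLink = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
        -Filter 'lDAPDisplayName -eq "msDS-KeyCredentialLink"'

    [pscustomobject]@{
        SchemaNamingContext        = $schemaNc
        ObjectVersion              = $version
        MeetsMinimum               = ($version -ge $Minimum)
        HasKeyCredentialLinkAttrib = ($null -ne $keyCredLink)
    }
}

$result = Test-SchemaLevel
$result | Format-List

if (-not $result.MeetsMinimum) {
    Write-Warning "Schema level $($result.ObjectVersion) is below the required minimum; upgrade the forest schema before continuing."
}
if (-not $result.HasKeyCredentialLinkAttrib) {
    Write-Warning 'msDS-KeyCredentialLink is not defined in the schema; the Windows Server 2016 schema extension has not been applied.'
}
```

Run it on any domain-joined machine with the RSAT AD PowerShell module; it reads only the schema partition and makes no changes.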

Enable Azure AD Device Registration

To configure this scenario, you must configure the device registration capability in Azure AD.

To do this, follow the steps under Setting up Azure AD Join in your organization.

Setup AD FS

  1. Create a new AD FS 2016 farm.
  2. Or migrate a farm to AD FS 2016 from AD FS 2012 R2.
  3. Deploy Azure AD Connect using the Custom path to connect AD FS to Azure AD.

Configure Device Write Back and Device Authentication

Note

If you ran Azure AD Connect using Express Settings, the correct AD objects have been created for you. However, in most AD FS scenarios, Azure AD Connect was run with Custom Settings to configure AD FS, so the steps below are necessary.

Create AD objects for AD FS Device Authentication

If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.

Note: The commands below require the Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.

  1. Run the Add Roles & Features wizard and select the feature Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> choose both the Active Directory module for Windows PowerShell and the AD DS Tools.
  2. On your AD FS primary server, ensure you are logged in as an AD DS user with Enterprise Admin (EA) privileges and open an elevated PowerShell prompt. Then, execute the following PowerShell commands:

    Import-Module ActiveDirectory
    Initialize-ADDeviceRegistration -ServiceAccountName "<your service account>"

  3. On the pop-up window, click Yes.

Note: If your AD FS service is configured to use a gMSA account, enter the account name in the format "domain\accountname$".

The above PowerShell creates the following objects:

  • RegisteredDevices container under the AD domain partition
  • Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
  • Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration

  4. Once this is done, you will see a successful completion message.

Create Service Connection Point (SCP) in AD

If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS.

  1. Open Windows PowerShell and execute the following:

    Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

Note: If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep.

  2. Provide your Azure AD global administrator credentials:

    $aadAdminCred = Get-Credential

  3. Run the following PowerShell command:

    Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred

Where [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.

The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionPoint object in AD DS.

Prepare AD for Device Write Back

To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following.

  1. Open Windows PowerShell and execute the following:

    Initialize-ADSyncDeviceWriteBack -DomainName <AD DS domain name> -AdConnectorAccount [AD connector account name]

Where [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory, in domain\accountname format.

The above command creates the following objects for device write back to AD DS, if they do not exist already, and grants access to the specified AD connector account:

  • RegisteredDevices container in the AD domain partition
  • Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration

Enable Device Write Back in Azure AD Connect

If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting "Customize Synchronization Options", then checking the box for device write back and selecting the forest in which you have run the above cmdlets.

Configure Device Authentication in AD FS

Using an elevated PowerShell command window, configure AD FS policy by executing the following command:

    Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All

Check your configuration

For your reference, below is a comprehensive list of the AD DS objects, containers and permissions required for device write-back and authentication to work.

  • Object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain>
    • read access to the AD FS service account
    • read/write access to the Azure AD Connect sync AD connector account
  • Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
  • Container Device Registration Service DKM under the above container
  • Object of type serviceConnectionPoint at CN=<guid>,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
    • read/write access to the specified AD connector account name on the new object
  • Object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
  • Object of type msDS-DeviceRegistrationService in the above container
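As an added example that is not part of the original article, the script below walks the list above: it resolves the domain and configuration naming contexts from RootDSE, reports whether each container and object exists with the expected object class, and lists the access control entries that the AD FS service account and the AD connector account hold on CN=RegisteredDevices. The two account names at the top are placeholders you must replace; reading the ACL through the AD: drive that the ActiveDirectory module provides is the example's choice, not something the article prescribes.

```powershell
# Added example, not code from the original article. Checks the AD DS objects,
# containers and permissions listed under "Check your configuration".
# The two account names are placeholders; replace them with your own.
Import-Module ActiveDirectory

$adfsServiceAccount = 'CONTOSO\adfssvc$'       # placeholder (gMSA names end in $)
$adConnectorAccount = 'CONTOSO\MSOL_connector'  # placeholder

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$drcDn    = "CN=Device Registration Configuration,CN=Services,$configDn"
$drsDn    = "CN=Device Registration Services,$drcDn"
$rdDn     = "CN=RegisteredDevices,$domainDn"

function Get-ObjectOrNull([string]$Dn) {
    # Get-ADObject -Identity throws when the object is absent; turn that into $null.
    try   { Get-ADObject -Identity $Dn -Properties objectClass }
    catch { $null }
}

# Fixed-name objects and the object class (lDAPDisplayName form) expected for each.
$expected = @(
    @{ Dn = $rdDn;                                       Class = 'msDS-DeviceContainer' }
    @{ Dn = $drcDn;                                      Class = 'container' }
    @{ Dn = "CN=Device Registration Service DKM,$drcDn"; Class = 'container' }
    @{ Dn = $drsDn;                                      Class = 'msDS-DeviceRegistrationServiceContainer' }
)

foreach ($e in $expected) {
    $obj = Get-ObjectOrNull $e.Dn
    if ($null -eq $obj)                    { Write-Warning "MISSING     $($e.Dn)" }
    elseif ($obj.ObjectClass -ne $e.Class) { Write-Warning "WRONG CLASS $($obj.ObjectClass) at $($e.Dn)" }
    else                                   { Write-Host    "OK          $($e.Dn)" }
}

# Objects whose name is not fixed: the SCP is CN=<guid> under the configuration
# container, and the DRS object lives under CN=Device Registration Services.
if (Get-ObjectOrNull $drcDn) {
    $scp = Get-ADObject -SearchBase $drcDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "serviceConnectionPoint"'
    if ($scp) { Write-Host "OK          serviceConnectionPoint $($scp.DistinguishedName)" }
    else      { Write-Warning "MISSING     serviceConnectionPoint under $drcDn" }
}
if (Get-ObjectOrNull $drsDn) {
    $drs = Get-ADObject -SearchBase $drsDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msDS-DeviceRegistrationService"'
    if ($drs) { Write-Host "OK          msDS-DeviceRegistrationService $($drs.DistinguishedName)" }
    else      { Write-Warning "MISSING     msDS-DeviceRegistrationService under $drsDn" }
}

# Permissions on CN=RegisteredDevices: the article expects read for the AD FS
# service account and read/write for the AD connector account. The rights are
# printed rather than judged, so you can compare them with the list above.
if (Get-ObjectOrNull $rdDn) {
    $acl = Get-Acl -Path "AD:\$rdDn"
    foreach ($account in $adfsServiceAccount, $adConnectorAccount) {
        $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account }
        if ($aces) {
            $rights = ($aces | ForEach-Object { $_.ActiveDirectoryRights } | Sort-Object -Unique) -join ', '
            Write-Host "ACE         $account on RegisteredDevices: $rights"
        } else {
            Write-Warning "NO ACE      $account has no explicit entry on $rdDn"
        }
    }
}
```

Run it as a user who can read the configuration partition; it only reads directory objects and ACLs. Inherited entries from a group grant will not show as an explicit ACE for the account, so a "NO ACE" line is a prompt to look at group membership, not proof that access is missing.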

See it work

To evaluate the new claims and policies, first register a device. For example, you can Azure AD Join a Windows 10 computer using the Settings app under System -> About, or you can set up Windows 10 domain join with automatic device registration following the additional steps here. For information on joining Windows 10 mobile devices, see the document here.

For easiest evaluation, sign on to AD FS using a test application that shows a list of claims. You will be able to see new claims including isManaged, isCompliant, and trusttype. If you enable Microsoft Passport for Work, you will also see the prt claim.

Configure Additional Scenarios

Automatic Registration for Windows 10 Domain Joined computers

To enable automatic device registration for Windows 10 domain joined computers, follow steps 1 and 2 here. This will help you achieve the following:

  1. Ensure your service connection point in AD DS exists and has the proper permissions (we created this object above, but it does not hurt to double check).
  2. Ensure AD FS is configured properly
  3. Ensure your AD FS system has the correct endpoints enabled and claim rules configured
  4. Configure the group policy settings required for automatic device registration of domain joined computers

Microsoft Passport for Work

For information on enabling Windows 10 with Microsoft Passport for Work, see Enable Microsoft Passport for Work in your organization.

Automatic MDM enrollment

To enable automatic MDM enrollment of registered devices so that you can use the isCompliant claim in your access control policy, follow the steps here.

Troubleshooting

  1. If you get an error on Initialize-ADDeviceRegistration that complains about an object already existing in the wrong state, such as "The drs service object has been found without all the required attributes", you may have executed Azure AD Connect PowerShell commands previously and have a partial configuration in AD DS. Try deleting manually the objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> and trying again.
  2. For Windows 10 domain joined clients:
    1. To verify that device authentication is working, sign on to the domain joined client as a test user account. To trigger provisioning quickly, lock and unlock the desktop at least one time.
    2. Instructions to check for stk key credential link on AD DS object (does sync still have to run twice?)
  3. If you get an error upon trying to register a Windows computer that the device was already enrolled, but you are unable to unenroll or have already unenrolled the device, you may have a fragment of device enrollment configuration in the registry. To investigate and remove this, use the following steps:
    1. On the Windows computer, open Regedit and navigate to HKLM\Software\Microsoft\Enrollments
    2. Under this key, there will be many subkeys in GUID form. Navigate to the subkey which has ~17 values in it and has an "EnrollmentType" of "6" (MDM joined) or "13" (Azure AD joined)
    3. Modify EnrollmentType to 0
    4. Try the device enrollment or registration again
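The registry walk in step 3 above, as an added example that is not part of the original article: the script lists every GUID-named subkey under HKLM\Software\Microsoft\Enrollments whose EnrollmentType is 6 or 13 together with its value count, so you can pick out the one with roughly 17 values, and only changes EnrollmentType to 0 when you pass -Apply with the chosen -Key. The switch names and the GUID pattern are the example's own assumptions; it reads only the values the article names.

```powershell
# Added example, not code from the original article. Finds leftover enrollment
# records under HKLM\Software\Microsoft\Enrollments (EnrollmentType 6 = MDM
# joined, 13 = Azure AD joined) and, only with -Apply and -Key, resets the
# chosen record's EnrollmentType to 0 as the troubleshooting step describes.
# Run from an elevated PowerShell prompt on the affected Windows computer.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,   # without this the script only reports
    [string]$Key      # GUID subkey name to modify, taken from the report
)

$base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-EnrollmentFragments {
    # Enrollment records are keyed by GUID; other subkeys under the base are skipped.
    $guidPattern = '^\{?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$'
    Get-ChildItem -Path $base -ErrorAction Stop |
        Where-Object { $_.PSChildName -match $guidPattern } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Key            = $_.PSChildName
                ValueCount     = $_.ValueCount        # the article points at the ~17-value record
                EnrollmentType = $props.EnrollmentType
            }
        } |
        Where-Object { $_.EnrollmentType -in 6, 13 }
}

$fragments = @(Get-EnrollmentFragments)
if ($fragments.Count -eq 0) {
    Write-Host 'No MDM (6) or Azure AD (13) enrollment records found.'
    return
}

$fragments | Format-Table Key, ValueCount, EnrollmentType -AutoSize

if ($Apply) {
    $target = $fragments | Where-Object { $_.Key -eq $Key }
    if (-not $target) { throw 'Pass -Key with one of the GUIDs listed above.' }
    $path = Join-Path $base $target.Key
    # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($path, 'Set EnrollmentType to 0')) {
        Set-ItemProperty -Path $path -Name EnrollmentType -Value 0 -Type DWord
    }
}
```

Run it once without arguments to see the candidates, then again with `-Apply -Key <guid>` (add `-WhatIf` to preview) before retrying the enrollment or registration.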