Microsoft Exam MD:100 Windows 10 Certification Guide

Managing devices

Windows 10 was designed to be managed using cloud-based tools such as Microsoft Intune and Microsoft Endpoint Manager. Nowadays, more businesses are moving away from on-premises domain environments to the cloud.

In this section, you will learn how to register a device in Azure AD with a work or school account using cloud-based services. We will also look at how to enable device registration and the process of joining devices to Azure AD.

Azure AD is Microsoft's cloud-based identity and access management service. It provides your users with Single Sign-On (SSO) for cloud-based applications such as Microsoft Office 365 and many other Software as a Service (SaaS) applications. Azure AD join also enables Windows Hello, as well as access to the Microsoft Store for Business. Users can easily join their devices to your organization's Azure AD tenant.

When joining devices to an on-premises domain environment, the types of devices that you can join are quite restrictive; for example, devices must be running a supported Windows Operating System (OS). Azure AD is less restrictive: you can join different device types, such as tablets, laptops, smartphones, and desktop computers, to Azure AD.

Devices can be managed by Azure AD using two methods:

  • Joining a device to Azure AD
  • Registering a device to Azure AD

We'll look at these methods in detail in the next section.

Joining a device to Azure AD

Joining a device to Azure AD is intended for organizations that want to be cloud-first or cloud-only. Azure AD join also works well in a hybrid environment, where it gives the user access to both cloud and on-premises resources. Organizations of any size can deploy Azure AD joined devices. Azure AD joined devices are signed in to using an organizational Azure AD account.

IT administrators can secure and further control Azure AD joined devices using Mobile Device Management (MDM) tools such as Microsoft Intune, or in co-management with System Center Configuration Manager. With these tools, you can enforce the configurations your organization requires, such as encrypted storage, password complexity, software installations, and software updates. You can also make applications available using Microsoft Intune, System Center Configuration Manager, and the Microsoft Store for Business.

Registering a device to Azure AD

Registering a device to Azure AD is the method used to support Bring Your Own Device (BYOD) or mobile scenarios. The user can access your organization's Azure AD resources from a personal device running Windows 10, Android, iOS, or macOS.

All corporate data and apps are kept separate from personal data and apps on the user's device. If the user's device does not meet your corporate security standards and compliance requirements (for example, the device is jailbroken or runs an unsupported OS version), then access to the resource is denied.

The main reasons to implement device registration are as follows:

  • To enable access to corporate resources from non-domain joined or personally owned devices
  • To enable SSO for specific resources that are managed by Azure AD

Configuring device management

The Azure portal provides a cloud-based location where you can manage your devices. Device management requires configuration to ensure that your users can register their device to Azure AD. By default, this setting is enabled and allows all supported Windows 10 devices (or other devices that provide a valid credential) to be managed by Azure AD.

To allow devices to be registered to Azure AD, follow these steps:

  1. Go to the Azure portal at https://portal.azure.com.
  2. Sign in as an administrator.
  3. On the left navigation bar, click Azure Active Directory.
  4. In the Manage section, click Devices.
  5. Click Device Settings.
  6. Make sure that the Users may join devices to Azure AD setting is configured to All.
  7. Click Save.

In the following screenshot, you can see part of the Azure portal where you can configure this setting:

Figure 4.8 - Azure AD device registration settings

As you can see, there are two more options for which users can join devices: Selected and None.

If you select None, then nobody can join their device to your Azure AD. With the Selected option, you can define a group of users or individual users who are able to join their devices to your Azure AD.

Managing device tasks

Once devices have been registered or joined to Azure AD, they will appear in a list within the All Devices section of the Azure AD blade, as shown in the following screenshot:

Figure 4.9 - List of all registered and joined devices in Azure AD

You can see that devices managed by Microsoft Intune are also listed in this view. To locate a device, you can search by the device's name or by its device ID. Once you have located a device and double-clicked on it, you can perform device management tasks such as the following:

  • Managing the device
  • Enabling the device
  • Disabling the device
  • Deleting the device

In this overview, you will see the properties of the selected device and also see the BitLocker Key ID, as shown in the following screenshot:

Figure 4.10 - The Azure AD Device Properties blade

As you can see, you will find a lot of information about a specific device, such as the device name, registration date, last activity date, owner name, OS and OS version, and the method by which it joined Azure AD.
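The same device properties can be read and acted on from a script. The following PowerShell example (added here; it is not from the book) uses the Microsoft Graph PowerShell SDK to list devices with their join type and last activity, and to disable those that have not signed in for a given number of days; stale device objects are worth reviewing because they still count as organizational devices. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and the signed-in administrator is allowed to read and update device objects.

```powershell
# Added example (not from the book): inventory Azure AD devices via Microsoft Graph
# PowerShell and disable those with no sign-in for a configurable number of days.
Connect-MgGraph -Scopes 'Device.ReadWrite.All'

function Get-JoinTypeLabel {
    param([string]$TrustType)
    # trustType is how Graph exposes the "Join Type" column shown in the portal.
    switch ($TrustType) {
        'AzureAd'   { 'Azure AD joined' }
        'ServerAd'  { 'Hybrid Azure AD joined' }
        'Workplace' { 'Azure AD registered' }
        default     { "Unknown ($TrustType)" }
    }
}

function Disable-StaleAzureAdDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 90)
    $cutoff  = (Get-Date).AddDays(-$InactiveDays)
    $devices = Get-MgDevice -All -Property 'id','deviceId','displayName','trustType',
        'operatingSystem','operatingSystemVersion','approximateLastSignInDateTime',
        'accountEnabled','isManaged'
    foreach ($d in $devices) {
        # Skip devices that are already disabled or have never recorded a sign-in.
        if (-not $d.AccountEnabled -or -not $d.ApproximateLastSignInDateTime) { continue }
        if ($d.ApproximateLastSignInDateTime -ge $cutoff) { continue }
        $label = "$($d.DisplayName) [$(Get-JoinTypeLabel $d.TrustType), " +
                 "$($d.OperatingSystem) $($d.OperatingSystemVersion)]"
        # With -WhatIf, ShouldProcess only reports the intended change.
        if ($PSCmdlet.ShouldProcess($label, "Disable (last activity $($d.ApproximateLastSignInDateTime))")) {
            Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
        }
        [pscustomobject]@{
            Name          = $d.DisplayName
            JoinType      = Get-JoinTypeLabel $d.TrustType
            LastActivity  = $d.ApproximateLastSignInDateTime
            IntuneManaged = [bool]$d.IsManaged
        }
    }
}

# Dry run first; remove -WhatIf to actually disable the listed devices.
Disable-StaleAzureAdDevice -InactiveDays 90 -WhatIf | Format-Table -AutoSize
```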

Connecting devices to Azure AD

After you have configured the prerequisites to allow device registration, you will be able to connect devices to Azure AD. There are three ways to do this:

  • Joining a new Windows 10 device to Azure AD
  • Joining an existing Windows 10 device to Azure AD
  • Registering a Windows 10 device to Azure AD

In this section, you will learn about the required steps for each method in order to connect a Windows 10 device to Azure AD.

Joining a new Windows 10 device

In this section, we will take a new Windows 10 device and join it to Azure AD during the first-run experience. If the device is running Windows 10 Professional edition or Windows 10 Enterprise edition, then the first-run experience will present the setup process. To join a new Windows 10 device to Azure AD during this first-run experience, follow these steps:

  1. Start the new device and start the setup process.
  2. On the Let's start with region. Is this right? page, choose your region and click Yes.
  3. On the Is this the right keyboard layout? page, choose your preferred keyboard layout and click Yes.
  4. On the Want to add a second keyboard layout? page, click Skip.
  5. On the Sign in with Microsoft page, enter your work or school account and click Next.
  6. On the Enter your password page, enter your password and click Next.
  7. This step is optional and depends on the configuration of your Azure AD tenant. On the Help us protect your account page, confirm the Authenticator notification.
  8. On the Do more with your voice page, select the option of your choice and select Accept.
  9. On the Let Microsoft and apps use your location page, select the option of your choice and select Accept.
  10. On the Find my device page, select the option of your choice and select Accept.
  11. On the Send diagnostic data to Microsoft page, select the option of your choice and select Accept.
  12. On the Improve inking & typing page, select the option of your choice and select Accept.
  13. On the Get tailored experiences with diagnostic data page, select the option of your choice and select Accept.
  14. On the Let apps use advertising ID page, select the option of your choice and select Accept.

    Important Note

    Steps 15 and 16 are optional and depend on the configuration of your Azure AD tenant.

  15. On the Your organization requires Windows Hello page, click on Set up PIN.
  16. In the Windows Security popup, add a new PIN code (you'll need to do this twice for verification purposes) and click OK.
  17. On the All set! page, click OK.

Now, you will be logged in to an Azure AD joined Windows 10 device. To verify that the device is registered in the organization's Azure AD, follow these steps:

  1. Open the Azure portal at https://portal.azure.com.
  2. Sign in as an administrator.
  3. On the left navigation bar, click Azure Active Directory.
  4. In the Manage section, click Devices.
  5. Under All devices, you will see the Azure AD joined device in the right pane, as shown in the following screenshot:

Figure 4.11 - Device is Azure AD joined

With that, you have successfully joined a new Windows 10 device to Azure AD. In the next section, we are going to join an existing Windows 10 device to Azure AD.

Joining an existing Windows 10 device

In this section, we are going to take an existing Windows 10 device and join it to Azure AD. You can join a Windows 10 device to Azure AD at any time. Follow these steps to join the device to Azure AD:

  1. Open the Settings app.
  2. Click Accounts.
  3. Click Access work or school.
  4. Click on Connect.
  5. Under Alternate actions, click Join this device to Azure Active Directory.
  6. Log in with your work or school account and follow the wizard.
  7. In the Make sure this is your organization window, review it and click Join.
  8. If everything goes well, you will see your email address, as shown in the following screenshot:

Figure 4.12 - Connecting an existing Windows 10 device to Azure AD

To verify that the device is registered in the organization's Azure AD, follow these steps:

  1. Open the Azure portal.
  2. Sign in as an administrator.
  3. On the left navigation bar, click Azure Active Directory.
  4. In the Manage section, click Devices.
  5. Under All devices, you will see the Azure AD joined device in the right pane, as shown in the following screenshot:

Figure 4.13 - Device is Azure AD joined

With that, you have successfully joined an existing Windows 10 device to Azure AD. In the next section, we are going to register a Windows 10 device to Azure AD.

Registering a Windows 10 device

Personally owned devices, such as a mobile phone or a personal Windows 10 laptop, can be connected to Azure AD using the Add Work or School Account feature in the Settings app. Device registration makes the device known to Azure AD and Microsoft Intune. In this section, we will take an existing Windows 10 device and register it to Azure AD. To do this, follow these steps:

  1. Open the Settings app.
  2. Click Accounts.
  3. Click Access work or school.
  4. Click on Connect.
  5. In the Microsoft account window, fill in your work or school account email address and click Next.
  6. Follow the wizard to complete this process.
  7. If everything goes well, you will see your email address, as shown in the following screenshot:

Figure 4.14 - Registering a Windows 10 device to Azure AD

To verify that the device is registered in the organization's Azure AD, follow these steps:

  1. Open the Azure portal.
  2. Sign in as an administrator.
  3. On the left navigation bar, click Azure Active Directory.
  4. In the Manage section, click Devices.
  5. Under All devices, you will see the Azure AD device you just registered in the right pane, as shown in the following screenshot:

Figure 4.15 - Device is Azure AD joined

With that, you have successfully registered a Windows 10 device in Azure AD.

Important Note

You can register personally owned devices with Azure AD using the preceding steps. Personal devices are then known in Azure AD but are not fully managed by your organization.
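The three verification procedures above check the device from the Azure portal. The following PowerShell function (added here; it is not from the book) checks from the device itself, by parsing the output of the built-in dsregcmd /status tool and reporting whether the device is Azure AD joined, hybrid joined, or only registered, and whether its device key is TPM-protected. The sample output at the end is constructed so the function can be tried without a joined device; the field names are those dsregcmd prints on Windows 10.

```powershell
# Added example (not from the book): classify a Windows 10 device's Azure AD state
# by parsing the key/value lines of "dsregcmd /status".
function Get-AzureAdDeviceState {
    param(
        # Output lines of "dsregcmd /status"; defaults to running it on this machine.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $state = @{}
    foreach ($line in $StatusLines) {
        # Status lines look like "   AzureAdJoined : YES". The key ends at the first
        # colon, so values that contain colons (timestamps, URLs) stay intact.
        if ($line -match '^\s*([^:|+-][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $azureJoined = $state['AzureAdJoined']   -eq 'YES'
    $domJoined   = $state['DomainJoined']    -eq 'YES'
    $registered  = $state['WorkplaceJoined'] -eq 'YES'
    $mode = 'Not connected to Azure AD'
    if ($registered)  { $mode = 'Azure AD registered' }
    if ($azureJoined) { $mode = if ($domJoined) { 'Hybrid Azure AD joined' } else { 'Azure AD joined' } }
    [pscustomobject]@{
        Mode         = $mode
        DeviceId     = $state['DeviceId']
        TenantName   = $state['TenantName']
        # YES means the device key is held by the TPM rather than in software.
        TpmProtected = $state['TpmProtected'] -eq 'YES'
    }
}

# Constructed, abbreviated sample of dsregcmd output for a cloud-only joined device.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '               Device Name : DESKTOP-EXAMPLE',
    '                  DeviceId : 11111111-2222-3333-4444-555555555555',
    '                TenantName : Contoso',
    '               KeyProvider : Microsoft Platform Crypto Provider',
    '              TpmProtected : YES',
    '           WorkplaceJoined : NO'
)
Get-AzureAdDeviceState -StatusLines $sample   # Mode: Azure AD joined, TpmProtected: True
Get-AzureAdDeviceState                        # Run against the local machine
```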