My previous blog post described how to deploy an On Premise MDM solution with Configuration Manager Current Branch (1511 for now). It's a pretty cool solution. You can find that blog post here
There is one drawback though. It's a bit of a pain having to install a client certificate and the Trusted Root certificate on each Windows device before then having to enrol the device manually through Work Access. We're in luck. Configuration Manager has a very slick way to automate this process through provisioning packages. You can read about this process in the official Microsoft TechNet documentation .
This process could not be simpler. What does it look like?
There are a couple of prerequisites.
1. You must have installed Windows Image and Configuration Designer (WICD) from the Windows 10 ADK before you can create an enrollment package.
2. You must have already configured the solution for On-Premise MDM. During that process you would have created a Certificate Profile containing the Trusted Root Certificate.
Navigate to "Assets and Compliance" > "All Corporate-owned Devices > Windows > Enrolment Profile. Right click to create a new profile.
Enter a suitable name. See that you can choose On-Premises or Cloud as the Management Authority. We're interested in On-Premises for now.
Choose the Site Code.
Select "Intranet Only" and choose the Enrolment Point.
Choose the certificate profile.
You can optionally choose to configure a WiFi profile for network connectivity during enrolment.
Confirm the settings to configure the profile.
Profile has been created.
Right click the profile. You can view the properties or export.
See that you can still make changes in the properties. You can change the Management Authority.....
.....or add a WiFi profile, for example.
Now choose to export. Accept the validity period (the package will expire) and enter a location. You can choose to encrypt the package.
The enrollment package has been created. See there are two files.
Now let's go to our test client. It is not enrolled.
I removed the client certificate....
...and Trusted Root Certificate that I previously installed.
Copy the Enrollment Package to the Windows 10 client (the method is up to you). Launch the package.
Accept the UAC warning.
You are given information on what a provisioning package could do. You must accept this.
That's all you have to do. Almost instantly you will see that the device is enrolled (Settings > Accounts > Work Access). Note that it has been enrolled as a Corporate Owned device rather than by a specific user.
The first sync has started.
The device appears in the ConfigMgr console as is under On Premise Management. This is seriously cool.
Until next time....
Until next time....
Great post Gerry. Very informative!
ReplyDeleteThanks Colin. Appreciate it.
ReplyDeletehei Gerry, Do you know how to add certificate to the provisioing package while creating it??? I am stuck at it, as after creation of a self signed certificate too it is not appearing
ReplyDeleteI'm not quite with you. You need to create the Certificate Profile before you launch the wizard to create the provisioning package.
DeleteHi Gerry,
ReplyDeleteYour blogs always help me, Thank you for that first of all.
I am having issues with the Featured Apps(Candy Crush Soda, Minecraft, Twitter, Picsart and Cortana), can't get rid of them.
When Win 10 is deployed to test machine, these apps shows up from nowhere.
Can't find a suitable solution for this on the blogs and Technet.
Is there any way to remove/block these apps to show up, this is holding up a huge deployment :(
Any suggestions, will be much appreciated.
Thanks,
Ambar
Thanks Ambar. This is a known issue with Windows 10 1607. See here for full details and workarounds.
Deletehttps://blogs.technet.microsoft.com/mniehaus/2016/08/23/windows-10-1607-keeping-apps-from-coming-back-when-deploying-the-feature-update/