" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" />" /> Windows 10 MDM Enrollment

Windows 10 MDM Enrollment

June 2020

To configure a corporate end-user device without installing an agent on the device, Windows provisioning is one of the best ways to enroll a Windows 10 device. Using ZENworks you can enroll Windows 10 devices that are available in your zone.

Windows 10 devices can be enrolled in multiple ways, but in ZENworks 2020, only Bulk Enrollment is supported. Bulk enrollment is one of the easiest ways to enroll large number of Windows devices without installing an agent or re-imaging the devices. This can be achieved using the provisioning packages. The provisioning packages can be deployed on the targeted Windows 10 devices to enroll with minimal user intervention. The Microsoft Imaging and Configuration Designer tool enables you to create provisioning packages to easily configure and enroll multiple Windows 10 devices.

1.0 Creating Provisioning Package

To bulk enroll Windows devices, you need to create a provisioning package using the Windows Imaging and Configuration Designer tool and then enroll other Windows 10 device.

1.1 What is a Provisioning Package?

A provisioning package contains a collection of configuration settings. This file can be created using a Windows 10 device.

1.2 Prerequisites for Creating the Provisioning Package

The prerequisites to create a Provisioning Package can be gathered from the ZENworks Configuration page.

To go to the Configuration page:

  1. In ZCC, click Configuration.

  2. In the Configuration page, in the Management Zone Settings panel, click Windows 10 MDM.

  3. Click Configure Windows 10 MDM.

The Prerequisites for Provisioning Package Creation page lists all the prerequisites that are required to create a Provisioning Package.

Following are some of the prerequisites that should be met before creating the provisioning package:

  1. Create or view Registration Key

    Create or use an existing registration key to set rules for enrolling Windows 10 devices to ZENworks. The registration key can also be used to restrict the number of devices that gets registered with the Provisioning Package. Ensure that you have zone Configure Registration rights to create the registration key.

  2. Primary Server

    Select the Primary Server to which the Windows 10 devices should be enrolled. Based on the selected server, the MDM Enrollment URL will be populated. Ensure that you have device Modify Settings rights to select Primary Servers.

  3. MDM Enrollment URL

    Copy and use the MDM enrollment URL while creating the provisioning package.

  4. Server Root Certificate

    Download the server root certificate for secured communication between the Windows 10 devices and the ZENworks server. Ensure that you have the zone Modify settings rights to download the server root certificate.

1.3 Advantages of Enrolling With Provisioning Package

Advantages of enrolling Windows devices using provisioning packages (PPKG) are:

  • One click enrollment: By double clicking the provisioning package, a Windows 10 device can be enrolled with ZENworks.

  • Bulk enrollment: Using the PPKG file, you can enroll large number of windows devices.

1.4 Creating a Project

To create a project in Windows Configuration Designer, perform the following steps:

  1. Open Windows Configuration Designer.

  2. Click File and then select New project.

  3. Perform the following steps, and then click Next:

    • Specify a name for the provisioning package.

    • Select a folder path for the package to be saved.

    • Specify a suitable description for the package.

  4. Select project workflow as Provisioning package, and then click Next.

  5. Select the type of Windows edition and then click Next.

  6. If required, you can import an existing provisional package to your project, or click Finish to create the project.

1.5 Customizing the Provisioning Package

After creating the project, perform the following steps to create a customized provisioning package:

  1. Open Windows Configuration Designer.

  2. Click File, select Open project and then select the project that you have created.

    Based on requirements, you can customize the provisioning package by using the Available customizations section.

  3. Expand Runtime settings, select Workplace and then click Enrollments.

  4. In the UPN field, specify a name to identify the enrollment.

  5. Click the UPN that was created and perform the following:

    1. AuthPolicy Select On-Premise.

    2. DiscoveryServiceFullUrl: Provide the complete URL of the ZENworks in the format as shown below.

      https://<ZEN_Server>/zenworks-win-mdm/registration/discoveryservice

      Where ZEN_Server is the IP or hostname of ZENworks server.

    3. Secret: This is the ZENworks Registration key. Using this registration key, you can restrict the number of Windows 10 devices that should be enrolled to your Management Zone.

  6. In the Runtime settings, select Certificates.

  7. In Certificates, perform the following:

    1. Root Certificate: Specify a name for the root certificate.

    2. Certificate Path: Select the certificate that should be used for the enrollment. The certificate should be in the CER format.

  8. Click File, and click Save the project.

    To create the provisioning package, see the Building the Provisioning Package section.

1.6 Building the Provisioning Package

After customizing the provisioning package, perform the following steps to build and create the provisioning package (PPKG) file:

  1. Click Export, and then select Provisioning package.

  2. Specify the following details, and then click Next:

    1. Name: Displays the Project Name. If required, you can rename the file.

    2. Version: Displays the default package version. If required, you can modify the version of the provisioning package.

    3. Owner: Select the package owner type.

    4. Rank: Select any value between 0 to 99. The default value is 0.

  3. Select the security details for the provisioning package. If the provisioning package has to be encrypted, then select any one of the following:

    1. Encrypt package: If you want to encrypt the provisioning package with a password, then select this option and specify a password.

    2. Sign package: If you want to sign the provisioning package with a certificate, then select this option, and then upload a valid certificate by clicking Browse.

  4. Select a folder in which the provisioning package should be saved, and then click Next.

  5. Review the displayed information, and then click Build.

    If the build is successful, then the location of the provisioning package is displayed.

  6. Click Finish.

2.0 Enrolling a Windows Device with the Provisioning Package

After creating the PPKG file, you can use this file to enroll Windows 10 devices with minimal user intervention.

2.1 To enroll a Windows 10 device, perform the following steps:

  1. Go to Settings > Accounts > Access work or school > Add or remove a provisioning package and click on Add a package.

  2. Browse and select the provisioning package.

    NOTE:You can also double-click the provisioning package to start the device enrollment.

  3. The device gets enrolled with ZENworks.

2.2 To verify whether the device is enrolled to ZENworks, perform the following:

  1. Log into ZCC.

  2. Click Devices > Workstations.

    If the device is successfully enrolled, then it either be listed in the Workstations list or in the Pending Enrollment Devices folder.

  3. Click the enrolled device and in the device summary page, check the MDM Enrolled status.

NOTE:The PPKG file can be shared by any means. If the device is enrolled to ZENworks, then you can create a bundle to distribute the provisioning package, or you can use a removable media to share the provisioning package.

3.0 Removing or Uninstalling a Provisioning Package

To remove or uninstall a provisioning package on a Windows 10 device, perform the following steps:

  1. Log into the device using the local administrator credentials.

    NOTE:The provisioning package cannot be removed by domain users.

  2. Go Settings > Accounts > Access work or school > Add or remove a provisioning package.

    Remove the provisioning package.