- Device Registration
- Quickstart: Enroll your Windows 10 device
- Prerequisites
- Confirm your Windows 10 Desktop version
- Enroll Windows 10 Desktop
- Confirm your device enrollment in Intune
- Clean up resources
- Next steps
- Configure a federation server with Device Registration Service
- Prepare your Active Directory forest to support devices
- To prepare the Active Directory forest
- Enable Device Registration Service on a federation server farm node
- To enable Device Registration Service
- Enable seamless second factor authentication
- To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices
- Update the Web Application Proxy configuration
- To update the Web Application Proxy Configuration
Device Registration
The Windows Media Format SDK provides access to the device registration database. This database is secured on the client computer and is used to register devices that support Windows Media DRM 10 for Network Devices.
When a device is added to a network to which the client computer is connected, the device attempts to contact a Windows Media DRM 10 for Network Devices transmitter application. After establishing communications, the device sends a registration request message.
Your application should perform the following steps when it receives a registration request message:
- Parse the message by calling the IWMDRMMessageParser::ParseRegistrationReqMsg method. This method retrieves the device certificate and the device serial number, both of which are needed to identify the device.
- Call the IWMDeviceRegistration::GetRegisteredDeviceByID method, passing in the certificate and device serial number retrieved in step 1. If the device is found, it is already registered and you can skip the next step.
- Call the IWMDeviceRegistration::RegisterDevice method to add the device to the device registration database.
You can access information about any device in the registration database by retrieving the registered device object associated with it. There are two ways to get a registered device object. If you have the certificate and serial number of the device, you can call the IWMDeviceRegistration::GetRegisteredDeviceByID method. If you do not have the certificate and serial number of the device, you can enumerate all the devices in the database by calling IWMDeviceRegistration::GetFirstRegisteredDevice followed by repeated calls to IWMDeviceRegistration::GetNextRegisteredDevice until a call returns S_FALSE.
Before your application can send data to a device, you must ensure that the device is approved, validated, and open.
Device approval should involve interaction with the user. When a device sends a registration message, your application can prompt the user to decide whether the device is one that should receive that user’s data. Then update the device registration database by calling the IWMRegisteredDevice::Approve method, passing TRUE or FALSE as appropriate.
Validation is also called proximity detection. This is a process by which the internal DRM objects of the Windows Media Format SDK determine whether the device is "near" enough to the computer running your application to securely transmit media. Nearness is determined by the time it takes to get a response to a message. This feature is intended to prevent unauthorized users from accessing your network and obtaining your secured media. For more information, see Performing Proximity Detection.
DRM is not supported by the x64-based version of this SDK.
Quickstart: Enroll your Windows 10 device
In this quickstart, you'll first take the role of an Intune user and enroll your Windows 10 device into Microsoft Intune. Then, you'll return to Intune and confirm that the device enrolled.
Enrolling your devices into Microsoft Intune allows your Windows 10 devices to get access to your organization's secure data, including email, files, and other resources. This is true for both Windows 10 desktop and Windows 10 Mobile devices. Enrolling your devices helps secure this access for both you and your organization, and helps keep your work data separate from your personal data.
Find out what happens when you enroll your device in Intune and what that means for the information on your device.
Prerequisites
- Microsoft Intune subscription: sign up for a free trial account.
- To complete this quickstart, you must complete the steps to set up automatic enrollment in Intune.
Confirm your Windows 10 Desktop version
Before enrolling your Windows 10 Desktop, you must confirm the version of Windows that you have installed.
Right-click the Windows Start icon and select Settings to display the Windows Settings options.
Select System > About.
You can also type the phrase "About your PC" into the search bar, then select About your PC.
In the Settings window you will see a list of Windows specifications for your PC. Within this list, locate the Version.
Confirm that the Windows 10 version is 1607 or higher.
The steps presented in this quickstart are for Windows 10 version 1607 or higher; if your version is 1511 or lower, continue with these steps.
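The same version check, done from PowerShell on the device, as an added example that is not part of the Microsoft quickstart. It reads the ReleaseId value Windows writes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the 1607 minimum is the page's, the function name is mine.

```powershell
# Added example (not from the Microsoft quickstart): report the installed
# Windows 10 release and whether it meets the minimum the quickstart assumes.
function Test-EnrollmentReleaseVersion {
    param(
        # Minimum release the quickstart steps apply to (1607, per the page)
        [int]$MinimumRelease = 1607
    )
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId is a string such as "1607". It is absent before 1511 (cast gives 0,
    # which fails the check) and frozen at "2009" from 20H2 onward, where
    # DisplayVersion carries the name shown in Settings > About instead.
    $release = [int]$cv.ReleaseId

    [pscustomobject]@{
        ProductName    = $cv.ProductName
        ReleaseId      = $cv.ReleaseId
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        Supported      = ($release -ge $MinimumRelease)
    }
}

# Usage: run on the device you are about to enroll
Test-EnrollmentReleaseVersion | Format-List
```

If Supported is False, the device is on 1511 or earlier and the alternative steps the page links to apply instead of the ones below.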
Enroll Windows 10 Desktop
Return to Windows Settings and select Accounts.
Select Access work or school > Connect.
Sign in to Intune with your work or school account, and then select Next. If you followed the create a user and assign a license quickstart, you can sign in with the user account that you created.
If you set up a ".onmicrosoft.com" domain name, the user account will have .onmicrosoft.com as part of the account address.
You'll see a message indicating that your company or school is registering your device.
When you see the You're all set! screen, select Done. You're done.
You will now see the added account as part of the Access work or school settings on your Windows Desktop.
If you followed the previous steps, but still can't access your work or school email account and files, follow the steps in Troubleshoot Windows 10 device access.
Confirm your device enrollment in Intune
Sign in to the Microsoft Endpoint Manager admin center as a Global Administrator.
Select Devices > All devices to view the enrolled devices in Intune.
Verify that you have an additional device enrolled within Intune.
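The admin center view can be cross-checked from the device itself. As an added example (not from the quickstart), the block below parses the output of dsregcmd /status, which prints the device and user join state as "Key : Value" rows, and reports the flags that matter for an Access work or school connection. The function names and the abbreviated sample output are constructed for this example; AzureAdJoined, DomainJoined and WorkplaceJoined are field names dsregcmd prints.

```powershell
# Added example (not from the Microsoft quickstart). Parses dsregcmd /status
# into a hashtable so the join state can be evaluated in a script.
function ConvertFrom-DsregcmdStatus {
    param(
        # Lines of dsregcmd /status output; defaults to running the tool locally
        [string[]]$StatusText = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Data rows look like "   AzureAdJoined : YES". Section headers and
        # "+----+" separator lines contain no colon and are skipped.
        if ($line -match '^\s*([A-Za-z]\w*)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $state
}

function Test-WorkOrSchoolEnrollment {
    param([string[]]$StatusText)
    $s = if ($StatusText) { ConvertFrom-DsregcmdStatus -StatusText $StatusText }
         else             { ConvertFrom-DsregcmdStatus }
    [pscustomobject]@{
        AzureAdJoined   = $s['AzureAdJoined']    # Device State: device-level Azure AD join
        DomainJoined    = $s['DomainJoined']     # Device State: on-premises AD join
        WorkplaceJoined = $s['WorkplaceJoined']  # User State: account added via Access work or school
        # Either state means the device is known to the tenant
        Registered      = ($s['AzureAdJoined'] -eq 'YES' -or $s['WorkplaceJoined'] -eq 'YES')
    }
}

# Constructed sample (abbreviated, not captured from a real device)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : YES
'@
$sampleLines = $sample -split "`r?`n"

Test-WorkOrSchoolEnrollment -StatusText $sampleLines   # offline run on the sample
Test-WorkOrSchoolEnrollment                            # live run on this device
```

A device that shows Registered but does not appear under Devices > All devices is the case the troubleshooting link above covers: the account was connected, but MDM enrollment did not complete.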
Clean up resources
To unenroll your Windows device, see Remove your Windows device from management.
Next steps
In this quickstart, you learned how to enroll a Windows 10 device into Intune. You can learn about other ways to enroll devices across all platforms. For more information about using devices with Intune, see Use managed devices to get work done.
To follow this series of Intune quickstarts, continue to the next quickstart.
Configure a federation server with Device Registration Service
You can enable Device Registration Service (DRS) on your federation server after you complete the procedures in Step 4: Configure a Federation Server. The Device Registration Service provides an onboarding mechanism for seamless second factor authentication, persistent single sign-on (SSO), and conditional access to consumers that require access to company resources. For more information about DRS, see Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications.
Prepare your Active Directory forest to support devices
This is a one-time operation that you must run to prepare your Active Directory forest to support devices. You must be logged on with enterprise administrator permissions and your Active Directory forest must have the Windows Server 2012 R2 schema to complete this procedure.
Additionally, DRS requires that you have at least one global catalog server in your forest root domain. The global catalog server is required in order to run Initialize-ADDeviceRegistration and during AD FS authentication. AD FS initializes an in-memory representation of the DRS config object on each authentication request and if the DRS config object cannot be found on a DC in the current domain, the request is attempted against the GC on which the DRS objects were provisioned during Initialize-ADDeviceRegistration.
To prepare the Active Directory forest
On your federation server, open a Windows PowerShell command window and type:
When prompted for ServiceAccountName, enter the name of the service account you selected as the service account for AD FS. If it is a gMSA account, enter the account in the domain\accountname$ format. For a domain account, use the format domain\accountname.
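As an added example (not the page's own text), the forest preparation step in script form. It first checks the two prerequisites the page names, a Windows Server 2012 R2 schema and a global catalog in the forest root domain, and then runs Initialize-ADDeviceRegistration, the cmdlet the page refers to. The function name and the CONTOSO\adfssvc$ service account are placeholders; objectVersion 69 as the 2012 R2 schema level is my assumption, not stated on the page.

```powershell
# Added example (not from the Microsoft docs page). Run on a federation server
# as an enterprise administrator, as the page requires.
Import-Module ActiveDirectory

function Test-DrsForestPrerequisites {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE -Server $forest.RootDomain

    # objectVersion on the Schema container gives the schema level;
    # 69 is the Windows Server 2012 R2 schema (assumption for this example)
    $schema = Get-ADObject -Identity $rootDse.schemaNamingContext `
                           -Server $forest.RootDomain -Properties objectVersion

    # DRS needs at least one global catalog in the forest root domain
    $gcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } `
                                    -Server $forest.RootDomain)

    [pscustomobject]@{
        ForestRoot      = $forest.RootDomain
        SchemaVersion   = $schema.objectVersion
        SchemaIs2012R2  = ($schema.objectVersion -ge 69)
        RootDomainGCs   = $gcs.HostName
        HasRootDomainGC = ($gcs.Count -gt 0)
    }
}

$check = Test-DrsForestPrerequisites
$check | Format-List
if (-not ($check.SchemaIs2012R2 -and $check.HasRootDomainGC)) {
    throw 'Forest does not meet the DRS prerequisites; fix them before initializing DRS.'
}

# One-time forest preparation. The AD FS service account is passed explicitly
# instead of at the prompt: gMSA accounts use domain\name$, domain accounts
# use domain\name. CONTOSO\adfssvc$ is a placeholder.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfssvc$'
```

The global catalog check matters beyond the initialization itself: as the page explains, AD FS falls back to the GC on which the DRS objects were provisioned whenever the DRS configuration object is not found on a DC in the current domain, so a root domain without a GC breaks authentication, not just setup.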
Enable Device Registration Service on a federation server farm node
You must be logged on with domain administrator permissions to complete this procedure.
To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Repeat this step on each federation farm node in your AD FS farm.
Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices
- In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
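The two steps above, enabling DRS on every farm node and turning on device authentication, as one added PowerShell example that is not the page's own procedure. Enable-AdfsDeviceRegistration is the cmdlet that enables DRS on the node it runs on; Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled is the scripted equivalent of the Enable Device Authentication check box in the AD FS Management console. The node names are placeholders, and running the per-node command through Invoke-Command assumes PowerShell remoting is enabled between the nodes.

```powershell
# Added example (not from the Microsoft docs page). Run as a domain administrator,
# as the page requires for enabling DRS.
$farmNodes = @('adfs01.contoso.com', 'adfs02.contoso.com')   # placeholders

foreach ($node in $farmNodes) {
    # The cmdlet acts on the local node only, so it is repeated on each node
    Invoke-Command -ComputerName $node -ScriptBlock {
        Enable-AdfsDeviceRegistration
        # Read the resulting DRS settings back for the record
        "DRS on $env:COMPUTERNAME"
        Get-AdfsDeviceRegistration | Format-List
    }
}

# Seamless second factor, persistent SSO and conditional access for Workplace
# Joined devices depend on device authentication being part of the global
# primary authentication policy. Farm-wide setting, so run once.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Verify the policy now carries the setting
Get-AdfsGlobalAuthenticationPolicy | Select-Object -Property DeviceAuthenticationEnabled
```

Enable-AdfsDeviceRegistration reads the objects that Initialize-ADDeviceRegistration created in the forest, so it fails on every node if the forest preparation step was skipped.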
Update the Web Application Proxy configuration
You do not need to publish the Device Registration Service to the Web Application Proxy. The Device Registration Service will be available through the Web Application Proxy once it is enabled on a federation server. You may need to complete this procedure to update the Web Application Proxy configuration if it was deployed prior to enabling the Device Registration Service.
To update the Web Application Proxy Configuration
On your Web Application Proxy server, open a Windows PowerShell command window and type
When prompted for credentials, enter the credentials of an account that has administrative rights to your federation servers.
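The Web Application Proxy update as an added example, not the page's own text. Update-WebApplicationProxyDeviceRegistration is the cmdlet this step refers to; it prompts for the federation server credentials the page describes. The follow-up request against the DRS discovery endpoint is my own check, and adfs.contoso.com is a placeholder federation service name.

```powershell
# Added example (not from the Microsoft docs page). Run in an elevated
# PowerShell window on the Web Application Proxy server.
$federationServiceName = 'adfs.contoso.com'   # placeholder

# Re-reads the DRS settings from the federation service into this proxy.
# Prompts for an account with administrative rights on the federation servers.
Update-WebApplicationProxyDeviceRegistration

# Sanity check: the DRS discovery contract that clients fetch during Workplace
# Join should now answer through the proxy's published name.
$uri = "https://$federationServiceName/EnrollmentServer/contract?api-version=1.0"
try {
    $response = Invoke-WebRequest -Uri $uri -Method Get -UseBasicParsing
    "DRS contract reachable through the proxy: HTTP $($response.StatusCode)"
}
catch {
    "DRS contract not reachable through the proxy: $($_.Exception.Message)"
}
```

A failure here after the update usually points at the proxy's copy of the federation service trust or at DNS for the enterpriseregistration name rather than at DRS itself, since nothing needs to be published separately for the proxy to forward DRS traffic.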