Windows Desktop and Tablet

Note:

If you use Microsoft Intune/EMS, this article doesn’t apply to your setup. See Citrix Endpoint Management integration with Microsoft Intune/EMS.

To manage Windows 10 Desktop and Tablet devices in Endpoint Management, you must configure the Citrix AutoDiscovery Service. See Prepare to enroll devices and deliver resources.

Endpoint Management enrolls Windows 10 Desktop and Tablet devices into MDM mode. Endpoint Management supports the following authentication types for Windows Desktop and Tablet devices in MDM+MAM mode. For information, see the articles in the section Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

A general workflow for starting Windows 10 Desktop and Tablet device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Windows Desktop and Tablet device policies.

  4. Enroll Windows Desktop and Tablet devices by using Azure Active Directory.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Windows Desktop and Tablet devices:

Method                             Supported
Azure Active Directory enrollment  Yes
Windows bulk enrollment            Yes
Manual enrollment                  Yes
Enrollment invitations             No

Azure enrollment

Devices running Windows 10 Enterprise can enroll with Azure as a federated means of Active Directory authentication. This setup requires an Azure Active Directory Premium subscription.

You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:

  • Enroll in MDM as part of Azure AD Join setup the first time the device is powered on.
  • Enroll in MDM as part of Azure AD Join from the Windows Settings page after configuring the device.
  • Enroll in MDM as part of Azure AD Join when you add a work account on a personal device.

Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in Endpoint Management. For details, see Single sign in with Azure Active Directory.

For Windows devices that you enroll with Azure, you can use Windows AutoPilot to set up and pre-configure the devices. See Use Windows AutoPilot to set up and configure devices.

Windows bulk enrollment

With Windows bulk enrollment, you can set up many devices for an MDM server to manage without the need to reimage devices. You use a provisioning package for bulk enrollment for Windows 10 Desktop and Laptop devices. For information, see Bulk enrollment of Windows devices.

Configure Windows Desktop and Tablet device policies

Use these policies to configure how Endpoint Management interacts with desktop and tablet devices running Windows 10. The following device policies are available for Windows Desktop and Tablet devices:

  • App Configuration
  • App Inventory
  • App Lock
  • App Uninstall
  • Application Guard
  • BitLocker
  • Control OS Update
  • Credentials
  • Custom XML
  • Defender
  • Device Guard
  • Device Health Attestation
  • Exchange
  • Firewall
  • Kiosk
  • Office
  • Passcode
  • Restrictions
  • Store
  • Terms and Conditions
  • VPN
  • Webclip
  • WiFi
  • Windows Hello for Business
  • Windows Information Protection

Enroll Windows Desktop and Tablet devices by using Azure Active Directory

  1. Sign on to a Windows Enterprise edition computer. Open Settings > Accounts > Access work or school and then click Connect.

  2. From Set up a work or school account, under Alternative actions, click Join this device to Azure Active Directory.

  3. Provide your Azure Active Directory credentials and then click Sign in.

  4. Accept the Terms and Conditions set by your organization.

  5. Click Join to proceed with the enrollment process.

  6. Click Done to complete the enrollment process.

Enroll Windows devices by using the AutoDiscovery Service

Note:

For Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails for self-signed SSL certificates.

  1. On the device, check for and install all available Windows Updates.

  2. In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school.

  3. Enter your corporate email address and then tap Continue.

    To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). Using a nonexistent email address works around a known Microsoft limitation in which the built-in Device Management on Windows performs the enrollment. In the Connecting to a service dialog box, enter the user name and password associated with the local user. The device automatically discovers an Endpoint Management server and starts the enrollment process.

  4. Enter your password. Use the password associated with an account that is part of a user group in Endpoint Management.

  5. In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.

To enroll Windows devices without self-discovery (for test environments only)

A best practice for production deployments is to enroll Windows devices by using the AutoDiscovery Service. Citrix recommends enrolling Windows devices without self-discovery only in test environments and proof of concept deployments. Enrollment without the AutoDiscovery Service results in a call to port 80 when connecting.

  1. On the device, check for and install all available Windows Updates.

  2. In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school.

  3. Enter your corporate email address.

  4. In the Enter server address field, type the address: https://serverfqdn:8443/serverInstance/wpe.

    If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.

  5. Type your password.

  6. In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.
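As an added check that is not part of the Citrix documentation, the following PowerShell snippet connects to the Endpoint Management SSL listener named in the enrollment address above and reports whether its certificate is self-signed or fails to chain to a trusted root, which is the condition the note above says makes Windows enrollment fail. The server name serverfqdn and port 8443 are placeholders taken from that address, and the function name is an assumption.

```powershell
# Added example, not Citrix code: inspect the certificate presented by the
# Endpoint Management SSL listener before enrolling Windows devices.
# Assumptions: "serverfqdn" is a placeholder for your server; 8443 is the
# listener port from the enrollment address; the function name is ours.
function Test-EmListenerCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int]$Port = 8443
    )

    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept any certificate during the handshake so that it can be inspected;
        # trust is evaluated explicitly below with X509Chain, not here.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }

    # Build the chain against this machine's trust store. A certificate from a
    # private CA passes here on a domain-joined machine, so also review Issuer.
    $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainsToTrustedRoot = $x509Chain.Build($cert)

    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        SelfSigned          = ($cert.Subject -eq $cert.Issuer)
        ChainsToTrustedRoot = $chainsToTrustedRoot
        ChainStatus         = ($x509Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage: replace serverfqdn with your Endpoint Management server.
$result = Test-EmListenerCertificate -Fqdn 'serverfqdn' -Port 8443
$result | Format-List
if ($result.SelfSigned -or -not $result.ChainsToTrustedRoot) {
    Write-Warning 'Listener certificate is self-signed or untrusted; Windows enrollment will fail.'
}
```

Run it from a machine that does not trust your internal CA to get the same answer a freshly provisioned device would, since the chain result depends on the local trust store.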

Security actions

Windows 10 Desktops and Tablets support the following security actions. For a description of each security action, see Security actions.

  • Locate
  • Lock
  • Reboot
  • Revoke
  • Selective Wipe