Windows Desktop and Tablet

To manage Windows 10 Desktop and Tablet devices in Endpoint Management, you must configure the Citrix AutoDiscovery Service. See Prepare to enroll devices and deliver resources.

Endpoint Management enrolls Windows 10 Desktop and Tablet devices into MDM mode. Endpoint Management supports the following authentication types for Windows Desktop and Tablet devices in MDM+MAM mode. For information, see the articles in the section, Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

A general workflow for starting Windows 10 Desktop and Tablet device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure Windows Desktop and Tablet device policies.

  4. Enroll Windows Desktop and Tablet devices by using Azure Active Directory.

  5. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Windows Desktop and Tablet devices:

Method                              Supported
Azure Active Directory enrollment   Yes
Windows bulk enrollment             Yes
Manual enrollment                   Yes
Enrollment invitations              No

Azure enrollment

Devices running Windows 10 Enterprise can enroll with Azure as a federated means of Active Directory authentication. This setup requires an Azure Active Directory Premium subscription.

You can join Windows 10 devices to Microsoft Azure AD in any of the following ways:

  • Enroll in MDM as part of Azure AD Join setup the first time the device is powered on.
  • Enroll in MDM as part of Azure AD Join from the Windows Settings page after configuring the device.
  • Enroll in MDM as part of Azure AD Join when you add a work account on a personal device.

Before Windows device users can enroll by using Azure, you must configure the Microsoft Azure server settings in Endpoint Management. For details, see Single sign in with Azure Active Directory.

For Windows devices that you enroll with Azure, you can use Windows AutoPilot to set up and pre-configure the devices. See Use Windows AutoPilot to set up and configure devices.

Windows bulk enrollment

With Windows bulk enrollment, you can set up many devices for an MDM server to manage without the need to reimage devices. You use a provisioning package for bulk enrollment for Windows 10 Desktop and Laptop devices. For information, see Bulk enrollment of Windows devices.

Device management when integrated with Workspace Environment Management

With Workspace Environment Management (WEM) alone, MDM deployments aren’t possible. With Endpoint Management alone, you’re limited to managing Windows 10 devices. By integrating the two, WEM has access to MDM features and you can manage a wider spectrum of Windows operating systems through Endpoint Management. That management takes the form of configuring Windows GPOs. Currently, administrators import an ADMX file to Citrix Endpoint Management and push it to Windows 10 desktops and tablets to configure specific applications. Using the Windows GPO Configuration device policy, you can configure GPOs and push changes to the WEM service. The WEM Agent then applies the GPOs to devices and their apps.

MDM management isn’t a requirement for WEM integration. Any device that WEM supports can have GPO configurations pushed to it, even if Endpoint Management doesn’t support that device natively.

For a list of the devices supported, see Operating System requirements.

Devices that receive the Windows GPO Configuration device policy run in a new Endpoint Management mode called WEM. In the Manage > Devices list of enrolled devices, the Mode column for WEM-managed devices lists WEM.

For more information, see Windows GPO Configuration device policy.

Configure Windows Desktop and Tablet device policies

Use these policies to configure how Endpoint Management interacts with desktop and tablet devices running Windows 10. This table lists all device policies available for Windows desktop and tablet devices.

  • App Configuration
  • App Inventory
  • App Lock
  • App Uninstall
  • Application Guard
  • BitLocker
  • Control OS Update
  • Credentials
  • Custom XML
  • Defender
  • Device Guard
  • Device Health Attestation
  • Exchange
  • Firewall
  • Kiosk
  • Office
  • Passcode
  • Restrictions
  • Store
  • Terms and Conditions
  • VPN
  • Webclip
  • WiFi
  • Windows Agent
  • Windows Hello for Business
  • Windows GPO configuration
  • Windows Information Protection

Enroll Windows desktop and tablet devices by using Azure Active Directory

  1. Sign on to a Windows Enterprise edition computer. Open Settings > Accounts > Access work or school and then click Connect.

  2. From Set up a work or school account, under Alternative actions, click Join this device to Azure Active Directory.

  3. Provide your Azure Active Directory credentials and then click Sign in.

  4. Accept the Terms and Conditions set by your organization.

  5. Click Join to proceed with the enrollment process.

  6. Click Done to complete the enrollment process.

Enroll Windows devices by using the AutoDiscovery service

Note:

For Windows devices to enroll, the SSL listener certificate must be a public certificate. Enrollment fails for self-signed SSL certificates.

  1. On the device, check for and install all available Windows Updates.

  2. In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school.

  3. Enter your corporate email address and then tap Continue.

    To enroll as a local user, enter a nonexistent email address with the correct domain name (for example, foo@mydomain.com). That step lets you bypass a known Microsoft limitation in which the built-in Device Management on Windows performs the enrollment itself. In the Connecting to a service dialog box, enter the user name and password associated with the local user. The device then discovers an Endpoint Management server and starts the enrollment process.

  4. Enter your password. Use the password associated with an account that is part of a user group in Endpoint Management.

  5. In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.

To enroll Windows devices without self-discovery (for test environments only)

A best practice for production deployments is to enroll Windows devices by using the AutoDiscovery service. Citrix recommends enrolling Windows devices without self-discovery only in test environments and proof of concept deployments. Enrollment without the AutoDiscovery service results in a call to port 80 when connecting.

  1. On the device, check for and install all available Windows Updates.

  2. In the charms menu, tap Settings and then tap Accounts > Access work or school > Connect to work or school.

  3. Enter your corporate email address.

  4. In the Enter server address field, type the address:

    • For commercial: https://url.cm.cloud.com:8443/zdm/wpe
    • For government: https://url.cem.cloud.us:8443/zdm/wpe

    If a port other than 8443 is used for unauthenticated SSL connections, use that port number in place of 8443 in this address.

  5. Type your password.

  6. In the Terms of use dialog box, indicate that you agree to have your device managed and then tap Accept.
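Because enrollment fails against a self-signed SSL listener certificate, and because a listener port other than 8443 may be in use, the following check is useful before attempting enrollment. It is an added example and not part of the Citrix documentation; the server name and port are placeholders for your own environment.

```powershell
# Added example (not from the Citrix docs). Connects to the Endpoint Management SSL listener,
# retrieves the certificate it presents, and reports whether it is self-signed and whether
# Windows can build a trusted chain for it. $Server and $Port are placeholders.
function Test-EnrollmentListenerCert {
    param(
        [Parameter(Mandatory)] [string] $Server,   # e.g. url.cm.cloud.com (placeholder)
        [int] $Port = 8443                          # use your listener port if it is not 8443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate during the handshake; it is inspected explicitly below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    # Build the chain against the local trust store (revocation skipped for a quick check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        # A self-signed leaf certificate has an issuer equal to its subject; such a listener
        # certificate causes Windows enrollment to fail.
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted = $trusted
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Placeholder values; replace with your enrollment host and listener port.
Test-EnrollmentListenerCert -Server 'url.cm.cloud.com' -Port 8443
```

If SelfSigned is True or ChainTrusted is False, replace the listener certificate with one issued by a public CA before retrying enrollment.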

Security actions

Windows 10 Desktops and Tablets support the following security actions. For a description of each security action, see Security actions.

  • Locate
  • Lock
  • Reboot
  • Revoke
  • Selective Wipe
  • Wipe

BitLocker recovery key

Encrypting disks using BitLocker is a useful security feature, but unlocking devices can be a challenge if the user loses their BitLocker recovery key. Endpoint Management can now automatically and securely save BitLocker recovery keys for users. Users can find their BitLocker recovery key on the Self-Help Portal. To enable and find the BitLocker recovery key:

  1. In the Endpoint Management console, navigate to Settings > Server Properties.
  2. Search for shp and enable the shp.console.enable feature. Ensure that enable.new.shp remains disabled. For more information on enabling the Self-Help Portal, see Configure Enrollment Modes.
  3. Navigate to Configure > Device policies. Find your BitLocker policy or create one and enable the BitLocker Recovery backup to Endpoint Management setting.

When unlocking their device, end users see a message asking them to enter their key. The message displays the Recovery key ID as well.

BitLocker recovery message

To find their BitLocker recovery key, users navigate to the Self-Help Portal.

  1. Under the General details, see the BitLocker Recovery Data.
    • Recovery key ID: The identifier for the BitLocker recovery key used to encrypt the disk. This ID must match the key ID given in the previous message.
    • Recovery key: The key the user must enter to unlock their disk. Enter this key at the unlock prompt.
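To confirm locally that the OS drive actually has a recovery password protector for Endpoint Management to back up, and to match the Recovery key ID shown at the unlock prompt to the entry on the Self-Help Portal, an administrator can run the following check. It is an added example and not part of the Citrix documentation; it uses the built-in BitLocker PowerShell module and assumes the prompt shows the leading characters of the key protector ID.

```powershell
# Added example (not from the Citrix docs). Summarises the recovery password protectors on a
# volume and matches a Recovery key ID copied from the unlock prompt against them.
function Get-BitLockerRecoverySummary {
    param([string] $MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only RecoveryPassword protectors have a 48-digit key that the Self-Help Portal can show.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        ProtectionStatus     = $vol.ProtectionStatus
        VolumeStatus         = $vol.VolumeStatus
        RecoveryKeyIds       = @($recovery | ForEach-Object { $_.KeyProtectorId })
        HasRecoveryProtector = ($recovery.Count -gt 0)   # False means nothing to back up
    }
}

function Find-BitLockerProtectorByPromptId {
    param(
        [Parameter(Mandatory)] [string] $PromptId,     # ID shown on the BitLocker recovery screen
        [string] $MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Normalise both sides: drop braces and dashes, compare as an uppercase prefix, since the
    # prompt shows only the beginning of the full protector GUID (assumption).
    $needle = ($PromptId -replace '[{}-]', '').ToUpperInvariant()
    $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and
        (($_.KeyProtectorId -replace '[{}-]', '').ToUpperInvariant()).StartsWith($needle)
    } | Select-Object KeyProtectorId, KeyProtectorType
}

Get-BitLockerRecoverySummary
# Placeholder ID; replace with the Recovery key ID displayed at the unlock prompt.
Find-BitLockerProtectorByPromptId -PromptId 'XXXXXXXX'
```

Run this from an elevated PowerShell session; if HasRecoveryProtector is False, add a recovery password protector before relying on the Endpoint Management backup.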

For more information about the BitLocker device policy, see BitLocker device policy.