This week a new challenge for a new blog post, managing Windows 10 IoT Core devices. The nice thing about Windows 10, even Windows 10 IoT Core, is the availability of MDM. The availability of MDM is what will help me with managing Windows 10 IoT Core devices. In this post I’ll go through the steps to create an enrollment profile to enroll Windows 10 IoT Core devices in Microsoft Intune hybrid. I’ll end this post with an overview of the end result in Configuration Manager
Configuration
Let’s start by looking at the configuration in Configuration Manager. To create an enrollment profile, for Windows 10 IoT Core devices, it’s required to provide a certificate profile and it’s optionally to provide a Wi-Fi profile.
Create certificate profile
The required component of the enrollment profile is, as mentioned before, a certificate profile. The certificate profile is used to automatically provision a trusted root certificate to the enrolled device. As part of preparing for the certificate profile, export a root certificate.
(Optional) Create Wi-Fi profile
The optional component of the enrollment profile is, as mentioned before, a Wi-Fi profile. In some scenarios this might be a required component, but it’s not required for the creation of an enrollment profile. Including a Wi-Fi profile in the enrollment profile can be useful when the Windows 10 IoT Core device needs the Wi-Fi profile for connecting with the Internet.
Create enrollment profile
After creating the required and optional components for the enrollment profile, it’s time to create the enrollment profile. The enrollment profile specifies settings that are required for the Windows 10 IoT Core device enrollment, including a certificate profile that will dynamically provision a trusted root certificate to the device and a Wi-Fi profile that will provision network settings if required.
Enrollment
After creating the enrollment profile and its required components, it’s time to look at delivering the enrollment profile to the Windows 10 IoT Core device. A Windows 10 IoT Core device doesn’t have the full-blown Windows 10 capabilities to perform a MDM enrollment. However, that doesn’t mean that they’re not capable. That’s were the enrollment package comes into the picture.
Export enrollment package
The first step in bringing the enrollment profile to the Windows 10 IoT Core device, is exporting the enrollment profile as an enrollment package.
1 | Open the Configuration Manager administration console and navigate to Assets and Compliance > All Corporate-owned Devices > Windows > Enrollment Profile; |
2 | Select the earlier created enrollment profile and on the Home tab, in the Enrollment Profile group, click Export to open the Export Enrollment Package dialog box; |
3 |
On the Export Enrollment Package dialog box, provide the following information and click Export; |
4 | On the Export Enrollment Package dialog box, click OK; |
Deploy enrollment package
The second step in bringing the enrollment profile to the Windows 10 IoT Core device, is copying the exported enrollment package to the Windows 10 IoT Core device. An alternative could be adding the enrollment package as a provisioning package to a Windows 10 IoT Core image.
1 | Open File Explorer and remotely connect to the Windows 10 IoT Core device; |
2 | Copy the earlier created enrollment package to C:\Windows\Provisioning\Package; |
3 | Restart the Windows 10 IoT Core device. |
End result
Now let’s end this post by looking at some of the information that will flow through the MDM channel into Configuration Manager. After restarting the Windows 10 IoT Core device it can take a couple of minutes before the device appears in Configuration Manager. The Windows 10 IoT Core device will show as a mobile device with the operating system IoTUAP (as shown below).
After the first inventory of the Windows 10 IoT Core device, the information of the deivce will populate in the Resource Explorer. In my case, I used a Raspberry Pi 3 (as shown below on the left) and I installed a custom app (as shown below on the right).
The nice thing is that, as Windows 10 MDM is used in combination with Configuration Manager, I can extend the inventory (see the PTCLOUD entry above) and I can configure settings. For this I can use the available configuration service providers (CSP).
More information
For more about managing Windows 10 IoT Core devices and enrollment profiles (documentation for on-premises MDM), please refer to:
- Managing Windows 10 IoT Core Devices: https://developer.microsoft.com/en-us/windows/iot/docs/management
- How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager: https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm
- Create certificate profiles: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles
- Create Wi-Fi profiles: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-wifi-profiles
- Configuration service provider reference: https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference
Discover more from All about Microsoft Intune
Subscribe to get the latest posts sent to your email.
Peter, thank you for such a thorough and detailed guide. We don’t manage any IoT devices yet, but it is coming and we need a plan how to manage and support them.
I have two questions:
1. Do copying the provisioning package to “C:\Windows\Provisioning\Package” and restarting the device result in a silent installation of the package?
2. This might call for another blogpost of yours, but how would you silently deploy the provisioning package to IoT devices already running Windows 10 Core IoT delivered with both software and image from the manufacturer?
Hi Anders,
1. Yes, that will result in a silent installation.
2. There isn’t a pretty method for that yet. You can look at automating the activities by using PowerShell.
Regards,
Peter
How to uninstall the package which is already installed ?
Haven’t tried to uninstall the package, yet, but I can imagine that you can simply “wipe” the device from the console.
We have just had delivered 75 “Skype Meeting Room Systems”. These are logitech devices that run Win10 IoT on a Surface Pro 4.
We were thinking we could manage these just like a Win10 pro/enterprise laptop but are you saying that is not the case and we have to use MDM?
That makes me wonder if we should just use Intune instead?
Hi Thom,
I’m not saying that you have to use MDM for managing Windows 10 IoT. I’m just showing MDM as a method to manage specific settings on Windows 10 IoT.
Regards, Peter