Managing Windows 10 IoT Core devices via MDM

This week brings a new challenge for a new blog post: managing Windows 10 IoT Core devices. The nice thing about Windows 10, even Windows 10 IoT Core, is the availability of MDM, and that is what will help me manage Windows 10 IoT Core devices. In this post I’ll go through the steps to create an enrollment profile to enroll Windows 10 IoT Core devices in Microsoft Intune hybrid. I’ll end this post with an overview of the end result in Configuration Manager.

Configuration

Let’s start by looking at the configuration in Configuration Manager. To create an enrollment profile for Windows 10 IoT Core devices, a certificate profile is required and a Wi-Fi profile is optional.

Create certificate profile

The required component of the enrollment profile is, as mentioned before, a certificate profile. The certificate profile is used to automatically provision a trusted root certificate to the enrolled device. As part of preparing for the certificate profile, export a root certificate.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Compliance Settings > Company Resources > Certificate Profiles;
2 On the Home tab, in the Create group, click Create Certificate Profile to open the Create Certificate Profile Wizard;
3 On the General page, provide the following information and click Next;

  • Name: Provide a unique name for the certificate profile (max. 256 characters);
  • Description: (Optional) Provide a description about the certificate profile;
  • Select Trusted CA certificate.
4 On the Trusted CA Certificate page, provide the following information and click Next;

  • Browse to and select the Certificate file;
  • Select Computer certificate store – Root;
  • Certificate thumbprint will automatically populate.
5 On the Supported Platforms page, select Windows 10 and click Next;

Note: Windows 10 IoT Core doesn’t have its own platform option, which means that the generic Windows 10 option should be used. That makes the profile applicable to all Windows 10 devices.

6 On the Summary page, click Next;
7 On the Completion page, click Close.
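
Before browsing to the exported file in step 4, it is worth confirming that it really is a CA root certificate and noting its thumbprint, so it can be compared with the value the wizard populates. The PowerShell below is an added example, not part of the original post or of Configuration Manager; the function name, the 30-day threshold and the throwaway sample certificate are assumptions made for illustration.

```powershell
# Added example: Test-RootCertificateFile is a hypothetical helper, not a
# Configuration Manager cmdlet. It inspects an exported .cer file.
function Test-RootCertificateFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinDaysRemaining = 30   # assumed threshold; set per policy
    )
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # A root certificate is self-issued: subject and issuer names match.
    $selfIssued = $cert.SubjectName.Name -eq $cert.IssuerName.Name

    # The Basic Constraints extension must mark the certificate as a CA.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    $now      = Get-Date
    $valid    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint   # SHA-1; compare with the wizard
        SelfIssued    = $selfIssued
        IsCA          = $isCa
        DaysRemaining = $daysLeft
        Usable        = $selfIssued -and $isCa -and $valid -and
                        ($daysLeft -ge $MinDaysRemaining)
    }
}

# Constructed sample: a throwaway self-signed CA certificate exported as .cer.
$sample = New-SelfSignedCertificate -Subject 'CN=Example Lab Root CA' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsage CertSign, CRLSign `
    -TextExtension '2.5.29.19={text}CA=true' -NotAfter (Get-Date).AddYears(1)
$cer = Join-Path $env:TEMP 'example-root.cer'
Export-Certificate -Cert $sample -FilePath $cer | Out-Null

Test-RootCertificateFile -Path $cer   # inspect before browsing to the file

# Remove the sample certificate and file again.
Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($sample.Thumbprint)", $cer
```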

(Optional) Create Wi-Fi profile

The optional component of the enrollment profile is, as mentioned before, a Wi-Fi profile. In some scenarios this might be a required component, but it’s not required for the creation of an enrollment profile. Including a Wi-Fi profile in the enrollment profile can be useful when the Windows 10 IoT Core device needs the Wi-Fi profile for connecting with the Internet.

Create enrollment profile

After creating the required and optional components for the enrollment profile, it’s time to create the enrollment profile. The enrollment profile specifies settings that are required for the Windows 10 IoT Core device enrollment, including a certificate profile that will dynamically provision a trusted root certificate to the device and a Wi-Fi profile that will provision network settings if required.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > All Corporate-owned Devices > Windows > Enrollment Profile;
2 On the Home tab, in the Create group, click Create Enrollment Profile to open the Create Enrollment Profile wizard;
3 On the General page, provide the following information and click Next;

  • Name: Provide a unique name for the enrollment profile (max. 256 characters);
  • Description: (Optional) Provide a description about the enrollment profile;
  • Select as management authority Cloud.
4 On the Select Trusted Root Certificate page, select the earlier created certificate profile and click Next;

5 On the Wi-Fi profiles page, optionally select the earlier created Wi-Fi profile and click Next;
6 On the Summary page, click Next;
7 On the Completion page, click Close.

Enrollment

After creating the enrollment profile and its required components, it’s time to look at delivering the enrollment profile to the Windows 10 IoT Core device. A Windows 10 IoT Core device doesn’t have the full-blown Windows 10 capabilities to perform an MDM enrollment. However, that doesn’t mean that it’s not capable. That’s where the enrollment package comes into the picture.

Export enrollment package

The first step in bringing the enrollment profile to the Windows 10 IoT Core device, is exporting the enrollment profile as an enrollment package.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > All Corporate-owned Devices > Windows > Enrollment Profile;
2 Select the earlier created enrollment profile and on the Home tab, in the Enrollment Profile group, click Export to open the Export Enrollment Package dialog box;
3 On the Export Enrollment Package dialog box, provide the following information and click Export;

  • Validity Period (days): Select the number of days that this package is valid;
  • Package File: Provide a unique name for the enrollment package;
  • Do not select the checkbox with Encrypt Package.
4 On the Export Enrollment Package dialog box, click OK.

Deploy enrollment package

The second step in bringing the enrollment profile to the Windows 10 IoT Core device, is copying the exported enrollment package to the Windows 10 IoT Core device. An alternative could be adding the enrollment package as a provisioning package to a Windows 10 IoT Core image.

1 Open File Explorer and remotely connect to the Windows 10 IoT Core device;
2 Copy the earlier created enrollment package to C:\Windows\Provisioning\Package;
3 Restart the Windows 10 IoT Core device.

End result

Now let’s end this post by looking at some of the information that will flow through the MDM channel into Configuration Manager. After restarting the Windows 10 IoT Core device it can take a couple of minutes before the device appears in Configuration Manager. The Windows 10 IoT Core device will show as a mobile device with the operating system IoTUAP (as shown below).

[Screenshot: ConsoleOverview]

After the first inventory of the Windows 10 IoT Core device, the information about the device will populate in the Resource Explorer. In my case, I used a Raspberry Pi 3 (as shown below on the left) and I installed a custom app (as shown below on the right).

[Screenshots: RBP_DeviceInformation (left), RBP_InstalledApps (right)]

The nice thing is that, as Windows 10 MDM is used in combination with Configuration Manager, I can extend the inventory (see the PTCLOUD entry above) and I can configure settings. For this I can use the available configuration service providers (CSP).

More information

For more about managing Windows 10 IoT Core devices and enrollment profiles (documentation for on-premises MDM), please refer to:

6 thoughts on “Managing Windows 10 IoT Core devices via MDM”

  1. Peter, thank you for such a thorough and detailed guide. We don’t manage any IoT devices yet, but it is coming and we need a plan how to manage and support them.

    I have two questions:
    1. Do copying the provisioning package to “C:\Windows\Provisioning\Package” and restarting the device result in a silent installation of the package?

    2. This might call for another blogpost of yours, but how would you silently deploy the provisioning package to IoT devices already running Windows 10 Core IoT delivered with both software and image from the manufacturer?

  2. We have just had delivered 75 “Skype Meeting Room Systems”. These are Logitech devices that run Win10 IoT on a Surface Pro 4.

    We were thinking we could manage these just like a Win10 pro/enterprise laptop but are you saying that is not the case and we have to use MDM?

    That makes me wonder if we should just use Intune instead?
