mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
update admx link
This commit is contained in:
Aaron Czechowski
@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
|
||||
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
|
||||
- The enterprise has configured a Mobile Device Management (MDM) service.
|
||||
- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
|
||||
- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
|
||||
- Service connection point (SCP) configuration. For more information, see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
|
||||
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
|
||||
- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
|
||||
|
||||
@ -36,7 +36,7 @@ The autoenrollment relies on the presence of an MDM service and the Microsoft En
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
|
||||
|
||||
When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
||||
When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multifactor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
|
||||
|
||||
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
|
||||
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
|
||||
@ -52,20 +52,13 @@ To configure autoenrollment using a group policy, use the following steps:
|
||||
1. Link the GPO.
|
||||
1. Filter using Security Groups.
|
||||
|
||||
If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
|
||||
If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
|
||||
|
||||
1. Download the administrative templates for the desired version:
|
||||
|
||||
- [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
|
||||
- [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
|
||||
- [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
|
||||
- [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
|
||||
- [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
|
||||
- [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
|
||||
- [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
|
||||
- [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
|
||||
- [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
|
||||
- [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
|
||||
- [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667)
|
||||
- [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593)
|
||||
- [Windows 10, version 22H2](https://www.microsoft.com/download/details.aspx?id=104677)
|
||||
|
||||
1. Install the package on the Domain Controller.
|
||||
|
||||
@ -96,9 +89,9 @@ This procedure is only for illustration purposes to show how the new autoenrollm
|
||||
>
|
||||
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
|
||||
|
||||
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
|
||||
When a group policy refresh occurs on the client, a task is created and scheduled to run every five minutes for one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
|
||||
|
||||
If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
|
||||
If two-factor authentication is required, you're prompted to complete the process. Here's an example screenshot.
|
||||
|
||||
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
|
||||
|
||||
@ -124,10 +117,10 @@ In **Task Scheduler Library**, open **Microsoft > Windows** , then select **Ente
|
||||
|
||||
To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
|
||||
|
||||
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
|
||||
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`), which can be caused by enabling the **Disable MDM Enrollment** policy.
|
||||
|
||||
> [!NOTE]
|
||||
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
|
||||
> The GPEdit console doesn't reflect the status of policies set by your organization on your device. It's only used by the user to set policies.
|
||||
|
||||
## Related articles
|
||||
|
||||
|
||||
@ -11,22 +11,22 @@ ms.localizationpriority: medium
|
||||
appliesto:
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
|
||||
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
|
||||
ms.date: 12/31/2017
|
||||
ms.date: 10/31/2023
|
||||
---
|
||||
|
||||
# Evaluate infrastructure and tools
|
||||
|
||||
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
|
||||
Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
|
||||
|
||||
## Infrastructure
|
||||
|
||||
Do your deployment tools need updates?
|
||||
|
||||
- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
|
||||
- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
|
||||
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
|
||||
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
|
||||
|
||||
Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
|
||||
Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
|
||||
|
||||
## Device settings
|
||||
|
||||
@ -36,25 +36,25 @@ Make sure your security baseline, administrative templates, and policies have th
|
||||
|
||||
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
|
||||
|
||||
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
|
||||
- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
|
||||
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
|
||||
- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
|
||||
|
||||
### Configuration updates
|
||||
|
||||
There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
|
||||
There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
|
||||
|
||||
- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
|
||||
- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
|
||||
- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
|
||||
|
||||
- **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
|
||||
|
||||
## Define operational readiness criteria
|
||||
|
||||
When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
|
||||
When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
|
||||
|
||||
- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
|
||||
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
|
||||
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
|
||||
- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
|
||||
- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
|
||||
|
||||
Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
|
||||
|
||||
@ -62,9 +62,9 @@ Your operations and support staff can help you determine if the appropriate info
|
||||
|
||||
Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
|
||||
|
||||
- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
|
||||
- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
|
||||
- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
|
||||
- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
|
||||
- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
|
||||
- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
|
||||
- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
|
||||
- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
|
||||
- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
|
||||
- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
|
||||
|
||||
Reference in New Issue
Block a user