From 93a34f80f4fb7727ae94f957dca4581aa87f7e0d Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Fri, 4 Oct 2019 19:47:30 +0100 Subject: [PATCH 01/24] GPO Names and Behaviour Has Changed "Enable automatic MDM enrollment using default Azure AD credentials" is the GPO name and it has two sub options. Not sure if Device Certificate is working at the moment, but the pictures are wrong, but User Certificate is working and so the docs should at least say to use that for now --- ...-device-automatically-using-group-policy.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index ad48fe1e75..d0f4e9527f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -106,7 +106,7 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Auto MDM Enrollment with AAD Token**. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to Use. User Credential enrolls Windows 10 1709 and later once an Intune licenced user logs into the device. Device Credential will enroll the device and then assign a user later once support for this is available. ![MDM autoenrollment policy](images/autoenrollment-policy.png) @@ -153,18 +153,16 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. -> [!IMPORTANT] -> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: +>[!IMPORTANT] +>If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: > 1. Download: > 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or -> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or -> 1903 --> [Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) +> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). > 2. Install the package on the Primary Domain Controller (PDC). > 3. Navigate, depending on the version to the folder: -> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or -> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** or -> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** . +> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or +> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** +> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. > 5. Restart the Primary Domain Controller for the policy to be available. > This procedure will work for any future version as well. @@ -175,7 +173,6 @@ Requirements: 5. Enforce a GPO link. ## Troubleshoot auto-enrollment of devices - Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -232,6 +229,5 @@ To collect Event Viewer logs: ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) From 22fe43ded8c3b4d28e229db518de30e8e9d8aaef Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:28:02 +0100 Subject: [PATCH 02/24] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index d0f4e9527f..55a221ebed 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -106,7 +106,7 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to Use. User Credential enrolls Windows 10 1709 and later once an Intune licenced user logs into the device. Device Credential will enroll the device and then assign a user later once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10 1709 and later, once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. ![MDM autoenrollment policy](images/autoenrollment-policy.png) From 62190b32ae0029e68f5f4430a6cf102ede3c589e Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:45:19 +0100 Subject: [PATCH 03/24] Updated GPO names to match the current version of Windows Updated GPO name and links to files. Edited instructions to include new options in GPO and removed hyperlinks to older version of ADMX files (1803) and added links to newest version (1903) --- ...10-device-automatically-using-group-policy.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 55a221ebed..9160c8b88e 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -153,17 +153,16 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. ->[!IMPORTANT] ->If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: +> [!IMPORTANT] +> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1903 or version 1809. To fix the issue, follow these steps: > 1. Download: -> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or +> 1903 -->[Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) or > 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). -> 2. Install the package on the Primary Domain Controller (PDC). +> 2. Install the package. > 3. Navigate, depending on the version to the folder: -> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or +> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. -> 5. Restart the Primary Domain Controller for the policy to be available. +> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if an Group Policy Central Store exists. > This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. @@ -226,8 +225,9 @@ To collect Event Viewer logs: - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) +- [Group Policy Central Store](https://support.microsoft.com/en-gb/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) +- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) From 909f55ab308f20690191e21d81a95c7f4ffd85e9 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:48:14 +0100 Subject: [PATCH 04/24] 1709 or later References to 1709 updated (apart from one) to "1709 or later" to be correct --- ...-a-windows-10-device-automatically-using-group-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9160c8b88e..4c9e0ec81a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. @@ -90,7 +90,7 @@ You may contact your domain administrators to verify if the group policy has bee This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD @@ -148,7 +148,7 @@ Requirements: ## Configure the auto-enrollment for a group of devices Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured (with Intune or a third party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. From 79e500a3914918ce871172270791440086cef4f9 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 17:43:56 +0100 Subject: [PATCH 05/24] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 4c9e0ec81a..ee37cbf744 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -230,4 +230,4 @@ To collect Event Viewer logs: ### Useful Links - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) -- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) +- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) From 764463f940765e76f604eb330456bd8d4f01700b Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 18:01:50 +0100 Subject: [PATCH 06/24] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index ee37cbf744..7459beee1f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -162,7 +162,7 @@ Requirements: > 3. Navigate, depending on the version to the folder: > 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if an Group Policy Central Store exists. +> 4. Copy the policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if a Group Policy Central Store exists. > This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. From 229b88c69e457baca35468ae5bb4c55aee87ed50 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Tue, 22 Oct 2019 09:02:28 +0100 Subject: [PATCH 07/24] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 30f5348c1a..e7ceb4f502 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -235,7 +235,7 @@ To collect Event Viewer logs: - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) -- [Group Policy Central Store](https://support.microsoft.com/en-gb/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) +- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links From 70582898fb5bfae15799a98d6a4042dff384b45a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 15 Dec 2019 17:49:59 +0530 Subject: [PATCH 08/24] added new policy changes in 1903 added the group policy settings changes from 1809 to may 1903 , under system and windows components --- .../new-policies-for-windows-10.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index da5cc3e5c8..12fc040cdd 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -25,6 +25,33 @@ ms.topic: reference Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591). +## New Group Policy settings in Windows 10, version 1903 + +The following Group Policy settings were added in Windows 10, version 1903: + +**System** + +- System\Service Control Manager Access\Security Securty\Enable svchost.exe migitation options +- System\Storage Sense\Allow Storage Sense +- System\Storage Sense\Allow Storage Sense Temporary Files cleanup +- System\Storage Sense\Configure Storage Sense +- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold +- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold +- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold +- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems + + +**Windows Components** + +- Windows Components\App Privacy\Let Windows apps activate with voice +- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked +- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline +- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics +- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics +- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds) +- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds) +- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections +- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot ## New Group Policy settings in Windows 10, version 1809 From fe0b76895cd40694645086ccd32fe733d8aeb027 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 16 Dec 2019 07:37:29 +0530 Subject: [PATCH 09/24] Update windows/client-management/new-policies-for-windows-10.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/new-policies-for-windows-10.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 12fc040cdd..8b4d14515d 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -31,7 +31,7 @@ The following Group Policy settings were added in Windows 10, version 1903: **System** -- System\Service Control Manager Access\Security Securty\Enable svchost.exe migitation options +- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options - System\Storage Sense\Allow Storage Sense - System\Storage Sense\Allow Storage Sense Temporary Files cleanup - System\Storage Sense\Configure Storage Sense @@ -523,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= - From c61d125833622c011b3e83a73eced39c0a841e7b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 11 Jan 2020 20:05:06 +0530 Subject: [PATCH 10/24] added two titles with corresponding links and location of tools i added the following tools **Recovery Drive with website link*& **Registry Editor with website link** added the sentences **Below tools are located under C:\Windows\Sytem32\** --- .../client-management/administrative-tools-in-windows-10.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 35c0f225b0..883afe3b41 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are ![Screenshot of folder of admin tools](images/admin-tools-folder.png) -These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. +These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.Below tools are located under C:\Windows\Sytem32\ @@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc - [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494) - [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) - [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) +- [Recovery Drive](https://support.microsoft.com/en-us/help/4026852/windows-create-a-recovery-drive) +- [Registry Editor](https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry) - [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) - [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) - [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499) From 8eab7420a97e7a8e5bedd0cd15f8da5a89b6c3b8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sat, 11 Jan 2020 22:39:27 +0530 Subject: [PATCH 11/24] Update windows/client-management/administrative-tools-in-windows-10.md Thanks sir . I accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/administrative-tools-in-windows-10.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 883afe3b41..d4caf190cb 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are ![Screenshot of folder of admin tools](images/admin-tools-folder.png) -These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.Below tools are located under C:\Windows\Sytem32\ +These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. @@ -65,4 +65,3 @@ These tools were included in previous versions of Windows and the associated doc - From 391ff06cfa8ccc1896220078377d566f6c44cf7b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 12 Jan 2020 15:17:01 +0530 Subject: [PATCH 12/24] Update windows/client-management/administrative-tools-in-windows-10.md ok accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/administrative-tools-in-windows-10.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index d4caf190cb..0ecc65a84f 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -44,7 +44,7 @@ These tools were included in previous versions of Windows and the associated doc - [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) - [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) - [Recovery Drive](https://support.microsoft.com/en-us/help/4026852/windows-create-a-recovery-drive) -- [Registry Editor](https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry) +- [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry) - [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) - [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) - [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499) @@ -64,4 +64,3 @@ These tools were included in previous versions of Windows and the associated doc - From 90252b31f7ac8b1654b056bd4d8d27213ea10b06 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 12 Jan 2020 15:18:15 +0530 Subject: [PATCH 13/24] Update windows/client-management/administrative-tools-in-windows-10.md I tested on my laptop. so the files are under system32 , not in sub folder Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/administrative-tools-in-windows-10.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 0ecc65a84f..6320e35cdf 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are ![Screenshot of folder of admin tools](images/admin-tools-folder.png) -These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. +These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders. @@ -63,4 +63,3 @@ These tools were included in previous versions of Windows and the associated doc - From a2a9672a248a3a8a2b53ad04aa97d5c53a0858d8 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 13 Jan 2020 01:20:03 +0530 Subject: [PATCH 14/24] Update windows/client-management/administrative-tools-in-windows-10.md accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/administrative-tools-in-windows-10.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 6320e35cdf..91bc510d5f 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -43,7 +43,7 @@ These tools were included in previous versions of Windows and the associated doc - [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494) - [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495) - [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496) -- [Recovery Drive](https://support.microsoft.com/en-us/help/4026852/windows-create-a-recovery-drive) +- [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive) - [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry) - [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497) - [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498) @@ -62,4 +62,3 @@ These tools were included in previous versions of Windows and the associated doc - From 3bcacc95afa83a3dc958710d720e0c6816882843 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 25 Jan 2020 21:57:26 +0500 Subject: [PATCH 15/24] Update hello-hybrid-aadj-sso-base.md --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 54e4021adc..e9b63900ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -290,6 +290,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. +> [!NOTE] +> After the creation, the **supported platform** parameter of the profile will have value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. ## Configure Windows Hello for Business Device Enrollment From e03af423faf9b650141e6d2692881766db8354de Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 27 Jan 2020 11:14:20 +0500 Subject: [PATCH 16/24] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index e9b63900ff..7c5404142f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -291,7 +291,7 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. > [!NOTE] -> After the creation, the **supported platform** parameter of the profile will have value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. +> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. ## Configure Windows Hello for Business Device Enrollment From 2a5b0d5c0696e674daac125255dbb747f38ac5ba Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 20 May 2020 01:55:31 +0200 Subject: [PATCH 17/24] #6744 follow-up: convert Note text to Note blob Description: In PR #6744, a Note text line was added to the page, but without the common Note blob used in the default MS Docs code style. This PR updates the Note to follow the MS Docs code style by adding the MarkDown Note blob indent markers and the [!NOTE] tag or header. The text content itself remains unchanged. Changes proposed: - Convert the Note text line to a standard MS Docs Note blob - Remove redundant end-of-line whitespace (blanks) throughout the page Ticket closure or reference: Ref. PR #6744 --- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index b9c99d4bae..98e4ceb61e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -16,6 +16,7 @@ localizationpriority: medium ms.date: 10/23/2017 ms.reviewer: --- + # Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** @@ -26,7 +27,7 @@ ms.reviewer: ## Directory Synchronization -In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. @@ -45,12 +46,12 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv 6. In the **Applies to** list box, select **Descendant User objects**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. 8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**. -9. Click **OK** three times to complete the task. +9. Click **OK** three times to complete the task. ### Group Memberships for the Azure AD Connect Service Account -The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. +The KeyAdmins or KeyCredential Admins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. @@ -61,14 +62,15 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. -Note: if your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. +> [!NOTE] +> if your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. ### Section Review > [!div class="checklist"] > * Configure Permissions for Key Synchronization > * Configure group membership for Azure AD Connect -> +> > [!div class="step-by-step"] > [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) > [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) From 6c6a89b9f73f346c41305a528c155ff1f13afc6e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 20 May 2020 19:18:35 +0200 Subject: [PATCH 18/24] Add grammar correction - by mapalko Co-authored-by: mapalko --- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 98e4ceb61e..78b43b43e2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -63,7 +63,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 6. Click **OK** to return to **Active Directory Users and Computers**. > [!NOTE] -> if your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. +> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. ### Section Review From 404588ea2a60c67404d06a5f56f4899f1290fe22 Mon Sep 17 00:00:00 2001 From: Kannan B <59028488+kannanb-github@users.noreply.github.com> Date: Tue, 26 May 2020 09:00:20 +0530 Subject: [PATCH 19/24] LocURI locator is denoted with [\] The LocURI has to be denoted with [/] a wrong separate was used in the URI, the file has been changed with correct separator. --- .../client-management/mdm/understanding-admx-backed-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index ab3a46a409..14cd5810b2 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not The **LocURI** for the above GP policy is: -`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2` +`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2` To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. From 4dcc5c370d5e72d359259f4177902bb1eab9f372 Mon Sep 17 00:00:00 2001 From: stmulq <65617435+stmulq@users.noreply.github.com> Date: Tue, 26 May 2020 16:28:29 -0700 Subject: [PATCH 20/24] Fixed typo There is a typo in step 2 of "If the supported language you are looking for is not in the menu, follow these steps:". I changed "Locater" to "Locate". --- devices/hololens/hololens2-language-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md index 955eec82e6..e97e9dd065 100644 --- a/devices/hololens/hololens2-language-support.md +++ b/devices/hololens/hololens2-language-support.md @@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y If the supported language that you're looking for is not in the menu, follow these steps: 1. Under **Preferred languages**, select **Add a language**. -2. Locater and add the language. +2. Locate and add the language. 3. Select the **Windows display language** menu again, and then select the language that you added in the previous step. ### To change the keyboard layout From 68e7e12b240fb133d9cadb3cf2fd49f2833934ba Mon Sep 17 00:00:00 2001 From: Tina McNaboe <53281468+TinaMcN@users.noreply.github.com> Date: Fri, 29 May 2020 09:20:06 -0700 Subject: [PATCH 21/24] Update hello-hybrid-cert-whfb-settings-adfs.md Space missing between "Windows" and "10" --- .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index be3bc06968..82a0da01bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -19,7 +19,7 @@ ms.reviewer: # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust From 67a000280eaeb04853dac601c5e4368ade0ad97a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 May 2020 14:43:05 -0700 Subject: [PATCH 22/24] Various minor fixes --- .../hello-hybrid-cert-whfb-settings-adfs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 82a0da01bf..7de95a29e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -36,15 +36,15 @@ The Windows Hello for Business Authentication certificate template is configured Sign-in the AD FS server with *Domain Admin* equivalent credentials. 1. Open a **Windows PowerShell** prompt. -2. Type the following command +2. Enter the following command : ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true ``` ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + >[!NOTE] + > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ### Group Memberships for the AD FS Service Account @@ -66,8 +66,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Section Review > [!div class="checklist"] -> * Configure the registration authority -> * Update group memberships for the AD FS service account +> * Configure the registration authority. +> * Update group memberships for the AD FS service account. > > > [!div class="step-by-step"] From eae1ee0b237bc6f98dd950ba6d732d25080422bb Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 May 2020 14:56:27 -0700 Subject: [PATCH 23/24] Corrections to layout and punctuation --- ...device-automatically-using-group-policy.md | 29 ++++++++++--------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index e68f5f4025..b03d28832e 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. @@ -52,9 +52,10 @@ The following steps demonstrate required settings using the Intune service: ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) -> [!IMPORTANT] -> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. -> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. + > [!IMPORTANT] + > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. + > + > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. 3. Verify that the device OS version is Windows 10, version 1709 or later. 4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. @@ -115,21 +116,21 @@ Requirements: 5. Click **Enable**, then click **OK**. -> [!NOTE] -> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. -The default behavior for older releases is to revert to **User Credential**. + > [!NOTE] + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > The default behavior for older releases is to revert to **User Credential**. -When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." -To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). + To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. -![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) -> [!Tip] -> You can avoid this behavior by using Conditional Access Policies in Azure AD. -Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). + > [!Tip] + > You can avoid this behavior by using Conditional Access Policies in Azure AD. + Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. From 70a0bb25fb08e532a163b8a1818801130a0bbc83 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 29 May 2020 15:00:50 -0700 Subject: [PATCH 24/24] Removed extraneous space --- .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 7de95a29e9..328c9513bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -36,13 +36,12 @@ The Windows Hello for Business Authentication certificate template is configured Sign-in the AD FS server with *Domain Admin* equivalent credentials. 1. Open a **Windows PowerShell** prompt. -2. Enter the following command : +2. Enter the following command: ```PowerShell Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true ``` - >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.