From 93a34f80f4fb7727ae94f957dca4581aa87f7e0d Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Fri, 4 Oct 2019 19:47:30 +0100 Subject: [PATCH 1/7] GPO Names and Behaviour Has Changed "Enable automatic MDM enrollment using default Azure AD credentials" is the GPO name and it has two sub options. Not sure if Device Certificate is working at the moment, but the pictures are wrong, but User Certificate is working and so the docs should at least say to use that for now --- ...-device-automatically-using-group-policy.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index ad48fe1e75..d0f4e9527f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -106,7 +106,7 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Auto MDM Enrollment with AAD Token**. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to Use. User Credential enrolls Windows 10 1709 and later once an Intune licenced user logs into the device. Device Credential will enroll the device and then assign a user later once support for this is available. ![MDM autoenrollment policy](images/autoenrollment-policy.png) 
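Review bot: the rewritten step 4 documents behaviour that does not exist yet ("support for Device Credential is coming", "once support for this is available"), and the commit message itself says the screenshot is wrong, yet the `![MDM autoenrollment policy](images/autoenrollment-policy.png)` line is left pointing at the old image. A how-to page should describe what the shipped ADMX does today: say that only **User Credential** is currently supported for the credential-type option, drop the forward-looking clauses (or move them to a dated note), and either refresh `images/autoenrollment-policy.png` to show the renamed policy with the credential-type dropdown or remove the image until it is updated. It is also worth stating the operational consequence that follows from the `+` line as written: with User Credential nothing happens until a licensed user signs in interactively, so shared or headless machines stay unenrolled. Minor: "licenced" should be "licensed", and "For ADMX files from version 1903 and later select" needs a comma after "later".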
@@ -153,18 +153,16 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. -> [!IMPORTANT] -> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: +>[!IMPORTANT] +>If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: > 1. Download: > 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or -> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or -> 1903 --> [Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) +> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). > 2. Install the package on the Primary Domain Controller (PDC). > 3. Navigate, depending on the version to the folder: -> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or -> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** or -> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** . +> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or +> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** +> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. > 5. Restart the Primary Domain Controller for the policy to be available. 
> This procedure will work for any future version as well. @@ -175,7 +173,6 @@ Requirements: 5. Enforce a GPO link. ## Troubleshoot auto-enrollment of devices - Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -232,6 +229,5 @@ To collect Event Viewer logs: ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) From 22fe43ded8c3b4d28e229db518de30e8e9d8aaef Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:28:02 +0100 Subject: [PATCH 2/7] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index d0f4e9527f..55a221ebed 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
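Review bot: in the @@ -153 hunk, deleting the 1903 template download and the 1903 folder path contradicts the step-4 text added in the same patch, which says the credential-type option exists only "For ADMX files from version 1903 and later"; an admin following this note would install the 1809 ADMX and never see the option the patch is documenting. Keep the 1903 entries (a later patch in this series restores them), and keep the leading space in `> [!IMPORTANT]` so the alert line uses the same `> ` prefix as every other line of the block.

Review bot: the @@ -175 hunk is a whitespace-only change (the blank line after `## Troubleshoot auto-enrollment of devices`) that is unrelated to the stated purpose of the commit; leave the heading spacing as it was, or put it in its own formatting commit so the substantive change stays reviewable.

Review bot: the @@ -232 hunk drops the 1903 Administrative Templates link from Useful Links, which is exactly the download the new 1903-specific instructions in step 4 require. Keep the 1903 link, and list 1809 beside it rather than 1803, since 1809 is the other version the IMPORTANT note still references (patch 5 in this series ends up doing this).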
@@ -106,7 +106,7 @@ Requirements: ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to Use. User Credential enrolls Windows 10 1709 and later once an Intune licenced user logs into the device. Device Credential will enroll the device and then assign a user later once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in version 1709 of Windows 10). For ADMX files from version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10 1709 and later, once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. ![MDM autoenrollment policy](images/autoenrollment-policy.png) From 62190b32ae0029e68f5f4430a6cf102ede3c589e Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:45:19 +0100 Subject: [PATCH 3/7] Updated GPO names to match the current version of Windows Updated GPO name and links to files. Edited instructions to include new options in GPO and removed hyperlinks to older version of ADMX files (1803) and added links to newest version (1903) --- ...10-device-automatically-using-group-policy.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
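Review bot: the copy-edit fixes "licensed" and the commas but leaves two substantive problems in the same `+` line. "once an Intune licensed user logs into the device" ties enrollment to Intune, while the requirements on this page say "Enterprise has MDM service already configured (with Intune or a third party service provider)", so write "a user licensed for the MDM service". And "support for Device Credential is coming" / "once support for this is available" are still undated promises rather than documentation of shipped behaviour. Also the option label is written "Selected Credential Type to use" here but "Selected Credential Type to Use" in patch 1; match the exact UI string once and use it consistently.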
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 55a221ebed..9160c8b88e 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -153,17 +153,16 @@ Requirements: - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. ->[!IMPORTANT] ->If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: +> [!IMPORTANT] +> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1903 or version 1809. To fix the issue, follow these steps: > 1. Download: -> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or +> 1903 -->[Administrative Templates for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) or > 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). -> 2. Install the package on the Primary Domain Controller (PDC). +> 2. Install the package. > 3. Navigate, depending on the version to the folder: -> 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or +> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. -> 5. Restart the Primary Domain Controller for the policy to be available. +> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if an Group Policy Central Store exists. > This procedure will work for any future version as well. 1. 
Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. @@ -226,8 +225,9 @@ To collect Event Viewer logs: - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) +- [Group Policy Central Store](https://support.microsoft.com/en-gb/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links -- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) +- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) From 909f55ab308f20690191e21d81a95c7f4ffd85e9 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 09:48:14 +0100 Subject: [PATCH 4/7] 1709 or later References to 1709 updated (apart from one) to "1709 or later" to be correct --- ...-a-windows-10-device-automatically-using-group-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9160c8b88e..4c9e0ec81a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
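Review bot: in the @@ -153 hunk, replacing "Install the package on the Primary Domain Controller (PDC)" with "Install the package." removes the only statement of where the ADMX package goes, and the new step 4 offers two destinations that are really the same place: copying the `PolicyDefinitions` folder into `C:\Windows\SYSVOL\domain\Policies` creates or updates the central store, and `SYSVOL\domain` on a domain controller is the same content as `SYSVOL\sysvol\<domain>`, so `%windir%\sysvol\domain_name\policies\PolicyDefinitions` is not an alternative but the same path with an unexplained placeholder. Say it plainly: install the package on the machine you run GPMC from; if no central store exists, GPMC reads the templates from that machine's local `%windir%\PolicyDefinitions`; if a central store exists (or you want one, which is the better option so every admin sees the same policy definitions), copy `PolicyDefinitions` into `SYSVOL\domain\Policies` on a domain controller and let SYSVOL replication distribute it. Dropping the restart step is fine, since GPMC picks up new ADMX files on launch, but the commit message should say that the step was removed and why. Also "an Group Policy Central Store" should be "a Group Policy Central Store" (patch 6 fixes this).

Review bot: in the @@ -226 hunk, the Useful Links change removes the 1809 template download while the IMPORTANT note in this same patch still tells the reader to fetch "1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)]", and it keeps the 1803 link that the note no longer mentions; list 1903 and 1809 (patch 5 corrects this). The added Central Store link carries an `en-gb` locale segment; use the locale-neutral `https://support.microsoft.com/help/3087759/...` form (patch 7 does this).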
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). +In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/). For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. 
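Review bot: changing "In Windows 10, version 1709" to "version 1709 or later" makes the first sentence contradict the one that follows it: if GP unconditionally wins on 1709 or later, the 1803 setting that flips the conflict winner to MDM cannot exist. The accurate wording is that GP wins by default from version 1709, and from version 1803 a setting lets you make MDM the winner. This is worth getting exactly right because it decides which control plane actually enforces a security baseline when GP and MDM set the same policy to different values.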
@@ -90,7 +90,7 @@ You may contact your domain administrators to verify if the group policy has bee This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD @@ -148,7 +148,7 @@ Requirements: ## Configure the auto-enrollment for a group of devices Requirements: -- AD-joined PC running Windows 10, version 1709 +- AD-joined PC running Windows 10, version 1709 or later - Enterprise has MDM service already configured (with Intune or a third party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. From 79e500a3914918ce871172270791440086cef4f9 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 17:43:56 +0100 Subject: [PATCH 5/7] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 4c9e0ec81a..ee37cbf744 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -230,4 +230,4 @@ To collect Event Viewer logs: ### Useful Links - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) -- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880) +- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576) From 764463f940765e76f604eb330456bd8d4f01700b Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Mon, 7 Oct 2019 18:01:50 +0100 Subject: [PATCH 6/7] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index ee37cbf744..7459beee1f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -162,7 +162,7 @@ Requirements: > 3. Navigate, depending on the version to the folder: > 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**, or > 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if an Group Policy Central Store exists. +> 4. Copy the policy definitions folder to **C:\Windows\SYSVOL\domain\Policies** or **%windir%\sysvol\domain_name\policies\PolicyDefinitions** if a Group Policy Central Store exists. > This procedure will work for any future version as well. 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. From 229b88c69e457baca35468ae5bb4c55aee87ed50 Mon Sep 17 00:00:00 2001 From: brianreidc7 <31985319+brianreidc7@users.noreply.github.com> Date: Tue, 22 Oct 2019 09:02:28 +0100 Subject: [PATCH 7/7] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 30f5348c1a..e7ceb4f502 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
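Review bot: the grammar fix is correct, but the step-4 sentence still reads as one "or" with a trailing "if", so it is ambiguous whether the condition applies to both destinations or only the second. Split it into two numbered sub-steps, one for the no-central-store case and one for the central-store case, each with a single bolded path, so the reader does not have to parse the sentence to know where the folder goes.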
@@ -235,7 +235,7 @@ To collect Event Viewer logs: - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) -- [Group Policy Central Store](https://support.microsoft.com/en-gb/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) +- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) ### Useful Links