From fcd24af2b082e0201169dd0e16db922b592fb058 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Thu, 1 Apr 2021 11:22:21 +0530
Subject: [PATCH 1/4] Updated
---
.../mdm/policy-csp-experience.md | 62 +++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 4cf594449d..c1d07bfa0a 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -37,6 +37,9 @@ manager: dansimp
Experience/AllowManualMDMUnenrollment
+
+ Experience/AllowNewsAndInterestsOnTheTaskbar
+
Experience/AllowSaveAsOfOfficeFiles
@@ -436,6 +439,65 @@ The following list shows the supported values:
+
+
+**Experience/AllowNewsAndInterestsOnTheTaskbar**
+
+
+
+
+ | Windows Edition |
+ Supported? |
+
+
+ | Home |
+  |
+
+
+ | Pro |
+  |
+
+
+ | Business |
+ |
+
+
+ | Enterprise |
+ |
+
+
+ | Education |
+ |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Specifies whether to allow "News and interests" on the Taskbar.
+
+
+
+The values for this policy are 1 and 0. This policy defaults to 1.
+
+- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode.
+
+- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed.
+
+
+
+
+
**Experience/AllowSaveAsOfOfficeFiles**
From 8a2e120cf09596b12dd4f22f2d47c5b5fc291e0e Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Wed, 14 Apr 2021 13:24:52 +0500
Subject: [PATCH 2/4] Modification in Steps
There were few steps recommended by the user to fit in the document and make the document more clear. I have added a few of the recommendations based on the tests.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8557
---
...-a-windows-10-device-automatically-using-group-policy.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 45373ce3f7..66f5549e6a 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -203,11 +203,11 @@ Requirements:
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
-5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**.
+5. Copy PolicyDefinitions folder to **\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions**.
If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain.
-6. Restart the Domain Controller for the policy to be available.
+6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available.
This procedure will work for any future version as well.
@@ -279,4 +279,4 @@ To collect Event Viewer logs:
- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
-- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
\ No newline at end of file
+- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
From 4cd601517cc624dc703c85194f962cd1b6f3c795 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Fri, 16 Apr 2021 22:12:18 +0500
Subject: [PATCH 3/4] Update policy-configuration-service-provider.md
---
.../policy-configuration-service-provider.md | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 97803c60b7..64caa2be1e 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -57,12 +57,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operation is Get.
-**Policy/Config/***AreaName*
+**Policy/Config/_AreaName_**
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
Supported operations are Add, Get, and Delete.
-**Policy/Config/***AreaName/PolicyName*
+**Policy/Config/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
The following list shows some tips to help you when configuring policies:
@@ -81,12 +81,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operation is Get.
-**Policy/Result/***AreaName*
+**Policy/Result/_AreaName_**
The area group that can be configured by a single technology independent of the providers.
Supported operation is Get.
-**Policy/Result/***AreaName/PolicyName*
+**Policy/Result/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
Supported operation is Get.
@@ -102,31 +102,31 @@ The following diagram shows the Policy configuration service provider in tree fo
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
+
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*
+**Policy/ConfigOperations/ADMXInstall/_AppName_**
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
Supported operations are Add and Get. Does not support Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
Supported operations are Add and Get. Does not support Delete.
@@ -8611,4 +8611,4 @@ The following diagram shows the Policy configuration service provider in tree fo
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
From e3888d913f8d1894bad4181f710bbd4171c99477 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 22 Apr 2021 14:54:56 -0700
Subject: [PATCH 4/4] Corrections to layout
---
...device-automatically-using-group-policy.md | 30 +++++++++++++++----
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 45373ce3f7..622d2739af 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -84,9 +84,13 @@ The following steps demonstrate required settings using the Intune service:
You may contact your domain administrators to verify if the group policy has been deployed successfully.
8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
+
9. Verify that Azure AD allows the logon user to enroll devices.
+
+
10. Verify that Microsoft Intune should allow enrollment of Windows devices.
+
## Configure the auto-enrollment Group Policy for a single PC
@@ -108,18 +112,21 @@ Requirements:
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
- 
+ > [!div class="mx-imgBorder"]
+ > 
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
> [!NOTE]
> **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported.
+
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
> [!NOTE]
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
+ >
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
@@ -158,7 +165,10 @@ Requirements:
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
- If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
+ If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy.
+
+ > [!NOTE]
+ > The GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
@@ -231,16 +241,22 @@ To collect Event Viewer logs:
> For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
+
If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
+
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
- 
- To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
+
+ 
+
+ To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
+
- The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
- The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
- 
+ The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
+
+ 
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@@ -252,6 +268,7 @@ To collect Event Viewer logs:
When the task is completed, a new event ID 102 is logged.
+
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
@@ -262,6 +279,7 @@ To collect Event Viewer logs:
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
+
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
