From e72ed9d9f220d1167b5419aabce58651e28fcfb2 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Wed, 18 Jan 2023 18:31:06 -0500 Subject: [PATCH 01/13] first draft --- .../mdm/diagnose-provisioning-packages.md | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 windows/client-management/mdm/diagnose-provisioning-packages.md diff --git a/windows/client-management/mdm/diagnose-provisioning-packages.md b/windows/client-management/mdm/diagnose-provisioning-packages.md new file mode 100644 index 0000000000..f185f84356 --- /dev/null +++ b/windows/client-management/mdm/diagnose-provisioning-packages.md 
@@ -0,0 +1,60 @@ +--- +title: Diagnose Provisioning Packages +description: Diagnose general failures in provisioning. +ms.reviewer: +manager: aaroncz +ms.author: lizlong +ms.topic: article +ms.prod: windows-client +ms.technology: itpro-manage +author: lizgt2000 +ms.date: 01/18/2023 +ms.collection: highpri +--- + +# Diagnose Provisioning Packages + +## Unable to apply Power Settings +When applying certain provisioning packages containing power settings ([Configure power settings | Microsoft Learn](/windows-hardware/customize/power-settings/configure-power-settings?view=windows-11)) they require elevated permissions which are not applied when applying PPKGs after the initial setup as seen [Apply a provisioning package (Windows 10/11) - Configure Windows | Microsoft Learn](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup). An error of STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061) is given when applying these packages with the incorrect security context. + +Simply placing the PPKG into %WINDIR%/Provisioning/Packages and rebooting the machine will apply the packages with the correct security context (NT Authority\SYSTEM - [LocalSystem Account - Win32 apps | Microsoft Learn](/windows/win32/services/localsystem-account)) as stated in the note in [Configure power settings | Microsoft Learn](/windows-hardware/customize/power-settings/configure-power-settings?view=windows-11) + +## Unable to perform Bulk Enrollment in Azure AD +Provisioning packages allow enrollment into Azure AD as seen in [(Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package - Microsoft Community Hub)](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400). 
A few issues can occur: + + + + +## Unable to apply a multivariant provisioning package +If creating a multivariant package [(Create a provisioning package with multivariant settings (Windows 10/11) - Configure Windows | Microsoft Learn)](/windows/configuration/provisioning-packages/provisioning-multivariant). It may be difficult to diagnose why a certain target did not get applied. There may be conditions improperly authored which, when applied to the target device may not be evaluated as expected. + + +Tooling has been included to surface these conditions in the event a certain target did not get applied. + +## Diagnosing general failures in provisioning +To help diagnose common problems, you can run the mdmdiagnosticstool and capture multivariant condition values, see [Diagnose MDM failures in Windows 10 - Windows Client Management | Microsoft Learn.](/windows/client-management/diagnose-mdm-failures-in-windows-10) + +## Diagnosing multivariant problems +When applying multivariant packages it may be difficult to see why a target was not applied. The MdmDiagnosticsTool [(Diagnose MDM failures in Windows 10 - Windows Client Management | Microsoft Learn)](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes the multivariant condition values on the target system. + +(Zinc semester addition - Deliverable 41742231: [Hydra] [Tooling] Add MultiVariant handler values to MdmdiagnosticsTool diagnostics) which can be helpful when diagnosing why the PPKG was not applied in the target system. + +The MDMDiagReport.xml will contain the Multivariant Conditions in the report. Using powershell, we can get the values like so: +([XML](Get-Content MDMDiagReport.xml)).SelectNodes('//Multivariant') | Select -ExpandProperty Condition \ No newline at end of file From 2e35c04faa81b3539d1c80d2fa46df11d1c18dca Mon Sep 17 00:00:00 2001 
From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Wed, 18 Jan 2023 19:03:40 -0500 Subject: [PATCH 02/13] draft provision --- .../client-management/mdm/diagnose-provisioning-packages.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/diagnose-provisioning-packages.md b/windows/client-management/mdm/diagnose-provisioning-packages.md index f185f84356..bdae0a320d 100644 --- a/windows/client-management/mdm/diagnose-provisioning-packages.md +++ b/windows/client-management/mdm/diagnose-provisioning-packages.md @@ -15,7 +15,8 @@ ms.collection: highpri # Diagnose Provisioning Packages ## Unable to apply Power Settings @@ -51,7 +52,7 @@ To help diagnose common problems, you can run the mdmdiagnosticstool and capture When applying multivariant packages it may be difficult to see why a target was not applied. The MdmDiagnosticsTool [(Diagnose MDM failures in Windows 10 - Windows Client Management | Microsoft Learn)](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes the multivariant condition values on the target system. (Zinc semester addition - Deliverable 41742231: [Hydra] [Tooling] Add MultiVariant handler values to MdmdiagnosticsTool diagnostics) which can be helpful when diagnosing why the PPKG was not applied in the target system. From 6a9d6d7f79e3eee80e21d73258cdd69c9ddf5d73 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 19 Jan 2023 10:50:16 -0500 Subject: [PATCH 03/13] vinay review --- .../mdm/diagnose-provisioning-packages.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/windows/client-management/mdm/diagnose-provisioning-packages.md b/windows/client-management/mdm/diagnose-provisioning-packages.md index bdae0a320d..3450b93e86 100644 --- a/windows/client-management/mdm/diagnose-provisioning-packages.md +++ b/windows/client-management/mdm/diagnose-provisioning-packages.md 
@@ -13,21 +13,15 @@ ms.collection: highpri --- # Diagnose Provisioning Packages - ## Unable to apply Power Settings -When applying certain provisioning packages containing power settings ([Configure power settings | Microsoft Learn](/windows-hardware/customize/power-settings/configure-power-settings?view=windows-11)) they require elevated permissions which are not applied when applying PPKGs after the initial setup as seen [Apply a provisioning package (Windows 10/11) - Configure Windows | Microsoft Learn](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup). An error of STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061) is given when applying these packages with the incorrect security context. +When applying certain provisioning packages containing power settings ([Configure power settings | Microsoft Learn](/windows-hardware/customize/power-settings/configure-power-settings?view=windows-11)) they require elevated permissions which are not applied when applying PPKGs [after the initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup). An error of STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061) is given when applying these packages with the incorrect security context. 
Simply placing the PPKG into %WINDIR%/Provisioning/Packages and rebooting the machine will apply the packages with the correct security context (NT Authority\SYSTEM - [LocalSystem Account - Win32 apps | Microsoft Learn](/windows/win32/services/localsystem-account)) as stated in the note in [Configure power settings | Microsoft Learn](/windows-hardware/customize/power-settings/configure-power-settings?view=windows-11) ## Unable to perform Bulk Enrollment in Azure AD Provisioning packages allow enrollment into Azure AD as seen in [(Bulk join a Windows device to Azure AD and Microsoft Endpoint Manager using a provisioning package - Microsoft Community Hub)](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400). A few issues can occur: - ## Unable to apply a multivariant provisioning package -If creating a multivariant package [(Create a provisioning package with multivariant settings (Windows 10/11) - Configure Windows | Microsoft Learn)](/windows/configuration/provisioning-packages/provisioning-multivariant). It may be difficult to diagnose why a certain target did not get applied. There may be conditions improperly authored which, when applied to the target device may not be evaluated as expected. +If creating a [multivariant package](../windows/configuration/provisioning-packages/provisioning-multivariant). It may be difficult to diagnose why a certain target did not get applied. There may be conditions improperly authored which when applied to the target device may not be evaluated as expected. - -## Unable to apply a multivariant provisioning package -If creating a [multivariant package](../windows/configuration/provisioning-packages/provisioning-multivariant). It may be difficult to diagnose why a certain target did not get applied. There may be conditions improperly authored which when applied to the target device may not be evaluated as expected. 
- - -Tooling has been included to surface these conditions in the event a certain target did not get applied. - -## Diagnosing general failures in provisioning -To help diagnose common problems, you can run the [MdmDiagnosticsTool](../windows/client-management/diagnose-mdm-failures-in-windows-10) and capture multivariant condition values. - -## Diagnosing multivariant problems -When applying multivariant packages it may be difficult to see why a target was not applied. The [MdmDiagnosticsTool](../windows/client-management/diagnose-mdm-failures-in-windows-10) includes the multivariant condition values on the target system. - -(Zinc semester addition - Deliverable 41742231: [Hydra] [Tooling] Add MultiVariant handler values to MdmdiagnosticsTool diagnostics) which can be helpful when diagnosing why the PPKG was not applied in the target system. - -The MDMDiagReport.xml will contain the Multivariant Conditions in the report. Using powershell, we can get the values like so: -([XML](Get-Content MDMDiagReport.xml)).SelectNodes('//Multivariant') | Select -ExpandProperty Condition \ No newline at end of file diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md new file mode 100644 index 0000000000..55773531a2 --- /dev/null +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md 
@@ -0,0 +1,43 @@ +--- +title: Diagnose Provisioning Packages +description: Diagnose general failures in provisioning. +ms.reviewer: +manager: aaroncz +ms.author: lizlong +ms.topic: article +ms.prod: windows-client +ms.technology: itpro-manage +author: lizgt2000 +ms.date: 01/18/2023 +ms.collection: highpri +--- + +# Diagnose Provisioning Packages + +This article helps diagnose common issues with applying provisioning packages. You can use the [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) to diagnose general provisioning failures. + +## Unable to apply power settings + +When applying a provisioning package (PPKG) containing [power settings](/windows-hardware/customize/power-settings/update-power-settings), elevated permissions are required. Power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup), results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. + +To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). + +## Unable to perform bulk enrollment in Azure AD + +See [allow enrollment into Azure AD for provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400). + + + +## Unable to apply a multivariant provisioning package + +When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. 
There may have been improperly authored conditions that did not evaluate as expected. + +To diagnose problems with multivariant packages, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) (in Windows 11 version 22H2) includes multivariant condition values which can be helpful to determine why the PPKG was not applied. + +You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: + +```powershell +([XML](Get-Content MDMDiagReport.xml)).SelectNodes('//Multivariant') | Select -ExpandProperty Condition +``` From b6e835f6b6320eaccfe5fc3235e3f8268792b3ed Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:01:10 -0500 Subject: [PATCH 09/13] Update TOC.yml --- windows/configuration/TOC.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 979f7648a6..b3887ade44 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -126,6 +126,8 @@ href: provisioning-packages/provisioning-multivariant.md - name: PowerShell cmdlets for provisioning Windows client (reference) href: provisioning-packages/provisioning-powershell.md + - name: Diagnose provisioning packages + href: provisioning-packages/diagnose-provisioning-packages.md - name: Windows Configuration Designer command-line interface (reference) href: provisioning-packages/provisioning-command-line.md From 5b17f1172a4f8b2f98e4dd0d1d9749e8a4db8075 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 25 Jan 2023 11:26:20 -0500 Subject: [PATCH 10/13] Update diagnose-mdm-failures-in-windows-10.md --- .../client-management/diagnose-mdm-failures-in-windows-10.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 67b61ceb3c..088c0df06a 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md @@ -46,9 +46,9 @@ The zip file will have logs according to the areas that were used in the command - DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies. - MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables +- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, e.g enrollment variables, provisioning packages, multivariant conditions, etc. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md). - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. From 15bf8559b1af6f2a6ad34bc38146208db6b127a5 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 3 Mar 2023 15:32:00 -0500 Subject: [PATCH 11/13] Update diagnose-provisioning-packages.md --- .../diagnose-provisioning-packages.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md index 55773531a2..b3207522a4 100644 --- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md +++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md 
@@ -18,23 +18,22 @@ This article helps diagnose common issues with applying provisioning packages. Y ## Unable to apply power settings -When applying a provisioning package (PPKG) containing [power settings](/windows-hardware/customize/power-settings/update-power-settings), elevated permissions are required. Power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup), results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. +When applying a provisioning package (PPKG) containing power settings, elevated permissions are required. Because elevated permissions are required, power settings applied using the user context after the [initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) results in the error `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)` because an incorrect security context was used. To apply the power settings successfully with the [correct security context](/windows/win32/services/localsystem-account), place the PPKG in `%WINDIR%/Provisioning/Packages` directory, and reboot the device. For more information, see [Configure power settings](/windows-hardware/customize/power-settings/configure-power-settings). ## Unable to perform bulk enrollment in Azure AD -See [allow enrollment into Azure AD for provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400). +When [enrolling devices into Azure AD using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. 
For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent). - +> [!NOTE] +> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected. ## Unable to apply a multivariant provisioning package When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected. -To diagnose problems with multivariant packages, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) (in Windows 11 version 22H2) includes multivariant condition values which can be helpful to determine why the PPKG was not applied. +Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied. You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report: From 86af5a7ecb4d434aee6d74de19ee0d38cbb6912a Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 3 Mar 2023 15:47:16 -0700 Subject: [PATCH 12/13] Apply suggestions from code review Replace Latin abbreviations with English words and remove the slash before the URL. --- .../client-management/diagnose-mdm-failures-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index f9829a3514..98dca55229 100644 
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md @@ -50,7 +50,7 @@ The zip file will have logs according to the areas that were used in the command - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) - MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies. - MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, e.g enrollment variables, provisioning packages, multivariant conditions, etc. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md). +- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](windows/configuration/provisioning-packages/diagnose-provisioning-packages.md). - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. From 6be0928995a550ca8121ab95951d6106538eb3f6 Mon Sep 17 00:00:00 2001 
From: Angela Fleischmann Date: Fri, 3 Mar 2023 15:53:37 -0700 Subject: [PATCH 13/13] Update windows/client-management/diagnose-mdm-failures-in-windows-10.md Line 53: Change link to site-relative link. --- .../client-management/diagnose-mdm-failures-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 98dca55229..246e8babc9 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md 
@@ -50,7 +50,7 @@ The zip file will have logs according to the areas that were used in the command - DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) - MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies. - MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](windows/configuration/provisioning-packages/diagnose-provisioning-packages.md). +- MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see [Diagnose provisioning packages](/windows/configuration/provisioning-packages/diagnose-provisioning-packages). - MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events.
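Review bot: In [PATCH 01/13], under "Diagnosing multivariant problems" in windows/client-management/mdm/diagnose-provisioning-packages.md, the line "(Zinc semester addition - Deliverable 41742231: [Hydra] [Tooling] Add MultiVariant handler values to MdmdiagnosticsTool diagnostics)" reads like an internal work-item reference and should not reach a published article. Replace it with the public statement of which Windows release added the values. The fragment that follows it ("which can be helpful when diagnosing ...") then needs to be joined to the previous sentence. In the same hunk the PowerShell line is not fenced, so `[XML](Get-Content MDMDiagReport.xml)` will be parsed as a Markdown link; put the command in a `powershell` code fence.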
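Review bot: In [PATCH 03/13], the new link `[multivariant package](../windows/configuration/provisioning-packages/provisioning-multivariant)` is relative to windows/client-management/mdm/, so `../windows/...` resolves under windows/client-management/ rather than to the configuration docs. Use the site-relative form the removed line had (`/windows/configuration/provisioning-packages/provisioning-multivariant`); the two MdmDiagnosticsTool links written as `../windows/client-management/...` have the same problem. The sentence around the link is also still a fragment: "If creating a [multivariant package](...). It may be difficult ..." should be one sentence.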
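Review bot: In the new windows/configuration/provisioning-packages/diagnose-provisioning-packages.md, the "Unable to apply power settings" workaround tells the reader to place the PPKG in `%WINDIR%/Provisioning/Packages` and reboot, but names the resulting context only through the link text "correct security context". The first draft said outright that this is NT Authority\SYSTEM. State that in the sentence itself, so the reader knows the package is applied with LocalSystem rights and should come from a trusted source. Also write the path with backslashes (`%WINDIR%\Provisioning\Packages`) to match how it is typed on Windows. For the PowerShell example, say that it is run from the folder where the diagnostics output was extracted, since `MDMDiagReport.xml` is given as a relative path.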
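Review bot: In [PATCH 11/13], the rewritten power settings paragraph keeps `STATUS_PRIVILEGE_NOT_HELD (HRESULT=0xc0000061)`, but 0xC0000061 is the NTSTATUS value for STATUS_PRIVILEGE_NOT_HELD, not an HRESULT. If the string is copied verbatim from the provisioning log, say so; otherwise label it as an NTSTATUS code so that people searching on the error find the right reference. The same sentence now gives the cause twice ("Because elevated permissions are required, ... because an incorrect security context was used"); drop one of the two clauses. The change also removes the power settings link from the first sentence without the commit message saying why. In the bulk enrollment paragraph, the comma in "will be rejected, if the user" should go.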
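Review bot: In [PATCH 12/13], removing the leading slash turns the MDMDiagReport.xml bullet's link into `windows/configuration/provisioning-packages/diagnose-provisioning-packages.md`, which is resolved relative to windows/client-management/ and does not point at the new article. [PATCH 13/13] restores the site-relative form and drops the `.md` extension, so the final state is correct, but the intermediate commit leaves a broken link. Squash 12 and 13, or apply only the wording change ("such as ... and others") in 12.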