Deep dive ingesting third-party ADMX-files

A bit more than a week ago I got the suggestion to do a blog post about the ingestion of custom and/or third-party ADMX-files. Not without a reason. The suggestion was triggered by the latest Spectre and Meltdown vulnerabilities and the ability to manage site isolation via policies for Google Chrome. That was enough motivation for me to look into it. In this post I’ll provide an introduction to ingesting ADMX-files, followed by a step-by-step overview of how to ingest custom and/or third-party ADMX-files and how to configure the related settings. As a configuration example I’ll use the manage site isolation setting for Google Chrome. I’ll end this post with showing the configuration result.

Introduction

Starting with Windows 10, version 1703, it’s possible to ingest ADMX-files and to set those ADMX-backed policies for Win32 apps and Desktop Bridge apps, by using Windows 10 MDM. The ADMX-files that define policy information, can be ingested to the device by using OMA-URI. The ingested ADMX-files are then processed into MDM policies. When the ADMX policy settings are ingested, the registry keys, to which each policy is written, are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the System, Software\Microsoft, and Software\Policies\Microsoft keys, except for the locations documented here.

Configuration

Now let’s have a look at the configuration. The configuration contains two important steps. The first step is to ingest the ADMX-file and the second step is to configure the required setting. I will configure both settings on the device level.

Step 1: Ingest the ADMX-file

The first step is to ingest the ADMX-file. As this post is using Google Chrome as an example, make sure to download the Chrome policies here. Before starting with ingesting this ADMX-file, it’s important to first construct the OMA-URI setting and value.

Setting

The OMA-URI should look like this ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}. In this URI the following variables should be provided:

AppName: This should be the name of the app that will be configured, but can theoretically be anything. In this example I’ll use Chrome;
SettingType: This should always be policy with ingesting ADMX-files. So, in this example I’ll use Policy;
FileUid or AdmxFileName: This should be the name of the ADMX-file, but can theoretically be anything. In this example I’ll use ChromeADMX.

Value

The value is a lot easier. That’s simply the content of the downloaded chrome.admx, which is available in the folder policy_templates\windows\admx. So, to make this really simple, open chrome.admx in an editor and press Ctrl+A, followed by Ctrl+C.

Configuration

Now let’s put the OMA-URI setting and value together, in Microsoft Intune, in a Device configuration profile. To do this, simply follow the three steps below and keep in mind that the OMA-URI setting (step 3b) is nothing more than just putting together the variables as mentioned in the Setting section.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

MSI_DC_CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Windows 10 – Chrome configuration;
  • Description: (Optional);
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b;
3b

MSI_DC_AddRowOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Chrome ADMX Ingestion;
  • Description: (Optional);
  • OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx;
  • Data type: Select String;
  • Value: [Complete content of the chrome.admx];

Step 2: Configure the required setting

The second step is to configure the required setting. Finding the correct values for configuring the required setting, is similar to finding the correct values for any other ADMX-backed policy. So, make sure to be familiar with my post about Deep dive configuring Windows 10 ADMX-backed policies. Before starting with the configuration, it’s important to first construct the OMA-URI setting and value.

Setting

The OMA-URI should look like this ./Device/Vendor/MSFT/Policy/Config/{AppName}~{SettingType}~{CategoryPathFromADMX}/{SettingFromADMX}. Make sure to pay attention to the use of tildes in this URI. In this URI the following variables should be provided:

AppName: This should be the name of the app, as configured with the ingestion of the ADMX-file. In this example I used Chrome;
SettingType: This should be the same as configured with the ingestion of the ADMX-file. In this example I used Policy;
Chrome_CatCategoryPathFromADMX: This should be the complete category path, which actually starts with number 3 in the picture below. That shows googlechrome as the parent category. That category should be followed until the category definition of the ADMX-file, as shown with number 1 in the picture on the right. Number 2 in that same picture, shows that there is no additional parent category;
Chrome_SettingSettingFromADMX: This should be the name of the setting, which is shown with number 2 in the picture on the right. That shows SitePerProcess as the actual name of the setting. Number 2 in that same picture shows the actual registry that will be configured and which we can use to verify the result.

Value

The value is again a lot easier. In this example I simply want to enable the policy, which can be done by using <enabled/>. For more complicated settings, refer to my earlier mentioned post.

Configuration

Now let’s put the OMA-URI setting and value together, in Microsoft Intune, in the previously created Device configuration profile. To do this, simply follow the four steps below and assign the profile to an user group. Just like with ingesting the ADMX-file, keep in mind that the OMA-URI setting (step 4) is nothing more than just putting together the variables as mentioned in the Setting section.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;;
2 On the Devices configuration – Profiles blade, select the earlier created Windows 10 – Chrome configuration profile to open the Windows 10 – Chrome configuration blade;
3 On the Windows 10 – Chrome configuration blade, select Properties > Settings to open the Custom OMA-URI Settings blade;
4

MSI_DC_AddRow1On the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK on the Custom OMA-URI blade and Save on the Windows 10 – Chrome configuration blade);

  • Name: Chrome – ADMX – SitePerProcess;
  • Description: (Optional);
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/SitePerProcess;
  • Data type: Select String;
  • Value: <enabled/>;

Result

Let’s end this post with the result of the device configuration. The easiest location to look for a success would be Google Chrome itself, but instead I would like to show that the configuration actually arrived on the device. Below on the left is a screenshot of the Settings panel (Accounts > Access work or school > {tenant} > Info). That screenshot clearly shows the custom policy of Chrome~Policy~googlechrome. The applied custom policy doesn’t get any clearer than that. Below on the right is a screenshot of the Registry Editor. That screenshot clearly show the applied configuration, which can be matched with the registry setting in the ADMX-file (see number 2 in the picture with SettingFromADMX).

Chrome_Settings Chrome_Registry

More information

For more information about ingesting ADMX-files, refer to this article Win32 and Desktop Bridge app policy configuration.

Manage Windows AutoPilot via Microsoft Intune

This week I’m going through the required steps for configuring Windows AutoPilot. I know that a lot has been written already about this subject, but I have the feeling that this subject needs a place on my blog. Also, the attentive reader might have noticed that I’m specifically using Microsoft Intune in the title of my blog, for the first time in over a year. That’s with a reason. This post is focused on configuring Windows AutoPilot via Microsoft Intune and will show that, at this moment, the Microsoft Store for Business is also required to complete the Microsoft Intune configuration.

In this post I’ll provide a short introduction about Windows AutoPilot, followed by walking through the required configurations. I’ll end this post by quickly looking at the result, from the end-user perspective and from the administrator perspective.

Introduction

Before looking at the configuration, let’s start with a short introduction about Windows AutoPilot. The Windows AutoPilot deployment program simplifies device provisioning. With Microsoft Intune and Windows AutoPilot, it’s possible to give new devices to end-users without the need to build, maintain, and apply custom operating system images to the devices. Windows AutoPilot covers the provisioning of the devices and Microsoft Intune makes it possible to manage policies, profiles, apps, etc. on the devices after they are enrolled. Once devices are registered for Windows AutoPilot, the following OOBE customization options are available for Windows 10, starting with version 1703:

  • Skip the Work or Home usage selection page (default behavior);
  • Skip Cortana, OneDrive and OEM registration setup pages (default behavior);
  • Skip privacy settings page (optional configuration);
  • Skip EULA page (optional configuration, staring with Windows 10, version 1709);
  • Add sign-in experience with company or school brand (optional configuration);
  • Prevent the account used to set-up the device from getting local administrator permissions (optional configuration).

Configuration

Now let’s have a look at the required configurations to create the full Windows AutoPilot experience. That includes looking at the prerequisites, adding devices and adding a company branding. To get this full experience, simply walk through the six steps below.

Prerequisites

Before walking through the required configuration steps, make sure that the following prerequisites are in-place. Everything else will be covered in this post.

  • Devices have to be pre-installed with Windows 10, version 1703 or later;
  • Devices must have access to the Internet;
  • Azure AD Premium subscription;
  • Automatic enrollment is enabled.

Step 1: Get device information

The first step is to get the device information, as the devices must be registered to the organization. At this moment, it’s still required to acquire the device serial number, the Windows product ID and the hardware ID of the devices and to register the devices. Microsoft is actively working with various hardware vendors to enable them to provide the required information to organizations, or upload it on their behalf. To capture the required information, use the Get-WindowsAutoPilotInfo PowerShell script, by performing steps similar to the following four steps.

1 Open Windows PowerShell as an Administrator;
2 Run Save-Script -Name Get-WindowsAutoPilotInfo -Path C:\Windows\Temp to inspect the PowerShell script ;
3 Run Install-Script -Name Get-WindowsAutoPilotInfo to install the PowerShell script;
4 Run Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\Windows\Temp\MyComputer.csv to get the required device information;
WA_DeviceInformation

Step 2: Add devices

The second step is to add the gathered device information. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using the Microsoft Store for Business or by using the Partner Center. To use the Microsoft Store for Business, perform the following three steps.

1 Open the Microsoft Store for Business and navigate to Manage > Devices;
2 Click Add devices and browse to the just created CSV file;
3 WA_MSfB_AddOn the Add devices to an AutoPilot deployment group, select No, thanks as I want to use Microsoft Intune for assigning a deployment profile.
WA_MSfB_Devices

Step 3: Synchronize devices

The third step is to synchronize the added device information into Microsoft Intune. That will enable me to use Microsoft Intune for assigning a deployment profile to those devices. To synchronize the devices into Microsoft Intune, perform the following three steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade;
3 On the Windows AutoPilot devices (Preview) blade, click Sync to synchronize the devices to Microsoft Intune.
WA_MSIntune_Devices

Step 4: Create deployment profile

The fourth steps is to create a deployment profile in Microsoft Intune. The deployment profiles are used to configure the AutoPilot devices. To create a deployment profile in Microsoft Intune, perform the following four steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Deployment Profiles below Windows AutoPilot devices (Preview) to open the Windows AutoPilot deployment profiles (Preview) blade;
3 On the Windows AutoPilot deployment profiles (Preview) blade, click Create profile to open the Create profile blade;
4a

WA_MSIntune_CPOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a valid description;
  • Join to Azure AD as: Select Azure AD joined;
  • Out-of-box experience (OOBE): (See step 4b).
4b

WA_MSIntune_OOBEOn the Out-of-box experience (OOBE) blade, provide the following information and click Save;

  • Privacy Settings: Select Hide to hide the Privacy Settings page during the OOBE;
  • End user license agreement (EULA): Select Hide to hide the EULA page during the OOBE;
  • User account type: Select Standard to make the user a standard user on the device.

Note: The last setting does not apply to global administrators or company administrators. These users cannot be standard users as they have access to all administrative features in Azure AD.

WA_MSIntune_WADP

Step 5: Assign deployment profile

The fifth step is to assign the just created deployment profile to the just synchronized devices in Microsoft Intune. This can be achieved by performing the following four steps.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows Enrollment;
2 On the Devices enrollment – Windows enrollment blade, click Devices below Windows AutoPilot devices (Preview) to open the Windows AutoPilot devices (Preview) blade;
3 On the Windows AutoPilot devices (Preview) blade, select the just imported device and click Assign profile to open the Assign profile blade.
4 WA_MSIntune_APOn the Assign profile blade, select the just created deployment profile and click Assign;
WA_MSIntune_APS

Step 6: Add company branding

The sixth step is the finishing touch, by making the company branding appear during the OOBE. This cannot be achieved by using Microsoft Intune, at this moment, but can be achieved by using the Azure AD. To configure the company branding, perform the following steps.

1 Open the Azure portal and navigate to Azure Active Directory > Company branding;
2 On the Company branding blade, click Configure to open the Configure company branding blade;
3

WA_CustomBrandingOn the Configure company branding blade, provide the following information and click Create.

  • Sign-in page background image: Specify a background image that meets the specified format;
  • Banner logo: Specify a banner logo that meets the specified format;
  • User name hint: Provide a user name hint;
  • Sign-in page text: Provide a sign-in page text;
  • Sign-in page background color: Provide a background color that will be used for slow connections;
  • Square logo image: Specify a square logo image that meets the specified format;
  • Square logo image, dark theme: Specify a square logo image that meets the specified format;
  • Show option to maintain signed in: Select Yes.

Note: I’ve only configured a couple of items that will clearly show that the Windows AutoPilot deployment is part of my company.

Result

Now let’s end this post by looking at the result of the configurations. Let’s start by looking at the end-user experience. Yes, I can show the remaining screens during the OOBE, but I thought that was not that exciting. Instead, I’ve got the main enrollment screen that includes the company branding. 

WA_MSIntune_Experience

WA_MSIntune_EnrolledFrom an administrator perspective, the most interesting place, to look for the end result, is the Azure portal. When navigating Intune > Device enrollment > Windows Enrollment > Devices, the overview of devices won’t show any difference. However, the administrator can filter on Enrolled devices to get a list of devices that are successfully enrolled via the Windows AutoPilot deployment. Also, when selecting a device, it provides a list of interesting information. The most important one of that is the Enrollment State. As shown on the right, this will be set to Enrolled after the device is successfully enrolled via the Windows AutoPilot deployment.

More information

Fore more information about Windows AutoPilot, in combination with Microsoft Intune and the different configuration options, please refer to:

Using the Intune Management Extension, on a 64-bit platform, for a very happy New Year!

Let’s start the New Year with a quick tip about the Intune Management Extension, which is used for running PowerShell scripts, in combination with a 64-bit platform. The Intune Management Extension is 32-bit and will run PowerShell scripts in a 32-bit environment. This is not always the desired behavior. Actually, many activities and/or cmdlets, require a 64-bit environment. In this blog post I’ll provide a simple workaround, to run the PowerShell scripts in a 64-bit environment, and I’ll show the behavior of that simple workaround.

The (example) script

Now let’s start by looking at that simple workaround. That workaround is actually a simple addition to a script that starts the same script, by using the 64-bit environment of PowerShell. This is achieved by starting with the following assumptions:

  • The script  doesn’t have to deal with parameters – This saves me from doing difficult with providing parameters to it;
  • The script should only switch on a 64-bit platform running a 32-bit process – This makes sure that it won’t break on a 32-bit platform. That can be achieved by using $ENV:PROCESSOR_ARCHITEW643. That environment variable is set when running a 32-bit process on a 64-bit platform;
  • The script needs the right location of PowerShell – This makes sure that this time the 64-bit environment of PowerShell will be started. That can be achieved by using SysNative. That alias is used to point a 32-bit process to C:\Windows\System32;
  • The script needs the right location of the script – This makes sure that the same script is started again. That can be achieved by using $PSCOMMANDPATH. That automatic variable contains the full path and file name of the script that is being run.

These four assumptions bring me to the following small script snippet that can be added to the top of any script. For looking at the results, I’ve added an additional line at the beginning and the ending of the script snippet. Those additional lines write the environment of the process to a file.

Begin: $ENV:PROCESSOR_ARCHITECTURE” >> “C:\Windows\Temp\Test.txt”
If ($ENV:PROCESSOR_ARCHITEW6432 -eq “AMD64”) {
     Try {
         &”$ENV:WINDIR\SysNative\WindowsPowershell\v1.0\PowerShell.exe” -File $PSCOMMANDPATH
     }
     Catch {
         Throw “Failed to start $PSCOMMANDPATH”
     }
     Exit
}

“End: $ENV:PROCESSOR_ARCHITECTURE” >> “C:\Windows\Temp\Test.txt”

Important: The Intune Management Extension will only report over the initial script. To also report over the newly started script, you might want to look into building something smart that will monitor the newly start script before exiting the initial script. The example above simply exits the initial script.

The (example) results

Let’s end this post by looking at the example script, mentioned above, when deployed via Microsoft Intune. The example script writes, at the beginning and the ending, an entry to a file named Test.txt. After a successful execution, it contains the following three entries:

  1. 64-resultThe first entry is related to the beginning of the initial script, which is triggered by the Intune Management Extension. At that moment it’s started as a 32-bit process;
  2. The second entry is related to the beginning of the newly started version of the script, which is triggered by the initial script. At that moment it’s started as a 64-bit process;
  3. The third entry is related to the ending of the newly started version of the script. At that moment it successfully went through the complete script as a 64-bit process.

More information

For more information about automatic variables in PowerShell, refer to the documentation About Automatic Variables.

Running scripts on Christmas day (and any other day)

My last blog post of this year will also be about a new (pre-release) feature of Configuration Manager, version 1710. This post will be all about the ability to create and run scripts from the Configuration Manager administration console. To be correct, the ability to create and run scripts was added in Configuration Manager, version 1706, and Configuration Manager, version 1710, added the ability to use parameters with those scripts. It completed the functionality.  My Christmas day present for the community is a walkthrough through this functionality and how it runs on the client device. After reading this post you should be able to understand how your script can create the output and how you can find the correct GUIDs to follow the activity on the client device.

Introduction

Starting with Configuration Manager, version 1706, it’s possible to run PowerShell scripts, via the Configuration Manager console, directly on client devices. Configuration Manager, version 1710, completed this functionality by adding the use of parameters. The ability to run PowerShell scripts on client devices is available in the Configuration Manager administration console, via the Run Scripts option. This makes it easier to automate tasks and, in general, the scripts are understood by a large population. It really simplifies building custom tools. Think about all the custom right-click actions that can now be integrated in this functionality. The biggest advantages of using the Run Script option, are the usage of the notification channel and getting good monitoring information. That means, quick results shown in the Configuration Manager administration console. In this post I’ll show the Run Script option by using a simple PowerShell script that will restart a service on the client device. That service is provided to the script via a script parameter.

Script

Now let’s have a look at the Run Script option in the Configuration Manager administration console. I’ll start by looking at a couple of important prerequisites, followed by how to create, approve and run scripts. I’ll end this section by following the script action to the client device.

Prerequisites

Before looking into the possibilities of the Run Script option, the following prerequisites should be in place to take full advantage of the available possibilities:

  • The client device must be running PowerShell version 3.0, or later;
  • The Configuration Manager clients must be running client version 1706, or later;

Create script

Let;s start by looking at the required steps to create a PowerShell script that can become available via the Run Script option. I’ll do that by using a simple script that can restart a service on a client device, based on the provided script parameter. Based on the result, of the script, a specific script output will be returned. The administrative user, creating the script, must have at least the Create permission for SMS Scripts object class.The following six steps walk through the creation of a PowerShell script (step 3 contains the used script):

1 Open the Configuration Manager administration console and navigate to Software Library > Overview > Scripts;
2 On the Home tab, in the Create group, click Create Script to open the Create Script wizard;
3

CS_ScriptOn the Script page, provide the following information and click Next;

  • Script name: Provide a name for the script;
  • Script language: Select PowerShell, as it’s currently the only option;
  • Script: Click Import to browse to a script file and to display it in the wizard. It’s also still possible to edit the imported script;

Note: Declaring variables, as shown with number 1 on the right, will enable an additional page in the wizard for configuring script parameters. The output shown with number 2, can be returned by the client device.

4a

CS_ScriptParametersOn the Script Parameters page, an overview is shown of the provided parameters with the script and it provides the option to set a Default Value. Select the variable and click Edit to adjust the parameter properties (see step 4b). After that, click Next.

Note: This page should provide an overview of the variables as declared in step 3.

4b

CS_ScriptParameterPropertiesOn the Script Parameter Properties dialog box, the information about the name, required status, hidden status and data type is prepopulated based on the declaration of the variable (see step 3). Use this dialog box to configure the following validation properties and click OK:

  • Minimum Length: Specify the minimum number of characters;
  • Maximum Length: Specify the maximum number of characters;
  • RegEx: Specify a regular expression validation;
  • Custom Error: Specify a custom error message.
5 On the Summary page, verify the configuration and click Next;
6 On the Completion page, verify the result and click Close.

Approve script

Before the just created PowerShell script becomes available via the Run Script option, it must be approved by another administrative user with at least the Approve permission for SMS Scripts object class. That will prevent unverified scripts from running on client devices, which should decrease the possibility of running faulty scripts on client devices. The following seven steps walk through the approval of a PowerShell script:

HierarchySettings_GeneralBy default it’s not possible for a script author to approve and/or deny their own scripts. To enable script authors to approve and/or deny their own scripts, open the Configuration Manager administration console and navigate to Administration > Overview > Site Configuration > Site. Now open the Hierarchy Settings and remove the checkbox with Do not allow script authors to approve their own scripts.

Important: It’s strongly advised to only do this in test and/or lab environments.

1 Open the Configuration Manager administration console and navigate to Software Library > Overview > Scripts;
2 Select the just created script and click Approve/Deny, in the Scripts group, on the Home tab, in the Create group, to open the Approve or deny script wizard;
3

ADS_ScriptOn the Script page, verify the script and click Next;

4

ADS_ScriptParametersOn the Script Parameters page, verify the parameters and click Next;

Note: To verify the details of a parameter, select a parameter and click Details. That will show the script parameter properties, as configured during the creation of the script.

5

ADS_ApproveScriptOn the Approve or deny script page, select Approve, provide an Approver Comment (optional) and click Next;

Note: I know this is stating the obvious, but only approve scripts once you’re certain about their behavior. The ability to run scripts on client devices is just really strong and once the script is triggered it will run almost instantly.

6 On the Summary page, verify the configuration and click Next;
7 On the Completion page, verify the result and click Close.

Run script

After approving the just created PowerShell script, it becomes available via the Run Script option. The administrative user, that will run the script, must have at least the Run permission for SMS Scripts object class and the script will be executed in SYSTEM context on the client device. The following six steps walk through running a PowerShell script:

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Device Collections;
2

Open a device collection and right-click a client device and select Run Script to open the Run Script wizard;

Note: It’s also possible to start the Run Script wizard by right-clicking a device collection.

3

RS_ScriptOn the Script page, select the just created script and click Next;

Note: The script GUID is interesting for monitoring the script execution.

4

RS_ScriptParametersOn the Script Parameters page, provide a value for the available parameters and click Next.

5 On the Summary page, verify the details and click Next;
6

RS_MonitoringOn the Monitoring page, verify the script output and click Close.

The script output, on the Summary tab, shows the output as provided in the initial script. Within this summary it’s also possible to look at the exit codes and to look at different chart forms. The Script Details tab shows the general information about the script, like the name, version and parameters and the Run Details tab shows the details about the results, like the device name, execution status, exit code and script output.

Monitor script

Now let’s end this post by looking at the monitoring options for the initiated script. This can be done in real-time, as shown in the step 6, and this can be done by looking at the Script Status node in the Monitoring workspace. Below is on overview of the just triggered script and I’ve included the following highlighted numbers:

  • Number 1 highlights the Show Status button that can be used
    to get the script details, as shown in step 6 of the Run script
    section;
  • Number 2 highlights the Client Task ID that can be used to
    follow the script through the server log files (bgbserver.log) and the client
    log files (ccmnotification.log and script.log), as shown below;
  • Number 3 highlights the Script Guid, as also shown in step
    3 of the Run script section, that can be used to follow the script
    activity in the client log files (script.log), as shown below;
  • Number 4 highlights the Script Output that can be used to
    verify the results. It should refer to the scripted output, as shown in step 3
    of the Create script section.

ConfigMgrConsole_ScriptMonitoring

Let’s continue by following the initiated script through the log files. At least the three log files below are related to this action and together those log files provide a lot of information. As there is some overlap with the log files of last week, I won’t provide the generic information about the log files this time.

BgbServer.log: When initiating a script to run on a client device, this log file shows the information about pushing the script action to the client device, followed by information about the generation of the BGB task status report (.BTS) in the bgb.box inbox (see below). The processing of the BGB task status report can be followed through the bgbmgr.log.

Script_bgbserver

CcmNotificationAgent.log: When initiating a script to run on a client device, this log file shows the arrival of the script action on the client device (see below).

Script_ccmnotification

Script.log: When initiating a script to run on a client device, this log file will show the details about the script that will be executed. That includes the earlier mentioned IDs and the command line that will be used.

Script_script

Let’s end this section by looking at the executed command line in more detail. Below is the highlighted version of the executed command line. That command line clearly shows that the script on the client device is signed, that it uses parameters and that it’s stored locally. The script is stored in C:\Windows\CCM\ScriptStore, which is a hidden folder on the client device. By default only the SYSTEM account has permissions on the script files in that folder.

Executing command line: “C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe” -NoProfile -ExecutionPolicy RemoteSigned -File “C:\Windows\CCM\ScriptStore\D5FF9FBE-D25B-45DB-9771-946076A9FFAD_EB1AA60AF73737F0B342AEED2C5ECB15A9956654BDA4D30263178B3A79E79DD4.ps1” -ServiceName “Group Policy Client”

More information

For more information about the Run Script option, please refer to this article about creating and running PowerShell scripts from the Configuration Manager console.

Restarting a computer couldn’t be easier!

This week I’m still staying in the new features of Configuration Manager, version 1710. This time it’s all about how easy it became to restart a client device. Restarting a client device became a right-click action! It simply couldn’t be easier! This opens up a whole new world for managing client devices with a pending restart. In this blog post, I’ll start with a short introduction about restarting a client device, followed by the simple actions to trigger a restart for a client device. I’ll end this post by following the activity through the log files.

Introduction

Starting with Configuration Manager, version 1710, it’s possible to use the Configuration Manager console to identify client devices that require a restart, and then use a client notification action to restart those client devices. When the restart notification is received by a client device, a notification window opens to inform the user about the restart. By default, the restart occurs after 90 minutes. That might sound like a long period, but that’s related to the configuration of the Client Settings. The restart simply honors the restart behavior, as configured in the Computer Restart tab of the Client Settings.

Trigger a restart

Now let’s have a look at triggering a restart of a client device. The easiest method to trigger a restart, of a client device, is to first identify client devices that are pending a restart, followed by right-clicking those devices and selecting restart. To perform these activities, simply follow the next steps:

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Devices;
2

Open a device collection and add the new Pending Restart column (see below);

PendingRestart_All

3

RC_RestartRight-click a client device, with a pending restart, and select Client Notification > Restart;

Note: Of course it’s not required for a client device to have a pending restart, before the restart option becomes available. The restart option is available for every client device.

4

PendingRestart_NotificationOn the Configuration Manager dialog box, select OK to confirm the restart action for the client device.

5

SC_RestartOn the client device, a Software Center notification window opens to inform the user about the restart. This notification can not be ignored. It provides a countdown and the option to RESTART or HIDE.

Follow the restart

The best method to follow the restart, of the client device, is by using the log files. At least the following three log files are related to this action and together those log files provide a lot of information:

BgbServer.log: This log file records the activities of the notification server, such as client-server communication and pushing tasks to clients. It also records information about the generation of online and task status files to be sent to the site server. When triggering a restart of the client device, this log file shows the information about pushing the restart task to the client device, followed by information about the generation of the BGB task status report (.BTS) in the bgb.box inbox (see below).

bgbserver

CcmNotificationAgent.log: This log file records the activities of the notification agent, such as client-server communication and information about tasks received and dispatched to other client agents. When triggering a restart of the client device, this log file shows the arrival of the restart task on the client device (see below).

ccmnotificationagent

bgbmgr.log: This log file records details about site server activities related to client notification tasks and processing online and task status files. When triggering a restart of the client device, this log file will show information about processing the created BGB task status report (.BTS) from the bgb.box inbox.

bgbmgr

Note: The log snippets above show how quick the notification arrives on the client device. In my test environment that was within the same second.

More information

For more information about the restart client device option, please refer to this article about How to manage clients.

The awesome world of child task sequences

Like last week I’m staying in the world of new features of Configuration Manager, version 1710. This time it’s all about the awesome world of child task sequences. Awesome. To be a bit more specific, the awesome world of child task sequences, which refers to the newly introduced task sequence step Run Task Sequence. This opens up a whole lot of options, from using specific standards throughout all deployments until enabling different administrators from maintaining their own child task sequence. In this post I’ll go through a short introduction about the Run Task Sequence step, followed by the configuration options for the Run Task Sequence step. I’ll end this post with the end result of running a child task sequence, by showing how it’s logged.

Introduction

Starting with Configuration Manager, version 1710, it’s possible to add a new task sequence step that runs another task sequence. That is the Run Task Sequence step. This creates a parent-child relationship between the task sequences. Child task sequences are enablers for creating modular and re-usable task sequences. Before starting with using child task sequences, make sure to be familiar with the following:

  • The parent and child task sequences are combined into a single policy;
  • The task sequence environment is global;
  • The status messages are sent for a single task sequence operation;
  • The child task sequence writes entries to the same smsts.log file (like a group);

Note: Make sure to go through the information mentioned in the More information section, as the second link provides useful information about the abilities.

Configuration

Now let’s have a look at the available configuration options for using the Run Task Sequence step. The four steps below walk through those configuration options. After that, the parent task sequence can be deployed like any other task sequence. However, when deploying a parent task sequence, be aware that the criteria for showing the “high-impact” warning is not detected in Software Center when the child task sequence contains the “high-impact” steps. In that case, use the User Notification properties of the parent task sequence to force the “high-impact” warning.

1 Open the Configuration Manager administration console and navigate to Software Library > Overview > Operating Systems > Task Sequences;
2 Now either create a new task sequence by using Home > Create > Create Task Sequence, or select an existing task sequence and select Home > Task Sequence > Edit to open the Task Sequence Editor;
3 In the Task Sequence Editor, select Add > General > Run Task Sequence;
4

TS_RunTaskSequenceIn the Run Task Sequence step, it’s as simple as browsing to the task sequence and selecting it.

Note: It’s not possible to select a task sequence that contains a boot image reference. The boot image reference has to be on the parent task sequence.

Note: Keep in mind that any chain containing a disabled task sequence will fail and that the Continue on error won’t work for that step containing the disabled task sequence.

Result

Let’s end this post by having a look at the end result. I’ll do that by looking at the smsts.log file and by looking at the deployment status in the Configuration Manager administrator console. When looking at the deployment status, see screenshot below, the first section shows the start of the parent task sequence and the second section shows the start of the child task sequence, like a group within a normal task sequence.

TS_StatusMessage

When looking at the smsts.log, something similar is shown, see screenshot below. The start of the child task sequence is shown like the start of a group within the parent task sequence.

TS_SMSTSLOG

More information

For more information about the Run Task Sequence step, please refer to the following articles:

Super easy customizing Software Center

This week it’s time for a short blog post about customizing Software Center. And not without reason. About two years ago I did a post about setting the company logo in the new Software Center. I received many reactions on that post about why a Microsoft Intune subscription configuration was required to set a company logo in Software Center. I had no answer. Now that time is over! Starting with Configuration Manager, version 1710, it’s super easy to customize Software Center with Client Settings. Including the company logo! In this post I’ll walk through the available configuration options and I’ll show the end-user experience. Including an additional bonus about the Software Center icons.

Configuration

Starting with Configuration Manager, version 1710, it’s super easy to add company branding elements to Software Center and it’s super easy to specify the visibility of tabs in Software Center. An administrator can now add a Software Center specific company name, set a Software Center configuration color theme, set a company logo in Software Center, and set the visible tabs in Software Center. The following three steps walk through the available easy configuration options.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client Device Settings and select the Software Center section, or open open the Default Client Settings and select the Software Center section;
3 In the Software Center section, it’s possible to configure the following settings;

  • Select these new settings to specify company information: Set to Yes to enable the Software Center customization settings;
  • Company name: Provide a valid company name;
  • Color scheme for Software Center: Select a valid color;
  • Select a logo for Software Center: Browse to the company logo;
  • Enable Applications tab: Set to Yes to enable the Application tab;
  • Enable Updates tab: Set to Yes to enable the Updates tab;
  • Enable Operating Systems tab: Set to Yes to enable the Operating Systems tab;
  • Enable Installation Status tab: Set to Yes to enable the Installation Status tab;
  • Enable Options tab: Set to Yes to enable the Options tab;

SC_ClientSettings

Note: The logo must be a JPEG or PNG of 400×100 pixels with a maximum size of 750 KB.

End-user experience

Now let’s have a look at the end-user experience. To show how the Software Center configuration relates to the actual look-and-feel, I would like to highlights the three sections as shown below.

1 The first section shows the configured Company name, the configured Color scheme and the configured Logo. This relates to the first section of the Client Settings shown above;
2 The second section shows the enabled tabs. This relates to the second section of the Client Settings shown above;
3 BONUS: The third section shows the updated Software Center icons experience. Software Center will no longer distort icons that are larger than 250×250. Administrators can now set an icon with a pixel dimensions of up to 512×512, and it displays without distortion.

SC_Custom

Combining the powers of the Intune Management Extension and Chocolatey

A bit more than a week ago the Intune Management Extension was added to Microsoft Intune to facilitate the ability to run PowerShell scripts on Windows 10 devices that are managed via MDM. That addition opens a whole new world for managing Windows 10 devices via MDM. Looking at app deployment specifically, this enables the administrator to look at something like Chocolatey for deploying packages. That would make the app deployment via Microsoft Intune suddenly flexible. In this blog post I’ll start with a little introduction about the Intune Management Extension and Chocolatey, followed by the configuration of a PowerShell script to install Chocolatey packages. I’ll end this post by looking at the end result.

Introduction

Let’s start with a short introduction about the awesome Intune Management Extension. The Intune Management Extension supplements the out-of-the-box MDM capabilities of Windows 10. It will be installed automatically on Windows 10 devices, that are managed via MDM, and it simply enables administrators to run PowerShell scripts on Windows 10 devices. Those PowerShell scripts can be used to provide additional capabilities that are missing from the out-of-the-box MDM functionality. The first scenario that the Intune Management Extension enabled, for me, is super easy app deployment via Chocolatey.

Chocolatey is a global PowerShell execution engine using the NuGet packaging infrastructure. Think of it as the ultimate automation tool for Windows. Chocolatey is a package manager that can also embed/wrap native installers and has functions for downloading and check-summing resources from the Internet. Super easy for installing application packages on Windows 10 devices.

Configuration

Now let’s have a look at the configuration. The configuration contains 3 steps. The first step is to create the required PowerShell script, the second step is to upload the PowerShell script to Intune and the third step is to assign the PowerShell script to an Azure AD group.

Step 1: Create PowerShell script

The first step is to create a PowerShell script that will check for the installation of Chocolatey, and that will install Chocolatey if it’s not yet installed. Once Chocolatey is installed the PowerShell script will install the required Chocolatey packages. Now let’s walk through the PowerShell script that I’ll use to do exactly that. The first thing that the script uses, are 2 variables. The first variable $ChocoPackages contains an array with the required Chocolatey packages and the second variable, $ChocoInstall, contains the default installation directory of Chocolatey (see below).

$ChocoPackages = @(“googlechrome”,”adobereader”,”notepadplusplus.install”,”7zip.install”)

$ChocoInstall = Join-Path ([System.Environment]::GetFolderPath(“CommonApplicationData”)) “Chocolatey\bin\choco.exe”

The second thing that the PowerShell script does is verifying the existence of the installation of Chocolatey. This is done by simply testing for the existence of choco.exe by using the $ChocoInstall variable. When choco.exe is not found, the online installation of Chocolatey will be triggered (see below).

if(!(Test-Path $ChocoInstall)) {
     try {

         Invoke-Expression ((New-Object net.webclient).DownloadString(‘https://chocolatey.org/install.ps1’)) -ErrorAction Stop
     }
     catch {
         Throw “Failed to install Chocolatey”
     }      
}

The third and last thing that the PowerShell script does is triggering the installation of the Chocolatey packages. This is done by running through the Chocolatey packages in the $ChocoPackages variable. For every package the installation will be triggered by using Chocolatey (see below).

foreach($Package in $ChocoPackages) {
     try {
         Invoke-Expression “cmd.exe /c $ChocoInstall Install $Package -y” -ErrorAction Stop
     }
     catch {
         Throw “Failed to install $Package”
     }
}

Now put these three pieces together in one script and save it as a PowerShell script (.ps1).

Step 2: Upload PowerShell script

The second step is to upload the created PowerShell script in Intune. To upload the PowerShell script, follow the next 5 steps.

1 Open the Azure portal and navigate to Intune > Device configuration > PowerShell scripts;
2 On the Device configuration – PowerShell scripts blade, click Add script to open the Script Settings blade;
3

Intune_AddPowerShellScriptOn the Add PowerShell script blade, provide the following information and click Settings to open the Script Settings blade;

  • Name: Provide a valid name for the PowerShell script policy;
  • Description: (Optional) Provide a description for the PowerShell script policy;
  • Script location: Browse to the PowerShell script.

Note: The script must be less than 10 KB (ASCII) or 5 KB (Unicode).

4

Intune_ScriptSettingsOn the Script Settings blade, provide the following configuration and click OK to return to the PowerShell script blade;

  • Run the script using the logged on credentials: No;
  • Enforce script signature check: No;

Note: Configure Run the script using the logged on credentials to No means that the PowerShell script will run in SYSTEM context;

5 Back on the Add PowerShell script blade, click Create.

Step 3: Assign PowerShell script

The third and last step is to assign the PowerShell script to an Azure AD group. To assign the PowerShell script, follow the next 5 steps.

1 Open the Azure portal and navigate to Intune > Device configuration > PowerShell scripts;
2 On the Device configuration – PowerShell scripts blade, select the uploaded PowerShell script and click Assignments to open the {ScriptName} – Assignments blade;
3 On the {ScriptName} – Assignments blade, select the required Azure AD group and click Save.

Note: Keep in mind that the Intune Management Extension synchronizes to Intune once every hour.

Result

Now let’s end this post by looking at the end result. Yes, I can show the installed applications, but it’s better for understanding the process to look at some log files. From an Intune Management Extension perspective, the most interesting log file is IntuneManagementExtension.log. That log file is located at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. Below is an example, in which I would like to highlight 2 sections:

  1. The first section shows that the first time a PowerShell script arrives on a device, as a policy, the complete script is shown in the log file;
  2. The second section clearly shows the configuration of the PowerShell script, by showing the configuration of the signature check and the context (as configured in step 2.4);

IME_Chocolatey_Result

From a Chocolatey perspective, the most interesting log files are choco.log and choco.summary.log. These log files are located at C:\ProgramData\chocolatey\logs. To show the most interesting information, I would like to highlight 2 sections from the choco.summary.log below:

  1. The first section shows the detection of a Chocolatey packages that is already installed;
  2. The second section shows the installation of a Chocolatey package;

Choco_Chocolatey_Result

The nice thing about Chocolatey is that it already contains a lot of intelligence. A simple example of that is that it checks for the installation of the packages, before starting the installation. That enables me to use one script for installing the packages by simply adding new packages to the $ChocoPackages variable. When the script runs on the client, only the newly added packages will be installed.

Note: Keep in mind that you can also use Chocolatey for updating the installed packages.

More information

For more information about the Intune Management Extension and Chocolatey, please refer to the following articles:

Notify end-user about non-compliant device

This week is all about device compliance policies. Well, actually it’s all about what actions can be triggered for non-compliant devices. Since recently it’s possible to configure actions for non-compliance. Previously the action for non-compliant devices was that the device would be marked as non-compliant. That action is still configured by default, but it’s now also possible to configure additional end-user notifications. In this blog post I’ll provide a short introduction to the actions for non-compliant devices, followed by the required configurations. I’ll end this post with the end-user experience.

Introduction

Let’s start with a short introduction. Device compliance policies now contains configuration properties for the configuration of Actions for noncompliance. The Actions for noncompliance allows administrators to configure a time-ordered sequence of actions that are applied to devices that don’t meet the device compliance policy criteria. By default, when a device does not meet the device compliance policy, Intune immediately marks it as non-compliant. The Actions for noncompliance gives administrators more flexibility to decide what to do when a device is non-compliant. There are two types of actions:

  • Send email to end user: Administrators can customize an email notification that can be sent to the end-users. Intune provides customization of the subject, message body, company logo, company name and contact information. A schedule can be defined to determine how many days after non-compliance the e-mail notification should be sent;
  • Mark device noncompliant: Administrators can define a schedule to determine how many days after non-compliance the device should actually be marked as non-compliant.

This combination enables the IT organization to decide not to block the device immediately. Instead, immediately sent the end-user a notification via e-mail and give the end-user a grace period to become compliant. A good use case for that configuration would be to force end-users to upgrade to the latest version of the platform.

Configuration

Now let’s continue by looking at the configuration. The configuration contains two required steps. The first step is to configure the actual notification and the second step is to configure the device compliance policy to actually use the created notification.

Step 1: Configure notification

The first step is to create the device compliance notification. That notification will contain the message that will be sent to the end-users. To create the notification, follow the next three steps.

1 Open the Azure portal and navigate to Intune > Device compliance > Notifications;
2 On the Device compliance – Notifications blade, click Create notification to open the Create Notification blade;
3

Intune_DevComNotificationOn the Create notification blade, provide the following information and click Create.

  • Name: Provide a name for the policy;
  • Subject: Provide a subject for the notification email;
  • Message: Provide a message that is part of the notification email;
  • Select Enable with Email header – Include company logo;
  • Select Enable with Email footer – Include company name;
  • Select Enable with Email footer – Include contact information.

Note: The last three settings use the information as configured with Intune > Mobile apps > Company Portal branding.

Step 2: Configure device compliance policy

The second step is to configure the actual Actions for noncompliance for a device compliance policy. Let’s do that by looking at an existing device compliance policy. To configure a notification for non-compliant devices, in an existing device compliance policy, follow the next 5 steps.

1 Open the Azure portal and navigate to Intune > Device compliance > Policies;
2 On the Device compliance – Policies blade, select an existing device compliance policy and click Properties to open the {PolicyName} – Properties blade;
3 On the {PolicyName} – Properties blade, click Actions for noncompliance to open the Actions blade;
4

On the Actions blade, click Add to open the Action parameters blade;

Note: By default this blade also shows the standard action named Mark device noncompliant. This action can not be deleted, but the schedule when it’s triggered can be configured (in days).

5

Intune_DevComActionOn the Action parameters blade, provide the following information and click Add.

  • Action: Select Send email to end user;
  • Message template: Select the just create notification;
  • Schedule (days after noncompliance): Specify how many days after non-compliance this notification should be send.

Note: Make sure that the notification message matches with the configured schedule for marking the device as noncompliant.

End-user experience

Now let’s end this post by looking at the end-user experience. Below is an example of an non-compliant iOS device and the notification e-mail that was received. The different section of the notification e-mail can be matched with the configuration (step 1.3), by looking at the numbers below.

  1. Email header – Include company logo;
  2. Message;
  3. Email footer – Include company name;
  4. Email footer – Include contact information;
  5. Subject.

IMG_0120

More information

For more information about notifying end-users about non-compliant devices, please refer to this article Automate actions for noncompliance.

Note: While I was writing this blog post, my colleague Arjan Vroege posted his version about this same subject. For his version, please have a look at this blog post.

Auto-enroll Windows 10 devices using Group Policy

This week is all about creating awareness for the automatic MDM enrollment feature, using ‘Group Policy, that is introduced in Windows 10, version 1709. In some scenarios that might not sounds very interesting. Especially when looking at cloud only scenarios. However, this feature is very interesting in scenarios when organizations want to move to the cloud. Think about co-management. Co-management helps organizations to slowly move their device management capabilities to the cloud, by allowing multiple device management agents on a single device. Microsoft just released co-management in Microsoft Intune and co-management is also available in the latest Technical Preview releases of Configuration Manager. So, imagine a scenario in which a currently Configuration Manager managed device can receive a Group Policy setting to also auto-enroll the device in Microsoft Intune. Very helpful in the transition to the cloud.

In this post I’ll provide a short introduction to auto-enrollment for Windows 10 devices, followed by an overview of the requirements to enable auto-enrollment for Windows 10 devices. I’ll end this post with how to verify the results of a successful auto-enrollment.

Introduction

Let’s start by looking at an introduction to automatic MDM enrollment of Windows 10 devices. Well, actually more describing what will happen when configuring automatic enrollment. Automatic enrollment relies on the presence of an MDM service in Azure Active Directory and the Azure Active Directory registration of a Windows 10 device. Starting with Windows 10, version 1607, once an organization has registered its Active Directory with Azure Active Directory, a Windows 10 device that is Active Directory domain joined is automatically Azure Active Directory registered.

SchedTask_AutoMDMWhen the auto-enroll Group Policy is enabled, a scheduled task is created that initiates the MDM enrollment. That scheduled task will start deviceenroller.exe with the AutoEnrollMDM parameter, which will use the existing MDM service configuration, from the Azure Active Directory information of the user, to auto-enroll the Windows 10 device. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is completed, the scheduled task will be removed and a folder will be created with the “standard” MDM-related tasks.

Note: In Windows 10, version 1709, when the same setting is configured via Group Policy and via MDM, the Group Policy setting wins. This might change in future releases of Windows 10.

Requirements

Before starting with the configuration, let’s start by having a look at the list of requirements that must be in place to facilitate the auto-enroll configuration.

  • Active Directory is integrated with Azure Active Directory;
  • MDM service is configured in Azure Active
    Directory;
  • Device is running Windows 10, version 1709, or later;
  • Device is Active Directory joined;
  • Device is Azure Active Directory registered.

As in my posts the main focus is at the management of the devices, let’s highlight the configuration requirement of the MDM service in Azure Active Directory.

1 Open the Azure portal and navigate to Azure Active Directory > Mobility (MDM and MAM);
2 On the Mobility (MDM and MAM) blade, click Add application to add the applicable MDM app. As I’m using Microsoft Intune, the MDM app was already added and preconfigured;
3 IntuneMDMConfigSelect the MDM app, in my case Microsoft Intune, and make sure the settings are configured.

Configuration

Now let’s have a look at the main configuration of this post, the configuration of the required Group Policy setting. It’s actually quite simple, but it’s all about being aware. Simply install the latest ADMX-files for Windows 10, version 1709, or later and perform at least the following 3 steps.

1 Create a new GPO, or open an existing GPO, in the Group Policy Management Editor and navigate to Administrative Templates > Windows Components > MDM;
2

GPO_AutoMDMOpen the Auto MDM Enrollment with AAD Token setting, select Enabled and click OK;

3 Make sure the GPO is linked to the correct OU.

Result

Once the configuration of the Group Policy is done, and the policy is enabled and linked, it’s time to look at the results. The following 3 locations, are the easiest locations, on the local Windows 10 device, to look for a success of the auto-enrollment.

EventView_AutoMDMEvent Viewer – The first place to look for a success is the Event Viewer. The Event Viewer contains a specific location for device management related events. That location can be found at Microsoft > Windows > DeviceManagement-Enterprise > Diagnostics > Provider > Admin. That location should show Event ID: 75, with the message “Auto MDM Enroll: Succeeded”.
TaskSched_AutoMDMTask Scheduler – The next place to look for a success is the Task Scheduler. The Task Scheduler contains a specific location for device management tasks. That location can be found at Microsoft > Windows > EnterpriseMgmt. That location previously contained a task named “Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties”. After a successful auto-enrollment, that task should be gone and a folder with a guid name should show.
Settings_AutoMDMSettings – Another place to look for a success is the Settings panel.  The Settings panel contains a location that provides information about the connected work and school environments. That location can be found via Start > Settings > Accounts > Access work or school. Without a successful auto-enrollment it simply shows a connected Active Directory domain. Once the auto-enrollment is successful, the connected Active Directory domain can be selected and the Info button can be used to see the MDM enrollment information.

Note: The Windows 10 device can also be located in the Azure Active Directory. However, I thought that providing the information above provides more insights in what’s actually happens. Besides that, a screenshot of a Windows 10 device in Azure Active Directory, is simply boring.

More information

For more information about automatically enrolling Windows 10 devices using GPO, please refer to this article of Enroll a Windows 10 device automatically using Group Policy.