microsoft intune
15 Topics

Upcoming event: Windows Office Hours - May 18, 2023
If you have any questions about the following: Windows device and update management, Microsoft Intune, Windows 365, Windows Autopilot, managing Windows in the public sector, and security tips and tricks... Visit this live Q&A for IT professionals this Thursday, May 18th, 2023 - 8:00–9:00 a.m. Pacific Time. Just post your questions now or the day of, and a broad group of product experts, servicing experts, and engineers will be standing by -- in chat -- to answer your questions. You can click here to add this event to your calendar. Bookmark this blog to check for upcoming events.

Here are some simple steps on how to post your questions to current or any future Windows Office Hours sessions:
- Visit the event page.
- Select RSVP.
- Post away!

You can even post questions early for the next event so we can dive right in at the top of the hour! See you there!

845 Views, 1 like, 0 Comments

Join Devices using a provisioning package (.ppkg) in Azure AD - how does it work in detail?
For a project, we are checking whether there is a way to join the devices into AAD using a provisioning package. When creating a project with the Windows Configuration Designer, under "Account Management" there is the task for "Enroll in Azure AD" and "Get Bulk Token".

Here are my questions about it:
- Which account do I normally use to register the token?
- Which rights and licenses must the account have?
- An enterprise app is being created, but must I still do something with the permissions?
- Does something else need to be done with the user that is created in AAD (package_)?
- Are there hurdles in sight regarding conditional access?

I ask myself the questions because I tried it and failed with the following message (from the event log of the client which I wanted to integrate into AAD).

Client: Windows 10 Pro 21H2, Windows 10 Enterprise 1909 (same error)

ProvXML category 'DeviceAADJoin' failed with '0x80180014' at CSP node 'AADJ/BPRT'.
Provisioning failed

1.9K Views, 0 likes, 0 Comments

Windows office hours: June 17, 2021
Post your questions for our next office hours session, which will take place here in the Windows servicing community on Thursday, June 17th from 9:00-10:00 a.m. Pacific Time. Join us to get answers to any questions you may have around managing updates for the remote and onsite devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team. Save the date and see the Windows IT Pro Blog for full details. Let's get started!

3.1K Views, 3 likes, 7 Comments

Windows office hours are closed: June 17, 2021
Thanks for joining today's session of office hours! We'll continue to host these events through the end of 2021 (and beyond) so bookmark https://aka.ms/Windows/OfficeHours for the latest dates and times. We hope we were able to answer any questions you may have around managing Windows 10 updates, deployments, and devices (remote or on-premises)—and to provide help with specific issues as well as tips on how to increase update velocity.

Here is a list of who was in the virtual office today:
- Windows servicing strategies, tactics, best practices: Dave Backman
- All things Windows servicing: Sudhagar Thirumoolan
- Windows update monitoring and reporting: Charles Inglis
- Windows app development (+ update monitoring and strategies): George Nelson
- Windows setup: Steve DiAcetis
- Expediting updates in Microsoft Endpoint Manager: David Guyer
- Windows 10 deployment: Steve Thomas
- Cloud-based update management, Windows Update for Business: Aria Carley, Kay Toma
- Microsoft Endpoint Manager (public sector, CMG, tenant attach, etc.): Danny Guillory, Joe Lurie
- Configuration Manager: Bruno Yoshioka
- Windows commercial experiences: Kevin Mineweaser
- Security: Rick Munck

From all of us to all of you - here's to keeping devices updated, protected, and productive!

1.5K Views, 3 likes, 1 Comment

Windows office hours are open: March 18, 2021
Welcome to office hours! To submit a question, click "Start a New Discussion" here in the Windows servicing space--and do this for each new question. We are here for the next hour to answer any questions you may have around managing Windows 10 updates, deployments, and devices (remote or on-prem)—and to provide help with specific issues as well as tips on how to increase update velocity.

Here is a list of who is in the virtual office today:
- Windows as a service strategies, tactics, best practices: Dave Backman, Namrata Bachwani
- Windows management and servicing: Joe Lurie
- Windows update monitoring and reporting: Charles Inglis
- Windows setup: Steve DiAcetis
- Expediting updates in Microsoft Endpoint Manager: David Guyer
- Windows 10 deployment: Steve Thomas
- Cloud-based update management, Windows Update for Business: Aria Carley
- Microsoft Endpoint Manager: Jason Sandys
- Microsoft Endpoint Manager (public sector, CMG, tenant attach, etc.): Danny Guillory
- Configuration Manager: Rob York
- Windows Autopilot: Heena Macwan
- Security: Rick Munck
- Expediting updates in Microsoft Intune: David Guyer

If you have an issue or question you'd prefer not to discuss publicly, simply click on the name of the person you'd like to speak with, then select Message in the top-right corner to send a direct message. Let's get started!

Save the date for future events

Our next, regularly scheduled office hours event will take place on Thursday, April 15th, 9:00-10:00 a.m. Pacific Time. Add it to your calendar. For an up-to-date list of future events, see the Windows IT Pro Blog.

1.9K Views, 2 likes, 4 Comments

AutoPilot Hybrid Join with White Glove - Issue at first login (MFA we think)
Hello,

Project: Configure Auto-Pilot Hybrid Join for new users and laptops (with White Glove from Dell)

Process works and pre-provisioning is successful, a VPN (Cisco AnyConnect) that auto-starts at the login screen via a certificate. At this stage the user is being targeted with Azure MFA via Conditional Access.

Once the user logs in, none of the Microsoft Endpoint Manager policies get picked up, Teams does not automatically sign in (but prompts the user to sign in). If we leave it 30 mins (waiting for Azure AD Connect to sync the device). We reboot and we get the same, none of the policies get picked up, BitLocker does not encrypt, Teams doesn't auto sign in etc.

If we do a dsregcmd /status on a CMD window, it shows as Domain Joined but not Azure AD joined. Then we look inside of "Work and School Account", we see the info button, we click this, and under "Sync" button has an error, with something on the lines of "Cannot authenticate your credentials" etc etc. - I then click sync and it pops up with the Microsoft Login Box, I select my account (connected to Windows) and sign in - it then throws an MFA prompt to MS Authenticator. If I approve, it syncs and the device starts to get all the policies it requires.

=============

So, I decided to do another test, this time excluding the user from Azure MFA (CA Policy) and ran a new deployment.
- Pre-provisions OK
- Can login with AD credentials at login
- Teams automatically signs in
- dsregcmd /status shows everything is correct, it is Azure AD Joined and Local AD Joined
- wait 30 min for Hybrid AD Join to happen from the DC through AD Connect sync
- Reboot the machine, at next login, everything works, BitLocker encrypts, OneDrive auto-signs in.
- The world is a good place.

It would therefore lead me to believe that with MFA enabled on the user that is signing into the machine, it blocks the initial Azure AD join process tied to that user and stops policies from pulling down to the machine.
However, I cannot find any reference material surrounding MFA being the catalyst as to why the Hybrid Azure AD Join over VPN just does not work properly. Or how we can bypass it on AutoPilot deployments 'Hybrid' deployments.

Note: In Azure AD > Devices > Device Settings - the option for "Devices to be Azure AD joined or Azure AD registered require Multi-Factor Authentication" is set to NO (thought worth a mention, even though I think it does not apply to Hybrid AD join devices).

Another note is, if the user is enabled for MFA and we then deploy inside the corp network (which is bypassing/excluded from MFA), then this works without a problem too.

The CA Policy for MFA targets All Cloud Apps. We even tried to exclude "Intune Enrollment / Intune / Azure Management" - without success.

So we're super stumped as to what to do - does anyone have any info on MFA being a problem with AutoPilot Hybrid Join over VPN?

7.8K Views, 0 likes, 5 Comments

Windows office hours at Microsoft Ignite
We're holding 4 special editions of Windows office hours on Tech Community! Select Start a New Discussion anytime throughout the event and our experts will answer when they are "in the office." Join us to get answers about the latest capabilities we unwrapped this week, troubleshooting guidance to unblock your rollouts, and tips to help you more easily manage Windows 10 updates and your Windows device estate. Select any and all of the desired times below and join us!
- March 2 – 1:00-2:00 p.m. Pacific Time
- March 3 – 8:00-9:00 a.m. Pacific Time
- March 3 – 5:00-6:00 p.m. Pacific Time
- March 4 – 8:00-9:00 a.m. Pacific Time

2.3K Views, 1 like, 0 Comments

Office hours are closed: February 18, 2021
Office hours are now closed. We hope we were able to answer your questions and provide tips and resources to help you more easily manage Windows 10 updates and your Windows device estate.

The experts and engineers who supported today's session were:
- Windows as a service strategies, tactics, best practices: Dave Backman
- Windows 10 servicing tech: Namrata Bachwani
- Windows setup: Steve DiAcetis
- Windows 10 deployment: Steve Thomas
- Cloud-based update management, Windows Update for Business: Aria Carley and David Mebane
- Microsoft Endpoint Manager: Joe Lurie and Jason Sandys
- Microsoft Endpoint Manager (public sector, CMG, etc.): Danny Guillory
- Configuration Manager: Rob York
- Security: Rick Munck and Roy Barton
- Product feedback: Kevin Mineweaser
- FastTrack: Sean McLaren

Office hours at Microsoft Ignite in March

To ensure there is plenty of time for Q&A at Microsoft Ignite, March 2-4, we'll be holding four special editions of office hours during the conference. Select any and all of the desired times below to join us!
- March 2 – 1:00-2:00 p.m. Pacific Time
- March 3 – 8:00-9:00 a.m. Pacific Time
- March 3 – 5:00-6:00 p.m. Pacific Time
- March 4 – 8:00-9:00 a.m. Pacific Time

Save the date for future events

Our next, regularly scheduled office hours event will take place on Thursday, March 18th, 9:00-10:00 a.m. Pacific Time. Add it to your calendar. For an up-to-date list of future events, see the Windows IT Pro Blog. See you next time!

1.4K Views, 4 likes, 0 Comments

Windows 10 office hours will be back in 2021!
Our team of Windows, Microsoft Endpoint Manager, public sector, and FastTrack experts will be in the office and ready to help you manage and update your Windows 10 device estate every third Thursday. Learn more about office hours, then save the date!
- Thursday, January 21st, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR
- Thursday, February 18th, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR
- Thursday, March 18th, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR
- Thursday, April 15th, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR
- Thursday, May 20th, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR
- Thursday, June 17th, 9:00-10:00 a.m. Pacific Time - ADD TO CALENDAR

1.9K Views, 2 likes, 4 Comments

Office hours are closed: November 19, 2020
Office hours are now closed. We hope we were able to answer your questions and provide tips and resources to help you more easily manage Windows 10 updates and your Windows device estate.

The experts and engineers who supported today's session were:
- Windows as a service strategies, tactics, best practices: Dave Backman and James Bell
- Windows 10 deployment: Steve Thomas
- Cloud-based update management, Windows Update for Business: Aria Carley
- Dynamic Update: Steve DiAcetis
- Microsoft Endpoint Manager: Joe Lurie
- Microsoft Endpoint Manager (public sector, CMG, etc.): Danny Guillory
- Product feedback: Kevin Mineweaser
- FastTrack: Sean McLaren

Save the date for future events

Our next office hours event will take place on Thursday, December 17th, 9:00-10:00 a.m. Pacific Time. Add it to your calendar. For an up-to-date list of future events, see the Windows IT Pro Blog. See you next time!

10K Views, 6 likes, 3 Comments