Event banner
Event details
31 Comments
- Trevor_Rusher
Community Manager
Thanks for joining us today for an AMA on Deploying and managing Windows devices in education. We appreciate your questions and feedback—and look forward to continuing the discussion on the Windows community!
- Hello. I have a question regarding Intune Enrollment via GPO: Is it possible to enroll Windows 10 devices using a GPO configured using Device Credentials instead of User Credentials? We don't want to wait for users to have to sign in to begin deploying applications/settings, and we are converting existing AD bound workstations in our users' absence into Intune management. All of our efforts to enroll devices with this configuration have met with failure, throwing error 0x80180001 with Event ID 76 in the DeviceManagement-Enterprise-Diagnostics-Provider logs. The article here https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy states that Device Credentials are not supported for environments without Configuration Manager, or Azure Virtual Desktop. Is this in fact the case? There is lots of conflicting/confusing information out there, such as in these threads: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4828 https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5543
- Haven't been able to figure this out for years myself.
- EricOrman
Microsoft
Device credential is not supported when performing GPO enrollments into MEM/Intune, it is actually blocked at the Intune service. Only user credential is supported when perform GPO enrollments, which also means you need to assign Intune license to your users also. https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy, see the big bold purple comment on step #5.
- Trevor_Rusher
Welcome to the Deploying and managing Windows devices in education Ask Microsoft Anything (AMA)! This live hour gives you the opportunity to ask questions and provide feedback to the engineering and product teams building Windows. Introduce yourself by replying to this thread. Post each question in the Comment on this event… box above.
Here's who's on deck today to answer questions about preparing for Windows Autopilot:
T. Robert Nishi, Ravi Ashok, Becky King, Christopher Urban, Chris Kunze, Liz Cox, and Andre Mitchell
- Some questions were asked earlier if you can look at those.
- Becky KingHi there! Becky from the EDU Customer Experience Team, based in Redmond. Looking forward to hearing from you all!
- Ravi_AshokHey everyone, Ravi here from the education device management team. Looking forward to hearing from you!
- Are there any plans to improve the Web Content Filtering feature of Windows Defender ATP? We are rolling out a device for every one of our students, of which they will be able to take home to complete homework etc, having a more education-suitable version of the content filtering feature would be very beneficial to education and save a lot of money on traditional web filters.
- Chris_Urban
Thanks Rhys Williams for your great question! Institutions around the world have brought this up over the years. Historically, we've leaned on our Partner ecosystem to provide these capabilities. However, we've heard loud and clear the statement, "...we'd like something from Microsoft". To that end, we have Web content filtering in public preview today as part of Microsoft Defender for Endpoint. Since this is still in preview, there are licensing Prerequisites which are outlined currently. As we move to General Availability, I would recommend you reaching out to your Microsoft Account Team or you Microsoft reseller to license appropriately.
- According to the pre-reqs it is only available to E5. Is that a standard oversight of Microsoft docs forgetting A5 exists or is A5 truly excluded from preview?
- Any updates on the ability for students to use Windows Hello for Business on devices such as Surface Pro for facial recognition login without having to enroll in MFA due to a lack of device? Any way to bulk enroll accounts yet to enable this?
- Robert_NishiTo my knowledge (and take that with a grain of salt), we still require the MFA for biometrics setup for Windows Hello. It's a fair request and as I'm sure you're aware, we've continued to hear this as a request, but unfortunately there's no "news" I can report. That said, I'd LOVE to get more details on use cases, any challenges you may have heard with regards to privacy and/or otherwise.
- I am happy to point you to the years worth of forum posts, feedback posts, twitter threads and other discussions on this topic. I just keep asking as the people who are working on it evolve all the time. Don't want the ask to get forgotten.
- With the announcement today of the discontinuation of the Store for Edu I want to understand if in fact there will be "NO" way to distribute paid apps via MEM / Intune or buy licenses for those on behalf of users / students?
- Liz_CoxHey Brian, that is correct. Paid applications that are already deployed will still be there. For a handful of other paid apps there might be other methods. Is Minecraft one of the ones you're wondering about?
- No, I got Minecraft all set via M365. We have some other apps that we purchased through store. Not huge investment but something. It seems like the thinking here is there will be no apps for sale any longer directly through store? Only free apps with in app purchasing or other login base licensing? If as a school we can't bulk buy apps then we can't buy apps. This just means no app sales to schools (or enterprises).
