Windows 10 Update Ring configuration

Copper Contributor

Hi there

 

I configured the policy, assigned it to a AAD group (members are Windows 10 devices) but still after a few days the deployment status is unassigned (Windows 10 Pro 1803):

 

2018-07-23_11-40-22.png

What did I wrong?

 

This device is also mentioned as "conflict" with a profile with device restrictions. Didn't work out yet how to solve this.

 

Other devices are pending, but they are not running right now, so that's fine.

 

On one device (Windows 10 Enterprise 1803), I was able to activate the Insider Program in the control panel, choose an account, did a restart and the insider build is downloading now. That machine is also in the AAD group.

 

Thanks and best
Udo

17 Replies

Hi Udo,

 

first of all a device configuration conflict will have the result, that the policy will not be applied at all. That's different in regards to compliance policies, there it evaluates to the most restrictive value and that's applied in the end.

Normally device restrictions do not have configurations which are in conflict to software update ring policies. Are you sure you are not conflicting with e.g. a custom OMA-URI policy?

 

best,

Oliver

I have one OMA-URI configured:

2018-07-23_13-06-54.png

It's assigned, but pending for all machines, but I synced them (company portal)- hm I think I missed some understanding with policies here…

 

The above setting is for "MDM wins over GP", but as I'm not using any on-prem config I un-assigned the policy. Perhaps that helps already.

 

The policy with the conflict looks like this:

 

2018-07-23_13-13-29.png

So all other devices are assigned, just not the last one.

 

 

 

 

What exactly do you mean by conflict. The UI tells us "not assigned". It looks like the device does not see the policy at the moment... the MDM html report on the device with not assigned is listing a conflict? Where do you see the "conflict" exactly?

Sorry for the confusion - I'm at the beginning with the Intune stuff.

 

Here I see the conflict:

2018-07-23_13-24-37.png

 

 

No problem! What does the UI tell you if you dig deeper to the device itself. There you can see all the applied configs listed and the ones which are in conflict:

 

IntuneConfigConflict.png

2018-07-23_13-38-27.png

 

Seeing this… I have to check the "Computersettings" policy because I remember that I configured Update settings there as well… so that might be the conflict.

 

But them I'm wondering why with another machine I was able to click on "Get started" in "Windows Insider Program" in the control panel.

Hm, cannot find any Update settings in this policy:

 

2018-07-23_13-43-38.png

And just saw this within the device:

 

2018-07-23_13-52-16.png

The conflict status does not describes an actual conflict. It describes the behavior how to resolve conflicts if there is a setting set by GPO and MDM.  In your case the GPO would win. So this is not a conflict itself it is the way to resolve conflict when both ways are utilized to configure something.

What does the MDM report tell you on the client itself?

 

Settings > Accounts > Access work or school > click on your account > Info > Scroll down > Create report

which section I should focus on? 

The managed policies section is from interest. Keep an eye on the config source there you will always find the configured values for the particular setting. That's important as the value is not always listed in the column "Current Value":

MDMReportManagedPolicies.png

So regarding Update settings I see this:

 

2018-07-23_14-48-16.png

Maybe the conflict is due to a setting set by GPO. Are you using an Insider build?

 

What does the command:

gpresult /H %temp%\test.html & %temp%\test.html

 

reports you? Are there any settings applied?

Nope, build is 17.134.165, Version 1803

 

 

Are there any settings under:

 

HKLM\Software\Policies\Microsoft\Windows\Windowsupdate\AU

 

if yes try to delete them (export before for backup) and Sync again.

Hi Oliver

 

Sorry for the late reply. As it was working fine with other machines, I removed that one and enrolled it new. It's working now.

 

There was only one key under the Regkey, and it didn't help to delete it.

 

Thanks for you help!!!