Jul 23 2018 02:47 AM
Hi there
I configured the policy, assigned it to a AAD group (members are Windows 10 devices) but still after a few days the deployment status is unassigned (Windows 10 Pro 1803):
What did I wrong?
This device is also mentioned as "conflict" with a profile with device restrictions. Didn't work out yet how to solve this.
Other devices are pending, but they are not running right now, so that's fine.
On one device (Windows 10 Enterprise 1803), I was able to activate the Insider Program in the control panel, choose an account, did a restart and the insider build is downloading now. That machine is also in the AAD group.
Thanks and best
Udo
Jul 23 2018 03:52 AM
Hi Udo,
first of all a device configuration conflict will have the result, that the policy will not be applied at all. That's different in regards to compliance policies, there it evaluates to the most restrictive value and that's applied in the end.
Normally device restrictions do not have configurations which are in conflict to software update ring policies. Are you sure you are not conflicting with e.g. a custom OMA-URI policy?
best,
Oliver
Jul 23 2018 04:14 AM
I have one OMA-URI configured:
It's assigned, but pending for all machines, but I synced them (company portal)- hm I think I missed some understanding with policies here…
The above setting is for "MDM wins over GP", but as I'm not using any on-prem config I un-assigned the policy. Perhaps that helps already.
The policy with the conflict looks like this:
So all other devices are assigned, just not the last one.
Jul 23 2018 04:22 AM
What exactly do you mean by conflict. The UI tells us "not assigned". It looks like the device does not see the policy at the moment... the MDM html report on the device with not assigned is listing a conflict? Where do you see the "conflict" exactly?
Jul 23 2018 04:26 AM
Sorry for the confusion - I'm at the beginning with the Intune stuff.
Here I see the conflict:
Jul 23 2018 04:35 AM
No problem! What does the UI tell you if you dig deeper to the device itself. There you can see all the applied configs listed and the ones which are in conflict:
Jul 23 2018 04:41 AM
Seeing this… I have to check the "Computersettings" policy because I remember that I configured Update settings there as well… so that might be the conflict.
But them I'm wondering why with another machine I was able to click on "Get started" in "Windows Insider Program" in the control panel.
Jul 23 2018 04:44 AM
Hm, cannot find any Update settings in this policy:
Jul 23 2018 04:57 AM
The conflict status does not describes an actual conflict. It describes the behavior how to resolve conflicts if there is a setting set by GPO and MDM. In your case the GPO would win. So this is not a conflict itself it is the way to resolve conflict when both ways are utilized to configure something.
Jul 23 2018 05:02 AM
What does the MDM report tell you on the client itself?
Settings > Accounts > Access work or school > click on your account > Info > Scroll down > Create report
Jul 23 2018 05:34 AM
The managed policies section is from interest. Keep an eye on the config source there you will always find the configured values for the particular setting. That's important as the value is not always listed in the column "Current Value":
Jul 23 2018 05:49 AM
So regarding Update settings I see this:
Jul 23 2018 05:58 AM
Maybe the conflict is due to a setting set by GPO. Are you using an Insider build?
What does the command:
gpresult /H %temp%\test.html & %temp%\test.html
reports you? Are there any settings applied?
Jul 23 2018 06:11 AM
Nope, build is 17.134.165, Version 1803
Jul 23 2018 06:44 AM
Are there any settings under:
HKLM\Software\Policies\Microsoft\Windows\Windowsupdate\AU
if yes try to delete them (export before for backup) and Sync again.
Jul 25 2018 12:39 AM
Hi Oliver
Sorry for the late reply. As it was working fine with other machines, I removed that one and enrolled it new. It's working now.
There was only one key under the Regkey, and it didn't help to delete it.
Thanks for you help!!!