Windows 10 MDM for the Group Policy Gurus


If you’re an old-school group policy admin, you may be finding that the world of Mobile Device Management (MDM) in Windows 10 doesn’t offer quite the same level of reporting and troubleshooting tools as you are used to. I’ll keep this page as up-to-date as possible with tips and tricks for settings/policy management, reporting and troubleshooting for Windows 10 desktop devices, and how they relate to traditional group policy management. If you have any additions, please let me know!

Update: 28th December 2016 – Updated the “Getting Resultant Settings” section to include a better (more accurate) way of generating a settings report. Also updated the “Settings Sync Interval” section with information on customizing this. Thanks to Janani and the rest of the Windows 10 MDM feature team for sharing this!

Getting Resultant Settings (aka GPResult)

In Group Policy we use:

GPResult /h file.html or rsop.msc

In MDM we use:

You can export an “MDM Result” XML report containing really useful information about all aspects of the MDM policy that is applying to a machine. You can then use a tool created by the Windows 10 MDM team to convert the XML into a nice HTML report for troubleshooting.

To start, just go to Settings > Accounts > Access work or school, and click on the ‘Export your management log files’ link under ‘Related Settings’.

Take a look at the XML file. You can see all the configured policy settings, and there are also sections for important MDM settings like SCEP and Wi-Fi profiles!

Now if you want an HTML report, just go grab the tool (Device Management Log XML to HTML Converter) from the TechNet Script Center, extract it and run it against your XML file:

.\mdmReportGenerator.ps1 MDMDiagReport.xml MDMDiagReport.html

Now open MDMDiagReport.html

Notice that this report gives you the default value to compare against, and also something called “ConfigSource”. The ConfigSource can be useful in figuring out where the setting came from (e.g. was the setting configured via your MDM server or from ActiveSync, or perhaps from a provisioning package that was applied at some stage?). To figure out what source the GUID maps to, just search for the GUID in the first section of the report.

To find out what the policy setting values mean, go to the Windows 10 URI settings reference here: https://docs.microsoft.com/en-au/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune

Tip: When you download the converter tool, make sure you unblock the zip file before extracting the contents. Otherwise the conversion will fail.

Option 2: the quick and dirty way to check if your policy was downloaded by Windows 10 – run PowerShell:

Get-Item 'HKLM:\Software\Microsoft\PolicyManager\current\device\*'
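
An added example (not from the original post or the MDM team's converter tool) that expands the one-liner above: it walks each policy area under the same registry key and emits one row per value, so the result can be filtered, sorted or exported when checking what actually landed on the device. The function name Get-MdmAppliedPolicy and its -Area parameter are made up for this example.

```powershell
# Added example: flatten PolicyManager\current\device into one row per registry value.
# Get-MdmAppliedPolicy and -Area are hypothetical names, not part of Windows.

function Get-MdmAppliedPolicy {
    [CmdletBinding()]
    param(
        # Registry path taken from the article.
        [string]$Path = 'HKLM:\Software\Microsoft\PolicyManager\current\device',
        # Optional wildcard filter on the policy area (sub-key) name.
        [string]$Area = '*'
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    # Each sub-key is one policy area; each value under it is one stored item.
    foreach ($areaKey in Get-ChildItem -Path $Path) {
        if ($areaKey.PSChildName -notlike $Area) { continue }

        foreach ($name in $areaKey.GetValueNames()) {
            [pscustomobject]@{
                Area  = $areaKey.PSChildName
                Name  = $name
                Kind  = $areaKey.GetValueKind($name)
                # Multi-string and binary data come back as arrays; join them
                # so every row has a single printable value.
                Value = @($areaKey.GetValue($name)) -join ';'
            }
        }
    }
}

# Show everything that has been written for the device scope.
Get-MdmAppliedPolicy | Sort-Object Area, Name | Format-Table -AutoSize -Wrap
```

Because the function returns objects, the same output can be piped to Export-Csv before and after a sync and the two files compared.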

Troubleshooting Policy Application Events (Event Logging)

In Group Policy we use:

Microsoft-Windows-GroupPolicy/Operational, or Advanced Logging

In MDM we use:

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug

Forcing a Policy Update (Aka GPUPDATE)

In Group Policy we use:

Gpupdate /Force

In MDM we use:

Settings>Access Work or School>Info>Sync

Settings Synchronization interval

In Group Policy we use:

A default value of 90 minutes with a 30 minute random offset (can be customized)

In MDM we use:

Every 3 minutes for 30 minutes after enrollment, and then every 8 hours (This can also be customized using the DMClient CSP)


Comments (1)

  1. Guntrum Riesling says:

    This is great info, thank you.

    Looking forward to any updates that you have in the future!
