There are some breaking changes in the Windows 10 mobile device management (MDM) enrollment and management experience, across all Windows 10 devices, that you should be aware of.
This article lists the known breaking changes and issues, dated 05/14/2019, with mobile device enrollment and management. A few are highlighted below.
Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10
During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret.
After upgrading to Windows 10, you should call the MDM_WNSConfiguration class to recreate the notification channel URI.
Apps installed using WMI classes are not removed
Applications installed using WMI classes are not removed when the MDM account is removed from the device.
SSL settings in IIS server for SCEP must be set to “Ignore”
The certificate setting under “SSL Settings” in the IIS server for SCEP must be set to “Ignore” in Windows 10. In Windows Phone 8.1, when you set the client certificate to “Accept,” it works fine.
MDM enrollment fails on the mobile device when traffic is going through proxy
When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network.
Server-initiated unenrollment failure
Server-initiated unenrollment for a device enrolled by adding a work account silently fails, leaving the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
Certificates causing issues with Wi-Fi and VPN
Currently in Windows 10, version 1511, when ClientCertificateInstall is used to install certificates to the device store and the user store, and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store is also installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
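To check whether a device shows this symptom, the following added example (not part of the original article or any Microsoft tooling) lists certificates whose thumbprint appears in both the device and user personal stores. It assumes a Windows 10 PC with PowerShell, run as the affected user; the function name `Get-DuplicatedStoreCertificate` is hypothetical.

```powershell
# Added example: find certificates present in BOTH the device store
# (LocalMachine\My) and the user store (CurrentUser\My), the symptom
# described for certificates delivered in one MDM payload.
function Get-DuplicatedStoreCertificate {
    [CmdletBinding()]
    param(
        [string]$MachineStore = 'Cert:\LocalMachine\My',
        [string]$UserStore    = 'Cert:\CurrentUser\My'
    )

    # Index the user store by thumbprint so each lookup is a hash hit.
    $userCerts = @{}
    foreach ($cert in Get-ChildItem -Path $UserStore) {
        $userCerts[$cert.Thumbprint] = $cert
    }

    # Report every device-store certificate that also exists in the user store.
    foreach ($cert in Get-ChildItem -Path $MachineStore) {
        if (-not $userCerts.ContainsKey($cert.Thumbprint)) { continue }

        $userCopy = $userCerts[$cert.Thumbprint]
        $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }

        [pscustomobject]@{
            Thumbprint         = $cert.Thumbprint
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            EnhancedKeyUsage   = ($ekus -join ', ')
            # A private key on the user copy means Wi-Fi or VPN could
            # select it for client authentication instead of the intended one.
            UserCopyHasPrivKey = $userCopy.HasPrivateKey
        }
    }
}

$duplicates = @(Get-DuplicatedStoreCertificate)
if ($duplicates.Count -eq 0) {
    Write-Output 'No certificate is present in both stores.'
} else {
    $duplicates | Format-List
}
```

A match alone does not prove the MDM payload caused it, since a certificate can be placed in both stores deliberately; compare the issuer and enhanced key usage against the profiles the MDM server actually sent.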
Breaking Changes & Known Issues List
- Get command inside an atomic command is not supported
- Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10
- Apps installed using WMI classes are not removed
- Passing CDATA in SyncML does not work
- SSL settings in IIS server for SCEP must be set to “Ignore”
- MDM enrollment fails on the mobile device when traffic is going through proxy
- Server-initiated unenrollment failure
- Certificates causing issues with Wi-Fi and VPN
- Version information for mobile devices
- Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues
- Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218
- Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile
- Remote PIN reset not supported in Azure Active Directory joined mobile devices
- MDM client will immediately check-in with the MDM server after client renews WNS channel URI
- User provisioning failure in Azure Active Directory joined Windows 10 PC
- Requirements to note for VPN certificates also used for Kerberos Authentication
- Device management agent for the push-button reset is not working