Monday, January 23, 2023

Azure AD Connect sync: Understanding the architecture


https://learn.microsoft.com/en-us/azure/active-directory/hybrid/concept-azure-ad-connect-sync-architecture#relationships-between-staging-objects-and-metaverse-objects



Article

08/26/2022


This topic covers the basic architecture for Azure AD Connect sync. In many aspects, it is similar to its predecessors MIIS 2003, ILM 2007, and FIM 2010. Azure AD Connect sync is the evolution of these technologies. If you are familiar with any of these earlier technologies, the content of this topic will be familiar to you as well. If you are new to synchronization, then this topic is for you. It is however not a requirement to know the details of this topic to be successful in making customizations to Azure AD Connect sync (called sync engine in this topic).


Architecture

The sync engine creates an integrated view of objects that are stored in multiple connected data sources and manages identity information in those data sources. This integrated view is determined by the identity information retrieved from connected data sources and a set of rules that determine how to process this information.


Connected Data Sources and Connectors

The sync engine processes identity information from different data repositories, such as Active Directory or a SQL Server database. Every data repository that organizes its data in a database-like format and that provides standard data-access methods is a potential data source candidate for the sync engine. The data repositories that are synchronized by sync engine are called connected data sources or connected directories (CD).


The sync engine encapsulates interaction with a connected data source within a module called a Connector. Each type of connected data source has a specific Connector. The Connector translates a required operation into the format that the connected data source understands.


Connectors make API calls to exchange identity information (both read and write) with a connected data source. It is also possible to add a custom Connector using the extensible connectivity framework. The following illustration shows how a Connector connects a connected data source to the sync engine.


Diagram shows a connected data source and a sync engine associated by a line called Connector.


Data can flow in either direction, but it cannot flow in both directions simultaneously. In other words, a Connector can be configured to allow data to flow from the connected data source to sync engine or from sync engine to the connected data source, but only one of those operations can occur at any one time for one object and attribute. The direction can be different for different objects and for different attributes.


To configure a Connector, you specify the object types that you want to synchronize. Specifying the object types defines the scope of objects that are included in the synchronization process. The next step is to select the attributes to synchronize, which is known as an attribute inclusion list. These settings can be changed any time in response to changes to your business rules. When you use the Azure AD Connect installation wizard, these settings are configured for you.


To export objects to a connected data source, the attribute inclusion list must include at least the minimum attributes required to create a specific object type in a connected data source. For example, the sAMAccountName attribute must be included in the attribute inclusion list to export a user object to Active Directory because all user objects in Active Directory must have a sAMAccountName attribute defined. Again, the installation wizard does this configuration for you.


If the connected data source uses structural components, such as partitions or containers to organize objects, you can limit the areas in the connected data source that are used for a given solution.


Internal structure of the sync engine namespace

The entire sync engine namespace consists of two namespaces that store the identity information. The two namespaces are:


The connector space (CS)

The metaverse (MV)

The connector space is a staging area that contains representations of the designated objects from a connected data source and the attributes specified in the attribute inclusion list. The sync engine uses the connector space to determine what has changed in the connected data source and to stage incoming changes. The sync engine also uses the connector space to stage outgoing changes for export to the connected data source. The sync engine maintains a distinct connector space as a staging area for each Connector.


By using a staging area, the sync engine remains independent of the connected data sources and is not affected by their availability and accessibility. As a result, you can process identity information at any time by using the data in the staging area. The sync engine can request only the changes made inside the connected data source since the last communication session terminated or push out only the changes to identity information that the connected data source has not yet received, which reduces the network traffic between the sync engine and the connected data source.


In addition, sync engine stores status information about all objects that it stages in the connector space. When new data is received, sync engine always evaluates whether the data has already been synchronized.


The metaverse is a storage area that contains the aggregated identity information from multiple connected data sources, providing a single global, integrated view of all combined objects. Metaverse objects are created based on the identity information that is retrieved from the connected data sources and a set of rules that allow you to customize the synchronization process.


The following illustration shows the connector space namespace and the metaverse namespace within the sync engine.


Diagram shows a connected data source and a sync engine, which is separated into connector space and metaverse namespaces, associated by a line called Connector.


Sync engine identity objects

The objects in the sync engine are representations of either objects in the connected data source or the integrated view that sync engine has of those objects. Every sync engine object must have a globally unique identifier (GUID). GUIDs provide data integrity and express relationships between objects.


Connector space objects

When sync engine communicates with a connected data source, it reads the identity information in the connected data source and uses that information to create a representation of the identity object in the connector space. You cannot create or delete these objects individually. However, you can manually delete all objects in a connector space.


All objects in the connector space have two attributes:


A globally unique identifier (GUID)

A distinguished name (also known as DN)

If the connected data source assigns a unique attribute to the object, then objects in the connector space can also have an anchor attribute. The anchor attribute uniquely identifies an object in the connected data source. The sync engine uses the anchor to locate the corresponding representation of this object in the connected data source. Sync engine assumes that the anchor of an object never changes over the lifetime of the object.


Many of the Connectors use a known unique identifier to generate an anchor automatically for each object when it is imported. For example, the Active Directory Connector uses the objectGUID attribute for an anchor. For connected data sources that do not provide a clearly defined unique identifier, you can specify anchor generation as part of the Connector configuration.


In that case, the anchor is built from one or more unique attributes of an object type, none of which changes, and that together uniquely identify the object in the connector space (for example, an employee number or a user ID).


A connector space object can be one of the following:


A staging object

A placeholder

Staging Objects

A staging object represents an instance of the designated object types from the connected data source. In addition to the GUID and the distinguished name, a staging object always has a value that indicates the object type.


Staging objects that have been imported always have a value for the anchor attribute. Staging objects that have been newly provisioned by sync engine and are in the process of being created in the connected data source do not have a value for the anchor attribute.


Staging objects also carry current values of business attributes, and operational information needed by sync engine to perform the synchronization process. Operational information includes flags that indicate the type of updates that are staged on the staging object. If a staging object has received new identity information from the connected data source that has not yet been processed, the object is flagged as pending import. If a staging object has new identity information that has not yet been exported to the connected data source, it is flagged as pending export.


A staging object can be an import object or an export object. The sync engine creates an import object by using object information received from the connected data source. When sync engine receives information about the existence of a new object that matches one of the object types selected in the Connector, it creates an import object in the connector space as a representation of the object in the connected data source.


The following illustration shows an import object that represents an object in the connected data source.


Diagram shows an import object brought from the connected data source to the connector space namespace in the sync engine.


The sync engine creates an export object by using object information in the metaverse. Export objects are exported to the connected data source during the next communication session. From the perspective of the sync engine, export objects do not exist in the connected data source yet. Therefore, the anchor attribute for an export object is not available. After it receives the object from sync engine, the connected data source creates a unique value for the anchor attribute of the object.


The following illustration shows how an export object is created by using identity information in the metaverse.


Diagram shows an export object brought from the metaverse to the connector space namespace, then to the connected data source.


The sync engine confirms the export of the object by reimporting the object from the connected data source. Export objects become import objects when sync engine receives them during the next import from that connected data source.


Placeholders

The sync engine uses a flat namespace to store objects. However, some connected data sources such as Active Directory use a hierarchical namespace. To transform information from a hierarchical namespace into a flat namespace, sync engine uses placeholders to preserve the hierarchy.


Each placeholder represents a component (for example, an organizational unit) of an object's hierarchical name that has not been imported into sync engine but is required to construct the hierarchical name. They fill gaps created by references in the connected data source to objects that are not staging objects in the connector space.


The sync engine also uses placeholders to store referenced objects that have not yet been imported. For example, if sync is configured to include the manager attribute for the Abbie Spencer object and the received value is an object that has not been imported yet, such as CN=Lee Sperry,CN=Users,DC=fabrikam,DC=com, the manager information is stored as placeholders in the connector space. If the manager object is later imported, the placeholder object is overwritten by the staging object that represents the manager.


Metaverse objects

A metaverse object contains the aggregated view that sync engine has of the staging objects in the connector space. Sync engine creates metaverse objects by using the information in import objects. Several connector space objects can be linked to a single metaverse object, but a connector space object cannot be linked to more than one metaverse object.


Metaverse objects cannot be manually created or deleted. The sync engine automatically deletes metaverse objects that do not have a link to any connector space object in the connector space.


To map objects within a connected data source to a corresponding object type within the metaverse, sync engine provides an extensible schema with a predefined set of object types and associated attributes. You can create new object types and attributes for metaverse objects. Attributes can be single-valued or multivalued, and the attribute types can be strings, references, numbers, and Boolean values.


Relationships between staging objects and metaverse objects

Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and metaverse objects. A staging object that is linked to a metaverse object is called a joined object (or connector object). A staging object that is not linked to a metaverse object is called a disjoined object (or disconnector object). The terms joined and disjoined are preferred to not confuse with the Connectors responsible for importing and exporting data from a connected directory.


Placeholders are never linked to a metaverse object.


A joined object comprises a staging object and its linked relationship to a single metaverse object. Joined objects are used to synchronize attribute values between a connector space object and a metaverse object.


When a staging object becomes a joined object during synchronization, attributes can flow between the staging object and the metaverse object. Attribute flow is bidirectional and is configured by using import attribute rules and export attribute rules.


A single connector space object can be linked to only one metaverse object. However, each metaverse object can be linked to multiple connector space objects in the same or in different connector spaces, as shown in the following illustration.


Diagram shows two connected data objects associated by connectors to a sync engine, which has joined objects and a disjoined object.


The linked relationship between the staging object and a metaverse object is persistent and can be removed only by rules that you specify.


A disjoined object is a staging object that is not linked to any metaverse object. The attribute values of a disjoined object are not processed any further within the metaverse. The attribute values of the corresponding object in the connected data source are not updated by sync engine.


By using disjoined objects, you can store identity information in sync engine and process it later. Keeping a staging object as a disjoined object in the connector space has many advantages. Because the system has already staged the required information about this object, it is not necessary to create a representation of this object again during the next import from the connected data source. This way, sync engine always has a complete snapshot of the connected data source, even if there is no current connection to the connected data source. Disjoined objects can be converted into joined objects, and vice versa, depending on the rules that you specify.


An import object is created as a disjoined object. An export object must be a joined object. The system logic enforces this rule and deletes every export object that is not a joined object.


Sync engine identity management process

The identity management process controls how identity information is updated between different connected data sources. Identity management occurs in three processes:


Import

Synchronization

Export

During the import process, sync engine evaluates the incoming identity information from a connected data source. When changes are detected, it either creates new staging objects or updates existing staging objects in the connector space for synchronization.


During the synchronization process, sync engine updates the metaverse to reflect changes that have occurred in the connector space and updates the connector space to reflect changes that have occurred in the metaverse.


During the export process, sync engine pushes out changes that are staged on staging objects and that are flagged as pending export.


The following illustration shows where each of the processes occurs as identity information flows from one connected data source to another.


Diagram shows the flow of identity information from connected data to connector space (import) to metaverse to connector space (synchronization) to connected data (export).


Import process

During the import process, sync engine evaluates updates to identity information. Sync engine compares the identity information received from the connected data source with the identity information about a staging object and determines whether the staging object requires updates. If it is necessary to update the staging object with new data, the staging object is flagged as pending import.


By staging objects in the connector space before synchronization, sync engine can process only the identity information that has changed. This process provides the following benefits:


Efficient synchronization. The amount of data processed during synchronization is minimized.

Efficient resynchronization. You can change how sync engine processes identity information without reconnecting the sync engine to the data source.

Opportunity to preview synchronization. You can preview synchronization to verify that your assumptions about the identity management process are correct.

For each object specified in the Connector, the sync engine first tries to locate a representation of the object in the connector space of the Connector. Sync engine examines all staging objects in the connector space and tries to find a corresponding staging object that has a matching anchor attribute. If no existing staging object has a matching anchor attribute, sync engine tries to find a corresponding staging object with the same distinguished name.


When sync engine finds a staging object that matches by distinguished name but not by anchor, the following special behavior occurs:


If the object located in the connector space has no anchor, then sync engine removes this object from the connector space and marks the metaverse object it is linked to as retry provisioning on next synchronization run. Then it creates the new import object.

If the object located in the connector space has an anchor, then sync engine assumes that this object has either been renamed or deleted in the connected directory. It assigns a temporary, new distinguished name for the connector space object so that it can stage the incoming object. The old object then becomes transient, waiting for the Connector to import the rename or deletion to resolve the situation.

Transient objects are not always a problem, and you might see them even in a healthy environment. With Azure AD Connect sync V2 endpoint API, transient objects should auto-resolve in subsequent delta synchronization cycles. A common example where you might find transient objects being generated occurs on Azure AD Connect servers installed in staging mode, when an admin permanently deletes an object directly in Azure AD using PowerShell and later synchronizes the object again.


If sync engine locates a staging object that corresponds to the object specified in the Connector, it determines what kind of changes to apply. For example, sync engine might rename or delete the object in the connected data source, or it might only update the object’s attribute values.


Staging objects with updated data are marked as pending import. Different types of pending imports are available. Depending on the result of the import process, a staging object in the connector space has one of the following pending import types:


None. No changes to any of the attributes of the staging object are available. Sync engine does not flag this type as pending import.

Add. The staging object is a new import object in the connector space. Sync engine flags this type as pending import for additional processing in the metaverse.

Update. Sync engine finds a corresponding staging object in the connector space and flags this type as pending import so that updates to the attributes can be processed in the metaverse. Updates include object renaming.

Delete. Sync engine finds a corresponding staging object in the connector space and flags this type as pending import so that the joined object can be deleted.

Delete/Add. Sync engine finds a corresponding staging object in the connector space, but the object types do not match. In this case, a delete-add modification is staged. A delete-add modification indicates to the sync engine that a complete resynchronization of this object must occur because different sets of rules apply to this object when the object type changes.

By setting the pending import status of a staging object, it is possible to reduce significantly the amount of data processed during synchronization because doing so allows the system to process only those objects that have updated data.
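The matching and flagging steps described above (locate by anchor, fall back to distinguished name, then assign one of the pending-import types) are easier to reason about as code. The following is an added example, not code from the Microsoft article or the ADSync product: it models a single connector space in memory. The class names, the `import_object` method, the `deleted` parameter and the `mv_retry_provisioning` flag (which stands in for the flag set on the linked metaverse object) are assumptions chosen for this illustration.

```python
"""In-memory model of import matching and pending-import flags (added example)."""
import itertools
from dataclasses import dataclass, field
from typing import List, Optional

_tmp_ids = itertools.count(1)


@dataclass
class StagingObject:
    dn: str                              # distinguished name in the connector space
    object_type: str                     # e.g. "user" or "contact"
    anchor: Optional[str] = None         # None for an export object not yet confirmed
    attributes: dict = field(default_factory=dict)
    pending_import: str = "None"         # None | Add | Update | Delete | Delete/Add
    mv_retry_provisioning: bool = False  # hypothetical stand-in for the linked MV flag


class ConnectorSpace:
    def __init__(self):
        self.objects: List[StagingObject] = []

    def find_by_anchor(self, anchor):
        return next((o for o in self.objects if o.anchor == anchor), None)

    def find_by_dn(self, dn):
        return next((o for o in self.objects if o.dn == dn), None)

    def import_object(self, dn, object_type, anchor, attributes, deleted=False):
        """Stage one imported object and return the staging object that was flagged."""
        existing = self.find_by_anchor(anchor)
        if existing is None:
            # No anchor match: try the distinguished name before creating a new object.
            by_dn = self.find_by_dn(dn)
            if by_dn is not None:
                if by_dn.anchor is None:
                    # An export object that was never confirmed: drop it and ask the
                    # metaverse to retry provisioning on the next synchronization run.
                    self.objects.remove(by_dn)
                    by_dn.mv_retry_provisioning = True
                else:
                    # Anchored object with the same DN was renamed or deleted in the
                    # connected directory: park it under a temporary DN (transient object).
                    by_dn.dn = f"{by_dn.dn}__transient_{next(_tmp_ids)}"
            obj = StagingObject(dn, object_type, anchor, dict(attributes), "Add")
            self.objects.append(obj)
            return obj
        # Anchor matched: decide which pending-import type applies.
        if deleted:
            existing.pending_import = "Delete"
        elif existing.object_type != object_type:
            # Object type changed: stage a delete-add so the object is fully resynchronized.
            existing.object_type = object_type
            existing.attributes = dict(attributes)
            existing.pending_import = "Delete/Add"
        elif existing.dn != dn or existing.attributes != attributes:
            # Attribute change or rename: stage an update.
            existing.dn = dn
            existing.attributes = dict(attributes)
            existing.pending_import = "Update"
        else:
            existing.pending_import = "None"
        return existing
```

Running the same object through the model twice yields `Add` followed by `None`, a DN change with the same anchor yields `Update`, and a second import under an already-used DN but a new anchor leaves the old object behind with a transient DN, which is the situation the staging-mode example in the text describes.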


Synchronization process

Synchronization consists of two related processes:


Inbound synchronization, when the content of the metaverse is updated by using the data in the connector space.

Outbound synchronization, when the content of the connector space is updated by using data in the metaverse.

By using the information staged in the connector space, the inbound synchronization process creates an integrated view in the metaverse of the data that is stored in the connected data sources. Either all staging objects or only those with pending import information are aggregated, depending on how the rules are configured.


The outbound synchronization process updates export objects when metaverse objects change.


Inbound synchronization creates the integrated view in the metaverse of the identity information that is received from the connected data sources. Sync engine can process identity information at any time by using the latest identity information that it has from the connected data source.


Inbound synchronization


Inbound synchronization includes the following processes:


Provision (also called Projection if it is important to distinguish this process from outbound synchronization provisioning). The sync engine creates a new metaverse object based on a staging object and links them. Provision is an object-level operation.

Join. The sync engine links a staging object to an existing metaverse object. A join is an object-level operation.

Import attribute flow. Sync engine updates the attribute values, called attribute flow, of the object in the metaverse. Import attribute flow is an attribute-level operation that requires a link between a staging object and a metaverse object.

Provision is the only process that creates objects in the metaverse. Provision affects only import objects that are disjoined objects. During provision, sync engine creates a metaverse object that corresponds to the object type of the import object and establishes a link between both objects, thus creating a joined object.


The join process also establishes a link between an import object and a metaverse object. The difference between join and provision is that the join process requires that the import object be linked to an existing metaverse object, whereas the provision process creates a new metaverse object.


Sync engine tries to join an import object to a metaverse object by using criteria that are specified in the Synchronization Rule configuration.


During the provision and join processes, sync engine links a disjoined object to a metaverse object, making them joined. After these object-level operations are completed, sync engine can update the attribute values of the associated metaverse object. This process is called import attribute flow.


Import attribute flow occurs on all import objects that carry new data and are linked to a metaverse object.
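The three inbound operations (provision, join, import attribute flow) and the link invariants stated earlier (a connector space object links to at most one metaverse object, a metaverse object may link to many, and a metaverse object with no remaining links is deleted) can be captured in a small model. This is an added example, not Microsoft code: the `Metaverse` class, the `synchronize_inbound` and `disjoin` methods, and the join criterion (match on a single attribute, `mail` by default) are assumptions standing in for a real Synchronization Rule; attribute flows are passed as a plain mapping from connector-space attribute to metaverse attribute.

```python
"""Model of inbound synchronization: provision, join, import attribute flow (added example)."""
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CSObject:
    connector: str            # which connector space the object lives in
    dn: str
    object_type: str
    attributes: dict
    mv_id: Optional[int] = None   # link to one metaverse object; None means disjoined


@dataclass
class MVObject:
    id: int
    object_type: str
    attributes: dict = field(default_factory=dict)
    links: set = field(default_factory=set)   # (connector, dn) pairs of joined CS objects


class Metaverse:
    def __init__(self, join_attribute="mail"):
        self.join_attribute = join_attribute  # hypothetical single-attribute join rule
        self.objects = {}
        self._ids = itertools.count(1)

    def _find_join_candidate(self, cs):
        key = cs.attributes.get(self.join_attribute)
        if key is None:
            return None
        matches = [mv for mv in self.objects.values()
                   if mv.object_type == cs.object_type
                   and mv.attributes.get(self.join_attribute) == key]
        if len(matches) > 1:
            # A join rule must identify exactly one MV object; ambiguity is an error.
            raise ValueError(f"ambiguous join for {cs.dn}: {len(matches)} candidates")
        return matches[0] if matches else None

    def synchronize_inbound(self, cs, flows):
        """Provision or join a disjoined object, then run import attribute flow.

        Returns which object-level step ran: "provision", "join", or "flow" when the
        object was already joined and only attribute flow applied.
        """
        if cs.mv_id is None:
            mv = self._find_join_candidate(cs)
            if mv is None:
                mv = MVObject(next(self._ids), cs.object_type)   # provision (projection)
                self.objects[mv.id] = mv
                op = "provision"
            else:
                op = "join"
            mv.links.add((cs.connector, cs.dn))
            cs.mv_id = mv.id                                      # one link per CS object
        else:
            mv = self.objects[cs.mv_id]
            op = "flow"
        # Import attribute flow: attribute-level, requires the link established above.
        for cs_attr, mv_attr in flows.items():
            if cs_attr in cs.attributes:
                mv.attributes[mv_attr] = cs.attributes[cs_attr]
        return op

    def disjoin(self, cs):
        """Remove the link; an MV object left without links is deleted automatically."""
        mv = self.objects[cs.mv_id]
        mv.links.discard((cs.connector, cs.dn))
        cs.mv_id = None
        if not mv.links:
            del self.objects[mv.id]
```

With an Active Directory user and an Azure AD user carrying the same `mail`, the first import provisions a metaverse object and the second joins it, so both connector spaces share one integrated view; disjoining both removes the metaverse object, matching the automatic deletion rule in the text.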


Outbound synchronization


Outbound synchronization updates export objects when a metaverse object changes but is not deleted. The objective of outbound synchronization is to evaluate whether changes to metaverse objects require updates to staging objects in the connector spaces. In some cases, the changes can require that staging objects in all connector spaces be updated. Staging objects that are changed are flagged as pending export, making them export objects. These export objects are later pushed out to the connected data source during the export process.


Outbound synchronization has three processes:


Provisioning

Deprovisioning

Export attribute flow

Provisioning and deprovisioning are both object-level operations. Deprovisioning depends on provisioning because only provisioning can initiate it. Deprovisioning is triggered when provisioning removes the link between a metaverse object and an export object.


Provisioning is always triggered when changes are applied to objects in the metaverse. When changes are made to metaverse objects, sync engine can perform any of the following tasks as part of the provisioning process:


Create joined objects, where a metaverse object is linked to a newly created export object.

Rename a joined object.

Disjoin links between a metaverse object and staging objects, creating a disjoined object.

If provisioning requires sync engine to create a new connector object, the staging object to which the metaverse object is linked is always an export object, because the object does not yet exist in the connected data source.


If provisioning requires sync engine to disjoin a joined object, creating a disjoined object, deprovisioning is triggered. The deprovisioning process deletes the object.


During deprovisioning, deleting an export object does not physically delete the object. The object is flagged as deleted, which means that the delete operation is staged on the object.


Export attribute flow also occurs during the outbound synchronization process, similar to the way that import attribute flow occurs during inbound synchronization. Export attribute flow occurs only between metaverse and export objects that are joined.


Export process

During the export process, sync engine examines all export objects that are flagged as pending export in the connector space, and then sends updates to the connected data source.


The sync engine can determine the success of an export but it cannot sufficiently determine that the identity management process is complete. Objects in the connected data source can always be changed by other processes. Because sync engine does not have a persistent connection to the connected data source, it is not sufficient to make assumptions about the properties of an object in the connected data source based only on a successful export notification.


For example, a process in the connected data source could change the object’s attributes back to their original values (that is, the connected data source could overwrite the values immediately after the data is pushed out by sync engine and successfully applied in the connected data source).


The sync engine stores export and import status information about each staging object. If values of the attributes that are specified in the attribute inclusion list have changed since the last export, the storage of import and export status enables sync engine to react appropriately. Sync engine uses the import process to confirm attribute values that have been exported to the connected data source. A comparison between the imported and exported information, as shown in the following illustration, enables sync engine to determine whether the export was successful or if it needs to be repeated.


Diagram shows the synchronization of an object between connector space and connected data over the connector.


For example, if sync engine exports attribute C, which has a value of 5, to a connected data source, it stores C=5 in its export status memory. Each additional export on this object results in an attempt to export C=5 to the connected data source again because sync engine assumes that this value has not been persistently applied to the object (that is, unless a different value was imported recently from the connected data source). The export memory is cleared when C=5 is received during an import operation on the object.
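The export-status memory in the example above (export C=5, keep re-exporting until an import returns C=5) is also the mechanism that lets an operator notice when some other process in the connected data source keeps overwriting a value. The following added example, not Microsoft code, models that memory for one staging object: the `ExportTracker` class and its method names are assumptions for this illustration, and the returned drift mapping (exported value versus the value that came back) is where a defender would hook logging or alerting.

```python
"""Model of per-object export memory and import confirmation (added example)."""


class ExportTracker:
    def __init__(self):
        self.export_memory = {}   # attribute -> value exported but not yet confirmed
        self.imported = {}        # attribute -> last value read from the data source

    def export(self, attribute, value):
        """Stage an export and remember the value until an import confirms it."""
        self.export_memory[attribute] = value
        return {attribute: value}

    def pending_exports(self):
        """Everything still in export memory is exported again on the next run."""
        return dict(self.export_memory)

    def confirm_import(self, attributes):
        """Apply an import from the connected data source.

        Values that come back equal to what was exported clear the export memory.
        Values that come back different stay in memory (so they are exported again)
        and are reported as drift: (exported value, value actually found).
        """
        drift = {}
        for attr, value in attributes.items():
            self.imported[attr] = value
            if attr in self.export_memory:
                if self.export_memory[attr] == value:
                    del self.export_memory[attr]
                else:
                    drift[attr] = (self.export_memory[attr], value)
        return drift


def run_cycles(tracker, exports, imports):
    """Drive export/import rounds and return the drift seen in each import.

    `exports` is a list of (attribute, value); `imports` is a list of dicts,
    one per import round, standing in for what the data source reports back.
    """
    history = []
    for attr, value in exports:
        tracker.export(attr, value)
    for reported in imports:
        history.append(tracker.confirm_import(reported))
    return history
```

A value that is silently reverted by the connected data source shows up as the same attribute appearing in the drift result on every round while it never leaves `pending_exports()`; that repeating pattern, rather than a single export failure, is the signal worth monitoring.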


Next steps

Learn more about the Azure AD Connect sync configuration.


Learn more about Integrating your on-premises identities with Azure Active Directory.



To verify that the device is hybrid Azure AD joined, run dsregcmd /status from the command line.


You can confirm that the device is properly hybrid-joined if both AzureAdJoined and DomainJoined are set to YES.

Enroll a Windows 10 device automatically using Group Policy


https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy



Article

01/05/2023


Applies to:


Windows 10

Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.


The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.


Requirements:


Active Directory-joined PC running Windows 10, version 1709 or later

The enterprise has configured a mobile device management (MDM) service

The on-premises Active Directory must be integrated with Azure AD (via Azure AD Connect)

The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with error 0x80180026)

The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see How to plan your hybrid Azure Active Directory join implementation.

Tip


For more information, see the following topics:


How to configure automatic registration of Windows domain-joined devices with Azure Active Directory

How to plan your hybrid Azure Active Directory join implementation

Azure Active Directory integration with MDM

The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered.


Note


In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [MS-MDE2]: Mobile Device Enrollment Protocol Version 2. For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.


When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.


In Windows 10, version 1709 or later, when the same policy is configured in both Group Policy and MDM, the Group Policy setting takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change the precedence to MDM. For more information, see Windows 10 Group Policy vs. Intune MDM Policy who wins?.


For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.


Verify auto-enrollment requirements and settings

To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service:


Verify that the user who is going to enroll the device has a valid Intune license.


[Screenshot: Intune license verification]


Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal.


[Screenshot: Auto-enrollment activation verification]


 Important


For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.


For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.


Verify that the device OS version is Windows 10, version 1709 or later.


Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined to both the local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run dsregcmd /status from the command line.


You can confirm that the device is properly hybrid-joined if both AzureAdJoined and DomainJoined are set to YES.


[Screenshot: Auto-enrollment device status result]


Additionally, verify that the SSO State section displays AzureAdPrt as YES.


[Screenshot: Auto-enrollment Azure AD PRT verification]


This information can also be found on the Azure AD device list.


[Screenshot: Azure AD device list]


Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc


[Screenshot: MDM discovery URL]


Some tenants might have both Microsoft Intune and Microsoft Intune Enrollment under Mobility. Make sure that your auto-enrollment settings are configured under Microsoft Intune instead of Microsoft Intune Enrollment.


[Screenshot: Mobility setting, MDM (Microsoft Intune)]


Verify that the Enable Automatic MDM enrollment using default Azure AD credentials group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices that should be enrolled into Intune.


You may contact your domain administrators to verify that the group policy has been deployed successfully.


Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal).


Verify that Microsoft Intune allows enrollment of Windows devices.


[Screenshot: Enrollment of Windows devices]
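The client-side checks above (OS version, dsregcmd /status flags, discovery URL, deployed policy, scheduled task) collected in one read-only PowerShell script. This is an added example, not code from the Microsoft article; the policy registry location HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM with its AutoEnrollMDM value, and the dsregcmd field name MdmUrl, are assumptions not stated on the page.

```powershell
function Get-DsregStatus {
    # Parses the "Name : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-MdmAutoEnrollmentPrereqs {
    [CmdletBinding()]
    param(
        # Discovery URL the article says auto-enrollment must use.
        [string]$ExpectedMdmUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" })
    }

    # Windows 10, version 1709 is build 16299; earlier builds lack the policy.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    Add-Result 'OS build 16299 (1709) or later' ($build -ge 16299) $build

    # Hybrid Azure AD join plus a primary refresh token, as checked with dsregcmd /status.
    $dsreg = Get-DsregStatus
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $value = if ($dsreg.ContainsKey($key)) { $dsreg[$key] } else { 'not reported' }
        Add-Result "dsregcmd $key = YES" ($value -eq 'YES') $value
    }

    # MdmUrl is the discovery URL dsregcmd reports under Tenant Details (field name assumed).
    $mdmUrl = if ($dsreg.ContainsKey('MdmUrl')) { $dsreg['MdmUrl'] } else { 'not reported' }
    Add-Result 'MDM discovery URL matches' ($mdmUrl -eq $ExpectedMdmUrl) $mdmUrl

    # The GPO writes AutoEnrollMDM=1 under this policy key (location assumed, not from the article).
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    Add-Result 'Auto-enrollment policy applied (AutoEnrollMDM = 1)' ($policy.AutoEnrollMDM -eq 1) $policy.AutoEnrollMDM

    # The policy refresh creates the enrollment task under \Microsoft\Windows\EnterpriseMgmt\
    # (administrative rights are needed to see it).
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like 'Schedule created by enrollment client*' } |
        Select-Object -First 1
    Add-Result 'Auto-enrollment scheduled task present' ($null -ne $task) $(if ($task) { $task.TaskPath } else { 'none found' })

    return $results
}

# Usage: run in an elevated PowerShell on the domain-joined client.
Test-MdmAutoEnrollmentPrereqs | Format-Table -AutoSize
```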


Configure the auto-enrollment Group Policy for a single PC

This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the Group Policy Management Console process.


Requirements:


AD-joined PC running Windows 10, version 1709 or later

Enterprise has MDM service already configured

Enterprise AD must be registered with Azure AD

Run GPEdit.msc. Choose Start, then in the text box type gpedit.


[Screenshot: GPEdit desktop app search result]


Under Best match, select Edit group policy to launch it.


In Local Computer Policy, select Administrative Templates > Windows Components > MDM.


[Screenshot: MDM policies]


Double-click Enable automatic MDM enrollment using default Azure AD credentials (previously called Auto MDM Enrollment with AAD Token in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select User Credential as the Selected Credential Type to use.


[Screenshot: MDM auto-enrollment policy]


Select Enable, select User Credential from the dropdown Select Credential Type to Use, then select OK.


 Note


In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. Device Credential is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to User Credential. Device Credential is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop multi-session host pools because the Intune subscription is user centric. User credentials are supported for Azure Virtual Desktop personal host pools.


When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory."


To see the scheduled task, launch the Task Scheduler app.


If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.


[Screenshot: Two-factor authentication notification]


 Tip


You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading What is Conditional Access?.


To verify successful enrollment to MDM, go to Start > Settings > Accounts > Access work or school, then select your domain account.


Select Info to see the MDM enrollment information.


[Screenshot: Access work or school settings]


If you don't see the Info button or the enrollment information, enrollment might have failed. Check the status in Task Scheduler app.


Task Scheduler app

Select Start, then in the text box type task scheduler.


[Screenshot: Task Scheduler search result]


Under Best match, select Task Scheduler to launch it.


In Task Scheduler Library, open Microsoft > Windows, then select EnterpriseMgmt.


[Screenshot: Auto-enrollment scheduled task]


To see the result of the task, move the scroll bar to the right to see the Last Run Result. The message 0x80180026 is a failure message (MENROLL_E_DEVICE_MANAGEMENT_BLOCKED). You can see the logs in the History tab.


If the device enrollment is blocked, your IT admin might have enabled the Disable MDM Enrollment policy.


 Note


The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.


Configure the auto-enrollment for a group of devices

Requirements:


AD-joined PC running Windows 10, version 1709 or later

Enterprise has MDM service already configured (with Intune or a third-party service provider)

Enterprise AD must be integrated with Azure AD.

Ensure that PCs belong to same computer group.

 Important


If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.


Download:


1803 --> Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)


1809 --> Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)


1903 --> Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)


1909 --> Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)


2004 --> Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)


20H2 --> Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)


21H1 --> Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)


21H2 --> Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0


Install the package on the Domain Controller.


Navigate, depending on the version, to the folder:


1803 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2


1809 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2


1903 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3


1909 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)


2004 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)


20H2 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)


21H1 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)


21H2 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)


Rename the extracted Policy Definitions folder to PolicyDefinitions.


Copy the PolicyDefinitions folder to \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions.


If this folder doesn't exist, then you'll be switching to a central policy store for your entire domain.


Wait for the SYSVOL DFSR replication to be completed for the policy to be available.


This procedure will work for any future version as well.


Create a Group Policy Object (GPO) and enable the Group Policy Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.


Create a Security Group for the PCs.


Link the GPO.


Filter using Security Groups.


Troubleshoot auto-enrollment of devices

Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device.


To collect Event Viewer logs:


Open Event Viewer.


Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.


 Tip


For guidance on how to collect event logs for Intune, see Collect MDM Event Viewer Log YouTube video.


Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:


[Screenshot: Event ID 75]


If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:


The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed:


[Screenshot: Event ID 76]


To troubleshoot, check the error code that appears in the event. For more information, see Troubleshooting Windows device enrollment problems in Microsoft Intune.


The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.


The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the Enable automatic MDM enrollment using default Azure AD credentials group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot:


[Screenshot: Task Scheduler]


 Note


This task isn't visible to standard users; run Task Scheduler with administrative credentials to find the task.


This task runs every 5 minutes for the duration of one day. To confirm whether the task ran, check the Task Scheduler event log: Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational. Look for an event ID 107 entry showing that the task Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory was triggered.


[Screenshot: Event ID 107]


When the task is completed, a new event ID 102 is logged.


[Screenshot: Event ID 102]


The Task Scheduler log displays event ID 102 (task completed) regardless of whether auto-enrollment succeeded or failed. This means that the Task Scheduler log is only useful to confirm whether the auto-enrollment task was triggered; it doesn't indicate the success or failure of auto-enrollment itself.


If you can't see from the log that the task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD was initiated, there's possibly an issue with the group policy. Immediately run the command gpupdate /force in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. One frequently seen error is related to outdated enrollment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled (with any MDM solution, not only Intune), enrollment information is added to the registry:


[Screenshot: Outdated enrollment entries]


By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, gpupdate /force fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log file under event ID 7016.


A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, choose the key that displays the most entries, as in the screenshot above. All other keys will display fewer entries, as shown in the following screenshot:


[Screenshot: Manually deleted entries]
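The troubleshooting sequence above (event 75/76 in the DeviceManagement log, 107/102/7016 in the Task Scheduler log, error 2149056522, and the per-enrollment registry keys) gathered by one read-only PowerShell function. This is an added example, not code from the Microsoft article; it lists the Enrollments keys but does not delete any, and the ProviderID value name it reads from each key is an assumption not stated on the page.

```powershell
function Get-MdmAutoEnrollmentDiagnostics {
    [CmdletBinding()]
    param([int]$MaxEvents = 25)

    # 1. Enrollment outcome: event 75 = auto-enrollment succeeded, 76 = it failed (error code in the message).
    $mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
    $enrollEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 75, 76 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    # 2. Whether the task fired at all: 107 = triggered, 102 = completed (success or failure),
    #    7016 = the scheduler could not run it. The Operational log must be enabled for these to exist.
    $tsLog = 'Microsoft-Windows-TaskScheduler/Operational'
    $taskEvents = @(Get-WinEvent -FilterHashtable @{ LogName = $tsLog; Id = 107, 102, 7016 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*EnterpriseMgmt*' -or $_.Message -like '*enrollment client*' } |
        Select-Object -First $MaxEvents)

    # 3. The article's error 2149056522 (hex 0x8018000A) under event 7016 points at leftover enrollment state.
    $blocked = @($taskEvents | Where-Object { $_.Id -eq 7016 -and $_.Message -like '*2149056522*' })

    # 4. Per-enrollment registry keys (GUID-named) with their value counts; the article's candidate
    #    for manual clean-up is the one with the most values. Nothing is removed here.
    $enrollKeys = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Key        = $_.PSChildName
                ValueCount = $_.ValueCount
                ProviderID = $props.ProviderID   # value name assumed, identifies the MDM provider
            }
        } | Sort-Object ValueCount -Descending)

    $outcome = if ($enrollEvents | Where-Object Id -eq 75) { 'Enrolled (event 75 found)' }
               elseif ($enrollEvents | Where-Object Id -eq 76) { 'Failed (event 76 found; check its error code)' }
               else { 'Not attempted (no event 75 or 76)' }

    [pscustomobject]@{
        Outcome                      = $outcome
        EnrollmentEvents             = $enrollEvents | Select-Object TimeCreated, Id, Message
        TaskTriggered                = [bool]($taskEvents | Where-Object Id -eq 107)
        TaskBlockedByStaleEnrollment = ($blocked.Count -gt 0)
        EnrollmentRegistryKeys       = $enrollKeys
    }
}

# Usage (elevated PowerShell on the client):
$diag = Get-MdmAutoEnrollmentDiagnostics
$diag.Outcome
$diag.EnrollmentRegistryKeys | Format-Table -AutoSize
```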


Related topics

Group Policy Management Console

Create and Edit a Group Policy Object

Link a Group Policy Object

Filter Using Security Groups

Enforce a Group Policy Object Link

Group Policy Central Store

Getting started with Cloud Native Windows Endpoints

A Framework for Windows endpoint management transformation

Success with remote Windows Autopilot and Hybrid Azure Active Directory join

Useful Links

Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0

Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1

Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909

Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903

Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809



Prevent members of a group from applying a GPO


https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo


Assign Security Group Filters to the GPO

Article

12/09/2022

2 minutes to read

9 contributors

Applies to:

✅ Windows 10, ✅ Windows 11, ✅ Windows Server 2016, ✅ Windows Server 2019, ✅ Windows Server 2022

To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.


 Important


This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.


 


Administrative credentials


To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.


In this topic:


Allow members of a group to apply a GPO


Prevent members of a group from applying a GPO


To allow members of a group to apply a GPO

Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.


Open the Group Policy Management console.


In the navigation pane, find and then click the GPO that you want to modify.


In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.


 Note


You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the Authenticated Users group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this Microsoft blog.


Click Add.


In the Select User, Computer, or Group dialog box, type the name of the group whose members are to apply the GPO, and then click OK. If you do not know the name, you can click Advanced to browse the list of groups available in the domain.


To prevent members of a group from applying a GPO

Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.


Open the Group Policy Management console.


In the navigation pane, find and then click the GPO that you want to modify.


In the details pane, click the Delegation tab.


Click Advanced.


Under the Group or user names list, click Add.


In the Select User, Computer, or Group dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click OK. If you do not know the name, you can click Advanced to browse the list of groups available in the domain.


Select the group in the Group or user names list, and then select the box in the Deny column for both Read and Apply group policy.


Click OK, and then in the Windows Security dialog box, click Yes.


The group appears in the list with Custom permissions.
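The "allow" procedure above done with the GroupPolicy RSAT module, plus an audit of the resulting security filtering. This is an added example, not code from the Microsoft article; the GPO and group names are placeholders you supply. Set-GPPermission has no Deny option, so the "prevent" procedure stays a GPMC Delegation-tab task, and the audit function reports the Deny entries it produces.

```powershell
Import-Module GroupPolicy

function Add-GpoSecurityFilterGroup {
    # Replaces the default Authenticated Users scope with the given group, but keeps
    # Read for Authenticated Users: the Note above explains that removing Read entirely
    # can make a GPO that carries User settings fail to apply.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    if ($PSCmdlet.ShouldProcess($GpoName, "Scope security filtering to group '$GroupName'")) {
        # Lower Authenticated Users from Apply to Read (-Replace is required to lower a level).
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead -Replace | Out-Null
        # Grant Read + Apply Group Policy to the intended membership group.
        Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
}

function Get-GpoSecurityFilterReport {
    # Summarises who applies the GPO, who is explicitly denied, and whether a broad
    # Read entry survives so domain computers can still read the GPO.
    param([Parameter(Mandatory)][string]$GpoName)
    $perms   = Get-GPPermission -Name $GpoName -All
    $applies = $perms | Where-Object { -not $_.Denied -and $_.Permission -eq 'GpoApply' }
    $denied  = $perms | Where-Object { $_.Denied }
    $readers = $perms | Where-Object { -not $_.Denied -and $_.Permission -ne 'None' }
    [pscustomobject]@{
        GPO               = $GpoName
        AppliesTo         = @($applies | ForEach-Object { $_.Trustee.Name })
        DeniedFor         = @($denied  | ForEach-Object { $_.Trustee.Name })
        BroadReadRetained = [bool]($readers | Where-Object {
            $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' })
    }
}

# Usage (placeholders): preview first with -WhatIf, then apply and audit.
Add-GpoSecurityFilterGroup -GpoName 'Isolated Domain GPO' -GroupName 'CG_DOMISO_IsolatedDomain' -WhatIf
Add-GpoSecurityFilterGroup -GpoName 'Isolated Domain GPO' -GroupName 'CG_DOMISO_IsolatedDomain'
Get-GpoSecurityFilterReport -GpoName 'Isolated Domain GPO' | Format-List
```

A BroadReadRetained value of False is the condition the Note above warns about; DeniedFor lists the boundary and encryption zone groups once they are denied Read and Apply Group Policy in GPMC.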






Robocopy to replicate SQL backups



robocopyFullBackups.bat

REM Copy full backups (*.bak) from both shares; /XO skips files older than the destination copy.
ROBOCOPY \\192.168.1.10\SQLSRV01 D:\Backups\SQLSRV01\SQLSRV01 *.bak /S /XO /MT:16 /log:"C:\Robocopy\robocopyLogs\theFullLog.log"
REM /log+ appends, so the second run does not overwrite the first run's log (/log overwrites).
ROBOCOPY \\192.168.1.10\SQLSRV01-other D:\Backups\SQLSRV01\SQLSRV01 *.bak /S /XO /MT:16 /log+:"C:\Robocopy\robocopyLogs\theFullLog.log"


robocopyDiffBackups.bat

REM Copy differential backups (*.dif); both runs write to the same log, second one appending.
ROBOCOPY \\192.168.1.10\SQLSRV01 D:\Backups\SQLSRV01\SQLSRV01 *.dif /S /XO /MT:16 /log:"C:\Robocopy\robocopyLogs\theDifferentialLog.log"
ROBOCOPY \\192.168.1.10\SQLSRV01-other D:\Backups\SQLSRV01\SQLSRV01 *.dif /S /XO /MT:16 /log+:"C:\Robocopy\robocopyLogs\theDifferentialLog.log"


robocopyTrnBackups.bat

REM Copy transaction log backups (*.trn); second run appends to the log.
ROBOCOPY \\192.168.1.10\SQLSRV01 D:\Backups\SQLSRV01\SQLSRV01 *.trn /S /XO /MT:16 /log:"C:\Robocopy\robocopyLogs\theTransLog.log"
ROBOCOPY \\192.168.1.10\SQLSRV01-other D:\Backups\SQLSRV01\SQLSRV01 *.trn /S /XO /MT:16 /log+:"C:\Robocopy\robocopyLogs\theTransLog.log"


robocopy



Article
10/04/2022
9 minutes to read
18 contributors
Copies file data from one location to another.

Syntax

    robocopy <source> <destination> [<file>[ ...]] [<options>]

For example, to copy a file named yearly-report.mov from c:\reports to a file share \\marketing\videos while enabling multi-threading for higher performance (with the /mt parameter) and the ability to restart the transfer in case it's interrupted (with the /z parameter), type:

    robocopy c:\reports \\marketing\videos yearly-report.mov /mt /z
Parameters
Parameter Description
<source> Specifies the path to the source directory.
<destination> Specifies the path to the destination directory.
<file> Specifies the file or files to be copied. Wildcard characters (* or ?) are supported. If you don't specify this parameter, *.* is used as the default value.
<options> Specifies the options to use with the robocopy command, including copy, file, retry, logging, and job options.
Copy options
Option Description
/s Copies subdirectories. This option automatically excludes empty directories.
/e Copies subdirectories. This option automatically includes empty directories.
/lev:<n> Copies only the top n levels of the source directory tree.
/z Copies files in restartable mode. In restartable mode, should a file copy be interrupted, Robocopy can pick up where it left off rather than recopying the entire file.
/b Copies files in backup mode. Backup mode allows Robocopy to override file and folder permission settings (ACLs). This allows you to copy files you might otherwise not have access to, assuming it's being run under an account with sufficient privileges.
/zb Copies files in restartable mode. If file access is denied, switches to backup mode.
/j Copies using unbuffered I/O (recommended for large files).
/efsraw Copies all encrypted files in EFS RAW mode.
/copy:<copyflags> Specifies which file properties to copy. The valid values for this option are:
D - Data
A - Attributes
T - Time stamps
S - NTFS access control list (ACL)
O - Owner information
U - Auditing information
The default value for this option is DAT (data, attributes, and time stamps).
/dcopy:<copyflags> Specifies what to copy in directories. The valid values for this option are:
D - Data
A - Attributes
T - Time stamps
The default value for this option is DA (data and attributes).
/sec Copies files with security (equivalent to /copy:DATS).
/copyall Copies all file information (equivalent to /copy:DATSOU).
/nocopy Copies no file information (useful with /purge).
/secfix Fixes file security on all files, even skipped ones.
/timfix Fixes file times on all files, even skipped ones.
/purge Deletes destination files and directories that no longer exist in the source. Using this option together with /e and a destination directory keeps the destination directory's security settings from being overwritten.
/mir Mirrors a directory tree (equivalent to /e plus /purge). Using this option together with /e and a destination directory overwrites the destination directory's security settings.
/mov Moves files, and deletes them from the source after they are copied.
/move Moves files and directories, and deletes them from the source after they are copied.
/a+:[RASHCNET] Adds the specified attributes to copied files. The valid values for this option are:
R - Read only
A - Archive
S - System
H - Hidden
C - Compressed
N - Not content indexed
E - Encrypted
T - Temporary
/a-:[RASHCNET] Removes the specified attributes from copied files. The valid values for this option are:
R - Read only
A - Archive
S - System
H - Hidden
C - Compressed
N - Not content indexed
E - Encrypted
T - Temporary
/create Creates a directory tree and zero-length files only.
/fat Creates destination files by using 8.3 character-length FAT file names only.
/256 Turns off support for paths longer than 256 characters.
/mon:<n> Monitors the source, and runs again when more than n changes are detected.
/mot:<m> Monitors the source, and runs again in m minutes, if changes are detected.
/mt[:n] Creates multi-threaded copies with n threads. n must be an integer between 1 and 128. The default value for n is 8. For better performance, redirect your output using the /log option.
The /mt parameter can't be used with the /ipg and /efsraw parameters.

/rh:hhmm-hhmm Specifies run times when new copies may be started.
/pf Checks run times on a per-file (not per-pass) basis.
/ipg:n Specifies the inter-packet gap to free bandwidth on slow lines.
/sj Copies junctions (soft-links) to the destination path instead of link targets.
/sl Don't follow symbolic links and instead create a copy of the link.
/nodcopy Copies no directory info (the default /dcopy:DA is done).
/nooffload Copies files without using the Windows Copy Offload mechanism.
/compress Requests network compression during file transfer, if applicable.
 Note

The /mt parameter was introduced in Windows Server 2008 R2 and its functionality applies to current versions of Windows Server.

 Important

When using the /secfix copy option, specify the type of security information you want to copy, using one of these additional copy options:

/copyall
/copy:o
/copy:s
/copy:u
/sec
File selection options
Option Description
/a Copies only files for which the Archive attribute is set.
/m Copies only files for which the Archive attribute is set, and resets the Archive attribute.
/ia:[RASHCNETO] Includes only files for which any of the specified attributes are set. The valid values for this option are:
R - Read only
A - Archive
S - System
H - Hidden
C - Compressed
N - Not content indexed
E - Encrypted
T - Temporary
O - Offline
/xa:[RASHCNETO] Excludes files for which any of the specified attributes are set. The valid values for this option are:
R - Read only
A - Archive
S - System
H - Hidden
C - Compressed
N - Not content indexed
E - Encrypted
T - Temporary
O - Offline
/xf <filename>[ ...] Excludes files that match the specified names or paths. Wildcard characters (* and ?) are supported.
/xd <directory>[ ...] Excludes directories that match the specified names and paths.
/xc Excludes existing files with the same timestamp, but different file sizes.
/xn Source directory files newer than the destination are excluded from the copy.
/xo Source directory files older than the destination are excluded from the copy.
/xx Excludes extra files and directories present in the destination but not the source. Excluding extra files will not delete files from the destination.
/xl Excludes "lonely" files and directories present in the source but not the destination. Excluding lonely files prevents any new files from being added to the destination.
/im Include modified files (differing change times).
/is Includes the same files. Same files are identical in name, size, times, and all attributes.
/it Includes "tweaked" files. Tweaked files have the same name, size, and times, but different attributes.
/max:<n> Specifies the maximum file size (to exclude files bigger than n bytes).
/min:<n> Specifies the minimum file size (to exclude files smaller than n bytes).
/maxage:<n> Specifies the maximum file age (to exclude files older than n days or date).
/minage:<n> Specifies the minimum file age (exclude files newer than n days or date).
/maxlad:<n> Specifies the maximum last access date (excludes files unused since n).
/minlad:<n> Specifies the minimum last access date (excludes files used since n). If n is less than 1900, n specifies the number of days. Otherwise, n specifies a date in the format YYYYMMDD.
/xj Excludes junction points, which are normally included by default.
/fft Assumes FAT file times (two-second precision).
/dst Compensates for one-hour DST time differences.
/xjd Excludes junction points for directories.
/xjf Excludes junction points for files.
Retry options
Option Description
/r:<n> Specifies the number of retries on failed copies. The default value of n is 1,000,000 (one million retries).
/w:<n> Specifies the wait time between retries, in seconds. The default value of n is 30 (wait time 30 seconds).
/reg Saves the values specified in the /r and /w options as default settings in the registry.
/tbd Specifies that the system will wait for share names to be defined (retry error 67).
Logging options
Option Description
/l Specifies that files are to be listed only (and not copied, deleted, or time stamped).
/x Reports all extra files, not just those that are selected.
/v Produces verbose output, and shows all skipped files.
/ts Includes source file time stamps in the output.
/fp Includes the full path names of the files in the output.
/bytes Prints sizes, as bytes.
/ns Specifies that file sizes are not to be logged.
/nc Specifies that file classes are not to be logged.
/nfl Specifies that file names are not to be logged.
/ndl Specifies that directory names are not to be logged.
/np Specifies that the progress of the copying operation (the number of files or directories copied so far) will not be displayed.
/eta Shows the estimated time of arrival (ETA) of the copied files.
/log:<logfile> Writes the status output to the log file (overwrites the existing log file).
/log+:<logfile> Writes the status output to the log file (appends the output to the existing log file).
/unicode Displays the status output as Unicode text.
/unilog:<logfile> Writes the status output to the log file as Unicode text (overwrites the existing log file).
/unilog+:<logfile> Writes the status output to the log file as Unicode text (appends the output to the existing log file).
/tee Writes the status output to the console window, and to the log file.
/njh Specifies that there is no job header.
/njs Specifies that there is no job summary.
Job options
Option Description
/job:<jobname> Specifies that parameters are to be derived from the named job file. To run /job:jobname, you must first run the /save:jobname parameter to create the job file.
/save:<jobname> Specifies that parameters are to be saved to the named job file. This must be run before running /job:jobname. All copy, retry, and logging options must be specified before this parameter.
/quit Quits after processing command line (to view parameters).
/nosd Indicates that no source directory is specified.
/nodd Indicates that no destination directory is specified.
/if Includes the specified files.
Exit (return) codes
Value Description
0 No files were copied. No failure was encountered. No files were mismatched. The files already exist in the destination directory; therefore, the copy operation was skipped.
1 All files were copied successfully.
2 There are some additional files in the destination directory that are not present in the source directory. No files were copied.
3 Some files were copied. Additional files were present. No failure was encountered.
5 Some files were copied. Some files were mismatched. No failure was encountered.
6 Additional files and mismatched files exist. No files were copied and no failures were encountered. This means that the files already exist in the destination directory.
7 Files were copied, a file mismatch was present, and additional files were present.
8 Several files did not copy.
 Note

Any value equal to or greater than 8 indicates that there was at least one failure during the copy operation.
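A PowerShell wrapper for the SQL backup replication batch files earlier on this page that decodes the exit code table above into a pass/fail result. This is an added example, not code from the batch files or the Microsoft reference; it generalizes the three batch files into one run over all three patterns, uses the batch files' share, destination and log folder, and the /R:3 /W:10 retry settings are choices made here, not values from the page.

```powershell
function ConvertFrom-RobocopyExitCode {
    # The exit code table above is a bit field: 1 = files copied, 2 = extra files in the
    # destination, 4 = mismatched files, 8 = some files failed to copy. Bit 16 (fatal error,
    # for example an unreachable source) is not in the table but is why the Note says
    # 8 or greater means failure.
    param([Parameter(Mandatory)][int]$Code)
    [pscustomobject]@{
        ExitCode   = $Code
        Copied     = [bool]($Code -band 1)
        Extras     = [bool]($Code -band 2)
        Mismatched = [bool]($Code -band 4)
        Failed     = [bool]($Code -band 8)
        Fatal      = [bool]($Code -band 16)
        Success    = ($Code -lt 8)
    }
}

function Invoke-SqlBackupReplication {
    [CmdletBinding()]
    param(
        [string[]]$Sources     = @('\\192.168.1.10\SQLSRV01', '\\192.168.1.10\SQLSRV01-other'),
        [string]  $Destination = 'D:\Backups\SQLSRV01\SQLSRV01',
        [string[]]$Patterns    = @('*.bak', '*.dif', '*.trn'),
        [string]  $LogDir      = 'C:\Robocopy\robocopyLogs',
        [int]     $Threads     = 16
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log   = Join-Path $LogDir ('backupsync-{0:yyyyMMdd}.log' -f (Get-Date))
    $worst = 0
    foreach ($src in $Sources) {
        # /S /XO /MT as in the batch files. /LOG+ appends, so the second source does not wipe
        # the first source's log (/LOG overwrites). /NP drops progress lines, which are noise
        # in a multi-threaded log. /R and /W cap retries instead of the default 1,000,000 x 30 s,
        # so an unreachable share fails the run instead of hanging it.
        $robocopyArgs = @($src, $Destination) + $Patterns +
            @('/S', '/XO', "/MT:$Threads", '/R:3', '/W:10', '/NP', "/LOG+:$log")
        & robocopy.exe @robocopyArgs | Out-Null
        $result = ConvertFrom-RobocopyExitCode -Code $LASTEXITCODE
        $result | Add-Member -NotePropertyName Source -NotePropertyValue $src -PassThru
        if ($LASTEXITCODE -gt $worst) { $worst = $LASTEXITCODE }
    }
    if ($worst -ge 8) {
        Write-Error "Backup replication reported failures (highest exit code $worst); see $log"
    }
}

# Usage: one result object per source share, plus a non-terminating error if any run failed.
Invoke-SqlBackupReplication | Format-Table Source, ExitCode, Copied, Extras, Failed, Fatal, Success
```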

Additional References
Command-Line Syntax Key





How to Force Delete a Folder on Windows 10 and 11

Reference: 

https://www.howtogeek.com/811409/force-delete-folder-windows/


MAHESH MAKVANA



  @maheshhari

JUN 28, 2022, 1:00 PM EST | 3 MIN READ


Are you having trouble deleting a folder from your Windows 10 or Windows 11 PC? If so, that may be a system folder or a folder being used by other apps. We’ll show you how to successfully delete “undeletable” folders on your computer.



Table of Contents

Reasons You Can't Delete a Folder on Windows

Method 1: Use Command Prompt

Method 2: Boot in Windows Safe Mode

Method 3: Use Third-Party Software

Method 4: Use WinRAR to Force Remove Folders


Reasons You Can’t Delete a Folder on Windows

The most common reason you can’t delete a folder is that your folder is a Windows system folder. In this case, the system prevents you from removing the folder as it can make your PC unstable.


If you’re sure yours is not a system folder, then your “undeletable” folder may be in use by your installed apps. When a folder is being used by an app, Windows prevents you from making changes to that folder. In this case, you can close the app using your folder and then try to delete the folder.


If your case doesn’t match either of the above scenarios, you may want to use one of the following methods to force remove your folder.


Method 1: Use Command Prompt

One quick way to force delete a folder is to use Command Prompt. You can run a command from this tool that deletes your selected folder.


To do that, first, open your “Start” menu and search for “Command Prompt”. Then, on the right pane, click “Run as Administrator.”


Select "Run as Administrator" on the right.


You’ll see a “User Account Control” prompt. Select “Yes.”


When Command Prompt opens, type the following command and press Enter. In this command, replace PATH with the path to the folder you want to delete.


Tip: If your path has spaces in it, enclose the path with double quotes.

rmdir /s /q PATH


For example, to delete a folder named Unwanted in the Documents folder on your C drive, you’d use the following command.


Warning: The command permanently deletes your folder, so make sure you really want to do that.

rmdir /s /q C:\Documents\Unwanted

Type the command and press Enter.


The specified folder is now removed from your Windows PC, and you’re all set.



Method 2: Boot in Windows Safe Mode

If you aren’t sure what app has hijacked your folder so you can’t delete it, reboot your PC in safe mode and then try to delete the folder. In safe mode, your PC only loads the essential Windows files, preventing any third-party apps from automatically launching.


To use this method, first, boot your Windows 10 or Windows 11 PC in safe mode using our guide.


Once you’re in safe mode, launch File Explorer and locate the folder to delete. Then, right-click this folder and choose “Delete.”




Your folder is now deleted.


You may want to remove the folder from Recycle Bin as well, which you can do by opening the Recycle Bin, right-clicking your folder, and choosing “Delete.”




And that’s all there is to getting rid of stubborn folders on your PC. Enjoy!


Method 3: Use Third-Party Software

If your folder still won’t delete, there’s a free third-party app called Unlocker that can help you remove it. The app releases whatever locks are preventing the folder from being deleted and then lets you remove it.



To use this method, first, download and install the free Unlocker app on your PC. Then launch the newly installed app.


On Unlocker’s main window, choose the folder to delete. Then, at the bottom, click “OK.”




On the screen that follows, click the drop-down menu and select “Delete.” Then click “OK.”




Unlocker will unlock your folder and delete it from your PC. You’re all done.


Method 4: Use WinRAR to Force Remove Folders

This might sound strange, but you can use WinRAR (a file compression app) to delete your stubborn folders. The way this works is that you create an archive out of your “undeletable” folder and then ask the app to delete the original folder after the archive is made.



That way, when WinRAR has created an archive from your folder, it deletes the original folder. You can then delete the newly-created archive as well.


To do that, first, grab the free version of WinRAR and install it on your PC. Then restart your Windows 10 or Windows 11 PC so WinRAR integrates with your context menu.


When your PC turns back on, open File Explorer and find the folder to delete. Then right-click this folder and choose “Add to Archive.”




On the “Archive Name and Parameters” window, in the “Archiving Options” section, enable the “Delete Files After Archiving” option. Then, at the bottom of the window, select “OK.”




Let WinRAR make an archive from your selected folder. When that’s done, WinRAR will remove the original folder. At this point, you may now delete your newly created archive.


And that’s how you go about ridding your Windows PC of any unwanted and stubborn folders. Very useful!


While you’re at it, consider clearing your Windows PC’s cache to get rid of unwanted files from your storage.




------------------



cmd Delete Folder – How to Remove Files and Folders in Windows

https://www.freecodecamp.org/news/cmd-delete-folder-how-to-remove-files-and-folders-in-windows/


Kris Koishigawa


Sometimes it's just faster to do things with the command line.


In this quick tutorial we'll go over how to open Command Prompt, some basic commands and flags, and how to delete files and folders in Command Prompt.


If you're already familiar with basic DOS commands, feel free to skip ahead.


How to open Command Prompt

To open Command Prompt, press the Windows key, and type in "cmd".


Then, click on "Run as Administrator":


Screenshot showing how to open Command Prompt as an administrator

After that, you'll see a Command Prompt window with administrative privileges:


Screenshot of Command Prompt window

If you can't open Command Prompt as an administrator, no worries. You can open a normal Command Prompt window by clicking "Open" instead of "Run as Administrator".


The only difference is that you may not be able to delete some protected files, which shouldn't be a problem in most cases.


How to delete files with the del command

Now that Command Prompt is open, use cd to change directories to where your files are.


I've prepared a directory on the desktop called Test Folder. You can use the command tree /f to see a, well, tree, of all the nested files and folders:


Screenshot after running tree /f in target directory

To delete a file, use the following command: del "<filename>".


For example, to delete Test File.txt, just run del "Test File.txt".


There may be a prompt asking if you want to delete the file. If so, type "y" and hit enter.


Note: Any files deleted with the del command cannot be recovered. Be very careful where and how you use this command.


After that, you can run tree /f to confirm that your file was deleted:


Screenshot after deleting file with del command

Also, bonus tip – Command Prompt has basic autocompletion. So you could just type in del test, press the tab key, and Command Prompt will change it to del "Test File.txt".


How to force delete files with the del command

Sometimes files are marked as read only, and you'll see the following error when you try to use the del command:


Screenshot of error after trying to delete a read only file

To get around this, use the /f flag to force delete the file. For example, del /f "Read Only Test File.txt":


Screenshot after deleting file with the force flag

How to delete folders with the rmdir command

To delete directories/folders, you'll need to use the rmdir or rd command. Both commands work the same way, but let's stick with rmdir since it's a bit more expressive.


Also, I'll use the terms directory and folder interchangeably for the rest of the tutorial. "Folder" is a newer term that became popular with early desktop GUIs, but folder and directory basically mean the same thing.


To remove a directory, just use the command rmdir <directory name>.


Note: Any directories deleted with the rmdir command cannot be recovered. Be very careful where and how you use this command.


In this case I want to remove a directory named Subfolder, so I'll use the command rmdir Subfolder:


Screenshot of a directory not empty error

But, if you remember earlier, Subfolder has a file in it named Nested Test File.


You could cd into the Subfolder directory and remove the file, then come back with cd .. and run the rmdir Subfolder command again, but that would get tedious. And just imagine if there were a bunch of other nested files and directories!


Like with the del command, there's a helpful flag we can use to make things much faster and easier.


How to use the /s flag with rmdir

To remove a directory, including all nested files and subdirectories, just use the /s flag:


Screenshot after running rmdir with the /s flag

There will probably be a prompt asking if you want to remove that directory. If so, just type "y" and hit enter.


And that's it! That should be everything you need to know to remove files and folders in the Windows Command Prompt.


All of these commands should work in PowerShell, which is basically Command Prompt version 2.0. Also, PowerShell has a bunch of cool aliases like ls and clear that should feel right at home if you're familiar with the Mac/Linux command line.


Did these commands help you? Are there any other commands that you find useful? Either way, let me know over on Twitter.





-------------


del

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/del


Article

06/22/2022

2 minutes to read

10 contributors

Deletes one or more files. This command performs the same actions as the erase command.


The del command can also run from the Windows Recovery Console, using different parameters. For more information, see Windows Recovery Environment (WinRE).


 Warning


If you use del to delete a file from your disk, you can't retrieve it.


Syntax


del [/p] [/f] [/s] [/q] [/a[:]<attributes>] <names>

erase [/p] [/f] [/s] [/q] [/a[:]<attributes>] <names>

Parameters

Parameter Description

<names> Specifies a list of one or more files or directories. Wildcards may be used to delete multiple files. If a directory is specified, all files within the directory will be deleted.

/p Prompts for confirmation before deleting the specified file.

/f Forces deletion of read-only files.

/s Deletes specified files from the current directory and all subdirectories. Displays the names of the files as they are being deleted.

/q Specifies quiet mode. You are not prompted for delete confirmation.

/a[:]<attributes> Deletes files based on the following file attributes:

r Read-only files

h Hidden files

i Not content indexed files

s System files

a Files ready for archiving

l Reparse points

- Used as a prefix meaning 'not'

/? Displays help at the command prompt.

Remarks

If you use the del /p command, you'll see the following message:


FileName, Delete (Y/N)?


To confirm the deletion, press Y. To cancel the deletion and to display the next file name (if you specified a group of files), press N. To stop the del command, press CTRL+C.


If you disable command extensions, the /s parameter displays the names of any files that weren't found, instead of displaying the names of the files that are being deleted.


If you specify folders in the <names> parameter, all of the files they contain are deleted as well. For example, if you want to delete all of the files in the \work folder, type:



del \work

You can use wildcards (* and ?) to delete more than one file at a time. However, to avoid deleting files unintentionally, you should use wildcards cautiously. For example, if you type the following command:



del *.*

The del command displays the following prompt:


Are you sure (Y/N)?


To delete all of the files in the current directory, press Y and then press ENTER. To cancel the deletion, press N and then press ENTER.


 Note


Before you use wildcard characters with the del command, use the same wildcard characters with the dir command to list all the files that will be deleted.


Examples

To delete all the files in a folder named Test on drive C, type either of the following:



del c:\test

del c:\test\*.*

To delete all the files in a folder where the folder has a space in its name, the full path needs to be wrapped in double quotes. Type either of the following:



del "c:\test folder\"

del "c:\test folder\*.*"

To delete all files with the .bat file name extension from the current directory, type:



del *.bat

To delete all read-only files in the current directory, type:



del /a:r *.*
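The /a[:]<attributes> selector above combines attribute letters (r, h, i, s, a, l) with a '-' prefix meaning "not", so `del /a:r-h *.*` means "read-only and not hidden". Because del is irreversible, it is worth being able to predict exactly which files a selector matches. The following Python is an added example, not Microsoft's code: it parses the attribute spec as documented above and applies it to a constructed directory listing. It assumes the optional leading ':' may be present, that letters are case-insensitive, that '-' negates only the letter immediately after it, and that an empty spec selects every file.

```python
"""Model the /a[:]<attributes> selector of del (added example, not Microsoft's code).

Parses the attribute letters documented above and applies them to a
constructed listing, so the effect of a selector such as /a:r-h can be
checked before anything is deleted.
"""
from __future__ import annotations

# Attribute letters accepted by del /a, from the parameter table above.
ATTRIBUTE_LETTERS = {
    "r": "read-only",
    "h": "hidden",
    "i": "not-content-indexed",
    "s": "system",
    "a": "archive",
    "l": "reparse-point",
}


def parse_attribute_spec(spec: str) -> tuple[frozenset[str], frozenset[str]]:
    """Split "<attributes>" into (required, excluded) attribute-name sets.

    Assumptions: a leading ':' is accepted, letters are case-insensitive,
    '-' negates only the letter that follows it, and an empty spec matches
    every file.
    """
    spec = spec.lower().lstrip(":")
    required: set[str] = set()
    excluded: set[str] = set()
    negate = False
    for ch in spec:
        if ch == "-":
            if negate:
                raise ValueError("'-' must be followed by an attribute letter")
            negate = True
            continue
        try:
            attr = ATTRIBUTE_LETTERS[ch]
        except KeyError:
            raise ValueError(f"unknown attribute letter {ch!r}") from None
        (excluded if negate else required).add(attr)
        negate = False
    if negate:
        raise ValueError("dangling '-' at end of attribute spec")
    clash = required & excluded
    if clash:
        raise ValueError("attribute both required and excluded: " + ", ".join(sorted(clash)))
    return frozenset(required), frozenset(excluded)


def matches(file_attributes: set[str], required: frozenset[str], excluded: frozenset[str]) -> bool:
    """True when the file has every required attribute and none of the excluded ones."""
    return required <= file_attributes and not (excluded & file_attributes)


def select_for_deletion(listing: dict[str, set[str]], spec: str) -> list[str]:
    """Names in `listing` that `del /a:<spec>` would delete, sorted for stable output."""
    required, excluded = parse_attribute_spec(spec)
    return sorted(name for name, attrs in listing.items() if matches(attrs, required, excluded))


# Constructed sample listing (file name -> attribute names); not from a real system.
SAMPLE_LISTING = {
    "notes.txt": set(),
    "config.ini": {"read-only"},
    "desktop.ini": {"hidden", "system"},
    "old.bak": {"read-only", "hidden"},
    "link": {"reparse-point"},
}


if __name__ == "__main__":
    for spec in ("r", "r-h", "-h-s", "-l", ""):
        print(f"del /a:{spec or '<none>'} -> {select_for_deletion(SAMPLE_LISTING, spec)}")
```

The same preview discipline is what the note above recommends with dir: run the listing with the identical selector first, then delete.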

Additional References

Command-Line Syntax Key


Windows Recovery Environment (WinRE)




examples:

rmdir /s /q F:\shared\users\username\WINDOWS
Access is denied. (Why is there a windows os in there? anyways)

takeown /a /r /d N /f F:\shared\users\username\WINDOWS
SUCCESS: The file (or folder): "F:\shared\users\username\WINDOWS" now owned by the administrators group.

I'm keeping a note here of the failed attempts:

icacls F:\shared\users\username\WINDOWS /grant administrators:(F) /t
processed file: F:\shared\users\doriannef\WINDOWS
F:\shared\users\username\WINDOWS\system: Access is denied.
Successfully processed 1 files; Failed processing 1 files

rd /s /q F:\shared\users\username\WINDOWS
F:\shared\users\username\WINDOWS\system - Access is denied.


www.inCOREporation.com

Chrome keyboard shortcuts

Reference

https://support.google.com/chrome/answer/157179?hl=en&co=GENIE.Platform%3DDesktop#zippy=%2Ctab-window-shortcuts%2Cgoogle-chrome-feature-shortcuts

Learn keyboard shortcuts and become a pro at using Chrome.


Windows & Linux

Tab & window shortcuts

Action: Shortcut
Open a new window: Ctrl + n
Open a new window in Incognito mode: Ctrl + Shift + n
Open a new tab, and jump to it: Ctrl + t
Reopen previously closed tabs in the order they were closed: Ctrl + Shift + t
Jump to the next open tab: Ctrl + Tab or Ctrl + PgDn
Jump to the previous open tab: Ctrl + Shift + Tab or Ctrl + PgUp
Jump to a specific tab: Ctrl + 1 through Ctrl + 8
Jump to the rightmost tab: Ctrl + 9
Open your home page in the current tab: Alt + Home
Open the previous page from your browsing history in the current tab: Alt + Left arrow
Open the next page from your browsing history in the current tab: Alt + Right arrow
Close the current tab: Ctrl + w or Ctrl + F4
Close the current window: Ctrl + Shift + w or Alt + F4
Minimize the current window: Alt + Space then n
Maximize the current window: Alt + Space then x
Quit Google Chrome: Alt + f then x
Move tabs right or left: Ctrl + Shift + PgUp or Ctrl + Shift + PgDn

Google Chrome feature shortcuts

Action: Shortcut
Open the Chrome menu: Alt + f or Alt + e
Show or hide the Bookmarks bar: Ctrl + Shift + b
Open the Bookmarks Manager: Ctrl + Shift + o
Open the History page in a new tab: Ctrl + h
Open the Downloads page in a new tab: Ctrl + j
Open the Chrome Task Manager: Shift + Esc
Set focus on the first item in the Chrome toolbar: Shift + Alt + t
Set focus on the rightmost item in the Chrome toolbar: F10
Switch focus to unfocused dialog (if showing) and all toolbars: F6
Open the Find Bar to search the current page: Ctrl + f or F3
Jump to the next match to your Find Bar search: Ctrl + g
Jump to the previous match to your Find Bar search: Ctrl + Shift + g
Open Developer Tools: Ctrl + Shift + j or F12
Open the Clear Browsing Data options: Ctrl + Shift + Delete
Open the Chrome Help Center in a new tab: F1
Log in a different user or browse as a Guest: Ctrl + Shift + m
Open a feedback form: Alt + Shift + i
Turn on caret browsing: F7
Skip to web contents: Ctrl + F6
Focus on inactive dialogs: Alt + Shift + a

Address bar shortcuts

Use the following shortcuts in the address bar:

Action: Shortcut
Search with your default search engine: Type a search term + Enter
Search using a different search engine: Type a search engine name and press Tab
Add www. and .com to a site name, and open it in the current tab: Type a site name + Ctrl + Enter
Add www. and .com to a site name, and open it in a new window: Type a site name + Ctrl + Shift + Enter
Open a new tab and perform a Google search: Type a search term + Alt + Enter
Jump to the address bar: Ctrl + l or Alt + d or F6
Search from anywhere on the page: Ctrl + k or Ctrl + e
Remove predictions from your address bar: Down arrow to highlight + Shift + Delete
Move cursor to the address bar: Ctrl + F5

Webpage shortcuts

Action: Shortcut
Open options to print the current page: Ctrl + p
Open options to save the current page: Ctrl + s
Reload the current page: F5 or Ctrl + r
Reload the current page, ignoring cached content: Shift + F5 or Ctrl + Shift + r
Stop the page loading: Esc
Browse clickable items moving forward: Tab
Browse clickable items moving backward: Shift + Tab
Open a file from your computer in Chrome: Ctrl + o + Select a file
Display non-editable HTML source code for the current page: Ctrl + u
Save your current webpage as a bookmark: Ctrl + d
Save all open tabs as bookmarks in a new folder: Ctrl + Shift + d
Turn full-screen mode on or off: F11
Make everything on the page bigger: Ctrl and +
Make everything on the page smaller: Ctrl and -
Return everything on the page to default size: Ctrl + 0
Scroll down a webpage, a screen at a time: Space or PgDn
Scroll up a webpage, a screen at a time: Shift + Space or PgUp
Go to the top of the page: Home
Go to the bottom of the page: End
Scroll horizontally on the page: Shift + Scroll your mousewheel
Move your cursor to the beginning of the previous word in a text field: Ctrl + Left arrow
Move your cursor to the next word: Ctrl + Right arrow
Delete the previous word in a text field: Ctrl + Backspace
Open the Home page in the current tab: Alt + Home

Mouse shortcuts

The following shortcuts require you to use your mouse:

Action: Shortcut
Open a link in a current tab (mouse only): Drag a link to a tab
Open a link in new background tab: Ctrl + Click a link
Open a link, and jump to it: Ctrl + Shift + Click a link
Open a link, and jump to it (mouse only): Drag a link to a blank area of the tab strip
Open a link in a new window: Shift + Click a link
Open a tab in a new window (mouse only): Drag the tab out of the tab strip
Move a tab to a current window (mouse only): Drag the tab into an existing window
Return a tab to its original position: Press Esc while dragging
Save the current webpage as a bookmark: Drag the web address to the Bookmarks Bar
Scroll horizontally on the page: Shift + Scroll your mousewheel
Download the target of a link: Alt + Click a link
Display your browsing history: Right-click Back, or click & hold Back; Right-click Next, or click & hold Next
Switch between maximized and windowed modes: Double-click a blank area of the tab strip
Make everything on the page bigger: Ctrl + Scroll your mousewheel up
Make everything on the page smaller: Ctrl + Scroll your mousewheel down

Mac

If you're on Mac Catalina and up, keyboard navigation is turned on by default in your system preferences.


Tip: To focus your keyboard on text boxes or list items, press ⌘ + F7.

Tab & window shortcuts

Action: Shortcut
Open a new window: ⌘ + n
Open a new window in Incognito mode: ⌘ + Shift + n
Open a new tab, and jump to it: ⌘ + t
Reopen previously closed tabs in the order they were closed: ⌘ + Shift + t
Jump to the next open tab: ⌘ + Option + Right arrow
Jump to the previous open tab: ⌘ + Option + Left arrow
Jump to a specific tab: ⌘ + 1 through ⌘ + 8
Jump to the last tab: ⌘ + 9
Open the previous page in your browsing history for the current tab: ⌘ + [ or ⌘ + Left arrow
Open the next page in your browsing history for the current tab: ⌘ + ] or ⌘ + Right arrow
Close the current tab or pop-up: ⌘ + w
Close the current window: ⌘ + Shift + w
Minimize the window: ⌘ + m
Hide Google Chrome: ⌘ + h
Quit Google Chrome: ⌘ + q
Move tabs right or left: Ctrl + Shift + PgUp or Ctrl + Shift + PgDn

Google Chrome feature shortcuts

Action: Shortcut
Show or hide the Bookmarks Bar: ⌘ + Shift + b
Open the Bookmark Manager: ⌘ + Option + b
Open the Settings page in a new tab: ⌘ + ,
Open the History page in a new tab: ⌘ + y
Open the Downloads page in a new tab: ⌘ + Shift + j
Open the Find Bar to search the current page: ⌘ + f
Jump to the next match to your Find Bar search: ⌘ + g
Jump to the previous match to your Find Bar search: ⌘ + Shift + g
When Find Bar is open, search for selected text: ⌘ + e
Open Developer Tools: ⌘ + Option + i
Open the Clear Browsing Data options: ⌘ + Shift + Delete
Log in as a different user, browse as a Guest, or access payment and password info: ⌘ + Shift + m
Jump to the main menu bar: Control + F2
Cycle focus to unfocused dialog (if showing) and all toolbars: ⌘ + Option + Up arrow or Down arrow
Open a feedback form: ⌘ + Option + Shift + i
Turn on caret browsing: F7
Focus on inactive dialogs: ⌘ + Option + Shift + a

Address bar shortcuts

Use the following shortcuts in the address bar:

Action: Shortcut
Search with your default search engine: Type a search term + Return
Search using a different search engine: Type a search engine name and press Tab
Add www. and .com to a site name, and open it in the current tab: Type a site name + Ctrl + Return
Add www. and .com to a site name, and open it in a new window: Type a site name + Ctrl + Shift + Return
Open the website in a new background tab: Type a web address + ⌘ + Return
Jump to the address bar: ⌘ + l
Remove predictions from your address bar: Down arrow to highlight + Shift + fn + Delete (Forward Delete, or fn-Delete on a laptop)
Move cursor to the address bar: Ctrl + F5

Webpage shortcuts

Action: Shortcut
Compose a new email message with a link to the current page: ⌘ + Shift + i
Open options to print the current page: ⌘ + p
Open options to save the current page: ⌘ + s
Open the Page Setup dialog: ⌘ + Option + p
Reload your current page, ignoring cached content: ⌘ + Shift + r
Stop the page loading: Esc
Browse clickable items moving forward: Tab
Browse clickable items moving backward: Shift + Tab
Open a file from your computer in Google Chrome: ⌘ + o + Select a file
Display non-editable HTML source code for the current page: ⌘ + Option + u
Open the JavaScript Console: ⌘ + Option + j
Save your current webpage as a bookmark: ⌘ + d
Save all open tabs as bookmarks in a new folder: ⌘ + Shift + d
Turn full-screen mode on or off: ⌘ + Ctrl + f
Make everything on the page bigger: ⌘ and +
Make everything on the page smaller: ⌘ and -
Return everything on the page to the default size: ⌘ + 0
Scroll down a webpage, a screen at a time: Space
Scroll up a webpage, a screen at a time: Shift + Space
Search the web: ⌘ + Option + f
Move your cursor to the beginning of the previous word in a text field: Option + Left arrow
Move your cursor to the back of the next word in a text field: Option + Right arrow
Delete the previous word in a text field: Option + Delete
Open your home page in the current tab: ⌘ + Shift + h

Mouse shortcuts

The following shortcuts require you to use your mouse:

Action: Shortcut
Open a link in a current tab (mouse only): Drag a link to a tab
Open a link in new background tab: ⌘ + Click a link
Open a link, and jump to it: ⌘ + Shift + Click a link
Open a link, and jump to it (mouse only): Drag a link to a blank area of the tab strip
Open a link in a new window: Shift + Click a link
Open a tab in a new window (mouse only): Drag the tab out of the tab strip
Move a tab to a current window (mouse only): Drag the tab into an existing window
Return a tab to its original position: Press Esc while dragging
Save the current webpage as a bookmark: Drag the web address to the Bookmarks Bar
Download the target of a link: Option + Click a link
Display your browsing history: Right-click Back, or click & hold Back; Right-click Next, or click & hold Next
Increase the window to full height: Double-click a blank area of the tab strip

Related resources

Learn more tips and shortcuts at Chrome.com.

