Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20240702-suspcs
This commit is contained in:
commit
0da4235b51
@ -164,6 +164,16 @@
|
||||
"source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
|
||||
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
|
||||
"redirect_document_id":false
|
||||
},
|
||||
{
|
||||
"source_path":"windows/whats-new/whats-new-windows-10-version-21H2.md",
|
||||
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H2",
|
||||
"redirect_document_id":false
|
||||
},
|
||||
{
|
||||
"source_path":"windows/whats-new/ltsc/index.yml",
|
||||
"redirect_url":"/windows/whats-new/",
|
||||
"redirect_document_id":false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
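Review bot: the three new redirect objects are appended at the end of the array, so the object immediately before them (outside the visible context) must now end with a trailing comma or the file stops being valid JSON; please confirm that line was updated. Also check the target for `windows/whats-new/ltsc/index.yml`: the two 21H1/21H2 entries land on `/previous-versions/...` pages of the same topic, while this one redirects to the generic `/windows/whats-new/` hub and drops the LTSC scope entirely, so LTSC readers lose their context.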
@ -137,4 +137,4 @@ additionalContent:
|
||||
- text: Microsoft Intune community
|
||||
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
|
||||
- text: Microsoft Support community
|
||||
url: https://answers.microsoft.com/windows/forum
|
||||
url: https://answers.microsoft.com/
|
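Review bot: the Microsoft Support community link changes from `https://answers.microsoft.com/windows/forum` to the site root `https://answers.microsoft.com/`, which drops the Windows-forum scoping the `- text: Microsoft Support community` entry implies for a Windows landing page. If the deep link was replaced because it redirects, a current Windows-specific URL would serve readers better than the root.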
@ -5,18 +5,18 @@ ms.topic: conceptual
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# Microsoft Entra integration with MDM
|
||||
|
||||
Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow.
|
||||
Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into Mobile Device Management (MDM) in an integrated flow.
|
||||
|
||||
Once a device is enrolled in MDM, the MDM:
|
||||
|
||||
- Can enforce compliance with organization policies, add or remove apps, and more.
|
||||
- Can report a device's compliance in Microsoft Entra ID.
|
||||
- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
|
||||
- Can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
|
||||
|
||||
To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID.
|
||||
|
||||
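Review bot: the rewritten third list item `- Can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.` now makes the MDM the grammatical subject of the whole list, but it is Microsoft Entra ID that grants or denies access based on the compliance the MDM reports (the second item and the later "Report device compliance to Microsoft Entra ID" section both say so). Keep Microsoft Entra ID as the actor, e.g. `- Microsoft Entra ID can then allow access to organization resources or applications it secures based on that reported compliance.`, or fold it into the second item rather than attributing the access decision to the MDM.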
@ -24,23 +24,21 @@ To support these rich experiences with their MDM product, MDM vendors can integr
|
||||
|
||||
There are several ways to connect your devices to Microsoft Entra ID:
|
||||
|
||||
- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join)
|
||||
- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
|
||||
- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
|
||||
- [Join device to Microsoft Entra ID](/entra/identity/devices/concept-directory-join)
|
||||
- [Join device to on-premises AD and Microsoft Entra ID](/entra/identity/devices/concept-hybrid-join)
|
||||
- [Add a Microsoft work account to Windows](/entra/identity/devices/concept-device-registration)
|
||||
|
||||
In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
|
||||
|
||||
In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
|
||||
|
||||
For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
|
||||
For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Microsoft Entra multifactor authentication as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
|
||||
|
||||
Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar.
|
||||
|
||||
> [!NOTE]
|
||||
> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account.
|
||||
|
||||
<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>
|
||||
|
||||
### MDM endpoints involved in Microsoft Entra integrated enrollment
|
||||
|
||||
Microsoft Entra MDM enrollment is a two-step process:
|
||||
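Review bot: this hunk deletes the `<a name='mdm-endpoints-involved-in-azure-ad-integrated-enrollment'></a>` anchor that preserved the pre-rename heading fragment, and the same deletion repeats for every section of this file later in the patch. Any inbound link or bookmark to the old `#...-azure-ad...` fragments (other docs, Intune help links, partner guidance) will silently land at the top of the page; confirm no references remain before removing them, or keep the anchors. Since the AD FS line is touched anyway, `Active Directory Federated Services (AD FS)` should read `Active Directory Federation Services (AD FS)`, and `the ADFS service` should use the same `AD FS` spelling.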
@ -64,17 +62,15 @@ To support Microsoft Entra enrollment, MDM vendors must host and expose a **Term
|
||||
|
||||
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
|
||||
|
||||
<a name='make-mdm-a-reliable-party-of-azure-ad'></a>
|
||||
|
||||
## Make MDM a reliable party of Microsoft Entra ID
|
||||
|
||||
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
|
||||
|
||||
### Cloud-based MDM
|
||||
|
||||
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
|
||||
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multitenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
|
||||
|
||||
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
|
||||
The MDM vendor must first register the application in their home tenant and mark it as a multitenant application. For more information about how to add multitenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multitenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
|
||||
|
||||
> [!NOTE]
|
||||
> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides:
|
||||
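Review bot: both unchanged context lines in this hunk read `[Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api)`, so the link text says Microsoft Graph while the path is the Azure AD Graph API reference; the hunk above already moved this file's device links to `/entra/...`, so update these two links to the Microsoft Graph reference in the same pass so the text and target agree.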
@ -82,7 +78,7 @@ The MDM vendor must first register the application in their home tenant and mark
|
||||
> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
|
||||
> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
|
||||
|
||||
The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
|
||||
The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multitenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
|
||||
|
||||
> [!NOTE]
|
||||
> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
|
||||
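Review bot: the `/azure/active-directory/fundamentals/...` links in the NOTE and the `/azure/active-directory/develop/access-tokens#token-formats` link are the same legacy path family that the earlier hunk migrated to `/entra/...`; update them here as well rather than leaving the file half-migrated. Minor style: `Azure Portal` should be `Azure portal`.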
@ -107,8 +103,6 @@ For cloud-based MDM, you can roll over the application keys without requiring a
|
||||
|
||||
For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
|
||||
|
||||
<a name='publish-your-mdm-app-to-azure-ad-app-gallery'></a>
|
||||
|
||||
## Publish your MDM app to Microsoft Entra app gallery
|
||||
|
||||
IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID.
|
||||
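Review bot: `over 2400 SaaS applications` in the unchanged context is a point-in-time figure that dates quickly and is not what this hunk is maintaining; consider dropping the number or phrasing it as "thousands of" so the sentence doesn't need periodic correction.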
@ -124,7 +118,7 @@ The following table shows the required information to create an entry in the Mic
|
||||
|
||||
| Item | Description |
|
||||
|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. |
|
||||
| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multitenant app. |
|
||||
| **Publisher** | A string that identifies the publisher of the app. |
|
||||
| **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. |
|
||||
| **Description** | A brief description of your MDM app, which must be under 255 characters. |
|
||||
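Review bot: the **Application URL** row is circular: `A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app.` Suggest `A URL to the landing page of your app, where administrators can get more information about the MDM app. This URL isn't used for the actual enrollment.`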
@ -191,7 +185,7 @@ The following claims are expected in the access token passed by Windows to the T
|
||||
|-----------|----------------------------------------------------------------------------------------------|
|
||||
| Object ID | Identifier of the user object corresponding to the authenticated user. |
|
||||
| UPN | A claim containing the user principal name (UPN) of the authenticated user. |
|
||||
| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
|
||||
| TID | A claim representing the tenant ID of the tenant. In the previous example, it's Fabrikam. |
|
||||
| Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
|
||||
|
||||
> [!NOTE]
|
||||
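Review bot: the claims table uses friendly names (Object ID, UPN, TID, Resource) while the NOTE earlier in this file makes Microsoft Entra v2 tokens a hard requirement; an implementer reads these as JWT claims, so add the actual claim name per row (`oid`, `tid`, the audience in `aud`, and the UPN via `preferred_username` or the optional `upn` claim, which is not guaranteed to be present in a v2 token). The `TID` row's `In the previous example, it's Fabrikam.` also depends on an example outside this table; stating the format (a tenant GUID) would make the row self-contained.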
@ -206,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
|
||||
Authorization: Bearer eyJ0eXAiOi
|
||||
```
|
||||
|
||||
The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate.
|
||||
The MDM is expected to validate the signature of the access token to ensure it's issued by Microsoft Entra ID and that the recipient is appropriate.
|
||||
|
||||
### Terms of Use content
|
||||
|
||||
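Review bot: `to ensure it's issued by Microsoft Entra ID and that the recipient is appropriate` leaves the audience check unspecified, and signature validation alone does not stop a valid token minted for a different application from being accepted at the Terms of Use endpoint. State the concrete checks: signature against the issuer's published signing keys, `aud` equal to the MDM application's client ID or App ID URI, `iss`/`tid` matching the expected tenant, and `exp`/`nbf` within clock tolerance.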
@ -260,8 +254,6 @@ The following table shows the error codes.
|
||||
| Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client |
|
||||
| internal service error | 302 | server_error | internal service error |
|
||||
|
||||
<a name='enrollment-protocol-with-azure-ad'></a>
|
||||
|
||||
## Enrollment protocol with Microsoft Entra ID
|
||||
|
||||
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
|
||||
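Review bot: `With Azure integrated MDM enrollment ... passed down to the system from Azure` keeps the old product name in a file this commit otherwise renames to Microsoft Entra ID; suggest `With Microsoft Entra integrated MDM enrollment, ... from Microsoft Entra ID`, and rename the `Azure` column header in the comparison table that follows if it uses the same wording.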
@ -284,8 +276,6 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
|
||||
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|
||||
|CSPs accessible during enrollment|Windows 10 support: <br/>- DMClient <br/>- CertificateStore <br/>- RootCATrustedCertificates <br/> - ClientCertificateInstall <br/>- EnterpriseModernAppManagement <br/> - PassportForWork <br/> - Policy <br/> - w7 APPLICATION|||
|
||||
|
||||
<a name='management-protocol-with-azure-ad'></a>
|
||||
|
||||
## Management protocol with Microsoft Entra ID
|
||||
|
||||
There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
|
||||
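Review bot: the last table row `|CSPs accessible during enrollment|Windows 10 support: ...|||` leaves the two remaining columns empty, so the rendered table shows blank cells for the two Microsoft Entra enrollment types; either fill them in or mark them explicitly (for example `Same as traditional`). The `Windows 10 support:` label also needs a Windows 11 statement if the accessible CSP set differs there, since this file elsewhere distinguishes Windows 10 and Windows 11 behavior.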
@ -318,8 +308,6 @@ There are two different MDM enrollment types that integrate with Microsoft Entra
|
||||
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
|
||||
- Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
|
||||
|
||||
<a name='device-alert-1224-for-azure-ad-user-token'></a>
|
||||
|
||||
## Device Alert 1224 for Microsoft Entra user token
|
||||
|
||||
An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example:
|
||||
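Review bot: `Use the JWT Token Handler extension for WIF` describes the linked `JwtSecurityTokenHandler` as a WIF extension, but the linked class lives in the standalone `System.IdentityModel.Tokens.Jwt` package; simplify to `Use JwtSecurityTokenHandler to validate the access token and extract the required claims`. Also confirm the `NativeClient-DotNet` fwlink still resolves to a sample that acquires v2 tokens, given the hard requirement stated earlier in this file.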
@ -372,15 +360,13 @@ Here's an example.
|
||||
</SyncBody>
|
||||
```
|
||||
|
||||
<a name='report-device-compliance-to-azure-ad'></a>
|
||||
|
||||
## Report device compliance to Microsoft Entra ID
|
||||
|
||||
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID.
|
||||
|
||||
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
|
||||
|
||||
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
|
||||
- **Cloud-based MDM** - If your product is a cloud-based multitenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
|
||||
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID.
|
||||
|
||||
### Use Microsoft Graph API
|
||||
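Review bot: the **On-premises MDM** bullet has customers configure `the key used to authenticate with Microsoft Entra ID` without saying what kind of credential it is; the linked sample is `Daemon_CertificateCredential-DotNet`, so say that a certificate credential is expected (rather than a client secret) and that the configuration experience should keep it in a protected store, because this material authenticates as the MDM application inside the customer tenant. Minor: the backslash escapes in `client\_credentials` and `Daemon\_CertificateCredential-DotNet` are unnecessary; intraword underscores render as-is.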
@ -415,8 +401,6 @@ Response:
|
||||
- Success - HTTP 204 with No Content.
|
||||
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
|
||||
|
||||
<a name='data-loss-during-unenrollment-from-azure-active-directory-join'></a>
|
||||
|
||||
## Data loss during unenrollment from Microsoft Entra join
|
||||
|
||||
When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
|
||||
|
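Review bot: the response list documents only `204` and `404`, but the compliance call is made with an app-only token, so the failures an integrator hits first are `401 Unauthorized` (expired token or wrong audience) and `403 Forbidden` (the application lacks the required Graph permission); add those two with what to check for each, next to `- Failure/Error - HTTP 404 Not Found.`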
@ -2,7 +2,7 @@
|
||||
title: Automatic MDM enrollment in the Intune admin center
|
||||
description: Automatic MDM enrollment in the Intune admin center
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# Automatic MDM enrollment in the Intune admin center
|
||||
|
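Review bot: `description:` is a verbatim copy of `title:`; the description feeds search snippets and link previews, so while the date is being bumped give it a sentence that says what the article covers (how automatic MDM enrollment is configured in the Intune admin center and what it requires).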
@ -1,13 +1,13 @@
|
||||
---
|
||||
title: Bulk enrollment
|
||||
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices.
|
||||
description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices.
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# Bulk enrollment using Windows Configuration Designer
|
||||
|
||||
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
|
||||
Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
|
||||
|
||||
## Typical use cases
|
||||
|
||||
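Review bot: the rewritten description and opening sentence, `set up an MDM server to manage a large number of devices`, invert what bulk enrollment configures: the provisioning package built with the `Provisioning CSP` is applied to the devices, and nothing in this procedure sets up the server. The original `set up a large number of devices to be managed by an MDM server` was accurate; if the goal was to avoid the passive, `enroll a large number of devices in an MDM server without reimaging them` keeps the meaning.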
@ -68,7 +68,7 @@ Using the WCD, create a provisioning package using the enrollment information re
|
||||

|
||||
|
||||
1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
|
||||
1. When you're done adding all the settings, on the **File** menu, select **Save**.
|
||||
1. After adding all the settings, select **Save** on the **File** menu.
|
||||
1. On the main menu, select **Export** > **Provisioning package**.
|
||||
|
||||

|
||||
@ -120,7 +120,7 @@ Using the WCD, create a provisioning package using the enrollment information re
|
||||
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
|
||||
|
||||
1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
|
||||
1. When you're done adding all the settings, on the **File** menu, select **Save**.
|
||||
1. After adding all the settings, select **Save** on the **File** menu.
|
||||
1. Export and build the package (steps 10-13 in previous section).
|
||||
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
|
||||
1. Apply the package to your devices.
|
||||
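Review bot: `Export and build the package (steps 10-13 in previous section).` hard-codes step numbers while the list uses auto-numbered `1.` items, so the reference breaks as soon as a step is added or removed in the previous section; link to that section's heading instead, or restate the short export step here.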
@ -142,7 +142,7 @@ Using the WCD, create a provisioning package using the enrollment information re
|
||||
- If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row.
|
||||
- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context.
|
||||
- It also retries the provisioning each time it's launched, if started from somewhere else as well.
|
||||
- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
|
||||
- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system is idle](/windows/win32/taskschd/task-idle-conditions).
|
||||
|
||||
## Related articles
|
||||
|
||||
|
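Review bot: `after a sign in and the system is idle` needs the noun form and a connective: `after a sign-in, once the system is idle`. In the same list, `It will retry four times` and `provisioning will be restarted` are the future-tense constructions the rest of this commit removes elsewhere; `retries` and `restarts` keep the list consistent.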
@ -2,7 +2,7 @@
|
||||
title: Certificate authentication device enrollment
|
||||
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# Certificate authentication device enrollment
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Certificate Renewal
|
||||
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# Certificate Renewal
|
||||
@ -19,7 +19,7 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
|
||||
> [!NOTE]
|
||||
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
|
||||
|
||||
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
|
||||
Auto certificate renewal is the only supported MDM client certificate renewal method for a device enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
|
||||
|
||||
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL.
|
||||
|
||||
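Review bot: `Meaning, the AuthPolicy is set to Federated.` is a fragment; fold it into the preceding sentence: `... for a device enrolled using WAB authentication (that is, AuthPolicy is set to Federated).` The `MUST` in the next sentence is RFC-style emphasis this doc set doesn't otherwise use; lower-case it or use bold.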
@ -89,7 +89,7 @@ In Windows, the renewal period can only be set during the MDM enrollment phase.
|
||||
|
||||
For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md).
|
||||
|
||||
Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week.
|
||||
Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device tries to connect at different days of the week.
|
||||
|
||||
## Certificate renewal response
|
||||
|
||||
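Review bot: `a couple months (40-60 days)` should be `a couple of months`, and the last two sentences start with `And,` and a vague `This change`; tighten to `Set the renewal retry interval to every 4-5 days rather than weekly so that renewal attempts fall on different days of the week.` The reason this matters is already in the paragraph (no renewal once the certificate has expired), so leading with it would make the recommendation land.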
@ -99,7 +99,7 @@ When RequestType is set to Renew, the web service verifies the following (in add
|
||||
- The client's certificate is in the renewal period
|
||||
- The certificate is issued by the enrollment service
|
||||
- The requester is the same as the requester for initial enrollment
|
||||
- For standard client's request, the client hasn't been blocked
|
||||
- For standard client's request, the client isn't blocked
|
||||
|
||||
After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
|
||||
|
||||
|
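Review bot: `For standard client's request, the client isn't blocked` still needs an article and the possessive removed: `For a standard client request, the client isn't blocked`. The other bullets would read better as complete checks in the same form, e.g. `The client certificate is within its renewal period`.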
@ -2,7 +2,7 @@
|
||||
title: Secured-core configuration lock
|
||||
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
---
|
||||
@ -63,7 +63,7 @@ The steps to turn on config lock using Microsoft Intune are as follows:
|
||||
|
||||
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
|
||||
|
||||
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
|
||||
:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of System Guard protects your device from compromised firmware. The setting is set to Off.":::
|
||||
|
||||
## FAQ
|
||||
|
||||
|
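Review bot: the alt text now says `System Guard protects your device from compromised firmware` but the image file is unchanged (`images/configlock-mem-firmwareprotect.png`); if the captured Intune UI still shows the older `Windows Defender System Guard` label, the alt text no longer describes the screenshot. Either recapture the image or keep the alt text matching what is shown.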
@ -1,13 +1,13 @@
|
||||
---
|
||||
title: Declared configuration extensibility
|
||||
description: Learn more about declared configuration extensibility through native WMI providers.
|
||||
ms.date: 09/26/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
||||
# Declared configuration extensibility providers
|
||||
|
||||
The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
|
||||
The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
|
||||
|
||||
> [!NOTE]
|
||||
> Only string properties are currently supported by extensibility providers.
|
||||
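Review bot: `GetTargetResource, TestTargetResource, and SetTargetResource` are method names and belong in code font, consistent with the `Convert-MofToProvider.exe` reference later in this file. The NOTE `Only string properties are currently supported` would help an implementer more if it said what happens with a non-string property (rejected at provider load or ignored), since that is the failure they will be debugging.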
@ -51,7 +51,7 @@ uint32 SetTargetResource(
|
||||
|
||||
To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
|
||||
|
||||
1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
|
||||
1. Create a Managed Object Format (MOF) file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
|
||||
2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
|
||||
3. Edit the required files and include the correct file names and class names.
|
||||
4. Invoke the provider generator tool to generate the provider's project files.
|
||||
|
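Review bot: this list switches to explicit `1. 2. 3. 4.` numbering while the other procedures in this commit use the doc set's auto-numbered `1.` style, and `ProviderGenerationTool` is a directory name that belongs in code font. Expanding `Managed Object Format (MOF)` here is good; check that later mentions in the file use the acronym only.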
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Declared configuration protocol
|
||||
description: Learn more about using declared configuration protocol for desired state management of Windows devices.
|
||||
ms.date: 09/26/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.topic: overview
|
||||
---
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Mobile device management MDM for device updates
|
||||
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
|
||||
ms.topic: conceptual
|
||||
ms.date: 08/10/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
@ -25,7 +25,7 @@ In particular, Windows provides APIs to enable MDMs to:
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.

This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
This article provides independent software publishers (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).

> [!NOTE]
> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
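Review bot: the rewording to "independent software publishers (ISV)" no longer matches its own acronym; ISV expands to independent software vendor, so either keep "independent software vendors (ISV)" or drop the parenthetical. The rest of the hunk is fine.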
@ -88,7 +88,7 @@ This section describes a possible algorithm for using the server-server sync pro

First some background:

- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- If you have a multitenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.

@ -130,7 +130,7 @@ The following screenshots of the administrator console show the list of update t

### SyncML example

Set auto update to notify and defer.
Set Microsoft AutoUpdate to notify and defer.

```xml
<SyncML xmlns="SYNCML:SYNCML1.1">
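Review bot: "Set Microsoft AutoUpdate to notify and defer." introduces a product name that doesn't belong here. Microsoft AutoUpdate is the updater for Office on macOS, while this SyncML sample configures Windows automatic updates through the Update policies this article covers. Suggest a neutral wording such as "Set automatic updates to notify and defer."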
@ -2,7 +2,7 @@
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Disconnecting from the management infrastructure (unenrollment)
@ -22,14 +22,14 @@ During disconnection, the client executes the following tasks:

In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device.

This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment can succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.

> [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).

The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.

After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DMClient starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.

The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article.

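Review bot: the rename in "After that, the DMClient starts a DM session" is questionable. DMClient is the name of a configuration service provider, whereas this sentence is about the OMA DM client component that opens the session, which the first paragraph of the same hunk still calls "the MDM client"; the rename makes the terminology less consistent, not more, so keep "DM client" (or "MDM client") unless the CSP is meant. While here, the unchanged first paragraph says the notification is sent "to the device" although it's the client notifying the server; "sent to the server" is what's described.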
@ -107,15 +107,13 @@ You can only use the Work Access page to unenroll under the following conditions
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.

<a name='unenrollment-from-azure-active-directory-join'></a>

## Unenrollment from Microsoft Entra join

When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.



During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device can get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.

Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.

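Review bot: judging by the line counts (-107,15 +107,13), this hunk drops the `<a name='unenrollment-from-azure-active-directory-join'></a>` anchor and its blank line. That anchor keeps links to #unenrollment-from-azure-active-directory-join (the heading's id before the Azure AD to Microsoft Entra rename) resolving to this section; once it's gone they land at the top of the page, so confirm no inbound link or redirect still targets the old fragment. Also, in the unchanged context "When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects" the comma is misplaced; "and the enrollment later disconnects" reads correctly.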
@ -3,7 +3,7 @@ title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Enable ADMX policies in MDM
@ -2,7 +2,7 @@
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
ms.collection:
- highpri
- tier2
@ -12,7 +12,7 @@ ms.collection:

You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.

The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
The group policy created on your local AD triggers enrollment into Intune without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.

**Requirements**:

@ -2,7 +2,7 @@
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Enterprise app management
@ -116,7 +116,7 @@ There are two basic types of apps you can deploy:
- Store apps.
- Enterprise signed apps.

To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for nonstore app deployment.

### Unlock the device for non-Store apps

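Review bot: "nonstore app deployment" is now inconsistent with the heading directly below it in this hunk, "### Unlock the device for non-Store apps", which keeps the hyphen and the capital S. Use one form throughout the article; since the Store is a product name, "non-Store" is the safer choice.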
@ -154,7 +154,7 @@ Here's an example:

### Unlock the device for developer mode

Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of nonpackaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.

AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.

@ -469,7 +469,7 @@ When an app installation is completed, a Windows notification is sent. You can a
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
- INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean-up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
@ -3,7 +3,7 @@ title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# How Mobile Device Management Providers support eSIM Management on Windows
@ -28,7 +28,7 @@ If you're a Mobile Device Management (MDM) Provider and want to support eSIM Man
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Operator doesn't have visibility over status of the eSIM profiles
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
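Review bot: this edit removes information rather than just tidying the wording. The old bullet also said the operator can't see which device the eSIM was downloaded and installed to, which is the counterpart of the real-time bullet's "has visibility on which devices are being used". If readability was the goal, keep both facts, for example "Operator has no visibility into the status of the eSIM profiles or the devices they're installed on".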
@ -2,7 +2,7 @@
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Federated authentication device enrollment
@ -183,7 +183,7 @@ Content-Length: 556
</html>
```

The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form its just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string.
The server has to send a POST to a redirect URL of the form `ms-app://string` (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string `http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary` contained in the `<wsse:BinarySecurityToken>` EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded. This string is opaque to the enrollment client; the client doesn't interpret the string.

The following example shows a response received from the discovery web service that requires authentication via WAB.

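Review bot: correcting "its" to "it's" is right, but the sentence stays unclear: "Windows does the binary encode when it sends it back to enrollment server, in the form it's just HTML encoded" points in two directions (binary-encoded versus merely HTML-encoded). Since the line is being touched anyway, state plainly which encoding is applied when the token is posted back. The preceding sentence is also muddled, as the `...xsd\#base64binary` URI is the value of the EncodingType attribute, not the token value itself; the token value is the base64 string inside the element.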
@ -367,7 +367,7 @@ The following snippet shows the policy web service response.

## Enrollment web service

This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DMClient.

The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on, match the certificate template), the client can enroll successfully.

@ -471,15 +471,15 @@ Similar to the TokenType in the RST, the RSTR uses a custom ValueType in the Bin
The provisioning XML contains:

- The requested certificates (required)
- The DM client configuration (required)
- The DMClient configuration (required)

The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server.
The client installs the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DMClient calls back to the server.

Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. More root and intermediate CA certificates could be provisioned during an OMA DM session.

When root and intermediate CA certificates are being provisioned, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning.

Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section.
Here's a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies, and app management section.

The following example shows the enrollment web service response.

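Review bot: the "DMClient" rename is applied unevenly inside this hunk. The bullet becomes "The DMClient configuration (required)" and the paragraph ends with "when the DMClient calls back to the server", yet the same paragraph still says "The DM configuration includes the name and address of the DM server". If DMClient (the CSP name) is intended, reconcile "DM configuration" and "DM server" with it; otherwise keep "DM client" throughout, which also matches "MDM client certificate" two paragraphs down.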
@ -2,7 +2,7 @@
title: Support for Windows Information Protection (WIP) on Windows
description: Learn about implementing the Windows version of Windows Information Protection (WIP), which is a lightweight solution for managing company data access and security on personal devices.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Support for Windows Information Protection (WIP) on Windows
@ -11,8 +11,6 @@ Windows Information Protection (WIP) is a lightweight solution for managing comp

[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]

<a name='integration-with-azure-ad'></a>

## Integration with Microsoft Entra ID

WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md).
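Review bot: per the counts (-11,8 +11,6) this hunk removes the `<a name='integration-with-azure-ad'></a>` anchor and its blank line. That anchor exists so that links to #integration-with-azure-ad, the heading's id before the Azure AD to Microsoft Entra rename, keep resolving; check the repo and any published redirects for references to that fragment before dropping it, or leave the anchor in place since it costs nothing.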
@ -78,7 +76,7 @@ Since the [Poll](mdm/dmclient-csp.md#deviceproviderprovideridpoll) node isn't pr

## Supported CSPs

WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list may change later based on customer feedback:
WIP supports the following configuration service providers (CSPs). All other CSPs are blocked. Note the list can change later based on customer feedback:

- [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
- [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
@ -13,7 +13,7 @@ metadata:
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.date: 01/18/2024
ms.date: 07/08/2024
localization_priority: medium

# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@ -2,13 +2,13 @@
title: Manage Windows devices in your organization - transitioning to modern management
description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.localizationpriority: medium
ms.date: 08/10/2023
ms.date: 07/08/2024
ms.topic: conceptual
---

# Manage Windows devices in your organization - transitioning to modern management

Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.
Use of personal devices for work, and users working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.

Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.

@ -45,13 +45,13 @@ You can use Windows and services like [Microsoft Entra ID](/azure/active-directo

You can envision user and device management as falling into these two categories:

- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your users can self-provision their devices:

- For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.

Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time users. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.

- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- Likewise, for personal devices, users can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.

- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.

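Review bot: the blanket "employees" to "users" substitution produces "temporary staff, partners, or other part-time users", which no longer makes sense, since "part-time" describes employment, not device usage. Suggest "or other part-time staff" for that sentence while keeping "users" in the other two changed lines; "users can use" in the BYOD bullet is also worth smoothing to "people can use".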
@ -71,7 +71,7 @@ As you review the roles in your organization, you can use the following generali

## Settings and configuration

Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, users are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.

- **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.

@ -2,7 +2,7 @@
title: Collect MDM logs
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
ms.collection:
- highpri
- tier2
@ -40,7 +40,7 @@ mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zi

### Understanding zip structure

The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub
The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning, and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub

- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)
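Review bot: the serial comma is fine, but the rewritten line still ends without a period ("... collected via command line or Feedback Hub"). Add the full stop while the line is being touched.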
@ -2,7 +2,7 @@
title: Diagnose MDM enrollment failures
description: Learn how to diagnose enrollment failures for Windows devices
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Diagnose MDM enrollment
@ -5,12 +5,12 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# MDM enrollment of Windows devices

In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.
In today's cloud-first world, enterprise IT departments increasingly want to let users use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email.

> [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
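Review bot: "let users use their own devices" is an awkward doubling introduced by the replacement. Suggest "let people use their own devices" or "allow personal devices" for this sentence.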
@ -24,8 +24,6 @@ You can connect corporate-owned devices to work by either joining the device to
> [!NOTE]
> For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md).

<a name='connect-your-device-to-an-azure-ad-domain-join-azure-ad'></a>

### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID)

All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app.
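Review bot: the two removed lines (-24,8 +24,6) are the `<a name='connect-your-device-to-an-azure-ad-domain-join-azure-ad'></a>` anchor and its blank line, which preserved the section's pre-rename fragment id. Verify nothing links to #connect-your-device-to-an-azure-ad-domain-join-azure-ad before removing it.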
@ -2,7 +2,7 @@
title: Known issues in MDM
description: Learn about known issues for Windows devices in MDM
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Known issues
@ -11,11 +11,11 @@ ms.date: 08/10/2023

A Get command inside an atomic command isn't supported.

## Apps installed using WMI classes are not removed
## Apps installed using WMI classes aren't removed

Applications installed using WMI classes aren't removed when the MDM account is removed from device.

## Passing CDATA in SyncML does not work
## Passing CDATA in SyncML doesn't work

Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.

@ -222,8 +222,6 @@ Alternatively you can use the following procedure to create an EAP Configuration

After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.

<a name='user-provisioning-failure-in-azure-active-directory-joined-devices'></a>

## User provisioning failure in Microsoft Entra joined devices

For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design.
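Review bot: "ensure to sign out and sign in with Microsoft Entra credentials" in the last context line is ungrammatical; suggest "make sure you sign out and sign back in with Microsoft Entra credentials". The WNS paragraph still uses future tense ("will immediately check in") while the rest of this commit moves the same files to present tense; "immediately checks in" keeps it consistent.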
@ -232,6 +230,6 @@ For Microsoft Entra joined devices, provisioning `.\User` resources fails when t

If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.

## Device management agent for the push-button reset is not working
## Device management agent for the push-button reset isn't working

The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
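Review bot: same anchor-ID concern as above for the renamed heading "Device management agent for the push-button reset isn't working". The Kerberos paragraph in the context lines is one run-on sentence; split it after "smart card certificate" ("...must meet the requirements for a smart card certificate. The Subject field should contain...") so the two certificate requirements read as separate conditions.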
@ -1,7 +1,7 @@
---
title: Mobile Device Management overview
description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
ms.date: 08/10/2023
ms.date: 07/08/2024
ms.topic: conceptual
ms.localizationpriority: medium
ms.collection:
@ -56,8 +56,6 @@ For information about the MDM policies defined in the Intune security baseline,

No. Only one MDM is allowed.

<a name='how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user'></a>

### How do I set the maximum number of Microsoft Entra joined devices per user?

1. Sign in to the portal as tenant admin: <https://portal.azure.com>.
@ -1,7 +1,7 @@
---
title: ADMX_WindowsStore Policy CSP
description: Learn more about the ADMX_WindowsStore Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 07/08/2024
---

<!-- Auto-Generated CSP Document -->
@ -200,7 +200,7 @@ Enables or disables the Store offer to update to the latest version of Windows.
<!-- RemoveWindowsStore_1-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ❌ Device <br> ✅ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- RemoveWindowsStore_1-Applicability-End -->

<!-- RemoveWindowsStore_1-OmaUri-Begin -->
@ -220,8 +220,6 @@ Denies or allows access to the Store application.

<!-- RemoveWindowsStore_1-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_1-Editable-End -->

<!-- RemoveWindowsStore_1-DFProperties-Begin -->
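Review bot: the 8-to-6 line count on this hunk indicates the two `[!NOTE]` lines are what is being removed, presumably because the applicability table above now marks Pro as ❌. That table tick is easy to overlook, and the note carried the only link to the troubleshooting article (/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store) that explains why the Store can't be blocked on Pro. Keep at least that sentence and link in the editable section so an admin evaluating this control on Pro devices doesn't assume it's enforced.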
@ -261,7 +259,7 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_2-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.1202] and later <br> ✅ Windows 10, version 2009 [10.0.19042.1202] and later <br> ✅ Windows 10, version 21H1 [10.0.19043.1202] and later <br> ✅ Windows 11, version 21H2 [10.0.22000] and later |
<!-- RemoveWindowsStore_2-Applicability-End -->

<!-- RemoveWindowsStore_2-OmaUri-Begin -->
@ -281,8 +279,6 @@ Denies or allows access to the Store application.

<!-- RemoveWindowsStore_2-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_2-Editable-End -->

<!-- RemoveWindowsStore_2-DFProperties-Begin -->
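Review bot: same point as for RemoveWindowsStore_1 above: the removed `[!NOTE]` is the only prose statement of the Pro limitation and the only place the troubleshooting link appears, so consider keeping it in the editable section next to the ❌ Pro entry in the table.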
@ -1,7 +1,7 @@
---
title: Search Policy CSP
description: Learn more about the Search Area in Policy CSP.
ms.date: 04/10/2024
ms.date: 07/08/2024
---

<!-- Auto-Generated CSP Document -->
@ -919,7 +919,7 @@ This policy setting configures whether or not locations on removable drives can
<!-- DoNotUseWebResults-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- DoNotUseWebResults-Applicability-End -->

<!-- DoNotUseWebResults-OmaUri-Begin -->
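Review bot: unlike the RemoveWindowsStore entries in this commit, dropping Pro from the DoNotUseWebResults applicability row comes with no prose change anywhere on the page, so nothing tells an admin who already pushes this policy to Pro devices that Search web results are no longer blocked there. Add a sentence in the policy's editable section, or a What's new entry, that documents the edition change and when it took effect.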
@ -2,7 +2,7 @@
title: Mobile device enrollment
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices are managed by the enterprise.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
ms.collection:
- highpri
- tier2
@ -43,13 +43,13 @@ The certificate enrollment is an implementation of the MS-WSTEP protocol.

### Management configuration

The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The server sends provisioning XML that contains a server certificate (for TLS/SSL server authentication), a client certificate issued by enterprise CA, DMClient bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.

The following articles describe the end-to-end enrollment process using various authentication methods:

- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
- [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)

> [!NOTE]
> As a best practice, don't use hardcoded server-side checks on values such as:
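Review bot: "DM client" to "DMClient" in the provisioning-XML sentence conflates the generic OMA DM client with the DMClient CSP, the node that actually carries the bootstrap data; if the CSP is meant, say "DMClient CSP bootstrap information" and link it, otherwise keep "DM client" as the generic term. The list item's link text is now "On-premises" while the target file stays `on-premise-authentication-device-enrollment.md`; that's fine as long as the file isn't renamed later without a redirect.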
@ -168,4 +168,4 @@ TraceID is a freeform text node that is logged. It should identify the server si
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
- [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)
@ -3,7 +3,7 @@ title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# What's new in mobile device enrollment and management
@ -2,7 +2,7 @@
title: OMA DM protocol support
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# OMA DM protocol support
@ -2,7 +2,7 @@
title: On-premises authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# On-premises authentication device enrollment
@ -2,7 +2,7 @@
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Push notification support for device management
@ -2,7 +2,7 @@
title: Server requirements for using OMA DM to manage Windows devices
description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Server requirements for using OMA DM to manage Windows devices
@ -11,11 +11,11 @@ The following list shows the general server requirements for using OMA DM to man

- The OMA DM server must support the OMA DM v1.1.2 or later protocol.

- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store.
- Secure Sockets Layer (TLS/SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a public Certification Authority whose root certificate is preinstalled in the device, you must provision the enterprise root certificate in the device's Root store.

- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.

- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
- The server MD5 nonce must be renewed in each DM session. The DMClient sends the new server nonce for the next session to the server over the Status element in every DM session.

- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.

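Review bot: since the TLS bullet is being edited anyway ("commercial" to "public" CA), "Secure Sockets Layer (TLS/SSL)" should become just "TLS"; SSL versions are deprecated and the sentence otherwise reads as if SSL were still acceptable. "the device's Root store" should name the actual store (Trusted Root Certification Authorities). The Basic/MD5 bullet below it describes application-level authentication that is only acceptable because it rides inside that TLS channel, which is worth stating in the same list so readers don't treat MD5 client auth as a standalone control. In the last bullet, "octal form of the binary data" is presumably "octet (raw binary) form", which matters to anyone implementing the digest check.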
@ -2,7 +2,7 @@
title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Structure of OMA DM provisioning files
@ -2,7 +2,7 @@
title: Understanding ADMX policies
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Understanding ADMX policies
@ -2,7 +2,7 @@
title: Using PowerShell scripting with the WMI Bridge Provider
description: This article covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Using PowerShell scripting with the WMI Bridge Provider
@ -2,7 +2,7 @@
title: Win32 and Desktop Bridge app ADMX policy Ingestion
description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Win32 and Desktop Bridge app ADMX policy Ingestion
@ -1,17 +1,17 @@
---
title: Enterprise settings and policy management
description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
description: The DMClient manages the interaction between a device and a server. Learn more about the client-server management workflow.
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# Enterprise settings and policy management

The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/).
The actual management interaction between the device and server is done via the DMClient. The DMClient communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/).

Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml).
Enterprise MDM settings are exposed via various configuration service providers to the DMClient. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml).

Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DM client to periodically poll the MDM server.
Windows currently supports one MDM server. The DMClient that is configured via the enrollment process is granted access to enterprise related settings. During the enrollment process, the task scheduler is configured to invoke the DMClient to periodically poll the MDM server.

The following diagram shows the work flow between server and client.

@ -21,9 +21,9 @@ The following diagram shows the work flow between server and client.

This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure.

To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process.
To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted TLS/SSL HTTP channel between the DMClient and management service. The server and client certificates are provisioned during the enrollment process.

The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device.
The DMClient configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DMClient communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device.

Here's a summary of the DM tasks supported for enterprise management:

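Review bot: the mutual-authentication sentence is being rewritten anyway, so change "encrypted TLS/SSL HTTP channel" to "encrypted TLS channel" (SSL is deprecated, and HTTPS already says HTTP). In the CSP paragraph, "sends configuration request to CSPs" should read "sends configuration requests to CSPs". Same DMClient-versus-"DM client" terminology question as raised on the enrollment article.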
@ -2,7 +2,7 @@
title: WMI providers supported in Windows
description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
ms.topic: conceptual
ms.date: 08/10/2023
ms.date: 07/08/2024
---

# WMI providers supported in Windows
@ -12,7 +12,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/15/2023
ms.date: 07/09/2024
---

# Manually configure devices for Windows Update for Business reports
@ -12,7 +12,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023
ms.date: 07/09/2024
---

# Configuring devices through the Windows Update for Business reports configuration script
@ -22,9 +22,9 @@ The Windows Update for Business reports configuration script is the recommended

## About the script

The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly.
The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md), device data might not appear in Windows Update for Business reports correctly.

You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086).

## How this script is organized

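Review bot: the trimmed download sentence drops the only pointer to the error-code reference that readers need when the script's logs report a failure; if that section still exists further down the page, replace the dropped clause with a link to it instead of removing the mention. Given that the script writes registry keys directly, this paragraph is also the natural place for one line on verifying the downloaded package's signature or hash before deploying it, since the sentence now ends at the download URL.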
@ -39,8 +39,8 @@ Edit the `RunConfig.bat` file to configure the following variables, then run the

| Variable | Allowed values and description | Example |
|---|---|---|
| runMode | **Pilot** (default): Verbose mode with additional diagnostics with additional logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` |
| logPath | Path where the logs will be saved. The default location of the logs is `.\UCLogs`. | `logPath=C:\temp\logs` |
| runMode | **Pilot** (default): Verbose mode with additional diagnostics and logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` |
| logPath | Path where the logs are saved. The default location of the logs is `.\UCLogs`.| `logPath=C:\temp\logs` |
| logMode | **0**: Log to the console only </br> **1** (default): Log to file and console.</br> **2**: Log to file only. | `logMode=2` |
| DeviceNameOptIn | **true** (default): Device name is sent to Microsoft.</br> **false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` |
| ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct.</br> **System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`. </br> **User**: The proxy is configured through IE and it might or might not require user authentication. </br> </br> For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` |
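Review bot: the edited logPath row lost the space before its closing cell separator ("`.\UCLogs`.| `logPath=...`"); restore it to match the other rows. Style points on the adjacent context rows: the support.microsoft.com link in the ClientProxy row carries a locale segment (`/en-us/`) that the docs convention drops, and "configured through IE" refers to a retired browser, so "configured in Internet Options" would age better.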
@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 07/11/2023
ms.date: 07/09/2024
---

# Enable Windows Update for Business reports
@ -34,7 +34,7 @@ After verifying the [prerequisites](wufb-reports-prerequisites.md) are met, you

## <a name="bkmk_add"></a> Add Windows Update for Business reports to your Azure subscription

Before you configure clients to send data, you'll need to add Windows Update for Business reports to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll enroll Windows Update for Business reports to the workspace.
Before you configure clients to send data, you need to add Windows Update for Business reports to your Azure subscription so the data can be received. First, you select or create a new Log Analytics workspace to use. Second, you enroll Windows Update for Business reports to the workspace.

## <a name="bkmk_workspace"></a> Select or create a new Log Analytics workspace for Windows Update for Business reports

@ -69,7 +69,7 @@ Enroll into Windows Update for Business reports by configuring its settings thro
> [!Tip]
> If a `403 Forbidden` error occurs, verify the account you're using has [permissions](wufb-reports-prerequisites.md#permissions) to enroll into Windows Update for Business reports.
1. The initial setup can take up to 24 hours. During this time, the workbook will display that it's **Waiting for Windows Update for Business reports data**.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it will take before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.
- Enrolling into Windows Update for Business reports doesn't influence the rate that required data is uploaded from devices. Device connectivity to the internet and how active the device is influences how long it takes before the device appears in reporting. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available.

##### <a name="bkmk_admin-center"></a> Enroll through the Microsoft 365 admin center
<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 02/10/2023
ms.date: 07/09/2024
---

# Windows Update for Business reports feedback, support, and troubleshooting
@ -52,7 +52,7 @@ You can open support requests directly from the Azure portal. If the **Help + S
- **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management***


1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem.
1. Based on the information you provided, you are shown some **Recommended solutions** you can use to try to resolve the problem.
1. Complete the **Additional details** tab and then create the request on the **Review + create** tab.

## Documentation feedback
@ -1,7 +1,7 @@
---
title: Add and verify admin contacts
description: This article explains how to add and verify admin contacts
ms.date: 09/15/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -1,7 +1,7 @@
---
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
ms.date: 12/13/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -1,7 +1,7 @@
---
title: Windows Autopatch groups overview
description: This article explains what Autopatch groups are
ms.date: 07/20/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -1,7 +1,7 @@
---
title: Post-device registration readiness checks
description: This article details how post-device registration readiness checks are performed in Windows Autopatch
ms.date: 09/16/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -1,7 +1,7 @@
---
title: Customize Windows Update settings Autopatch groups experience
description: How to customize Windows Updates with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -1,7 +1,7 @@
---
title: Device alerts
description: Provide notifications and information about the necessary steps to keep your devices up to date.
ms.date: 08/01/2023
ms.date: 07/08/2023
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
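Review bot: the new `ms.date` in this hunk is `07/08/2023`, which moves the page's date backwards from the old `08/01/2023`, while every other file in this commit gets `07/08/2024`; this looks like a year typo and should be `07/08/2024`.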
@ -1,7 +1,7 @@
---
title: Exclude a device
description: This article explains how to exclude a device from the Windows Autopatch service
ms.date: 08/08/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -1,7 +1,7 @@
---
title: Software update management for Autopatch groups
description: This article provides an overview of how updates are handled with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: overview
@ -1,7 +1,7 @@
---
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
ms.date: 08/22/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -1,7 +1,7 @@
---
title: Manage Windows feature update releases
description: This article explains how you can manage Windows feature updates with Autopatch groups
ms.date: 07/25/2023
ms.date: 07/08/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: policy health and remediation
|
||||
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
|
||||
ms.date: 07/25/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
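Review bot: since this hunk only bumps `ms.date`, it is a good opportunity to fix two wording issues visible in the context lines of the same front matter: the title `policy health and remediation` is the only lowercase title in the set and should be `Policy health and remediation`, and the description `Describes what Autopatch does it detects policies...` is missing a word and should read `Describes what Autopatch does when it detects policies in the tenant are either missing or modified to states that affect the service`.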
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Unenroll your tenant
|
||||
description: This article explains what unenrollment means for your organization and what actions you must take.
|
||||
ms.date: 08/08/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows feature updates overview
|
||||
description: This article explains how Windows feature updates are managed with Autopatch groups
|
||||
ms.date: 07/25/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Feature update status report
|
||||
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
|
||||
ms.date: 07/25/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Feature update trending report
|
||||
description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
|
||||
ms.date: 07/25/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows quality update communications for Autopatch groups
|
||||
description: This article explains Windows quality update communications for Autopatch groups
|
||||
ms.date: 07/25/2023
|
||||
title: Windows quality update communications
|
||||
description: This article explains Windows quality update communications
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows quality update end user experience for Autopatch groups
|
||||
description: This article explains the Windows quality update end user experience using the Autopatch groups exp
|
||||
ms.date: 07/25/2023
|
||||
title: Windows quality update end user experience
|
||||
description: This article explains the Windows quality update end user experience
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows quality updates overview with Autopatch groups experience
|
||||
description: This article explains how Windows quality updates are managed with Autopatch groups
|
||||
description: This article explains how Windows quality updates are managed with Autopatch
|
||||
ms.date: 05/24/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
|
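Review bot: this hunk rewrites the `description` (dropping `with Autopatch groups`) but leaves `ms.date: 05/24/2024` untouched, whereas the sibling Autopatch articles edited in this commit all get `ms.date: 07/08/2024`; bump the date here too so the front matter reflects that the content changed.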
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows quality update release signals with Autopatch groups
|
||||
description: This article explains the Windows quality update release signals with Autopatch groups
|
||||
ms.date: 07/25/2023
|
||||
title: Windows quality update release signals
|
||||
description: This article explains the Windows quality update release signals
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Quality update status report
|
||||
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
|
||||
ms.date: 07/25/2023
|
||||
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows quality update summary dashboard
|
||||
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
|
||||
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch
|
||||
ms.date: 01/22/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
|
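Review bot: same metadata inconsistency as the quality updates overview: the `description` changes in this hunk but `ms.date: 01/22/2024` is kept, while the other files in the commit move to `07/08/2024`; update the date alongside the description change.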
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Quality update trending report
|
||||
description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
|
||||
ms.date: 09/01/2023
|
||||
description: Provides a visual representation of the update status trend for all devices over the last 90 days.
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows Autopatch deployment guide
|
||||
description: This guide explains how to successfully deploy Windows Autopatch in your environment
|
||||
ms.date: 08/24/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -4,7 +4,7 @@ metadata:
|
||||
description: Answers to frequently asked questions about Windows Autopatch.
|
||||
ms.service: windows-client
|
||||
ms.topic: faq
|
||||
ms.date: 12/04/2023
|
||||
ms.date: 07/08/2024
|
||||
audience: itpro
|
||||
ms.localizationpriority: medium
|
||||
manager: aaroncz
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: What is Windows Autopatch?
|
||||
description: Details what the service is and shortcuts to articles.
|
||||
ms.date: 08/08/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Privacy
|
||||
description: This article provides details about the data platform and privacy compliance for Autopatch
|
||||
ms.date: 09/13/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: reference
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Roles and responsibilities
|
||||
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
|
||||
ms.date: 08/31/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Configure your network
|
||||
description: This article details the network configurations needed for Windows Autopatch
|
||||
ms.date: 09/15/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Enroll your tenant
|
||||
description: This article details how to enroll your tenant
|
||||
ms.date: 09/15/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Submit a tenant enrollment support request
|
||||
description: This article details how to submit a tenant enrollment support request
|
||||
ms.date: 09/13/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Fix issues found by the Readiness assessment tool
|
||||
description: This article details how to fix issues found by the Readiness assessment tool.
|
||||
ms.date: 09/12/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: how-to
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Conflicting configurations
|
||||
description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service.
|
||||
ms.date: 09/05/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
|
||||
description: This article explains how driver and firmware updates are managed in Autopatch
|
||||
ms.date: 06/26/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Microsoft 365 Apps for enterprise update policies
|
||||
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
|
||||
ms.date: 06/23/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Windows update policies
|
||||
description: This article explains Windows update policies in Windows Autopatch
|
||||
ms.date: 09/02/2023
|
||||
ms.date: 07/08/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-updates
|
||||
ms.topic: conceptual
|
||||
|
@ -135,7 +135,7 @@ With Windows Enterprise or Education editions, an organization can benefit from
|
||||
|
||||
To compare Windows editions and review pricing, see the following sites:
|
||||
|
||||
- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro) <!-- Leaving in language reference in URL because URL without it doesn't redirect properly>
|
||||
- [Compare Windows editions](https://www.microsoft.com/en-us/windows/business/windows-10-pro-vs-windows-11-pro) <!-- Leaving in language reference in URL because URL without it doesn't redirect properly-->
|
||||
- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing)
|
||||
|
||||
Benefits of moving to Windows as an online service include:
|
||||
|
@ -197,4 +197,4 @@ additionalContent:
|
||||
- text: Microsoft Intune community
|
||||
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
|
||||
- text: Microsoft Support community
|
||||
url: https://answers.microsoft.com/windows/forum
|
||||
url: https://answers.microsoft.com/
|
||||
|
@ -37,7 +37,7 @@ Use the following instructions to configure your devices using either Microsoft
|
||||
|
||||
Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
|
||||
|
||||
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
|
||||
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.
|
||||
|
||||
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
|
||||
|
||||
@ -135,6 +135,6 @@ To better understand the authentication flows, review the following sequence dia
|
||||
|
||||
<!--links-->
|
||||
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-configure
|
||||
|
@ -34,7 +34,7 @@ ms.topic: tutorial
|
||||
|
||||
## Federated authentication to Microsoft Entra ID
|
||||
|
||||
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Azure registered devices.
|
||||
Windows Hello for Business hybrid certificate trust requires Active Directory to be federated with Microsoft Entra ID using AD FS. You must also configure the AD FS farm to support Microsoft Entra registered devices.
|
||||
|
||||
If you're new to AD FS and federation services:
|
||||
|
||||
@ -82,9 +82,9 @@ During Windows Hello for Business provisioning, users receive a sign-in certific
|
||||
> [Next: configure and validate the Public Key Infrastructure >](hybrid-cert-trust-pki.md)
|
||||
|
||||
<!--links-->
|
||||
[AZ-8]: /azure/active-directory/devices/hybrid-azuread-join-plan
|
||||
[AZ-10]: /azure/active-directory/devices/howto-hybrid-azure-ad-join#federated-domains
|
||||
[AZ-11]: /azure/active-directory/devices/hybrid-azuread-join-manual
|
||||
[AZ-8]: /entra/identity/devices/hybrid-join-plan
|
||||
[AZ-10]: /entra/identity/devices/how-to-hybrid-join#federated-domains
|
||||
[AZ-11]: /entra/identity/devices/hybrid-join-manual
|
||||
|
||||
[SER-2]: /windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm
|
||||
[SER-3]: /windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts
|
||||
|
@ -202,7 +202,7 @@ The following scenarios aren't supported using Windows Hello for Business cloud
|
||||
|
||||
<!--Links-->
|
||||
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[ENTRA-1]: /entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-configure
|
||||
|
@ -108,7 +108,7 @@ To better understand the authentication flows, review the following sequence dia
|
||||
- [Microsoft Entra join authentication to Active Directory using a key](../how-it-works-authentication.md#microsoft-entra-join-authentication-to-active-directory-using-a-key)
|
||||
|
||||
<!--links-->
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-5]: /azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler
|
||||
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-5]: /entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[MEM-1]: /mem/intune/configuration/custom-settings-configure
|
||||
|
@ -146,7 +146,9 @@ The goal of Windows Hello for Business is to move organizations away from passwo
|
||||
- On-premises deployments must use a multifactor option that can integrate as an AD FS multifactor adapter. Organizations can choose from non-Microsoft options that offer an AD FS MFA adapter. For more information, see [Microsoft and non-Microsoft additional authentication methods][SER-2]
|
||||
|
||||
> [!IMPORTANT]
|
||||
> As of July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication. Existing deployment where the MFA Server was activated prior to July 1, 2019 can download the latest version, future updates, and generate activation credentials. For more information, see [Getting started with the Azure Multi-Factor Authentication Server][ENTRA-2].
|
||||
> Beginning July 1, 2019, Microsoft doesn't offer MFA Server for new deployments. New deployments that require multifactor authentication should use cloud-based Microsoft Entra multifactor authentication.
|
||||
>
|
||||
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
|
||||
|
||||
|| Deployment model | MFA options |
|
||||
|--|--|--|
|
||||
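Review bot: the new line `>Beginning September 30, 2024, ...` has no space after the `>` blockquote marker, while the line just above it (`> Beginning July 1, 2019, ...`) does; use `> Beginning September 30, 2024` for consistency. Also, this exact `[!IMPORTANT]` paragraph is pasted verbatim into three places in the same file (after the MFA list here, after the directory synchronization table, and after the licensing table); since the repo already uses `[!INCLUDE ...]` snippets (see `includes/configure/gpo-settings-1.md` elsewhere in this commit), consider moving the retirement notice into an include so the September 30, 2024 date only has to be maintained once.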
@ -159,7 +161,6 @@ The goal of Windows Hello for Business is to move organizations away from passwo
|
||||
For more information:
|
||||
|
||||
- [Configure Microsoft Entra multifactor authentication settings][ENTRA-4]
|
||||
- [Configure Azure MFA as authentication provider with AD FS][SER-1]
|
||||
- [Manage an external authentication method in Microsoft Entra ID][ENTRA-11]
|
||||
|
||||
#### MFA and federated authentication
|
||||
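Review bot: this hunk removes the list item `- [Configure Azure MFA as authentication provider with AD FS][SER-1]`, but the later hunk in the same file keeps the `[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa` link definition, whereas the `[ENTRA-2]` definition was removed together with its last reference; if no other `[SER-1]` reference remains in the file, drop the definition as well to avoid an orphaned link reference.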
@ -205,6 +206,9 @@ Hybrid and on-premises deployments use directory synchronization, however, each
|
||||
| **Hybrid** | Microsoft Entra Connect Sync|
|
||||
| **On-premises** | Azure MFA server |
|
||||
|
||||
> [!IMPORTANT]
|
||||
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
|
||||
|
||||
## Device configuration options
|
||||
|
||||
Windows Hello for Business provides a rich set of granular policy settings. There are two main options to configure Windows Hello for Business: configuration service provider (CSP) and group policy (GPO).
|
||||
@ -240,6 +244,9 @@ Here are some considerations regarding licensing requirements for cloud services
|
||||
| **🔲** | **On-premises** | Key | Azure MFA, if used as MFA solution |
|
||||
| **🔲** | **On-premises** | Certificate | Azure MFA, if used as MFA solution |
|
||||
|
||||
> [!IMPORTANT]
|
||||
>Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service MFA requests. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](/entra/identity/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication) to the cloud-based Azure MFA.
|
||||
|
||||
## Operating System requirements
|
||||
|
||||
### Windows requirements
|
||||
@ -291,7 +298,6 @@ Now that you've read about the different deployment options and requirements, yo
|
||||
<!--links-->
|
||||
|
||||
[ENTRA-1]: /entra/identity/authentication/concept-mfa-howitworks
|
||||
[ENTRA-2]: /entra/identity/authentication/howto-mfaserver-deploy
|
||||
[ENTRA-3]: /entra/identity/hybrid/connect/how-to-connect-sync-whatis
|
||||
[ENTRA-4]: /entra/identity/authentication/howto-mfa-mfasettings
|
||||
[ENTRA-5]: /entra/identity/devices/hybrid-join-plan
|
||||
@ -302,7 +308,6 @@ Now that you've read about the different deployment options and requirements, yo
|
||||
[ENTRA-10]: /entra/identity/hybrid/connect/whatis-fed
|
||||
[ENTRA-11]: /entra/identity/authentication/how-to-authentication-external-method-manage
|
||||
|
||||
[SER-1]: /windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
|
||||
[SER-2]: /windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods
|
||||
|
||||
[KB-1]: https://support.microsoft.com/topic/5010415
|
||||
|
@ -37,7 +37,7 @@ Follow the instructions below to configure your devices using either Microsoft I
|
||||
|
||||
Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business *authentication certificate* template.
|
||||
|
||||
The process requires no user interaction, provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
|
||||
The process requires no user interaction, provided the user signs in using Windows Hello for Business. The certificate is renewed in the background before it expires.
|
||||
|
||||
[!INCLUDE [gpo-settings-1](../../../../../includes/configure/gpo-settings-1.md)]
|
||||
|
||||
@ -86,4 +86,4 @@ To better understand the provisioning flows, review the following sequence diagr
|
||||
- [Provisioning in an on-premises certificate trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-certificate-trust-deployment-model)
|
||||
|
||||
<!--links-->
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
|
@ -62,4 +62,4 @@ To better understand the provisioning flows, review the following sequence diagr
|
||||
|
||||
- [Provisioning in an on-premises key trust deployment model](../how-it-works-provisioning.md#provisioning-in-an-on-premises-key-trust-deployment-model)
|
||||
|
||||
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
|
||||
[AZ-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
|
@ -150,7 +150,7 @@ sections:
|
||||
|
||||
It's possible to Microsoft Entra register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
|
||||
|
||||
For more information, see [Microsoft Entra registered devices](/azure/active-directory/devices/concept-azure-ad-register).
|
||||
For more information, see [Microsoft Entra registered devices](/entra/identity/devices/concept-device-registration).
|
||||
- question: Does Windows Hello for Business work with non-Windows operating systems?
|
||||
answer: |
|
||||
Windows Hello for Business is a feature of the Windows platform.
|
||||
@ -162,7 +162,7 @@ sections:
|
||||
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
|
||||
|
||||
> [!NOTE]
|
||||
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
|
||||
> The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/entra/identity/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
|
||||
- question: Which is a better or more secure for of authentication, key or certificate?
|
||||
answer: |
|
||||
Both types of authentication provide the same security; one is not more secure than the other.
|
||||
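Review bot: the context line `- question: Which is a better or more secure for of authentication, key or certificate?` has a typo (`for` should be `form`); since this hunk already touches the adjacent note, fixing `form of authentication` here would be cheap.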
@ -203,7 +203,7 @@ sections:
|
||||
questions:
|
||||
- question: What is Windows Hello for Business cloud Kerberos trust?
|
||||
answer: |
|
||||
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
|
||||
Windows Hello for Business *cloud Kerberos trust* is a *trust model* that enables Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Microsoft Entra hybrid joined devices and on-premises resource access on Microsoft Entra joined devices](/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [cloud Kerberos trust deployment](/windows/security/identity-protection/hello-for-business/deploy).
|
||||
- question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment?
|
||||
answer: |
|
||||
This feature doesn't work in a pure on-premises AD domain services environment.
|
||||
@ -213,7 +213,7 @@ sections:
|
||||
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
|
||||
answer: |
|
||||
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
|
||||
- a user signs-in for the first time or unlocks with Windows Hello for Business after provisioning
|
||||
- a user signs in for the first time or unlocks with Windows Hello for Business after provisioning
|
||||
- attempting to access on-premises resources secured by Active Directory
|
||||
- question: Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?
|
||||
answer: |
|
||||
|
@ -15,7 +15,7 @@ PIN reset on Microsoft Entra joined devices uses a flow called *web sign-in* to
|
||||
|
||||
### Identify PIN Reset allowed domains issue
|
||||
|
||||
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
|
||||
The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Microsoft Entra join devices. Typically, the UI displays an authentication page, where the user authenticates using Microsoft Entra credentials and completes MFA.
|
||||
|
||||
In federated environments, authentication may be configured to route to AD FS or a non-Microsoft identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist.
|
||||
|
||||
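Review bot: the changed line still says `the PIN experience on Microsoft Entra join devices`; the established term used elsewhere in this commit (and in the article's own heading `Configure allowed URLs for federated identity providers on Microsoft Entra joined devices`) is `Microsoft Entra joined devices`, so change `join` to `joined` while this sentence is being edited.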
@ -23,7 +23,7 @@ If you're a customer of *Azure US Government* cloud, PIN reset also attempts to
|
||||
|
||||
### Resolve PIN Reset allowed domains issue
|
||||
|
||||
To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-azure-ad-joined-devices).
|
||||
To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [Configure allowed URLs for federated identity providers on Microsoft Entra joined devices](hello-feature-pin-reset.md#configure-allowed-urls-for-federated-identity-providers-on-microsoft-entra-joined-devices).
|
||||
|
||||
## Hybrid key trust sign in broken due to user public key deletion
|
||||
|
||||
|
@ -40,7 +40,7 @@ If the error occurs again, check the error code against the following table to s
|
||||
| 0x80090035 | Policy requires TPM and the device doesn't have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
|
||||
| 0x80090036 | User canceled an interactive dialog. | User is asked to try again. |
|
||||
| 0x801C0003 | User isn't authorized to enroll. | Check if the user has permission to perform the operation. |
|
||||
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
|
||||
| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/entra/identity/devices/manage-device-identities). |
|
||||
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
|
||||
| 0x801C0010 | The AIK certificate isn't valid or trusted. | Sign out and then sign in again. |
|
||||
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
|
||||
@ -53,7 +53,7 @@ If the error occurs again, check the error code against the following table to s
|
||||
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
|
||||
| 0x801C03EB | Server response http status isn't valid | Sign out and then sign in again. |
|
||||
| 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. |
|
||||
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
|
||||
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but wasn't performed. <br><br> -or- <br><br> Token wasn't found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User doesn't have permissions to join to Microsoft Entra ID. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Microsoft Entra ID and rejoin. <br> Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings. |
|
||||
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
|
||||
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
|
||||
| 0x801C03F2 | Windows Hello key registration failed. | ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Microsoft Entra ID and the Primary SMTP address are the same in the proxy address. |
|
||||
|
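Review bot: the 0x801C03ED row now says "Microsoft Entra ID" instead of "Azure AD", but the 0x801C03EC row two rows above still starts its remediation with a lowercase "sign out and then sign in again." while every other row uses "Sign out"; fix the capitalization in the same pass since the table is already being touched. In the updated 0x801C03ED row the second remediation ("Allow user(s) to join to Microsoft Entra ID under Microsoft Entra Device settings.") only applies to the last listed cause ("User doesn't have permissions to join"); consider prefixing it with that condition so readers don't apply it to the MFA or token causes.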
@ -71,7 +71,7 @@ Sign-in to computer running Microsoft Entra Connect with access equivalent to *l
|
||||
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
|
||||
|
||||
1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
|
||||
1. Select **Sign in to Graph Explorer** and provide Azure credentials
|
||||
1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
|
||||
|
||||
> [!NOTE]
|
||||
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
|
||||
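Review bot: the context line above the changed step still misspells the attribute as "onPremisesDistingushedNamne"; the Microsoft Graph user property is `onPremisesDistinguishedName`, and since this hunk is already editing the step list the typo should be fixed here. The NOTE's link target `/graph/api/user-get?` also carries a stray trailing `?` that should be dropped.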
@ -487,7 +487,7 @@ Certificate enrollment for Microsoft Entra joined devices occurs over the Intern
|
||||
|
||||
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Microsoft Entra Application Proxies.
|
||||
|
||||
Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
|
||||
Microsoft Entra Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/entra/identity/app-proxy/#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Microsoft Entra Application Proxies. You can create connector groups in Microsoft Entra ID to assign specific connectors to service specific applications.
|
||||
|
||||
Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Microsoft Entra application proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
|
||||
|
||||
|
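Review bot: the last paragraph in this hunk is ungrammatical: "Connector group automatically round-robin, load balance the Microsoft Entra application proxy requests" should read "Connector groups automatically round-robin load balance the Microsoft Entra application proxy requests". In the updated paragraph, "make authenticated secure outbound connection to Azure" needs the plural "connections", and "domain joined devices" should be hyphenated as "domain-joined devices" to match "Microsoft Entra joined" usage elsewhere in the file.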
@ -49,7 +49,7 @@ To register the applications, follow these steps:
|
||||
|
||||
:::row:::
|
||||
:::column span="3":::
|
||||
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
|
||||
1. Go to the [Microsoft PIN Reset Service Production website][APP-1], and sign in as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Service Production* application and select **Accept** to give consent to the application to access your organization
|
||||
:::column-end:::
|
||||
:::column span="1":::
|
||||
:::image type="content" alt-text="Screenshot showing the PIN reset service permissions page." source="images/pin-reset/pin-reset-service-prompt.png" lightbox="images/pin-reset/pin-reset-service-prompt.png" border="true":::
|
||||
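Review bot: the updated step 1 still ends without a terminating period ("to give consent to the application to access your organization") while the matching step 2 in the next hunk ends with one; make the two steps consistent. The application is named "*Microsoft Pin Reset Service Production*" in italics but "Microsoft PIN Reset Service Production" in the link text on the same line; pick one spelling of "PIN" for the application name.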
@ -57,7 +57,7 @@ To register the applications, follow these steps:
|
||||
:::row-end:::
|
||||
:::row:::
|
||||
:::column span="3":::
|
||||
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator). Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
|
||||
2. Go to the [Microsoft PIN Reset Client Production website][APP-2], and sign as at least an [Application Administrator][ENT-2]. Review the permissions requested by the *Microsoft Pin Reset Client Production* application, and select **Next**.
|
||||
:::column-end:::
|
||||
:::column span="1":::
|
||||
:::image type="content" alt-text="Screenshot showing the PIN reset client permissions page." source="images/pin-reset/pin-reset-client-prompt.png" lightbox="images/pin-reset/pin-reset-client-prompt.png" border="true":::
|
||||
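Review bot: the changed step 2 carries over a wording bug from the old line: "and sign as at least an [Application Administrator][ENT-2]" is missing the verb particle and should read "and sign in as at least an [Application Administrator][ENT-2]", matching step 1.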
@ -76,7 +76,7 @@ To register the applications, follow these steps:
|
||||
|
||||
### Confirm that the two PIN Reset service principals are registered in your tenant
|
||||
|
||||
1. Sign in to the [Microsoft Entra Manager admin center](https://entra.microsoft.com)
|
||||
1. Sign in to the [Microsoft Entra Manager admin center][ENTRA]
|
||||
1. Select **Microsoft Entra ID > Applications > Enterprise applications**
|
||||
1. Search by application name "Microsoft PIN" and verify that both **Microsoft Pin Reset Service Production** and **Microsoft Pin Reset Client Production** are in the list
|
||||
:::image type="content" alt-text="PIN reset service permissions page." source="images/pin-reset/pin-reset-applications.png" lightbox="images/pin-reset/pin-reset-applications-expanded.png":::
|
||||
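Review bot: the updated step 1 keeps the product name "Microsoft Entra Manager admin center"; the portal at entra.microsoft.com (now referenced as [ENTRA]) is the "Microsoft Entra admin center", so "Manager" looks like a leftover typo and should be removed while this line is being edited.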
@ -103,7 +103,7 @@ The following instructions provide details how to configure your devices. Select
|
||||
>[!NOTE]
|
||||
> You can also configure PIN recovery from the **Endpoint security** blade:
|
||||
>
|
||||
> 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
|
||||
> 1. Sign in to the [Microsoft Intune admin center][INTUNE]
|
||||
> 1. Select **Endpoint security > Account protection > Create Policy**
|
||||
|
||||
Alternatively, you can configure devices using a [custom policy][INT-1] with the [PassportForWork CSP][CSP-1].
|
||||
@ -113,7 +113,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
|
||||
| `./Vendor/MSFT/Policy/PassportForWork/`*TenantId*`/Policies/EnablePinRecovery`| Boolean | True |
|
||||
|
||||
>[!NOTE]
|
||||
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
|
||||
> You must replace `TenantId` with the identifier of your Microsoft Entra tenant. To look up your Tenant ID, see [How to find your Microsoft Entra tenant ID][ENT-3] or try the following, ensuring to sign-in with your organization's account::
|
||||
|
||||
```msgraph-interactive
|
||||
GET https://graph.microsoft.com/v1.0/organization?$select=id
|
||||
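Review bot: the changed NOTE line still ends with a doubled colon ("your organization's account::") and uses "ensuring to sign-in" (the hyphenated form is the noun; the verb is "sign in"); suggest "or run the following query, making sure to sign in with your organization's account:".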
@ -133,7 +133,7 @@ GET https://graph.microsoft.com/v1.0/organization?$select=id
|
||||
|
||||
#### Confirm that PIN Recovery policy is enforced on the devices
|
||||
|
||||
The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
|
||||
The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**][ENT-4] from the command line. This state can be found under the output in the user state section as the **CanReset** line item. If **CanReset** reports as DestructiveOnly, then only destructive PIN reset is enabled. If **CanReset** reports DestructiveAndNonDestructive, then nondestructive PIN reset is enabled.
|
||||
|
||||
**Sample User state Output for Destructive PIN Reset**
|
||||
|
||||
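Review bot: in the updated dsregcmd paragraph, DestructiveOnly and DestructiveAndNonDestructive are literal values printed by `dsregcmd /status`, so they should be set in code font (`DestructiveOnly`, `DestructiveAndNonDestructive`) rather than plain text, consistent with **CanReset** being marked up as the output field name.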
@ -233,12 +233,18 @@ For Microsoft Entra hybrid joined devices:
|
||||
> [!NOTE]
|
||||
> Key trust on Microsoft Entra hybrid joined devices doesn't support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
|
||||
|
||||
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
|
||||
You may find that PIN reset from Settings only works post sign in. Also, the lock screen PIN reset function doesn't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Microsoft Entra self-service password reset at the Windows sign-in screen][ENT-1].
|
||||
|
||||
<!--links-->
|
||||
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
|
||||
[INT-1]: /mem/intune/configuration/settings-catalog
|
||||
[APP-1]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent
|
||||
[APP-2]: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent
|
||||
[CSP-1]: /windows/client-management/mdm/passportforwork-csp
|
||||
[CSP-2]: /windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls
|
||||
[ENT-1]: /entra/identity/authentication/howto-sspr-windows#general-limitations
|
||||
[ENT-2]: /entra/identity/role-based-access-control/permissions-reference#application-administrator
|
||||
[ENT-3]: /entra/fundamentals/how-to-find-tenant
|
||||
[ENT-4]: /entra/identity/devices/troubleshoot-device-dsregcmd
|
||||
[ENTRA]: https://entra.microsoft.com
|
||||
[INT-1]: /mem/intune/configuration/settings-catalog
|
||||
[INTUNE]: https://go.microsoft.com/fwlink/?linkid=2109431
|
||||
|
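Review bot: the updated paragraph writes "post sign in" where "after sign-in" is clearer, and the NOTE above it uses "non-destructive PIN reset" while the dsregcmd paragraph in the previous hunk uses "nondestructive"; pick one spelling for the file. The reordered link block is otherwise fine: [CSP-1], [CSP-2] and [INT-1] are only moved, and the six new definitions ([ENT-1] to [ENT-4], [ENTRA], [INTUNE]) account for the +6 lines in the hunk header.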
@ -14,7 +14,7 @@ Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
|
||||
|
||||
## What does this mean?
|
||||
|
||||
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to implement passwordless multi-factor authentication for their applications on Windows devices.
|
||||
By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.md) or [FIDO2 Security Keys][ENT-1] to implement passwordless multi-factor authentication for their applications on Windows devices.
|
||||
|
||||
Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use.
|
||||
|
||||
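Review bot: the changed line keeps the link text "FIDO2 Security Keys" but the new [ENT-1] definition at the bottom of this file points at `/entra/identity/authentication/how-to-enable-passkey-fido2`, a passkey enablement page rather than the security-key page the old URL named; either confirm the new target is the intended replacement or adjust the link text so it matches what the reader lands on.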
@ -69,7 +69,7 @@ FIDO2 authenticators have already been implemented and WebAuthn relying parties
|
||||
- Keys for multiple accounts (keys can be stored per relying party)
|
||||
- Client PIN
|
||||
- Location (the authenticator returns a location)
|
||||
- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
|
||||
- [Hash-based Message Authentication Code (HMAC)-secret][NET-1] (enables offline scenarios)
|
||||
|
||||
The following options might be useful in the future, but haven't been observed in the wild yet:
|
||||
|
||||
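Review bot: converting the HMAC link to [NET-1] preserves a mismatch: the list item describes the CTAP2 `hmac-secret` authenticator extension, but `/dotnet/api/system.security.cryptography.hmac` is the .NET HMAC class reference, which tells a reader nothing about the extension or its offline use case. The CTAP specification is already defined in this file as [EXT-4]; linking the item there (or dropping the link) would be more accurate.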
@ -100,15 +100,26 @@ Here's an approximate layout of where the Microsoft bits go:
|
||||
- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
|
||||
|
||||
> [!NOTE]
|
||||
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
|
||||
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation][EDGE-1].
|
||||
|
||||
- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
|
||||
|
||||
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
|
||||
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products][EXT-1]. The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
|
||||
|
||||
## Developer references
|
||||
|
||||
The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
|
||||
The WebAuthn APIs are documented in the [Microsoft/webauthn][EXT-2] GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
|
||||
|
||||
- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
|
||||
- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
|
||||
- [Web Authentication: An API for accessing Public Key Credentials][EXT-3] (available on the W3C site). This document is known as the WebAuthn spec.
|
||||
- [Client to Authenticator Protocol (CTAP)][EXT-4]. This document is available at the [FIDO Alliance][EXT-5] site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
|
||||
|
||||
<!--links-->
|
||||
|
||||
[ENT-1]: /entra/identity/authentication/how-to-enable-passkey-fido2
|
||||
[NET-1]: /dotnet/api/system.security.cryptography.hmac
|
||||
[EDGE-1]: /microsoft-edge/dev-guide/windows-integration/web-authentication
|
||||
[EXT-1]: https://fidoalliance.org/certification/fido-certified-products/
|
||||
[EXT-2]: https://github.com/Microsoft/webauthn
|
||||
[EXT-3]: https://www.w3.org/TR/webauthn/
|
||||
[EXT-4]: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html
|
||||
[EXT-5]: http://fidoalliance.org
|
||||
|
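Review bot: the new [EXT-5] definition uses plain `http://fidoalliance.org` while [EXT-1] and [EXT-4] in the same block use https; use `https://fidoalliance.org/` so the reference is not served over an unencrypted scheme. In the updated "Roaming Authenticators" bullet, "The reason is because" should be "The reason is that".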
@ -610,7 +610,37 @@ Once decryption is complete, the drive updates its status in the Control Panel a
|
||||
|
||||
---
|
||||
|
||||
## Unlock a drive
|
||||
|
||||
If you connect a drive as a secondary drive to a device, and you have your BitLocker recovery key, you can unlock a BitLocker-enabled drive by using the following instructions.
|
||||
|
||||
In the next example, the `D` drive is the one to unlock. Select the option that best suits your needs.
|
||||
|
||||
#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
|
||||
|
||||
```powershell
|
||||
Unlock-BitLocker -MountPoint D -RecoveryPassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
|
||||
```
|
||||
|
||||
For more information, see [Unlock-BitLocker][PS-2]
|
||||
|
||||
#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
|
||||
|
||||
```cmd
|
||||
manage-bde.exe -unlock D: -recoverypassword xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
|
||||
```
|
||||
|
||||
For more information, see [manage-bde unlock][WINS-1]
|
||||
|
||||
#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
|
||||
|
||||
You can unlock the drive from the Control Panel or from Explorer. After opening the BitLocker Control Panel applet, select the **Unlock drive** option to begin the process. When prompted, enter the 48-digit recovery key.
|
||||
|
||||
---
|
||||
|
||||
<!--links-->
|
||||
|
||||
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)
|
||||
[PS-1]: /powershell/module/bitlocker
|
||||
[PS-2]: /powershell/module/bitlocker/unlock-bitlocker
|
||||
[WINS-1]: /windows-server/administration/windows-commands/manage-bde-unlock
|
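Review bot: the two tabs in the new "Unlock a drive" section are inconsistent about the drive identifier: the PowerShell example passes `-MountPoint D` while the Command Prompt example passes `D:`; use the same form in both (the Control Panel text also refers to the "D drive"). Since both examples put the 48-digit recovery password on the command line, consider a short note that the value is retained in shell history and in process command-line auditing, so the recovery password should be treated as exposed and rotated after the drive is unlocked.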
@ -2,7 +2,7 @@
|
||||
title: BitLocker recovery process
|
||||
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
|
||||
ms.topic: how-to
|
||||
ms.date: 06/18/2024
|
||||
ms.date: 07/08/2024
|
||||
---
|
||||
|
||||
# BitLocker recovery process
|
||||
@ -26,6 +26,13 @@ A recovery key can't be stored in any of the following locations:
|
||||
- The root directory of a nonremovable drive
|
||||
- An encrypted volume
|
||||
|
||||
### Self-recovery with recovery password
|
||||
|
||||
If you have access to the recovery key, enter the 48-digits in the preboot recovery screen.
|
||||
|
||||
- If you are having issues entering the recovery password in the preboot recovery screen, or you can no longer boot your device, you can connect the drive to another device as a secondary drive. For more information about the unlock process, see [Unlock a drive](operations-guide.md#unlock-a-drive)
|
||||
- If unlocking with recovery password doesn't work you can use the [BitLocker Repair tool](#bitlocker-repair-tool) to regain access yo your drive
|
||||
|
||||
### Self-recovery in Microsoft Entra ID
|
||||
|
||||
If BitLocker recovery keys are stored in Microsoft Entra ID, users can access them using the following URL: https://myaccount.microsoft.com. From the **Devices** tab, users can select a Windows device that they own, and select the option **View BitLocker Keys**.
|
||||
|
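Review bot: the second bullet in the new "Self-recovery with recovery password" section has a typo, "regain access yo your drive" should be "regain access to your drive". The section heading says "recovery password" while its first sentence says "If you have access to the recovery key, enter the 48-digits"; the 48-digit value is the recovery password, so use that term consistently and write "enter the 48-digit recovery password". The first bullet could also use the contraction "If you're having issues" to match the docset's voice.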
@ -18,14 +18,25 @@
|
||||
- name: What's new in Windows 11, version 22H2
|
||||
href: whats-new-windows-11-version-22h2.md
|
||||
- name: Windows 10
|
||||
expanded: true
|
||||
expanded: false
|
||||
items:
|
||||
- name: Extended Security Updates (ESU) program for Windows 10
|
||||
href: extended-security-updates.md
|
||||
- name: What's new in Windows 10, version 22H2
|
||||
href: whats-new-windows-10-version-22H2.md
|
||||
- name: What's new in Windows 10, version 21H2
|
||||
href: whats-new-windows-10-version-21H2.md
|
||||
- name: Windows 10 Enterprise LTSC
|
||||
expanded: false
|
||||
items:
|
||||
- name: Windows 10 Enterprise LTSC overview
|
||||
href: ltsc/overview.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2021
|
||||
href: ltsc/whats-new-windows-10-2021.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2019
|
||||
href: ltsc/whats-new-windows-10-2019.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2016
|
||||
href: ltsc/whats-new-windows-10-2016.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2015
|
||||
href: ltsc/whats-new-windows-10-2015.md
|
||||
- name: Windows commercial licensing overview
|
||||
href: windows-licensing.md
|
||||
- name: Deprecated and removed Windows features
|
||||
|
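Review bot: the moved Windows 10 entries keep upper-case href targets (`whats-new-windows-10-version-22H2.md`, `whats-new-windows-10-version-21H2.md`) while index.yml in this same change links the same pages as `whats-new-windows-10-version-22h2.md` and `whats-new-windows-10-version-21h2.md`; on a case-sensitive build host only one spelling resolves, so align the casing with the actual file names. Flipping `expanded: true` to `false` for the Windows 10 node is fine, but note the new LTSC sub-node is also `expanded: false`, so all five LTSC pages are now two levels deep and collapsed by default.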
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Deprecated features in the Windows client
|
||||
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
|
||||
ms.date: 06/11/2024
|
||||
ms.date: 07/09/2024
|
||||
ms.service: windows-client
|
||||
ms.subservice: itpro-fundamentals
|
||||
ms.localizationpriority: medium
|
||||
@ -54,7 +54,7 @@ The features in this article are no longer being actively developed, and might b
|
||||
| TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits <!--8644149-->| Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows. </br></br> TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024|
|
||||
| Test Base <!--8790681--> | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 |
|
||||
| Windows Mixed Reality <!--8412877--> | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.</br> </br>This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 |
|
||||
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. </br></br> **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
|
||||
| Microsoft Defender Application Guard for Edge <!--8591267-->| [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. </br></br> **[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated Windows Store app will not be available after May 2024. This affects the following browsers: *Application Guard Extension - Chrome* and *Application Guard Extension - Firefox*. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). <!--8932292-->| December 2023 |
|
||||
| Legacy console mode <!-- 8577271 -->| The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 |
|
||||
| Windows speech recognition <!--8396142-->| [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
|
||||
| Microsoft Defender Application Guard for Office <!--8396036-->| [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
|
||||
|
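Review bot: the updated Application Guard for Edge row removes the store and extension links because they are gone, but the wording still says the app and extensions "will not be available after May 2024"; with `ms.date` set to 07/09/2024 in this same change, that date has passed, so the sentence should read in the past tense ("are no longer available as of May 2024"). The same row keeps "there will not be a migration" and "Please download"; the docset style uses contractions ("there won't be") and avoids "please".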
@ -49,7 +49,6 @@
|
||||
"folder_relative_path_in_docset": "./"
|
||||
}
|
||||
},
|
||||
"titleSuffix": "What's new in Windows",
|
||||
"contributors_to_exclude": [
|
||||
"dstrome2",
|
||||
"rjagiewich",
|
||||
|
@ -15,11 +15,13 @@ metadata:
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
manager: aaroncz
|
||||
ms.date: 10/31/2023
|
||||
ms.date: 07/01/2024
|
||||
localization_priority: medium
|
||||
|
||||
landingContent:
|
||||
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
|
||||
|
||||
- title: Windows 11 planning
|
||||
linkLists:
|
||||
- linkListType: overview
|
||||
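Review bot: the new comment listing valid `linkListType` values includes "tutorial" twice ("... how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video ..."); drop the duplicate so the comment is a clean reference list.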
@ -52,9 +54,32 @@ landingContent:
|
||||
url: extended-security-updates.md
|
||||
- text: What's new in Windows 10, version 22H2
|
||||
url: whats-new-windows-10-version-22h2.md
|
||||
- text: What's new in Windows 10, version 21H2
|
||||
url: whats-new-windows-10-version-21h2.md
|
||||
|
||||
- title: Windows 10 Enterprise LTSC
|
||||
linkLists:
|
||||
- linkListType: whats-new
|
||||
links:
|
||||
- text: Windows 10 Enterprise LTSC overview
|
||||
url: ltsc/overview.md
|
||||
- text: What's new in Windows 10 Enterprise LTSC 2021
|
||||
url: ltsc/whats-new-windows-10-2021.md
|
||||
- text: What's new in Windows 10 Enterprise LTSC 2019
|
||||
url: ltsc/whats-new-windows-10-2019.md
|
||||
- text: What's new in Windows 10 Enterprise LTSC 2016
|
||||
url: ltsc/whats-new-windows-10-2016.md
|
||||
- text: What's new in Windows 10 Enterprise LTSC 2015
|
||||
url: ltsc/whats-new-windows-10-2015.md
|
||||
|
||||
- title: Deprecated features
|
||||
linkLists:
|
||||
- linkListType: reference
|
||||
links:
|
||||
- text: Windows features we're no longer developing
|
||||
url: deprecated-features.md
|
||||
- text: Features and functionality removed in Windows
|
||||
url: removed-features.md
|
||||
- text: Lifecycle terminology
|
||||
url: feature-lifecycle.md#terminology
|
||||
|
||||
- title: Learn more
|
||||
linkLists:
|
||||
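Review bot: in the new "Windows 10 Enterprise LTSC" card, the "Windows 10 Enterprise LTSC overview" link sits in a list typed `whats-new` alongside the release pages; the comment added earlier in this file lists `overview` as a separate `linkListType`, so either give the overview link its own `overview` list or accept the mixed typing deliberately.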
@ -64,15 +89,5 @@ landingContent:
|
||||
url: /windows/release-health/windows11-release-information
|
||||
- text: Windows release health dashboard
|
||||
url: /windows/release-health/
|
||||
- text: Windows 11 update history
|
||||
url: https://support.microsoft.com/topic/windows-11-version-22h2-update-history-ec4229c3-9c5f-4e75-9d6d-9025ab70fcce
|
||||
- text: Windows 10 update history
|
||||
url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb
|
||||
- text: Windows features we're no longer developing
|
||||
url: deprecated-features.md
|
||||
- text: Features and functionality removed in Windows
|
||||
url: removed-features.md
|
||||
- text: Compare Windows 11 Editions
|
||||
url: https://www.microsoft.com/windows/business/compare-windows-11
|
||||
- text: Windows 10 Enterprise LTSC
|
||||
url: ltsc/overview.md
|
||||
|
@ -1,13 +0,0 @@
|
||||
- name: Windows 10 Enterprise LTSC
|
||||
href: index.yml
|
||||
items:
|
||||
- name: Windows 10 Enterprise LTSC overview
|
||||
href: overview.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2021
|
||||
href: whats-new-windows-10-2021.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2019
|
||||
href: whats-new-windows-10-2019.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2016
|
||||
href: whats-new-windows-10-2016.md
|
||||
- name: What's new in Windows 10 Enterprise LTSC 2015
|
||||
href: whats-new-windows-10-2015.md
|