deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-26 15:53:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #5873 from MicrosoftDocs/master

Browse Source 
Publish 10/22/2021, 10:30 AM
This commit is contained in:
Thomas Raya
2021-10-22 10:39:19 -07:00
committed by GitHub
parent 7a1bbec376 ee08af9bdb
commit 23dcbbe323
7 changed files with 35 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ Tools/NuGet/
*.ini
_themes*/
common/
.vscode/
.openpublishing.build.mdproj
.openpublishing.buildcore.ps1
packages.config

8
windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
View File

@ -226,7 +226,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM as part of the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
@ -236,7 +236,11 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip).
- For Windows 10, use **oobe-desktop.css**
- For Windows 11, use **oobe-light.css**
### Using themes

2
windows/client-management/mdm/config-lock.md
View File

@ -21,6 +21,8 @@ In an enterprise organization, IT administrators enforce policies on their corpo
Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
:::image type="content" source="images/config-lock-mdsl.png" alt-text="modern device security levels for config lock.":::
To summarize, Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM

2
windows/client-management/mdm/devdetail-csp.md
View File

@ -179,7 +179,7 @@ Value type is string. Supported operations are Get and Replace.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).

BIN
windows/client-management/mdm/images/config-lock-mdsl.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
windows/client-management/mdm/images/faq-max-devices.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.0 KiB

After

Width:  |  Height:  |  Size: 5.4 KiB

44
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -43,7 +43,7 @@ Applications installed using WMI classes are not removed when the MDM account is
### Passing CDATA in SyncML does not work
Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11
Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10 and Windows 11.
### SSL settings in IIS server for SCEP must be set to "Ignore"
@ -85,25 +85,25 @@ EAP XML must be updated with relevant information for your environment This can
- For Wi-Fi, look for the &lt;EAPConfig&gt; section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under &lt;EAPConfig&gt; with your updated XML and update your Wi-Fi profile. You might need to refer to your MDMs guidance on how to deploy a new Wi-Fi profile.
- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
For information about generating an EAP XML, see [EAP configuration](eap-configuration.md)
For information about generating an EAP XML, see [EAP configuration](eap-configuration.md).
For more information about extended key usage, see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>
For more information about extended key usage, see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>.
For information about adding extended key usage (EKU) to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>
For information about adding extended key usage (EKU) to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>.
The following list describes the prerequisites for a certificate to be used with EAP:
- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- Client Authentication
- As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2
- Any Purpose
- Client Authentication.
- As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
- Any Purpose.
- An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose
- All Purpose.
- As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
- The user or the computer certificate on the client chains to a trusted root CA
- The user or the computer certificate on the client chains to a trusted root CA.
- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
@ -217,24 +217,30 @@ The following XML sample explains the properties for the EAP TLS XML including c
Alternatively you can use the following procedure to create an EAP Configuration XML.
1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
![vpn selfhost properties window.](images/certfiltering1.png)
:::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
![smart card or other certificate properties window.](images/certfiltering2.png)
:::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
![configure certificate selection window.](images/certfiltering3.png)
:::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
@ -260,20 +266,20 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-
## Frequently Asked Questions
### **Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?**
### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?
No. Only one MDM is allowed.
### **How do I set the maximum number of Azure Active Directory joined devices per user?**
### How do I set the maximum number of Azure Active Directory joined devices per user?
1. Login to the portal as tenant admin: https://manage.windowsazure.com.
2. Click Active Directory on the left pane.
3. Choose your tenant.
4. Click **Configure**.
5. Set quota to unlimited.
![aad maximum joined devices.](images/faq-max-devices.png)
:::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
### **What is dmwappushsvc?**
### What is dmwappushsvc?
Entry | Description
--------------- | --------------------