diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 24d475d6e4..413f6d9c1e 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -9,7 +9,6 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 09/05/2017 --- # Azure Active Directory integration with MDM @@ -37,7 +36,8 @@ Windows 10 introduces a new way to configure and deploy corporate owned Windows Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD. -> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. +> [!IMPORTANT] +> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. ### BYOD scenario @@ -60,7 +60,8 @@ For Azure AD enrollment to work for an Active Directory Federated Services (AD F Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. -> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> [!NOTE] +> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. ### MDM endpoints involved in Azure AD integrated enrollment @@ -80,7 +81,7 @@ To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use **Terms of Use endpoint** Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. -It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies). +It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g., users in certain geographies may be subject to stricter device management policies). The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. @@ -103,7 +104,8 @@ A cloud-based MDM is a SaaS application that provides device management capabili The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). -> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> [!NOTE] +> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs. @@ -136,7 +138,7 @@ For more information about how to register a sample application with Azure AD, s An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD. -The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, there is an entry under the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use. Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. @@ -236,7 +238,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is CXH-HOST (HTTP HEADER) -Senario +Scenario Background Theme WinJS Scenario CSS @@ -343,14 +345,14 @@ The following claims are expected in the access token passed by Windows to the T -> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time. +> [!NOTE] +> There is no device ID claim in the access token because the device may not yet be enrolled at this time. - To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). Here's an example URL. -``` syntax +```console https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 Authorization: Bearer eyJ0eXAiOi ``` @@ -390,7 +392,7 @@ If an error was encountered during the terms of use processing, the MDM can retu Here is the URL format: -``` syntax +```console HTTP/1.1 302 Location: ?error=access_denied&error_description=Access%20is%20denied%2E @@ -426,7 +428,7 @@ The following table shows the error codes.

unsupported version

-

Tenant or user data are missingor other required prerequisites for device enrollment are not met

+

Tenant or user data are missing or other required prerequisites for device enrollment are not met

302

unauthorized_client

unauthorized user or tenant

@@ -601,7 +603,7 @@ In this scenario, the MDM enrollment applies to a single user who initially adde **Evaluating Azure AD user tokens** The Azure AD token is in the HTTP Authorization header in the following format: -``` syntax +```console Authorization:Bearer ``` @@ -621,7 +623,7 @@ Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: -``` syntax +```xml Alert Type: com.microsoft/MDM/AADUserToken Alert sample: @@ -636,7 +638,7 @@ Alert sample: UserToken inserted here - … other xml tags … + … other XML tags … ``` @@ -665,7 +667,7 @@ Here's an example. user - … other xml tags … + … other XML tags … ``` @@ -682,9 +684,10 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it. -> **Note**  This is only applicable for approved MDM apps on Windows 10 devices. +> [!NOTE] +> This is only applicable for approved MDM apps on Windows 10 devices. -``` syntax +```console Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 @@ -713,7 +716,7 @@ Response: When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. -![aadj unenerollment](images/azure-ad-unenrollment.png) +![aadj unenrollment](images/azure-ad-unenrollment.png) ## Error codes @@ -921,4 +924,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di - diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 55408f3c78..9e8f6964b8 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -33,7 +33,7 @@ Update Compliance enables organizations to: Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). +Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience. See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index e7d8d21550..de0d1957dc 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -135,7 +135,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 4 = DNS Suffix - 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. -When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. +When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. ### Minimum RAM (inclusive) allowed to use Peer Caching diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index fa6196d4f9..4c1c3fa279 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -34,16 +34,17 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied - [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) -- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) -- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP +- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended +- Alternatively, any supported **full** SQL instance -### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer +### Install SQL Server Express / alternatively use any full SQL instance -1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. +1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. 2. Select **Basic**. 3. Accept the license terms. 4. Enter an install location or use the default path, and then select **Install**. 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. + ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png) ### Install VAMT using the ADK @@ -56,7 +57,7 @@ Reminder: There won't be new ADK release for 1909. 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) 6. On the completion page, select **Close**. -### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server +### Configure VAMT to connect to SQL Server Express or full SQL Server 1. Open **Volume Active Management Tool 3.1** from the Start menu. 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index fa3c7b97b9..317cac63d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting --- @@ -68,7 +68,7 @@ If the script fails and the event is an error, you can check the event ID in the Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. -10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. +10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator. 15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -79,7 +79,7 @@ Event ID | Error Type | Resolution steps ### Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: @@ -87,7 +87,7 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: @@ -140,7 +140,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Select **Operational** to load the log. @@ -282,15 +282,15 @@ You might also need to check the following: - Check **Event Viewer** > **Applications and Services Logs** > **Operation Manager** to see if there are any errors. -- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, +- In **Services**, check if the **Microsoft Monitoring Agent** is running on the server. For example, ![Image of Services](images/atp-services.png) -- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. +- In **Microsoft Monitoring Agent** > **Azure Log Analytics (OMS)**, check the Workspaces and verify that the status is running. ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) -- Check to see that machines are reflected in the **Machines list** in the portal. +- Check to see that machines are reflected in the **Machines list** in the portal. ## Confirming onboarding of newly built machines There may be instances when onboarding is deployed on a newly built machine but not completed.