From 31f83a8b38378616d018de7e341ca2fec1de6d41 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Tue, 7 Jun 2022 02:40:46 +0530 Subject: [PATCH 01/11] Updated-6038482 Bulk metadata update. --- windows/deployment/add-store-apps-to-image.md | 5 ----- .../configure-a-pxe-server-to-load-windows-pe.md | 5 ----- windows/deployment/deploy-enterprise-licenses.md | 6 ------ windows/deployment/deploy-m365.md | 5 ----- windows/deployment/deploy-whats-new.md | 5 ----- ...0-operating-system-image-using-configuration-manager.md | 5 ----- ...ployment-with-windows-pe-using-configuration-manager.md | 5 ----- ...tom-windows-pe-boot-image-with-configuration-manager.md | 5 ----- ...e-a-task-sequence-with-configuration-manager-and-mdt.md | 6 ------ ...o-deploy-with-windows-10-using-configuration-manager.md | 5 ----- ...eploy-windows-10-using-pxe-and-configuration-manager.md | 5 ----- ...for-windows-10-deployment-with-configuration-manager.md | 5 ----- ...nstallation-of-windows-10-with-configuration-manager.md | 5 ----- ...7-client-with-windows-10-using-configuration-manager.md | 5 ----- ...7-client-with-windows-10-using-configuration-manager.md | 5 ----- .../upgrade-to-windows-10-with-configuration-manager.md | 4 ---- .../assign-applications-using-roles-in-mdt.md | 6 ------ ...-a-distributed-environment-for-windows-10-deployment.md | 6 ------ .../configure-mdt-deployment-share-rules.md | 6 ------ .../configure-mdt-for-userexit-scripts.md | 6 ------ .../deploy-windows-mdt/configure-mdt-settings.md | 6 ------ .../create-a-windows-10-reference-image.md | 6 ------ .../deploy-a-windows-10-image-using-mdt.md | 6 ------ .../get-started-with-the-microsoft-deployment-toolkit.md | 6 ------ .../prepare-for-windows-deployment-with-mdt.md | 6 ------ .../refresh-a-windows-7-computer-with-windows-10.md | 6 ------ ...lace-a-windows-7-computer-with-a-windows-10-computer.md | 6 ------ .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 6 ------ ...mulate-a-windows-10-deployment-in-a-test-environment.md | 6 ------ ...-to-windows-10-with-the-microsoft-deployment-toolkit.md | 6 ------ .../use-orchestrator-runbooks-with-mdt.md | 6 ------ ...-database-to-stage-windows-10-deployment-information.md | 6 ------ .../deploy-windows-mdt/use-web-services-in-mdt.md | 6 ------ windows/deployment/deploy-windows-to-go.md | 7 ------- windows/deployment/deploy.md | 5 ----- windows/deployment/do/delivery-optimization-proxy.md | 3 --- windows/deployment/do/delivery-optimization-workflow.md | 3 --- .../do/includes/waas-delivery-optimization-monitor.md | 2 -- windows/deployment/do/mcc-enterprise.md | 3 --- .../deployment/do/waas-delivery-optimization-reference.md | 3 --- windows/deployment/do/waas-delivery-optimization-setup.md | 3 --- windows/deployment/do/waas-delivery-optimization.md | 3 --- windows/deployment/do/waas-microsoft-connected-cache.md | 3 --- windows/deployment/do/waas-optimize-windows-10-updates.md | 2 -- windows/deployment/do/whats-new-do.md | 3 --- windows/deployment/mbr-to-gpt.md | 6 ------ windows/deployment/planning/act-technical-reference.md | 5 ----- .../planning/applying-filters-to-data-in-the-sua-tool.md | 5 ----- ...a-types-and-operators-in-compatibility-administrator.md | 5 ----- .../best-practice-recommendations-for-windows-to-go.md | 6 ------ .../planning/compatibility-administrator-users-guide.md | 5 ----- ...ty-fix-database-management-strategies-and-deployment.md | 5 ----- ...lity-fixes-for-windows-8-windows-7-and-windows-vista.md | 5 ----- ...tom-compatibility-fix-in-compatibility-administrator.md | 5 ----- ...om-compatibility-mode-in-compatibility-administrator.md | 5 ----- ...ng-an-apphelp-message-in-compatibility-administrator.md | 5 ----- .../deployment-considerations-for-windows-to-go.md | 6 ------ ...g-compatibility-fixes-in-compatibility-administrator.md | 5 ----- windows/deployment/planning/features-lifecycle.md | 3 --- .../planning/fixing-applications-by-using-the-sua-tool.md | 5 ----- windows/deployment/planning/index.md | 4 ---- ...mpatibility-databases-in-compatibility-administrator.md | 5 ----- ...ication-compatibility-fixes-and-custom-fix-databases.md | 5 ----- .../prepare-your-organization-for-windows-to-go.md | 6 ------ ...or-fixed-applications-in-compatibility-administrator.md | 5 ----- ...s-with-the-query-tool-in-compatibility-administrator.md | 5 ----- ...and-data-protection-considerations-for-windows-to-go.md | 6 ------ .../planning/showing-messages-generated-by-the-sua-tool.md | 5 ----- windows/deployment/planning/sua-users-guide.md | 5 ----- .../deployment/planning/tabs-on-the-sua-tool-interface.md | 5 ----- .../testing-your-application-mitigation-packages.md | 5 ----- .../understanding-and-using-compatibility-fixes.md | 5 ----- .../planning/using-the-compatibility-administrator-tool.md | 5 ----- .../planning/using-the-sdbinstexe-command-line-tool.md | 5 ----- windows/deployment/planning/using-the-sua-tool.md | 5 ----- windows/deployment/planning/using-the-sua-wizard.md | 5 ----- ...ing-the-events-screen-in-compatibility-administrator.md | 5 ----- windows/deployment/planning/windows-10-compatibility.md | 6 ------ .../planning/windows-10-deployment-considerations.md | 5 ----- .../planning/windows-10-infrastructure-requirements.md | 5 ----- windows/deployment/planning/windows-10-removed-features.md | 3 --- windows/deployment/planning/windows-to-go-overview.md | 6 ------ windows/deployment/s-mode.md | 6 ------ windows/deployment/upgrade/log-files.md | 5 ----- windows/deployment/upgrade/quick-fixes.md | 5 ----- windows/deployment/upgrade/resolution-procedures.md | 5 ----- .../upgrade/resolve-windows-10-upgrade-errors.md | 5 ----- windows/deployment/upgrade/setupdiag.md | 5 ----- windows/deployment/upgrade/submit-errors.md | 5 ----- windows/deployment/upgrade/troubleshoot-upgrade-errors.md | 5 ----- windows/deployment/upgrade/upgrade-error-codes.md | 5 ----- windows/deployment/upgrade/windows-10-edition-upgrades.md | 5 ----- windows/deployment/upgrade/windows-10-upgrade-paths.md | 4 ---- windows/deployment/upgrade/windows-error-reporting.md | 5 ----- .../windows-upgrade-and-migration-considerations.md | 4 ---- windows/deployment/vda-subscription-activation.md | 6 ------ windows/deployment/wds-boot-support.md | 3 --- windows/deployment/windows-10-deployment-posters.md | 5 ----- windows/deployment/windows-10-deployment-scenarios.md | 6 ------ 99 files changed, 494 deletions(-) diff --git a/windows/deployment/add-store-apps-to-image.md b/windows/deployment/add-store-apps-to-image.md index def6469305..ba83569cc0 100644 --- a/windows/deployment/add-store-apps-to-image.md +++ b/windows/deployment/add-store-apps-to-image.md @@ -1,13 +1,8 @@ --- title: Add Microsoft Store for Business applications to a Windows 10 image description: This article describes the correct way to add Microsoft Store for Business applications to a Windows 10 image. -keywords: upgrade, update, windows, windows 10, deploy, store, image, wim ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.author: aaroncz ms.reviewer: diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index 129bdcec47..a841cb6907 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -1,13 +1,8 @@ --- title: Configure a PXE server to load Windows PE (Windows 10) description: This topic describes how to configure a PXE server to load Windows PE so that it can be used with an image file to install Windows 10 from the network. -keywords: upgrade, update, windows, windows 10, pxe, WinPE, image, wim ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski manager: dougeby ms.author: aaroncz diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 409ecf66ed..5889d56de0 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -1,16 +1,10 @@ --- title: Deploy Windows 10/11 Enterprise licenses manager: dougeby -ms.audience: itpro ms.author: aaroncz description: Steps to deploy Windows 10 Enterprise or Windows 11 Enterprise licenses for Windows 10/11 Enterprise E3 or E5 Subscription Activation, or for Windows 10/11 Enterprise E3 in CSP -keywords: upgrade, update, task sequence, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article ms.collection: highpri diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index d5c45465ba..8a8d38b3f6 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -5,12 +5,7 @@ manager: dougeby ms.author: aaroncz description: Learn about deploying Windows 10 with Microsoft 365 and how to use a free 90-day trial account to review some of the benefits of Microsoft 365. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -keywords: deployment, automate, tools, configure, mdt, sccm, M365 ms.localizationpriority: medium -audience: itpro author: aczechowski ms.topic: article ms.collection: M365-modern-desktop diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e534cf8937..6f43fb16f4 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -3,13 +3,8 @@ title: What's new in Windows client deployment manager: dougeby ms.author: aaroncz description: Use this article to learn about new solutions and online content related to deploying Windows in your organization. -keywords: deployment, automate, tools, configure, news -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 54ab2b9cb1..1e4ef75b50 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Add a Windows 10 operating system image using Configuration Manager description: Operating system images are typically the production image used for deployment throughout the organization. -ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: image, deploy, distribute ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index b007f111f0..4dad48dc9d 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers. -ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, task sequence ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 75682905f1..e925ac8f45 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Create a custom Windows PE boot image with Configuration Manager (Windows 10) description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Endpoint Configuration Manager. -ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: tool, customize, deploy, boot image ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 98787c6771..260b79eadd 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -1,17 +1,11 @@ --- title: Create a task sequence with Configuration Manager (Windows 10) description: Create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. -ms.assetid: 0b069bec-5be8-47c6-bf64-7a630f41ac98 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, upgrade, task sequence, install ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.pagetype: mdt -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 7aaa9cb56d..caae9de1b6 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. -ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deployment, task sequence, custom, customize ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 0851a5ac05..55d9928a01 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,15 +1,10 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. -ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa manager: dougeby ms.author: aaroncz -keywords: deployment, image, UEFI, task sequence ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.collection: highpri diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 4222c890b9..15ccee4085 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Finalize operating system configuration for Windows 10 deployment description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment. -ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: configure, deploy, upgrade ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 0f6b99c4e4..75efdc9ba8 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit. -ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: install, configure, deploy, deployment ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 511ddc7920..117dedd018 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10. -ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: upgrade, install, installation, computer refresh ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 0f06e2c3b6..242bcd70ee 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,16 +1,11 @@ --- title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. -ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: upgrade, install, installation, replace computer, setup ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index 7b65bb7a4d..dd7097e837 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -1,15 +1,11 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence. -ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: deploy -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md index f7703a6713..15fb8922d8 100644 --- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md @@ -1,17 +1,11 @@ --- title: Assign applications using roles in MDT (Windows 10) description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. -ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: settings, database, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 267f99374a..3300697ddc 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,17 +1,11 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. -ms.assetid: a6cd5657-6a16-4fff-bfb4-44760902d00c ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: replication, replicate, deploy, configure, remote ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index ae5d2449b7..078bb06ca8 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -1,17 +1,11 @@ --- title: Configure MDT deployment share rules (Windows 10) description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. -ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: rules, configuration, automate, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index 416567fdcd..821329ba18 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -1,17 +1,11 @@ --- title: Configure MDT for UserExit scripts (Windows 10) description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. -ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: rules, script ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index bc3c0f86ea..c4bbe93743 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,17 +1,11 @@ --- title: Configure MDT settings (Windows 10) description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: customize, customization, deploy, features, tools ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 6d697f6d10..e9d1c48603 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -1,17 +1,11 @@ --- title: Create a Windows 10 reference image (Windows 10) description: Creating a reference image is important because that image serves as the foundation for the devices in your organization. -ms.assetid: 9da2fb57-f2ff-4fce-a858-4ae4c237b5aa ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, deployment, configure, customize, install, installation ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index e1650926b3..0d89ad7be7 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -1,17 +1,11 @@ --- title: Deploy a Windows 10 image using MDT (Windows 10) description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deployment, automate, tools, configure ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index 613c9a5f72..031d70b47f 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -1,17 +1,11 @@ --- title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. -ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, image, feature, install, tools ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 207071b157..e691b3677b 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -1,17 +1,11 @@ --- title: Prepare for deployment with MDT (Windows 10) description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). -ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, system requirements ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 1fe4b7457c..838b5508db 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -1,17 +1,11 @@ --- title: Refresh a Windows 7 computer with Windows 10 (Windows 10) description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. -ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: reinstallation, customize, template, script, restore ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index 98bf1c01e1..fd32026678 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -2,17 +2,11 @@ title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device. ms.custom: seo-marvel-apr2020 -ms.assetid: acf091c9-f8f4-4131-9845-625691c09a2a ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, deployment, replace ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index e0cce7674c..e2976790e7 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -1,17 +1,11 @@ --- title: Set up MDT for BitLocker (Windows 10) -ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 ms.reviewer: manager: dougeby ms.author: aaroncz description: Learn how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. -keywords: disk, encryption, TPM, configure, secure, script ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-mar2020 diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index c22c41830d..07f52f4978 100644 --- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -1,17 +1,11 @@ --- title: Simulate a Windows 10 deployment in a test environment (Windows 10) description: This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. -ms.assetid: 2de86c55-ced9-4078-b280-35e0329aea9c ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, script ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 78849e6f4b..4f1b8456b8 100644 --- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,17 +1,11 @@ --- title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10) description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. -ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: upgrade, update, task sequence, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index e6409ee3f9..12cf171f4d 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -1,17 +1,11 @@ --- title: Use Orchestrator runbooks with MDT (Windows 10) description: Learn how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions. -ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: web services, database ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index bbe74794a9..33cc3b4d4b 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -1,17 +1,11 @@ --- title: Use MDT database to stage Windows 10 deployment info (Windows 10) description: Learn how to use the MDT database to pre-stage information on your Windows 10 deployment in a Microsoft SQL Server 2012 SP1 Express database. -ms.assetid: 8956ab54-90ba-45d3-a384-4fdec72c4d46 ms.reviewer: manager: dougeby ms.author: aaroncz -ms.pagetype: mdt -keywords: database, permissions, settings, configure, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 6f6b6c785e..0dfbb9978a 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -1,17 +1,11 @@ --- title: Use web services in MDT (Windows 10) description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. -ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, web apps ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.pagetype: mdt -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 9846a41bcf..7645fc5c05 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -1,18 +1,11 @@ --- title: Deploy Windows To Go in your organization (Windows 10) description: Learn how to deploy Windows To Go in your organization through a wizard in the user interface as well as programatically with Windows PowerShell. -ms.assetid: cfe550be-ffbd-42d1-ab4d-80efae49b07f ms.reviewer: manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz -keywords: deployment, USB, device, BitLocker, workspace, security, data ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobility -audience: itpro ms.topic: article ms.custom: seo-marvel-apr2020 --- diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index afc608a502..8463fd9abd 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -1,17 +1,12 @@ --- title: Deploy Windows 10 (Windows 10) description: Learn about Windows 10 upgrade options for planning, testing, and managing your production deployment. -ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C ms.reviewer: manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -audience: itpro ms.topic: article ms.custom: seo-marvel-apr2020 --- diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index d2a8c14908..5afb66f3f6 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -2,10 +2,7 @@ title: Using a proxy with Delivery Optimization manager: dansimp description: Settings to use with various proxy configurations to allow Delivery Optimization to work -keywords: updates, downloads, network, bandwidth ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/delivery-optimization-workflow.md b/windows/deployment/do/delivery-optimization-workflow.md index f3c6ba9095..0edb9f9ba1 100644 --- a/windows/deployment/do/delivery-optimization-workflow.md +++ b/windows/deployment/do/delivery-optimization-workflow.md @@ -2,10 +2,7 @@ title: Delivery Optimization client-service communication explained manager: dougeby description: Details of how Delivery Optimization communicates with the server when content is requested to download. -keywords: updates, downloads, network, bandwidth ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 811b6b5a0c..2828da9932 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md @@ -4,8 +4,6 @@ ms.author: mstewart manager: dougeby ms.prod: w10 ms.collection: M365-modern-desktop -ms.mktglfcycl: deploy -audience: itpro ms.topic: include ms.date: 04/06/2022 ms.localizationpriority: medium diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 2622d23564..96b99ceefe 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -2,10 +2,7 @@ title: Microsoft Connected Cache for Enterprise and Education (private preview) manager: dougeby description: Details on Microsoft Connected Cache (MCC) for Enterprise and Education. -keywords: updates, downloads, network, bandwidth ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ce7b9f9219..f1babe4d8a 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -3,10 +3,7 @@ title: Delivery Optimization reference ms.reviewer: manager: dougeby description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings. -keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 19d12f832c..fd6f82f98c 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md @@ -3,10 +3,7 @@ title: Set up Delivery Optimization ms.reviewer: manager: dougeby description: In this article, learn how to set up Delivery Optimization. -keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 25a9c49bfe..2a4f15d921 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md @@ -2,10 +2,7 @@ title: What is Delivery Optimization? manager: dougeby description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. -keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index 9126dea4e9..22076d8f9a 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -2,10 +2,7 @@ title: Microsoft Connected Cache overview manager: dougeby description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. -keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index 794b51ee2b..e2e98fe19a 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -2,8 +2,6 @@ title: Optimize Windows update delivery description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache. ms.prod: w10 -ms.mktglfcycl: manage -author: aczechowski ms.localizationpriority: medium ms.author: aaroncz ms.reviewer: diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index f1cd1edb98..3643b5fea8 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md @@ -2,10 +2,7 @@ title: What's new in Delivery Optimization manager: dougeby description: What's new in Delivery Optimization, a peer-to-peer distribution method in Windows 10 and Windows 11. -keywords: oms, operations management suite, wdav, updates, downloads, log analytics, mcc, do, delivery, connected cache ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro author: carmenf ms.localizationpriority: medium ms.author: carmenf diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index d3f1d72f64..112c4d3436 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -1,17 +1,11 @@ --- title: MBR2GPT description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. -keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.author: aaroncz ms.date: 02/13/2018 manager: dougeby -ms.audience: itpro ms.localizationpriority: high ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md index 65ab59f764..8faeb00aab 100644 --- a/windows/deployment/planning/act-technical-reference.md +++ b/windows/deployment/planning/act-technical-reference.md @@ -1,15 +1,10 @@ --- title: Application Compatibility Toolkit (ACT) Technical Reference (Windows 10) description: The Microsoft Application Compatibility Toolkit (ACT) helps you see if the apps and devices in your org are compatible with different versions of Windows. -ms.assetid: d90d38b2-2718-4481-90eb-4480719627ba ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md index 44652ad790..d6cc26188b 100644 --- a/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md +++ b/windows/deployment/planning/applying-filters-to-data-in-the-sua-tool.md @@ -1,15 +1,10 @@ --- title: Applying Filters to Data in the SUA Tool (Windows 10) description: Learn how to apply filters to results from the Standard User Analyzer (SUA) tool while testing your application. -ms.assetid: 48c39919-3501-405d-bcf5-d2784cbb011f ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index a18ef827ca..1db5157b5e 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Available Data Types and Operators in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool provides a way to query your custom-compatibility databases. -ms.assetid: 67d9c03e-ab9d-4fda-8a55-8c5b90266d3b ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 0794a35f0b..fead1005e4 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,16 +1,10 @@ --- title: Best practice recommendations for Windows To Go (Windows 10) description: Learn about best practice recommendations for using Windows To Go, like using a USB 3.0 port with Windows to Go if it's available. -ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: best practices, USB, device, boot ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index 7b81a26b48..a3a1f27a04 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -1,15 +1,10 @@ --- title: Compatibility Administrator User's Guide (Windows 10) -ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 ms.reviewer: manager: dougeby ms.author: aaroncz description: The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows. ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-mar2020 diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index 6ca2e8566d..6ace821889 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -1,15 +1,10 @@ --- title: Compatibility Fix Database Management Strategies and Deployment (Windows 10) -ms.assetid: fdfbf02f-c4c4-4739-a400-782204fd3c6c ms.reviewer: manager: dougeby ms.author: aaroncz description: Learn how to deploy your compatibility fixes into an application-installation package or through a centralized compatibility-fix database. ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index 57b2e00924..905b52b295 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md @@ -1,15 +1,10 @@ --- title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. -ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index c1b28533d4..fe0d8b09c8 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. -ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index bfa50f5280..2f0793108b 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Create a Custom Compatibility Mode (Windows 10) description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. -ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 3640a3801b..55551f08fc 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Create AppHelp Message in Compatibility Administrator (Windows 10) description: Create an AppHelp text message with Compatibility Administrator; a message that appears upon starting an app with major issues on the Windows® operating system. -ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index 397f230051..b6874c0cde 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -1,16 +1,10 @@ --- title: Deployment considerations for Windows To Go (Windows 10) description: Learn about deployment considerations for Windows To Go, such as the boot experience, deployment methods, and tools that you can use with Windows To Go. -ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, mobile, device, USB, boot, image, workspace, driver ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index bcad4a3136..9e64ab8e0b 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes. -ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md index df0e93d341..0bb13ccd0f 100644 --- a/windows/deployment/planning/features-lifecycle.md +++ b/windows/deployment/planning/features-lifecycle.md @@ -2,10 +2,7 @@ title: Windows client features lifecycle description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature. ms.prod: w10 -ms.mktglfcycl: plan ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski manager: dougeby ms.author: aaroncz diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md index 1f81b6a7ea..54b85fbaa4 100644 --- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md +++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md @@ -1,15 +1,10 @@ --- title: Fixing Applications by Using the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application. -ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 9e06b64d91..72b7ebe705 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -1,11 +1,7 @@ --- title: Plan for Windows 10 deployment (Windows 10) description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date. -ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 -keywords: deploy, upgrade, update, configure ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library ms.localizationpriority: medium author: aczechowski ms.author: aaroncz diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index 75bd75782f..cdd078d772 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Install/Uninstall Custom Databases (Windows 10) description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. -ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 242674d390..9e24aa3ddf 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -1,15 +1,10 @@ --- title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases. -ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 4e1df0cd04..78f1404be6 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -1,16 +1,10 @@ --- title: Prepare your organization for Windows To Go (Windows 10) description: Though Windows To Go is no longer being developed, you can find info here about the the “what”, “why”, and “when” of deployment. -ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: ["mobile, device, USB, deploy"] ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index b350133316..53d51c7ea4 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. -ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index 62b098d6e5..496856bf9f 100644 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. -ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index f2d306f5bd..cbb62f87be 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -1,16 +1,10 @@ --- title: Security and data protection considerations for Windows To Go (Windows 10) description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure. -ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: mobile, device, USB, secure, BitLocker ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility, security -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md index 550c1b7cb8..f6e9d05353 100644 --- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md +++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md @@ -1,15 +1,10 @@ --- title: Showing Messages Generated by the SUA Tool (Windows 10) description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated. -ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 2936429060..50bae4c447 100644 --- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -2,15 +2,10 @@ title: SUA User's Guide (Windows 10) description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature. ms.custom: seo-marvel-apr2020 -ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md index 247dae8ef3..ab6c4e83a7 100644 --- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md +++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md @@ -1,15 +1,10 @@ --- title: Tabs on the SUA Tool Interface (Windows 10) description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze. -ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index 375609958a..4ab4be6a19 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -1,15 +1,10 @@ --- title: Testing Your Application Mitigation Packages (Windows 10) description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues. -ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index 755b66cf80..d91279a5d5 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md @@ -1,15 +1,10 @@ --- title: Understanding and Using Compatibility Fixes (Windows 10) description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. -ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index 991cc5eabc..2e1dbd9ead 100644 --- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -1,15 +1,10 @@ --- title: Using the Compatibility Administrator Tool (Windows 10) description: This section provides information about using the Compatibility Administrator tool. -ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md index 498a0d4424..e4196523e8 100644 --- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md +++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md @@ -1,15 +1,10 @@ --- title: Using the Sdbinst.exe Command-Line Tool (Windows 10) description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options. -ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md index 7dd26dfa38..f4de4f8ae5 100644 --- a/windows/deployment/planning/using-the-sua-tool.md +++ b/windows/deployment/planning/using-the-sua-tool.md @@ -1,15 +1,10 @@ --- title: Using the SUA Tool (Windows 10) description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature. -ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md index 408504f26c..e0a506b5ca 100644 --- a/windows/deployment/planning/using-the-sua-wizard.md +++ b/windows/deployment/planning/using-the-sua-wizard.md @@ -1,15 +1,10 @@ --- title: Using the SUA wizard (Windows 10) description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues. -ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.date: 04/19/2017 ms.topic: article diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index 9a7abdef9a..3d363d0db4 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md @@ -1,15 +1,10 @@ --- title: Viewing the Events Screen in Compatibility Administrator (Windows 10) description: You can use the Events screen to record and view activities in the Compatibility Administrator tool. -ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md index a1b074a935..790592964c 100644 --- a/windows/deployment/planning/windows-10-compatibility.md +++ b/windows/deployment/planning/windows-10-compatibility.md @@ -1,17 +1,11 @@ --- title: Windows 10 compatibility (Windows 10) description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. -ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, upgrade, update, appcompat ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md index 6d2b053310..a9fb6d7c33 100644 --- a/windows/deployment/planning/windows-10-deployment-considerations.md +++ b/windows/deployment/planning/windows-10-deployment-considerations.md @@ -1,16 +1,11 @@ --- title: Windows 10 deployment considerations (Windows 10) description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. -ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, upgrade, update, in-place ms.prod: w10 ms.localizationpriority: medium -ms.mktglfcycl: plan -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index bfe6fbc509..4bde7474f4 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -1,16 +1,11 @@ --- title: Windows 10 infrastructure requirements (Windows 10) description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization. -ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: deploy, upgrade, update, hardware ms.prod: w10 -ms.mktglfcycl: plan ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 9df0d61488..baa2e8882e 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -2,10 +2,7 @@ title: Windows 10 - Features that have been removed description: In this article, learn about the features and functionality that has been removed or replaced in Windows 10. ms.prod: w10 -ms.mktglfcycl: plan ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 79b583332b..483767ebfe 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -1,16 +1,10 @@ --- title: Windows To Go feature overview (Windows 10) description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive. -ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: workspace, mobile, installation, image, USB, device, image, edu ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: mobility, edu -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index cc1cf8f69d..59ec7c3e89 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -1,17 +1,11 @@ --- title: Windows 10 Pro in S mode description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? -keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode -ms.mktglfcycl: deploy ms.localizationpriority: high ms.prod: w10 -ms.sitesec: library -ms.pagetype: deploy manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz -audience: itpro ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index daf7fb1e1a..cb6e0cf046 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -3,13 +3,8 @@ title: Log files and resolving upgrade errors manager: dougeby ms.author: aaroncz description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.custom: seo-marvel-apr2020 ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 76ea88816f..9976bc228d 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -4,13 +4,8 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: Learn how to quickly resolve many problems, which may come up during a Windows 10 upgrade. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.custom: seo-marvel-apr2020 ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index d2bec5e3f1..44d5400854 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -3,12 +3,7 @@ title: Resolution procedures - Windows IT Pro manager: dougeby ms.author: aaroncz description: Discover general troubleshooting procedures for dealing with 0xC1900101, the generic rollback code thrown when something goes wrong during a Windows 10 upgrade. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 57df118f87..059f0801cb 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -3,12 +3,7 @@ title: Resolve Windows 10 upgrade errors - Windows IT Pro manager: dougeby ms.author: aaroncz description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 505f23ab18..c6161cdc2d 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -3,13 +3,8 @@ title: SetupDiag manager: dougeby ms.author: aaroncz description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors. -keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose ms.custom: seo-marvel-apr2020 ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 17692fe281..78530d857f 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -4,12 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index 736fd59813..5b8cff866c 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -3,12 +3,7 @@ title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro manager: dougeby ms.author: aaroncz description: Understanding the Windows 10 upgrade process can help you troubleshoot errors when something goes wrong. Find out more with this guide. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 3b0ef7d8df..6d09c5829a 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -3,12 +3,7 @@ title: Upgrade error codes - Windows IT Pro manager: dougeby ms.author: aaroncz description: Understand the error codes that may come up if something goes wrong during the Windows 10 upgrade process. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 959bb7e649..18488633f6 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -1,15 +1,10 @@ --- title: Windows 10 edition upgrade (Windows 10) description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. -ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mobile -audience: itpro author: aczechowski ms.topic: article ms.collection: highpri diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 46541e996a..bf02d1b890 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -4,11 +4,7 @@ manager: dougeby ms.author: aaroncz description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -ms.pagetype: mobile -audience: itpro author: aczechowski ms.topic: article ms.collection: highpri diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index 74939a1ac1..c8f3986ed2 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -4,12 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index f18c6db530..d07d93a95c 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -1,14 +1,10 @@ --- title: Windows Upgrade and Migration Considerations (Windows 10) description: Discover the Microsoft tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration. -ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281 ms.reviewer: manager: dougeby ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.topic: article --- diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index fbae4bcd47..3ec4c5a2de 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -2,18 +2,12 @@ title: Configure VDA for Windows 10/11 Subscription Activation ms.reviewer: manager: dougeby -ms.audience: itpro ms.author: aaroncz author: aczechowski description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. -keywords: upgrade, update, task sequence, deploy ms.custom: seo-marvel-apr2020 ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: mdt -audience: itpro ms.topic: article ms.collection: M365-modern-desktop --- diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 374b78e022..3476d250c5 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -2,10 +2,7 @@ title: Windows Deployment Services (WDS) boot.wim support description: This article provides details on the support capabilities of WDS for end to end operating system deployment. ms.prod: w11 -ms.mktglfcycl: plan ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 00b17c1196..18021d5a5d 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -3,15 +3,10 @@ title: Windows 10 deployment process posters description: View and download Windows 10 deployment process flows for Microsoft Endpoint Manager and Windows Autopilot. ms.reviewer: manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz -keywords: upgrade, in-place, configuration, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro ms.topic: article --- diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 09bd64cb23..a1d13f7d3e 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -1,17 +1,11 @@ --- title: Windows 10 deployment scenarios (Windows 10) description: Understand the different ways Windows 10 operating system can be deployed in your organization. Explore several Windows 10 deployment scenarios. -ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 manager: dougeby -ms.audience: itpro ms.author: aaroncz author: aczechowski -keywords: upgrade, in-place, configuration, deploy ms.prod: w10 -ms.mktglfcycl: deploy ms.localizationpriority: medium -ms.sitesec: library -audience: itpro ms.topic: article ms.collection: highpri --- From de1733184a92ae2a24d40930925b18487c345fa4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Tue, 7 Jun 2022 03:02:38 +0530 Subject: [PATCH 02/11] Updated-6038482 Articles updated to resolve Warning and address Acrolinx errors. --- ...fresh-a-windows-7-computer-with-windows-10.md | 16 ++++++++-------- ...dows-7-computer-with-a-windows-10-computer.md | 16 ++++++++-------- .../do/waas-optimize-windows-10-updates.md | 1 + 3 files changed, 17 insertions(+), 16 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index 838b5508db..356ba70dcc 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -17,12 +17,12 @@ ms.topic: article This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/). -For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001. +For the purposes of this topic, we'll use three computers: DC01, MDT01, and PC0001. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. - PC0001 is a domain member computer running a previous version of Windows that is going to be refreshed to a new version of Windows 10, with data and settings restored. The example used here is a computer running Windows 7 SP1. -Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![computers.](../images/mdt-04-fig01.png "Computers used in this topic") @@ -30,9 +30,9 @@ The computers used in this topic. ## The computer refresh process -A computer refresh is not the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. +A computer refresh isn't the same as an in-place upgrade because a computer refresh involves exporting user data and settings then wiping the device before installing a fresh OS and restoring the user's data and settings. -For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh you will: +For a computer refresh with MDT, you use the User State Migration Tool (USMT), which is part of the Windows Assessment and Deployment Kit (ADK) for Windows 10, to migrate user data and settings. To complete a computer refresh, you will: 1. Back up data and settings locally, in a backup folder. 2. Wipe the partition, except for the backup folder. @@ -40,7 +40,7 @@ For a computer refresh with MDT, you use the User State Migration Tool (USMT), w 4. Install other applications. 5. Restore data and settings. -During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are simply linked in the file system, which allows for fast migration, even when there is a lot of data. +During the computer refresh, USMT uses a feature called Hard-Link Migration Store. When you use this feature, the files are linked in the file system, which allows for fast migration, even when there's a lot of data. >[!NOTE] >In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file contains the entire volume from the computer and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire computer is not a supported scenario. @@ -60,17 +60,17 @@ In addition to the command-line switches that control which profiles to migrate, ### Multicast -Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You will need to update the deployment share after changing this setting. +Multicast is a technology designed to optimize simultaneous deployment to multiple devices. If you have a limited number of simultaneous deployments, you should disable multicast which was [configured in a previous procedure](deploy-a-windows-10-image-using-mdt.md#set-up-mdt-for-multicast) in this guide. Disabling multicast will speed up deployment for a small number of computers. You'll need to update the deployment share after changing this setting. ## Refresh a Windows 7 SP1 client -In these section, we assume that you have already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01: +In this section, we assume that you've already performed the prerequisite procedures in the following topics, so that you have a deployment share named **MDTProduction$** on MDT01: - [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) -It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we will refreshing a Windows 7 SP1 PC to Windows 10, version 1909. +It is also assumed that you have a domain member client computer named PC0001 in your environment running Windows 7, 8.1 or 10 that is ready for a refresh to the latest version of Windows 10. For demonstration purposes, we'll be refreshing a Windows 7 SP1 PC to Windows 10, version 1909. ### Upgrade (refresh) a Windows 7 SP1 client diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index fd32026678..30ca655b46 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -1,6 +1,6 @@ --- title: Replace a Windows 7 computer with a Windows 10 computer (Windows 10) -description: In this article, you will learn how to replace a Windows 7 device with a Windows 10 device. +description: In this article, you'll learn how to replace a Windows 7 device with a Windows 10 device. ms.custom: seo-marvel-apr2020 ms.reviewer: manager: dougeby @@ -16,15 +16,15 @@ ms.topic: article **Applies to** - Windows 10 -A computer replace scenario for Windows 10 is quite similar to a computer refresh for Windows 10. However, because you are replacing a device, you cannot store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. +A computer replace scenario for Windows 10 is similar to a computer refresh for Windows 10. However, because you're replacing a device, you can't store the backup on the old computer. Instead you need to store the backup to a location where the new computer can read it. The User State Migration Tool (USMT) will be used to back up and restore data and settings. -For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002, and PC0007. +For the purposes of this topic, we'll use four computers: DC01, MDT01, PC0002, and PC0007. - DC01 is a domain controller for the contoso.com domain. - MDT01 is domain member server that hosts your deployment share. - PC0002 is an old computer running Windows 7 SP1 that will be replaced by PC0007. - PC0007 is a new computer will have the Windows 10 OS installed prior to data from PC0002 being migrated. Both PC0002 and PC0007 are members of the contoso.com domain. -For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). +For more details on the setup for this topic, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). ![The computers used in this topic.](../images/mdt-03-fig01.png) @@ -40,9 +40,9 @@ The computers used in this topic. On **MDT01**: -1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, click **Properties**, and then click the **Rules** tab. -2. Change the **SkipUserData=YES** option to **NO**, and click **OK**. -3. Right-click **MDT Production** and click **Update Deployment Share**. Click **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. +1. Open the Deployment Workbench, under **Deployment Shares** right-click **MDT Production**, select **Properties**, and then select the **Rules** tab. +2. Change the **SkipUserData=YES** option to **NO**, and select **OK**. +3. Right-click on **MDT Production** and select **Update Deployment Share**. Then select **Next**, **Next**, and **Finish** to complete the Update Deployment Share Wizard with the default settings. ### Create and share the MigData folder @@ -75,7 +75,7 @@ On **MDT01**: During a computer replace, these are the high-level steps that occur: -1. On the computer you are replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. +1. On the computer you're replacing, a special replace task sequence runs the USMT backup and, if you configured it, runs the optional full Windows Imaging (WIM) backup. 2. On the new computer, you perform a standard bare-metal deployment. At the end of the bare-metal deployment, the USMT backup from the old computer is restored. ### Run the replace task sequence diff --git a/windows/deployment/do/waas-optimize-windows-10-updates.md b/windows/deployment/do/waas-optimize-windows-10-updates.md index e2e98fe19a..6bf560ab5a 100644 --- a/windows/deployment/do/waas-optimize-windows-10-updates.md +++ b/windows/deployment/do/waas-optimize-windows-10-updates.md @@ -3,6 +3,7 @@ title: Optimize Windows update delivery description: Two methods of peer-to-peer content distribution are available, Delivery Optimization and BranchCache. ms.prod: w10 ms.localizationpriority: medium +author: aaroncz ms.author: aaroncz ms.reviewer: manager: dougeby From 829d8da98c18fc1be9ff8ea4b2cd18b4d080f75b Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 9 Jun 2022 13:45:16 +0530 Subject: [PATCH 03/11] Improper acronyms review update-05 The updates here are made for acronym :AAD, Azure AD-joined, AAD-joined as per the task 6027362. Thanks! --- education/windows/change-to-pro-education.md | 10 ++++---- .../set-up-school-pcs-azure-ad-join.md | 2 +- .../windows/set-up-school-pcs-whats-new.md | 4 ++-- .../connect-to-remote-aadj-pc.md | 2 +- ...e-active-directory-integration-with-mdm.md | 2 +- .../client-management/mdm/bitlocker-csp.md | 4 ++-- .../mdm/bitlocker-ddf-file.md | 12 +++++----- .../mdm/clientcertificateinstall-csp.md | 2 +- .../mdm/clientcertificateinstall-ddf-file.md | 2 +- .../disconnecting-from-mdm-unenrollment.md | 2 +- windows/client-management/mdm/dmclient-csp.md | 4 ++-- .../mdm/dmclient-ddf-file.md | 2 +- ...device-automatically-using-group-policy.md | 4 ++-- .../mdm/healthattestation-csp.md | 4 ++-- ...ew-in-windows-mdm-enrollment-management.md | 4 ++-- .../mdm/policy-csp-admx-terminalserver.md | 4 ++-- .../mdm/policy-csp-authentication.md | 2 +- .../mdm/policy-csp-deliveryoptimization.md | 6 ++--- .../mdm/policy-csp-experience.md | 2 +- .../mdm/policy-csp-kerberos.md | 2 +- .../mdm/policy-csp-localusersandgroups.md | 12 +++++----- .../mdm/policy-csp-mixedreality.md | 2 +- .../mdm/policy-csp-restrictedgroups.md | 2 +- .../mdm/policy-csp-search.md | 2 +- .../mdm/policy-csp-system.md | 6 ++--- .../mdm/secureassessment-csp.md | 2 +- .../mdm/secureassessment-ddf-file.md | 2 +- windows/client-management/mdm/vpnv2-csp.md | 4 ++-- .../client-management/mdm/vpnv2-ddf-file.md | 8 +++---- .../new-policies-for-windows-10.md | 4 ++-- .../set-up-and-test-cortana-in-windows-10.md | 2 +- .../deployment/deploy-enterprise-licenses.md | 8 +++---- .../waas-delivery-optimization-reference.md | 2 +- windows/deployment/update/WIP4Biz-intro.md | 2 +- .../olympia/olympia-enrollment-guidelines.md | 4 ++-- .../update/update-compliance-v2-overview.md | 4 ++-- .../update-compliance-v2-prerequisites.md | 4 ++-- .../deployment/vda-subscription-activation.md | 4 ++-- .../windows-10-deployment-scenarios.md | 2 +- .../windows-10-subscription-activation.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1709.md | 2 +- ...ndows-diagnostic-events-and-fields-1803.md | 2 +- ...ndows-diagnostic-events-and-fields-1809.md | 4 ++-- ...ndows-diagnostic-events-and-fields-1903.md | 6 ++--- ...s-to-windows-diagnostic-data-collection.md | 2 +- ...-diagnostic-data-events-and-fields-2004.md | 6 ++--- .../windows-10-and-privacy-compliance.md | 4 ++-- .../hello-aad-join-cloud-only-deploy.md | 4 ++-- .../hello-deployment-issues.md | 8 +++---- .../hello-deployment-rdp-certs.md | 6 ++--- .../hello-errors-during-pin-creation.md | 4 ++-- .../hello-for-business/hello-faq.yml | 2 +- .../hello-feature-pin-reset.md | 10 ++++---- .../hello-how-it-works-authentication.md | 4 ++-- .../hello-how-it-works-provisioning.md | 4 ++-- .../hello-how-it-works-technology.md | 4 ++-- .../hello-for-business/hello-how-it-works.md | 2 +- .../hello-hybrid-aadj-sso-base.md | 22 ++++++++--------- .../hello-hybrid-aadj-sso-cert.md | 24 +++++++++---------- .../hello-hybrid-aadj-sso.md | 12 +++++----- .../hello-hybrid-cert-trust-devreg.md | 10 ++++---- .../hello-hybrid-cert-whfb-provision.md | 4 ++-- .../hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cloud-trust.md | 10 ++++---- .../hello-hybrid-key-new-install.md | 2 +- .../hello-hybrid-key-trust-devreg.md | 6 ++--- .../hello-hybrid-key-trust-prereqs.md | 2 +- .../hello-hybrid-key-whfb-provision.md | 2 +- .../hello-hybrid-key-whfb-settings-pki.md | 2 +- .../hello-hybrid-key-whfb-settings-policy.md | 2 +- .../hello-planning-guide.md | 12 +++++----- ...n-on-sso-over-vpn-and-wi-fi-connections.md | 2 +- .../bitlocker-deployment-comparison.md | 2 +- .../bitlocker/ts-bitlocker-tpm-issues.md | 2 +- ...-this-computer-to-use-online-identities.md | 2 +- .../zero-trust-windows-device-health.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 4 ++-- .../ltsc/whats-new-windows-10-2021.md | 2 +- .../whats-new-windows-10-version-1703.md | 2 +- .../whats-new-windows-10-version-1709.md | 2 +- .../whats-new-windows-10-version-1809.md | 8 +++---- .../whats-new-windows-10-version-1909.md | 2 +- 82 files changed, 186 insertions(+), 186 deletions(-) diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 9d165c8892..d1ed1e7192 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -28,7 +28,7 @@ To take advantage of this offering, make sure you meet the [requirements for cha ## Requirements for changing Before you change to Windows 10 Pro Education, make sure you meet these requirements: - Devices must be running Windows 10 Pro, version 1607 or higher. -- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). +- Devices must be Azure Active Directory-joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices). If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). @@ -47,7 +47,7 @@ For schools that want to standardize all their Windows 10 Pro devices to Windows In this scenario: -- The IT admin of the tenant chooses to turn on the change for all Azure AD joined devices. +- The IT admin of the tenant chooses to turn on the change for all Azure AD-joined devices. - Any device that joins the Azure AD will change automatically to Windows 10 Pro Education. - The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). @@ -92,7 +92,7 @@ You can use Windows Configuration Designer to create a provisioning package that 3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. -## Education customers with Azure AD joined devices +## Education customers with Azure AD-joined devices Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system changes to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. @@ -145,7 +145,7 @@ Enabling the automatic change also triggers an email message notifying all globa So what will users experience? How will they change their devices? -### For existing Azure AD joined devices +### For existing Azure AD-joined devices Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed. ### For new devices that are not Azure AD joined @@ -251,7 +251,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined dsregcmd /status ``` -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. **To determine the version of Windows 10** diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index f1a4be1df2..a04a034238 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -59,7 +59,7 @@ The following table describes each setting within **Device Settings**. | Setting | Description | |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Users may join devices to Azure AD | Choose the scope of people in your organization that are allowed to join devices to Azure AD. **All** allows all users and groups within your tenant to join devices. **Selected** prompts you to choose specific users or groups to allow. **None** allows no one in your tenant to join devices to Azure AD. | -| More local administrators on Azure AD joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | +| More local administrators on Azure AD-joined devices | Only applicable to Azure AD Premium tenants. Grant extra local administrator rights on devices, to selected users. Global administrators and the device owner are granted local administrator rights by default. | | Users may register their devices with Azure AD | Allow all or none of your users to register their devices with Azure AD (Workplace Join). If you're enrolled in Microsoft Intune or Mobile Device Management for Office 365, your devices are required to be registered. In this case, **All** is automatically selected for you. | | Require Multi-Factor Authentication to join devices | Recommended when adding devices to Azure AD. When set to **Yes**, users that are setting up devices must enter a second method of authentication. | | Maximum number of devices per user | Set the maximum number of devices a user is allowed to have in Azure AD. If the maximum is exceeded, the user must remove one or more existing devices before more devices are added. | diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index 72bea22625..29c5d1cc71 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -34,7 +34,7 @@ You can now give devices running Windows 10, version 2004 and later a name that' ### Resumed support for Windows 10, version 1903 and later The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app. -### Device rename made optional for Azure AD joined devices +### Device rename made optional for Azure AD-joined devices When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names. ## Week of May 23, 2019 @@ -42,7 +42,7 @@ When you set up your Azure AD join devices in the app, you no longer need to ren ### Suspended support for Windows 10, version 1903 and later Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again. -### Mandatory device rename for Azure AD joined devices +### Mandatory device rename for Azure AD-joined devices If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names. ## Week of April 15, 2019 diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index cf0c18ee1d..d309a90777 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -66,7 +66,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu - Adding users using policy - Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index a0a4883d44..16ba07745d 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -359,7 +359,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. -**Multiple user management for Azure AD joined devices** +**Multiple user management for Azure AD-joined devices** In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. **Adding a work account and MDM enrollment to a device** diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 8370601e1d..ae39baf60c 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1178,7 +1178,7 @@ If you don't configure this policy setting, users can use BitLocker on removable Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1. > [!IMPORTANT] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. @@ -1197,7 +1197,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the The following list shows the supported values: -- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. +- 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory-joined devices. Windows will attempt to silently enable BitLocker for value 0. - 1 (default) – Warning prompt allowed. ```xml diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index db4049e60e..b40819c5e8 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -646,7 +646,7 @@ The XML below is the current version for this CSP. 1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed. 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, - the value 0 only takes affect on Azure Active Directory joined devices. + the value 0 only takes affect on Azure Active Directory-joined devices. Windows will attempt to silently enable BitLocker for value 0. If you want to disable this policy use the following SyncML: @@ -744,15 +744,15 @@ The XML below is the current version for this CSP. - Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices. - When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when + Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices. + When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required. For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives" For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives" Supported Values: 0 - Numeric Recovery Passwords rotation OFF. - 1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value - 2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices + 1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value + 2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices If you want to disable this policy use the following SyncML: @@ -783,7 +783,7 @@ The XML below is the current version for this CSP. - + diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index b667bfa46b..960bccb9ed 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -377,7 +377,7 @@ The date type format is Null, meaning this node doesn’t contain a value. The only supported operation is Execute. **ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -Optional. Specify the Azure AD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. +Optional. Specify the Azure Active Directory Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. Data type is string. diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 492a95c621..3b3d11550e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -931,7 +931,7 @@ Supported operation is Exec. - Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + Optional. Specify the Azure Active Directory Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index f3e3c24cf9..d7c8ad7e7b 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -125,7 +125,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm ## Unenrollment from Work Access settings page -If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. +If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. You can only use the Work Access page to unenroll under the following conditions: diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 187e71bdb1..7e6ac79ac7 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -346,7 +346,7 @@ Value type is bool. **Provider/*ProviderID*/ForceAadToken** The value type is integer/enum. -The value is "1" and it means client should always send AAD device token during check-in/sync. +The value is "1" and it means client should always send Azure Active Directory device token during check-in/sync. **Provider/*ProviderID*/Poll** Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. @@ -517,7 +517,7 @@ This node tracks the status of a Recovery request from the InitiateRecovery node 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM is not available. -4 - Recovery has failed to start because AAD keys are not protected by the TPM. +4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM is not ready for attestation. 7 - Recovery has failed because the client cannot authenticate to the server. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 9121cdc2b4..ed49a1f115 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -981,7 +981,7 @@ The XML below is for Windows 10, version 1803. - Send the device AAD token, if the user one can't be returned + Send the device Azure Active Directory token, if the user one can't be returned diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 767c141d9a..8076b0a504 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -127,7 +127,7 @@ Requirements: > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop because the Intune subscription is user centric. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -270,7 +270,7 @@ To collect Event Viewer logs: > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: - **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. + **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 4b0d882361..02f0a9e059 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -139,7 +139,7 @@ Data fields: - rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller. - serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation. - nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks. -- aadToken: The AAD token to be used for authentication against the Microsoft Azure Attestation service. +- aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service. - cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes. Sample Data: @@ -408,7 +408,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo }; ``` -3. Call TriggerAttestation with your rpid, AAD token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). +3. Call TriggerAttestation with your rpid, Azure Active Directory token and the attestURI: Use the Attestation URL generated in step 1, and append the appropriate api version you want to hit. For more information about the api version, see [Attestation - Attest Tpm - REST API](/rest/api/attestation/attestation/attest-tpm). 4. Call GetAttestReport and decode and parse the report to ensure the attested report contains the required properties: GetAttestReport return the signed attestation token as a JWT. The JWT can be decoded to parse the information per the attestation policy. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 90157cf9e6..310a9310ac 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -250,7 +250,7 @@ Alternatively you can use the following procedure to create an EAP Configuration After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. -### User provisioning failure in Azure Active Directory joined Windows 10 and Windows 11 devices +### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. @@ -270,7 +270,7 @@ The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push- No. Only one MDM is allowed. -### How do I set the maximum number of Azure Active Directory joined devices per user? +### How do I set the maximum number of Azure Active Directory-joined devices per user? 1. Sign in to the portal as tenant admin: https://portal.azure.com. 2. Select Active Directory on the left pane. diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 448f4d16bd..08bade1383 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -2305,10 +2305,10 @@ ADMX Info: This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. -You can use this policy setting to select one of three licensing modes: Per User, Per Device, and AAD Per User. +You can use this policy setting to select one of three licensing modes: Per User, Per Device, and Azure Active Directory Per User. - Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. - Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. -- AAD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in AAD. +- Azure AD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in Azure AD. If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index e14b58d4da..a643d8f9bd 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -312,7 +312,7 @@ The following list shows the supported values: -Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). +Specifies the list of domains that are allowed to be navigated to in Azure Active Directory PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092). **Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com". diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 56963703d1..0020d963a4 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -702,7 +702,7 @@ ADMX Info: -Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. +Set this policy to restrict peer selection to a specific source. Available options are: 1 = Active Directory Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Azure Active Directory. When set, the Group ID will be assigned automatically from the selected source. @@ -727,11 +727,11 @@ ADMX Info: The following list shows the supported values: -- 1 - AD site +- 1 - Active Directory site - 2 - Authenticated domain SID - 3 - DHCP user option - 4 - DNS suffix -- 5 - AAD +- 5 - Azure Active Directory diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 1b295a8323..8e01e881e1 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -340,7 +340,7 @@ The following list shows the supported values: -Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect. +Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory-joined and MDM enrolled (for example, auto-enrolled), then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 2a8bcb33cc..3b50247d62 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -436,7 +436,7 @@ ADMX Info: -Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal. +Adds a list of domains that an Azure Active Directory-joined device can attempt to contact when it can't resolve a UPN to a principal. Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index 6180d6da7e..ac23f93418 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -59,7 +59,7 @@ manager: dansimp This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. > [!NOTE] -> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. > > Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. @@ -104,9 +104,9 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura **Examples** -Example 1: AAD focused. +Example 1: Azure Active Directory focused. -The following example updates the built-in administrators group with AAD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. +The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine. ```xml @@ -118,7 +118,7 @@ The following example updates the built-in administrators group with AAD account ``` -Example 2: Replace / Restrict the built-in administrators group with an AAD user account. +Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account. > [!NOTE] > When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. @@ -135,7 +135,7 @@ Example: ``` Example 3: Update action for adding and removing group members on a hybrid joined machine. -The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. +The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. ```xml @@ -158,7 +158,7 @@ The following example shows how you can update a local group (**Administrators** > [!NOTE] > -> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> When Azure Active Directory group SID’s are added to local groups, during Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > > - Administrators > - Users diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 420f8eb0b1..91dc86b449 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -106,7 +106,7 @@ On a device where this policy is configured, the user specified in the policy wi > [!NOTE] > > - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. -> - Auto-logon is only supported for Microsoft account and AAD users. +> - Auto-logon is only supported for Microsoft account and Azure Active Directory users.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index d002c4045a..bf1b9dc0c3 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or Azure Active Directory groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index a3d05d9196..247e529832 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -162,7 +162,7 @@ ADMX Info: -This value is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an AAD account. +This value is a simple boolean value, default false, that can be set by MDM policy to allow the Cortana Page in OOBE when logged in with an Azure Active Directory account. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 32e38be2da..988ec769c7 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -194,7 +194,7 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). +This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete two steps: @@ -534,7 +534,7 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data. +This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data. For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data). @@ -772,7 +772,7 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). +This policy setting configures an Azure Active Directory-joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete three steps: diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 06af135189..3d0fe5ca42 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -48,7 +48,7 @@ The supported operations are Add, Delete, Get, and Replace. The user name of the test taking account. - To specify a domain account, use domain\\user. -- To specify an AAD account, use username@tenant.com. +- To specify an Azure Active Directory account, use username@tenant.com. - To specify a local account, use the username. The supported operations are Add, Delete, Get, and Replace. diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md index 4aff84bd1d..aa6c74c939 100644 --- a/windows/client-management/mdm/secureassessment-ddf-file.md +++ b/windows/client-management/mdm/secureassessment-ddf-file.md @@ -84,7 +84,7 @@ The XML below is the current version for this CSP. - The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username. + The user name of the test taking account. To specify a domain account, use domain\user. To specify an Azure Active Directory account, use username@tenant.com. To specify a local account, use the username. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ce1fdf95ec..155761430f 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -659,10 +659,10 @@ Reserved for future use. Reserved for future use. **VPNv2/**ProfileName**/DeviceCompliance** -Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable AAD-based Conditional Access for VPN. +Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable Azure Active Directory-based Conditional Access for VPN. **VPNv2/**ProfileName**/DeviceCompliance/Enabled** -Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. +Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. Value type is bool. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 7ac4734a65..fce3776165 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -1403,7 +1403,7 @@ The XML below is for Windows 10, version 2004. - Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN + Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN @@ -1426,7 +1426,7 @@ The XML below is for Windows 10, version 2004. - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory @@ -3593,7 +3593,7 @@ The XML below is for Windows 10, version 2004. - Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN + Nodes under DeviceCompliance can be used to enable Azure Active Directory based Conditional Access for VPN @@ -3616,7 +3616,7 @@ The XML below is for Windows 10, version 2004. - Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 79a75c3f90..41b9a56882 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -270,7 +270,7 @@ The following Group Policy settings were added in Windows 10, version 1803: - Windows Components\IME\Turn on Live Sticker - Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow video capture redirection - Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions -- Windows Components\Search\Allow Cortana Page in OOBE on an AAD account +- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account - Windows Components\Store\Disable all apps from Microsoft Store - Windows Components\Text Input\Allow Uninstallation of Language Features - Windows Components\Text Input\Improve inking and typing recognition @@ -311,7 +311,7 @@ The following Group Policy settings were added in Windows 10, version 1709: - Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics - Windows Components\Handwriting\Handwriting Panel Default Mode Docked - Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge -- Windows Components\MDM\Auto MDM Enrollment with AAD Token +- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token - Windows Components\Messaging\Allow Message Service Cloud Sync - Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge - Windows Components\Microsoft Edge\Provision Favorites diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index 5af920f5f7..b2a351551c 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -44,4 +44,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied -Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. +Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 409ecf66ed..7109cff744 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -89,7 +89,7 @@ For more information about integrating on-premises AD DS domains with Azure AD, ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, or later and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users @@ -241,12 +241,12 @@ Use the following figures to help you troubleshoot when users experience these c ### Review requirements on devices -Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. +Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. -**To determine if a device is Azure Active Directory joined:** +**To determine if a device is Azure Active Directory-joined:** 1. Open a command prompt and type **dsregcmd /status**. -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. **To determine the version of Windows 10:** diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md index ce7b9f9219..18422c3d31 100644 --- a/windows/deployment/do/waas-delivery-optimization-reference.md +++ b/windows/deployment/do/waas-delivery-optimization-reference.md @@ -124,7 +124,7 @@ Download mode dictates which download sources clients are allowed to use when do > Starting in Windows 11, the Bypass option of Download Mode is no longer used. > > [!NOTE] -> When you use AAD tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices. +> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices. ### Group ID diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index aedd92040e..0fa1fd23e9 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -48,7 +48,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| |Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | |Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | +|Feedback | - This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits: diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 363891d8a9..cb8a3216e5 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -47,7 +47,7 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Choose one of the following two enrollment options: -- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. +- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. @@ -91,7 +91,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi ### Set up Azure Active Directory-JOINED Windows client device -- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. +- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Set up Azure Active Directory-joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. > [!NOTE] > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key). diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index a3c3967aee..9996bf1d47 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md @@ -21,7 +21,7 @@ ms.date: 06/06/2022 > [!Important] > This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. -Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: +Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory-joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: - Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues @@ -53,7 +53,7 @@ Currently, the technical preview contains the following features: ## How Update Compliance works -You'll set up Update Compliance by enrolling into the solution from the Azure portal. Then you'll configure your Azure AD joined devices to send Windows client diagnostic data to the solution. Update Compliance uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Update Compliance collects system data such as: +You'll set up Update Compliance by enrolling into the solution from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the solution. Update Compliance uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Update Compliance collects system data such as: - Update deployment progress - Delivery Optimization usage data diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md index c4aa6213d1..05b179a33c 100644 --- a/windows/deployment/update/update-compliance-v2-prerequisites.md +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md @@ -30,8 +30,8 @@ Before you begin the process of adding Update Compliance to your Azure subscript - An Azure subscription with [Azure Active Directory](/azure/active-directory/) - You must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the Update Compliance solution. -- Devices must be Azure Active Directory joined and meet the below OS, diagnostic, and endpoint access requirements - - Devices that are Workplace joined only (Azure AD registered) aren't supported with Update Compliance +- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements. +- Devices that are Workplace joined only (Azure AD registered) aren't supported with Update Compliance. ### Operating systems and editions diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index fbae4bcd47..a0255dd78a 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -45,7 +45,7 @@ Deployment instructions are provided for the following scenarios: - The VM is running Windows 10, version 1803 or later (ex: Windows 11). - The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their Azure Active Directory credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 @@ -101,7 +101,7 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl >Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. - In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. - In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) - When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 09bd64cb23..98a270cd8d 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -49,7 +49,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen |Scenario|Description|More information| |--- |--- |--- | |[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)| -|[AAD / MDM](#dynamic-provisioning)|The device is automatically joined to AAD and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)| +|[AAD / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)| |[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)| ### Traditional diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2b534e585f..83e543db35 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -109,7 +109,7 @@ If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade ben #### Multifactor authentication -An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. +An issue has been identified with Hybrid Azure AD-joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue: @@ -162,7 +162,7 @@ You can benefit by moving to Windows as an online service in the following ways: > [!NOTE] > The following Windows 10 examples and scenarios also apply to Windows 11. -The device is AAD joined from **Settings > Accounts > Access work or school**. +The device is Azure Active Directory-joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 8df5ccd434..1afd929119 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -3732,7 +3732,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (AAD), or Local - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 14bed98da4..4ecc2c6fea 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -4989,7 +4989,7 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **accountType** The type of account that was deleted. Example: AD, Azure Active Directory (AAD), or Local. - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. - **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 406fa55f82..8cd8286d21 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -9567,7 +9567,7 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directoryjoined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. @@ -9652,7 +9652,7 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. +This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index fc4d236e62..a2dca9dc34 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -6239,7 +6239,7 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory-joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. @@ -6358,7 +6358,7 @@ The following fields are available: - **PackageVersion** The package version of the label. - **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. - **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. -- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDeviceId** The Azure Active Directory ID of the device used to create the device ID hash. - **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. - **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. - **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. @@ -6367,7 +6367,7 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. +The event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 50f081e04a..e00f0e9479 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -81,7 +81,7 @@ The following provides information on the current configurations: ## New Windows diagnostic data processor configuration -Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory joined devices. This configuration option is supported on the following versions of Windows: +Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows: - Windows 11 Enterprise, Professional, and Education - Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index d075c45196..b80ee20106 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -5771,7 +5771,7 @@ The following fields are available: - **CV** The correlation vector. - **GlobalEventCounter** Counts the events at the global level for telemetry. - **PackageVersion** The package version for currency tools. -- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined. +- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory-joined. - **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy. - **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ. @@ -5901,7 +5901,7 @@ The following fields are available: - **PackageVersion** The package version of the label. - **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. - **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. -- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDeviceId** The Azure Active Directory ID of the device used to create the device ID hash. - **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. - **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. - **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. @@ -5910,7 +5910,7 @@ The following fields are available: ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin -This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. +This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure. The following fields are available: diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 0e97842d03..3bdd705db6 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -156,9 +156,9 @@ An administrator can disable a user’s ability to delete their device’s diagn - Windows 11 Enterprise, Professional, and Education editions - Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer -The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. +The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities. -The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. +The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer. We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following: diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 9afeccfdbd..0ea88cb07e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -91,9 +91,9 @@ If there's a conflicting Device policy and User policy, the User policy would ta ## Related reference documents for Azure AD join scenarios -- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) +- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join) - [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment) - [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan) -- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin) +- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin) - [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal) - [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index b8c2e0c3b8..0b7c8c940f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -29,7 +29,7 @@ Applies to: - Windows 10, version 1803 and later - Windows 11 -PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". +PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue @@ -124,7 +124,7 @@ Domain controllers running early versions of Windows Server 2019 have an issue t On the client, authentication with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* -This error is usually presented on hybrid Azure AD joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring. +This error is usually presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring. The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH. @@ -158,8 +158,8 @@ User: Computer: Description: Windows Hello for Business provisioning will not be launched. -Device is AAD joined ( AADJ or DJ++ ): Yes -User has logged on with AAD credentials: Yes +Device is Azure Active Directory-joined ( AADJ or DJ++ ): Yes +User has logged on with Azure Active Directory credentials: Yes Windows Hello for Business policy is enabled: Yes Windows Hello for Business post-logon provisioning is enabled: Yes Local computer meets Windows hello for business hardware requirements: Yes diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 741371c28d..2ce62675f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -34,7 +34,7 @@ Three approaches are documented here: 1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. -1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. +1. Deploying a certificate to hybrid or Azure AD-joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. 1. Working with non-Microsoft enterprise certificate authorities. @@ -191,7 +191,7 @@ Once the configuration profile has been created, targeted clients will receive t 1. In the right-hand pane of the MMC, check for the new certificate > [!NOTE] -> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. +> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid Azure Active Directory-Joined devices using Intune Policies. ## Using non-Microsoft Enterprise Certificate Authorities @@ -205,6 +205,6 @@ The Generate-CertificateRequest commandlet will generate an .inf file for a pre- After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. -1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed. +1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid Azure Active Directory-Joined client where the authentication certificate has been deployed. 1. Attempt an RDP session to a target server. 1. Use the certificate credential protected by your Windows Hello for Business gesture. diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 4753b3c6f4..194607bd44 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -72,7 +72,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

-or-

Token was not found in the Authorization header.

-or-

Failed to read one or more objects.

-or-

The request sent to the server was invalid.

-or-

User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address. +| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | @@ -104,7 +104,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F0 | ​There is no key registered for the user. | | 0x801C03F1 | ​There is no UPN in the token. | | ​0x801C044C | There is no core window for the current thread. | -| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. | +| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 8135aa6650..12d4f1203e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -29,7 +29,7 @@ sections: - question: What is Windows Hello for Business cloud trust? answer: | - Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). - question: What about virtual smart cards? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 3ab6494347..4158e8838a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -39,7 +39,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider. >[!IMPORTANT] ->For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. +>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN. ### Reset PIN from Settings @@ -49,7 +49,7 @@ Destructive and non-destructive PIN reset use the same entry points for initiati ### Reset PIN above the Lock Screen -For Azure AD joined devices: +For Azure AD-joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. 1. Click **I forgot my PIN** from the PIN credential provider. @@ -57,7 +57,7 @@ For Azure AD joined devices: 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. -For Hybrid Azure AD joined devices: +For Hybrid Azure AD-joined devices: 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. 1. Click **I forgot my PIN** from the PIN credential provider. @@ -66,7 +66,7 @@ For Hybrid Azure AD joined devices: 1. When finished, unlock your desktop using your newly created PIN. > [!NOTE] -> Key trust on hybrid Azure AD joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. +> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). @@ -193,7 +193,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta - Windows 11 - Azure AD joined -The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. +The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. ### Configuring Policy Using Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 69d3ba639e..e1421172c1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -24,7 +24,7 @@ ms.reviewer: Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources. -Azure Active Directory joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. +Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) - [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview) @@ -39,7 +39,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c ![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png) > [!NOTE] -> All Azure AD joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD. +> All Azure AD-joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD. | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 91e6db25cf..96b5a3b434 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -80,7 +80,7 @@ List of provisioning flows: | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | > [!NOTE] -> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to AAD and AD after provisioning their credential. +> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. [Return to top](#windows-hello-for-business-provisioning) @@ -94,7 +94,7 @@ List of provisioning flows: | A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | | B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | -| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | +| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. Azure Active Directory Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | > [!IMPORTANT] > The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 86edd45c86..a7e607516e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -166,7 +166,7 @@ For more than a decade, many organizations have used the domain join to their on - Users to sign in to their devices with their Active Directory work or school accounts. Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them. -If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. +If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD-joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. ### Related topics [Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment) @@ -252,7 +252,7 @@ The simplest way to enable authentication for on-premises directory objects in A ## Primary Refresh Token SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device. -The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). +The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD-joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 0b25b65df8..23efa578c0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -22,7 +22,7 @@ ms.reviewer: - Windows 10 - Windows 11 -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 9496bd8da6..2029789901 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -1,5 +1,5 @@ --- -title: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business +title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them. keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security @@ -17,19 +17,19 @@ ms.topic: article localizationpriority: medium ms.date: 01/14/2021 --- -# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business +# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business **Applies to** - Windows 10 - Windows 11 -- Azure Active Directory joined +- Azure Active Directory-joined - Hybrid Deployment - Key trust model ## Prerequisites -Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD joined devices. Unlike hybrid Azure AD joined devices, Azure AD joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD joined devices. +Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. - Azure Active Directory Connect synchronization - Device Registration @@ -56,9 +56,9 @@ Certificates issued by a certificate authority can be revoked. When a certifica ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) -The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. +The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. -To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). +To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. @@ -73,7 +73,7 @@ If you are interested in configuring your environment to use the Windows Hello f ### Domain Controller Certificates -Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory +Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory #### Why does Windows need to validate the domain controller certificate? @@ -87,7 +87,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w - The domain controller's certificate's signature hash algorithm is **sha256**. - The domain controller's certificate's public key is **RSA (2048 Bits)**. -Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) +Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) > [!Tip] > If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. @@ -107,7 +107,7 @@ Steps you will perform include: ### Configure Internet Information Services to host CRL distribution point -You need to host your new certificate revocation list of a web server so Azure AD joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point. +You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point. > [!IMPORTANT] > Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. @@ -265,7 +265,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, ## Configure and Assign a Trusted Certificate Device Configuration Profile -Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. +Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices do not trust domain controller certificates and authentication fails. Steps you will perform include: - [Export Enterprise Root certificate](#export-enterprise-root-certificate) @@ -288,7 +288,7 @@ Steps you will perform include: ### Create and Assign a Trust Certificate Device Configuration Profile -A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD joined devices. +A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices. 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ebad63fce7..807592de85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,6 +1,6 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on -description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps. +description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps. keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security ms.mktglfcycl: deploy @@ -23,14 +23,14 @@ ms.reviewer: - Windows 10 - Windows 11 -- Azure Active Directory joined +- Azure Active Directory-joined - Hybrid Deployment - Certificate trust -If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices. +If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: @@ -44,7 +44,7 @@ Steps you will perform include: ## Requirements -You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on. +You need to install and configure additional infrastructure to provide Azure AD-joined devices with on-premises single-sign on. - An existing Windows Server 2012 R2 or later Enterprise Certificate Authority - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role @@ -75,7 +75,7 @@ Most environments change the user principal name suffix to match the organizatio To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. -### Verify AAD Connect version +### Verify Azure Active Directory Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. @@ -471,13 +471,13 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 5. Click **Add**. -6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**. +6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices. From the **Available services** list, select **HOST**. Click **OK**. ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png) 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. -8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. +8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. @@ -550,7 +550,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. -2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. +2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD-joined devices. 3. Type the following command: @@ -558,7 +558,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] ``` - where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD-joined devices. Example: ```console reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication @@ -573,7 +573,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials. ### Create a Web Application Proxy for the internal NDES URL. -Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. +Certificate enrollment for Azure AD-joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. @@ -697,7 +697,7 @@ Sign-in the NDES server with access equivalent to _local administrators_. 10. Click **Enroll** -11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. +11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD-joined devices. ### Configure the Web Server Role diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md index ddff708e26..6d2ac37a80 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md @@ -1,6 +1,6 @@ --- title: Azure AD Join Single Sign-on Deployment -description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory joined devices, using Windows Hello for Business. +description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business. keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: m365-security ms.mktglfcycl: deploy @@ -22,10 +22,10 @@ ms.reviewer: - Windows 10 - Windows 11 -- Azure Active Directory joined +- Azure Active Directory-joined - Hybrid deployment -Windows Hello for Business combined with Azure Active Directory joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory joined devices using Windows Hello for Business, using a key or a certificate. +Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate. ## Key vs. Certificate @@ -33,10 +33,10 @@ Enterprises can use either a key or a certificate to provide single-sign on for When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. +When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD-joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector. -To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). -To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). +To deploy single sign-on for Azure AD-joined devices using keys, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md). +To deploy single sign-on for Azure AD-joined devices using certificates, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for Azure Active Directory-joined On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index e1fac8d907..c45b19aa4d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -43,8 +43,8 @@ Use this three-phased approach for configuring device registration. > Before proceeding, you should familiarize yourself with device registration concepts such as: > > - Azure AD registered devices -> - Azure AD joined devices -> - Hybrid Azure AD joined devices +> - Azure AD-joined devices +> - Hybrid Azure AD-joined devices > > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction) @@ -55,7 +55,7 @@ Use this three-phased approach for configuring device registration. To support hybrid Windows Hello for Business, configure hybrid Azure AD join. -Follow the guidance on [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. +Follow the guidance on [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: @@ -69,11 +69,11 @@ You can learn more about this scenario by reading [Review on-premises UPN suppor ## Configure Active Directory to support Azure device synchronization -Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema +Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD-joined devices. Begin with upgrading the Active Directory Schema ### Upgrading Active Directory to the Windows Server 2016 or later Schema -To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. +To use Windows Hello for Business with Hybrid Azure AD-joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later. > [!IMPORTANT] > If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 04926dd580..f3d6ed1281 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -31,7 +31,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha ![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png) -The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. @@ -52,7 +52,7 @@ The provisioning flow has all the information it needs to complete the Windows H - A fresh, successful multi-factor authentication - A validated PIN that meets the PIN complexity requirements -The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory. +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. Azure Active Directory Connect synchronizes the user's key to the on-premises Active Directory. > [!IMPORTANT] > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index bc3b32a38e..e6408a1ce4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -38,7 +38,7 @@ This section has you configure certificate templates on your Windows Server 2012 Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future. By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index a86fb2633a..796769153f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -40,7 +40,7 @@ Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos ## Azure Active Directory Kerberos and Cloud Trust Authentication -Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. +Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs. @@ -53,7 +53,7 @@ More details on how Azure AD Kerberos enables access to on-premises resources ar | Requirement | Notes | | --- | --- | | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. | -| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD joined devices. | +| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| | Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | @@ -83,7 +83,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl ### Configure Windows Hello for Business Policy -After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD joined devices. +After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices. #### Configure Using Group Policy @@ -202,7 +202,7 @@ To configure the cloud trust policy, follow the steps below: ## Provisioning -The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD joined devices when cloud trust is enabled by policy. +The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy. You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console. @@ -210,7 +210,7 @@ You can determine the status of the prerequisite check by viewing the **User Dev The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined. -This prerequisite check isn't done for provisioning on Azure AD joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in. +This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in. ### PIN Setup diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index ea3e5ae8d1..4f8c8153c4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -85,7 +85,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL. +> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL. ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 04d4d3b8b1..90cbd52d95 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -31,8 +31,8 @@ You're ready to configure device registration for your hybrid environment. Hybri > [!NOTE] > Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices -> * Azure AD joined devices -> * Hybrid Azure AD joined devices +> * Azure AD-joined devices +> * Hybrid Azure AD-joined devices > > You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview) @@ -40,7 +40,7 @@ You're ready to configure device registration for your hybrid environment. Hybri Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. +Follow the guidance on the [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment. If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f32954e088..90aaa2b968 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -83,7 +83,7 @@ The minimum required Enterprise certificate authority that can be used with Wind > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: > * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. -> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. +> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based url. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index d2c8eb0585..c7dd159a00 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -31,7 +31,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha ![Event358.](images/Event358-2.png) -The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. +The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index de67cd6dd3..418298f89e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -38,7 +38,7 @@ This section has you configure certificate templates on your Windows Server 2012 Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future. By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 6ea84e8f0d..d98732f5c2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -34,7 +34,7 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate. -Hybrid Azure AD joined devices needs one Group Policy setting: +Hybrid Azure AD-joined devices needs one Group Policy setting: * Enable Windows Hello for Business ### Configure Domain Controllers for Automatic Certificate Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 65b58ef1a0..7436890316 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -99,7 +99,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -191,7 +191,7 @@ If your organization does not have cloud resources, write **On-Premises** in box ### Trust type -Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. @@ -259,10 +259,10 @@ If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models. -If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices. If you choose to manage Azure Active Directory joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**. +If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices. If you choose to manage Azure Active Directory-joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**. > [!NOTE] -> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. +> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet. @@ -278,7 +278,7 @@ Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. > [!NOTE] -> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. +> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization. Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true. * Box **2a** on your planning worksheet read **modern management**. @@ -306,7 +306,7 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section. -The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances: diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index f4e8cb2358..a3e52561e5 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -80,7 +80,7 @@ If the credentials are certificate-based, then the elements in the following tab | SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. | | SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | | Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | -| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | +| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD-joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | ## NDES server configuration diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 2db35d51b3..df216aa4e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md @@ -33,7 +33,7 @@ This article depicts the BitLocker deployment comparison chart. |Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | |Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | |Minimum Windows version |1909 | None | None | -|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined | +|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | |Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | |Cloud or on premises | Cloud | On premises | On premises | |Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index 680cbb7c42..3a677030de 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md @@ -110,5 +110,5 @@ This issue may occur when the Windows operating system is not the owner of the T For more information about TPM issues, see the following articles: - [TPM fundamentals: Anti-hammering](../tpm/tpm-fundamentals.md#anti-hammering) -- [Troubleshooting hybrid Azure Active Directory joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) +- [Troubleshooting hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current) - [Troubleshoot the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md) \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 3463eceedc..1c229713a8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD-joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 6953ab042b..a9fa1d579f 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -50,7 +50,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side 3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). -4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. 5. The attestation service does the following: diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 034ffc1f83..61ce4d8540 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -213,7 +213,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. > [!NOTE] > Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. @@ -471,7 +471,7 @@ Some of the other new CSPs are: For more information, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 6faf817654..b12832e871 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -187,7 +187,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf #### Key-rolling and Key-rotation -This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. +This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. ## Deployment diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index df0bb338ac..081dcc19a7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -181,7 +181,7 @@ Windows Update for Business managed devices are now able to defer feature update ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register). ### Optimize update delivery diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index ad9ebb3782..71bb8bbb6a 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -57,7 +57,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m ### Mobile Device Management (MDM) -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index d14888637d..d587dd6af5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -31,7 +31,7 @@ Windows Autopilot self-deploying mode enables a zero touch device provisioning e This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. +You can utilize Windows Autopilot self-deploying mode to register the device to an Azure Active Directory tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](/windows/deployment/windows-autopilot/self-deploying). @@ -60,7 +60,7 @@ This also means you’ll see more links to other security apps within **Windows #### Silent enforcement on fixed drives -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. @@ -138,11 +138,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge). -### Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined +### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. +Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory-joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. ### Windows 10 Pro S Mode requires a network connection diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 7f89949678..8f1b6a4c3c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -49,7 +49,7 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to ### Key-rolling and Key-rotation -Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. +Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users. ### Transport Layer Security (TLS) From 859211bf86b4d79146336a1cdd522f04d4110f60 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Thu, 9 Jun 2022 13:52:24 +0530 Subject: [PATCH 04/11] Fixing suggestions --- .../hello-for-business/hello-how-it-works-authentication.md | 2 +- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index e1421172c1..443d3adc15 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -51,7 +51,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c ## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview) -![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloudtrust-kerb.png) +![Azure Active Directory join authentication to Azure AD.](images/howitworks/auth-aadj-cloudtrust-kerb.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 796769153f..f8d135a315 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -189,7 +189,7 @@ To configure the cloud trust policy, follow the steps below: - Data type: Boolean - Value: True - [![Intune custom device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) + [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) 1. Select Next to navigate to **Assignments**. 1. Under Included groups, select **Add groups**. From d9b883546cb82132c6ada0238317ad68138b3139 Mon Sep 17 00:00:00 2001 From: Jake Stoker <94176328+JASTOKER@users.noreply.github.com> Date: Mon, 13 Jun 2022 14:31:20 +0100 Subject: [PATCH 05/11] Update FAQ Pre-requisites question Changed ConfigMgr 2010 to Supported version (2010 is now out of support). Added text to show that ConfigMgr and Co-Management is only required when devices are managed by ConfigMgr. If devices are Intune only, Co-management and Configmgr are not pre-requisites for Autopatch. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 2c496594e3..5a0aafff96 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -42,8 +42,9 @@ sections: - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) + Additional pre-requisites for devices managed by Configuration Manager: - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements) - - [Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010) + - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune) - question: What are the licensing requirements for Windows Autopatch? answer: | @@ -103,4 +104,4 @@ sections: Programmatic access to Autopatch isn't currently available. additionalContent: | ## Additional Content - [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch \ No newline at end of file + [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch From 536b5c06e6ca9a371c7a1691206a86d809c824aa Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 13 Jun 2022 08:06:13 -0700 Subject: [PATCH 06/11] Update windows-autopatch-faq.yml --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 5a0aafff96..756b5a205e 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -104,4 +104,4 @@ sections: Programmatic access to Autopatch isn't currently available. additionalContent: | ## Additional Content - [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch + [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch) From 4f9a3f7e187fb338704f778b7a154108381aff7e Mon Sep 17 00:00:00 2001 From: Jake Stoker <94176328+JASTOKER@users.noreply.github.com> Date: Mon, 13 Jun 2022 16:44:52 +0100 Subject: [PATCH 07/11] Updated Autopatch FAQ added missing bullet point. Also added clarity that co-management pilot workloads must include the devices in the pilot collection specified that are to be registered in Autopatch. @tiaraquan --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 756b5a205e..f56dfdd794 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -42,10 +42,10 @@ sections: - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) - Additional pre-requisites for devices managed by Configuration Manager: + - Additional pre-requisites for devices managed by Configuration Manager: - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune) + - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). From 841d9ecb8862151be8ea47a8862fea5601114588 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 13 Jun 2022 08:53:09 -0700 Subject: [PATCH 08/11] Update windows-autopatch-faq.yml --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index f56dfdd794..6aed402396 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -42,7 +42,7 @@ sections: - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) - - Additional pre-requisites for devices managed by Configuration Manager: + Additional pre-requisites for devices managed by Configuration Manager: - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) From fd662101dadc4b1507ccbcb4a78d68a04ba8a838 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Mon, 13 Jun 2022 10:24:35 -0700 Subject: [PATCH 09/11] Add section about proc config changes --- ...ws-diagnostic-data-in-your-organization.md | 66 ++++++++++++++++++- 1 file changed, 63 insertions(+), 3 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 5c614eaed1..8a52c89678 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -8,9 +8,9 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp +author: DHB-MSFT +ms.author: danbrown +manager: dougeby ms.collection: - M365-security-compliance - highpri @@ -260,6 +260,9 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm ## Enable Windows diagnostic data processor configuration +> [!IMPORTANT] +> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). + The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements. ### Prerequisites @@ -327,6 +330,63 @@ Windows Update for Business: - [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections) +### Significant changes coming to the Windows diagnostic data processor configuration + +Currently, to enroll devices in the Window diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level. + +To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on. + +***We’ll stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, we’ll be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsoft’s role in data processing.*** + +We’re making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region. + +#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA) + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe. + +From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users’ [data subject requests](/compliance/regulatory/gdpr-dsr-windows). + +#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA + +For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data: + +- [Update Compliance](/windows/deployment/update/update-compliance-monitor) +- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) +- [Microsoft Managed Desktop](/managed-desktop/intro/) +- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) + +*(Additional licensing requirements may apply to use these services.)* + +If you don’t sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data. + +> [!NOTE] +> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +#### Rollout plan for this change + +This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. + +During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: + +- Devices can't be enabled for the Windows diagnostic data processor configuration at this time. +- The processor configuration will be disabled in any devices that were previously enabled. +- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +It's recommended Insiders on these devices pause flighting if these changes aren't acceptable. + +For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply. + +For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022. + +To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services. + +As part of this change, the following policies will no longer be supported to configure the processor option: + - Allow commercial data pipeline + - Allow Desktop Analytics Processing + - Allow Update Compliance Processing + - Allow WUfB Cloud Processing + - Configure the Commercial ID + ## Limit optional diagnostic data for Desktop Analytics For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing). From ead3be19d36545111746a966b521aa97101c9dc2 Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Mon, 13 Jun 2022 10:34:09 -0700 Subject: [PATCH 10/11] Add links to info about data proc config changes --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 3 +++ windows/privacy/windows-10-and-privacy-compliance.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index e00f0e9479..4fc453ce1e 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -81,6 +81,9 @@ The following provides information on the current configurations: ## New Windows diagnostic data processor configuration +> [!IMPORTANT] +> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). + Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows: - Windows 11 Enterprise, Professional, and Education diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md index 3bdd705db6..5c3e01a880 100644 --- a/windows/privacy/windows-10-and-privacy-compliance.md +++ b/windows/privacy/windows-10-and-privacy-compliance.md @@ -151,6 +151,9 @@ An administrator can disable a user’s ability to delete their device’s diagn #### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_ +> [!IMPORTANT] +> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration). + **Applies to:** - Windows 11 Enterprise, Professional, and Education editions From 83354c184d8d1bf3eaf4419799295e701bea6eab Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 13 Jun 2022 14:20:08 -0700 Subject: [PATCH 11/11] Aligning with UX based on Mounica's walkthrough. --- .../operate/windows-autopatch-edge.md | 2 +- .../operate/windows-autopatch-support-request.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md index 4b27f96da4..988fb95d21 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md @@ -22,7 +22,7 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto - The device must be powered on and have an internet connection. - There are no policy conflicts between Windows Autopatch policies and customer policies. -- The device must be able to access the required network endpoints to reach the Microsoft Edge update service. +- The device must be able to access the required network endpoints to reach the Microsoft Edge update service. - If Microsoft Edge is open, it must restart for the update process to complete. ## Update release schedule diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 06eeae4e4d..dbb8cdf6e1 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -26,8 +26,8 @@ Support requests are triaged and responded to as they're received. **To submit a new support request:** 1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu. -1. In the **Windows Autopatch** section, select **Service requests**. -1. In the **Service requests** section, select **+ New support request**. +1. In the **Windows Autopatch** section, select **Support requests**. +1. In the **Support requests** section, select **+ New support request**. 1. Enter your question(s) and/or a description of the problem. 1. Review all the information you provided for accuracy. 1. When you're ready, select **Create**. @@ -43,7 +43,7 @@ You can see the summary status of all your support requests. At any time, you ca **To view all your active support requests:** 1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Service request**. +1. In the **Windows Autopatch** section, select **Support request**. 1. From this view, you can export the summary view or select any case to view the details. ## Edit support request details @@ -53,8 +53,8 @@ You can edit support request details, for example, updating the primary case con **To edit support request details:** 1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Service request**. -1. In the **Service requests** section, use the search bar or filters to find the case you want to edit. +1. In the **Windows Autopatch** section, select **Support request**. +1. In the **Support requests** section, use the search bar or filters to find the case you want to edit. 1. Select the case to open the request's details. 1. Scroll to the bottom of the request details and select **Edit**. 1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team. @@ -64,8 +64,8 @@ Once a support request is mitigated, it can no longer be edited. If a request ha ## Microsoft FastTrack -[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.yml). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1). +[Microsoft FastTrack](https://www.microsoft.com/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.yml). For more information, visit the [Microsoft FastTrack website](https://www.microsoft.com/fasttrack?rtc=1). -Customers who need help with Microsoft 365 workloads can sign in to https://fasttrack.microsoft.com/ with a valid Azure ID and submit a Request for Assistance. +Customers who need help with Microsoft 365 workloads can sign in to [Microsoft FastTrack](https://fasttrack.microsoft.com/) with a valid Azure ID and submit a Request for Assistance. Contact your Microsoft account team if you need additional assistance.