From 00fffaf676e00a5eba2f9dbeeb0a5a024d775e0e Mon Sep 17 00:00:00 2001 From: George Shih <40845924+geos-ms@users.noreply.github.com> Date: Wed, 30 Mar 2022 18:51:27 +0800 Subject: [PATCH 01/16] Update Hello FAQ to clarify lid closed case --- .../identity-protection/hello-for-business/hello-faq.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 7081a2b5d6..bb4c297899 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -79,10 +79,14 @@ sections: answer: | It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users. - - question: Can I use an external Windows Hello compatible camera when my laptop is closed or docked? + - question: Can I use an external Windows Hello compatible camera when my computer has a built in Windows Hello compatible camera? answer: | Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? + answer: | + Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. + - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. From 3b11486d01584a506045be6309441fd5be937672 Mon Sep 17 00:00:00 2001 
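Review bot: the new lid-closed answer promises a fix without anything a reader can act on: "the latest Windows Insiders builds" and "the future version of Windows 11" name neither a build nor a version. Either give the build once it is known or write "a future version of Windows 11" and drop the Insider reference, since FAQ text outlives Insider flights. Two smaller points on the same hunk: "built in" in the reworded first question should be "built-in", and "when my laptop lid is closed or docked" reads as if the lid is docked; "when my laptop is docked with the lid closed" matches the wording of the answer.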
From: Carmen Forsmann Date: Wed, 30 Mar 2022 09:30:53 -0600 Subject: [PATCH 02/16] Update waas-delivery-optimization-faq.md Removed '.md' file extension to fix link. --- windows/deployment/update/waas-delivery-optimization-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md index 0f59183964..6425a6af48 100644 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ b/windows/deployment/update/waas-delivery-optimization-faq.md @@ -36,7 +36,7 @@ Delivery Optimization also communicates with its cloud service by using HTTP/HTT ## What are the requirements if I use a proxy? -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting.md). +For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). ## What hostnames should I allow through my firewall to support Delivery Optimization? From 33ae7348ebb7faf369409c325b8ce3595cb4104e Mon Sep 17 00:00:00 2001 
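Review bot: the link target being fixed, `windows-update-troubleshooting.md`, sits in the same `windows/deployment/update/` directory as this FAQ (see the file path in the diff header), so a plain relative link `windows-update-troubleshooting.md` is the simplest fix and is the form the build can check, consistent with the `../do/delivery-optimization-proxy.md` link earlier in the same sentence. Dropping the extension from the site-absolute path also resolves, so this is a style point rather than a blocker.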
From: Carmen Forsmann Date: Wed, 30 Mar 2022 09:45:03 -0600 Subject: [PATCH 03/16] Update index.yml Add link to FAQ page. --- windows/deployment/do/index.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 986056d1ce..c50e4d8d6b 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -47,6 +47,8 @@ landingContent: url: waas-delivery-optimization-setup.md#windows-powershell-cmdlets - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting + - text: Delivery Optimization Frequently Asked Questions + url: waas-delivery-optimization-faq - text: Submit feedback url: https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app From 52ee27d353ef5a389213659b7027a30c6c295395 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Wed, 30 Mar 2022 09:57:35 -0600 Subject: [PATCH 04/16] Update index.yml --- windows/deployment/do/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index c50e4d8d6b..01e71f030f 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -48,7 +48,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: waas-delivery-optimization-faq + url: waas-delivery-optimization-faq.md - text: Submit feedback url: https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app From 164f674c97a731ffad8c20161017e8083f403469 Mon Sep 17 00:00:00 2001 
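Review bot: the corrected `url: waas-delivery-optimization-faq.md` in PATCH 04 is still wrong. `index.yml` lives in `windows/deployment/do/`, while the FAQ file is `windows/deployment/update/waas-delivery-optimization-faq.md` (see the diff header in PATCH 02), so the relative path needs `../update/` in front of it or the landing-page link will 404. PATCH 03 and PATCH 04 edit the same two lines and would be cleaner squashed into one commit.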
From: Noah Myers <81661816+nonotnoah@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:37:26 -0700 Subject: [PATCH 05/16] fix redundant acronym ATM machine is a redundant acronym. This fix is in line with other uses of ATM in this document such as here: https://docs.microsoft.com/en-us/windows/deployment/update/get-started-updates-channels-tools#long-term-servicing-channel --- windows/deployment/update/waas-quick-start.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 3c6ac3426f..9f6c9e6c7b 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -31,7 +31,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **General Availability Channel** receives feature updates annually. - - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. + - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. 
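Review bot: the edited line carries a grammar error that this hunk leaves in place: "which meant only for specialized devices" should be "which is meant only for specialized devices". Since the bullet is being rewritten anyway, fix both in the same change rather than in a follow-up commit.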
From ec3db587d6fc0e75b0f40495a3ecd68884e4c8fd Mon Sep 17 00:00:00 2001 From: George Shih <40845924+geos-ms@users.noreply.github.com> Date: Thu, 31 Mar 2022 12:43:45 +0800 Subject: [PATCH 06/16] Address the case of ESS devices --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index bb4c297899..5edb16893e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -85,7 +85,7 @@ sections: - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | - Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. + Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | From e5fae1e841988c0237b57d92e00895ea1b3b4d14 Mon Sep 17 00:00:00 2001 
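Review bot: the sentence appended to the lid-closed answer has three problems. It is a comma splice ("...is restricted if ESS is enabled, please see ..."), and ESS is never expanded; write "...is restricted when Enhanced Sign-in Security (ESS) is enabled. For more information, see [...]". The restriction is also not specific to the lid-closed case: it applies to any external Windows Hello camera or accessory, so it belongs with the preceding question about external cameras. Finally, the link is a locale-specific absolute URL (`https://docs.microsoft.com/en-us/...`), which breaks for localized readers; other files in this series use locale-neutral site-relative paths (for example `/mem/configmgr/...` in PATCH 10), so use `/windows-hardware/design/device-experiences/...` here.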
From: George Shih <40845924+geos-ms@users.noreply.github.com> Date: Thu, 31 Mar 2022 13:50:00 +0800 Subject: [PATCH 07/16] Address the case of ESS devices again --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 5edb16893e..5762e33ff9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -81,11 +81,11 @@ sections: - question: Can I use an external Windows Hello compatible camera when my computer has a built in Windows Hello compatible camera? answer: | - Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | - Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. 
However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). + Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in the latest Windows Insiders builds and will be available in the future version of Windows 11. - question: Why does authentication fail immediately after provisioning hybrid key trust? answer: | From 3fd6313ebfa93ff6bfc6b69119dca69120b1c667 Mon Sep 17 00:00:00 2001 From: Mark Renoden Date: Fri, 1 Apr 2022 09:21:07 +1100 Subject: [PATCH 08/16] Update windows-10-subscription-activation.md Universal Store Service APIs and Web Application has been added to the Conditional Access policy editors so that organizations can avoid the MFA issue. --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 4a7dccff99..ad6bf5aa42 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -125,6 +125,8 @@ If the device is running Windows 10, version 1809 or later: ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) +Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue. + ### Windows 10/11 Education requirements - Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. 
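Review bot (PATCH 07): moving the ESS sentence to the external-camera question is the right placement, but the sentence is moved verbatim and still has the comma splice ("...is restricted if ESS is enabled, please see ...") and the unexpanded acronym; write "...is restricted when Enhanced Sign-in Security (ESS) is enabled. For more information, see [...]". The shorthand "external Hello cameras and accessories" should also match the term used in the question it now answers, "Windows Hello compatible camera".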
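Review bot (PATCH 08): the added paragraph recommends a Conditional Access exclusion without stating what it costs. Excluding the Universal Store Service APIs and Web Application from the all-users, all-cloud-apps MFA policy removes the MFA requirement for every sign-in to that application, not only for subscription activation, so the text should say so and advise keeping the exclusion as narrow as the tenant's policy structure allows and reviewing it periodically. Also: "this issue" has no antecedent in the hunk, so name it (the MFA prompt during subscription activation shown in the images above); put the AppID in code formatting (`45a330b1-b1ec-4cc1-9161-9f03992aa49f`); and hyphenate "all-users, all-cloud-apps MFA policy" so it reads as a policy name rather than a run of nouns.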
From 43604a9b868d9e0031f763d760bb26cc56a610cf Mon Sep 17 00:00:00 2001 From: Noah Myers <81661816+nonotnoah@users.noreply.github.com> Date: Fri, 1 Apr 2022 09:24:30 -0700 Subject: [PATCH 09/16] Update windows/deployment/update/waas-quick-start.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/waas-quick-start.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 9f6c9e6c7b..57fcb750ea 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -31,7 +31,7 @@ Some new terms have been introduced as part of Windows as a service, so you shou - **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. - **Servicing channels** allow organizations to choose when to deploy new features. - The **General Availability Channel** receives feature updates annually. - - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years. + - The **Long-Term Servicing Channel**, which is meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs, receives new feature releases every two to three years. - **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization. See [Overview of Windows as a service](waas-overview.md) for more information. From 1cbafc45b679aae61de8b2a92d945a358fe0fcf2 Mon Sep 17 00:00:00 2001 
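Review bot: this hunk fixes the same bullet that PATCH 05 edited ("which meant" to "which is meant"); squash it into PATCH 05 so the history shows one wording fix for the line rather than two commits touching it.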
From: cathyethoca <39312769+cathyethoca@users.noreply.github.com> Date: Fri, 1 Apr 2022 14:10:05 -0400 Subject: [PATCH 10/16] Fixing Markdown errors that hid wildcards 0x80072EE2 has a list of URLs that includes wildcard (*) characters. Markdown was treating them as italics instead of displaying them. --- windows/deployment/update/windows-update-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index b500ca17a8..c3688b1dda 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -198,7 +198,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
https://.windowsupdate.microsoft.com
https://update.microsoft.com
https://*.update.microsoft.com
https://windowsupdate.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://*.download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://*.wustat.windows.com
https://ntservicepack.microsoft.com | +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
`https://*.windowsupdate.microsoft.com`
`https://update.microsoft.com`
`https://*.update.microsoft.com`
`https://windowsupdate.com`
`https://*.windowsupdate.com`
`https://download.windowsupdate.com`
`https://*.download.windowsupdate.com`
`https://download.microsoft.com`
`https://*.download.windowsupdate.com`
`https://wustat.windows.com`
`https://*.wustat.windows.com`
`https://ntservicepack.microsoft.com` | ## 0x80240022 From 45e0643b0f0c6ff686374139b9457cd002a7f579 Mon Sep 17 00:00:00 2001 From: Scott Brondel Date: Mon, 4 Apr 2022 13:30:02 -0500 Subject: [PATCH 11/16] Fix incorrect EFI mount code The $EFIDestinationFolder needs a top-level \EFI folder in the path, which was not present in that line. To avoid potential confusion by having a C:\EFI\EFI\... structure in $MountPoint, I also changed $MountPoint from C:\EFI to C:\EFIMount for clarity. --- .../deployment/deploy-wdac-policies-with-script.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index e7c5dca396..43ecea1845 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -85,8 +85,8 @@ In addition to the steps outlined above, the binary policy file must also be cop 1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: ```powershell - $MountPoint = 'C:\EFI' - $EFIDestinationFolder = "$MountPoint\Microsoft\Boot\CiPolicies\Active" + $MountPoint = 'C:\EFIMount' + $EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active" $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] mountvol $MountPoint $EFIPartition mkdir $EFIDestinationFolder From 59ccba0896a1e0c007f1ad1caecd34ceca3ea58d Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 5 Apr 2022 13:35:51 -0700 Subject: [PATCH 12/16] Update index.yml --- windows/deployment/do/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
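Review bot (PATCH 10): the endpoint list keeps a duplicate after the fix: `https://*.download.windowsupdate.com` appears twice, once after `https://download.windowsupdate.com` and again after `https://download.microsoft.com`. The second occurrence looks like a copy-paste error; confirm whether the intended entry was the wildcard form of the `download.microsoft.com` host that precedes it, or drop the duplicate, because firewall allow-lists will be built from this table. The backtick wrapping is the right fix for the wildcards, and it also repairs the `-` line `https://.windowsupdate.microsoft.com`, which had no `*` at all in the source. One remaining inconsistency: the first entry is plain `http://windowsupdate.microsoft.com` while every other entry is `https://`; if that is intentional, say so in the cell, otherwise readers will assume a typo.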
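Review bot (PATCH 11): the path fix is correct (the CI policy folder is under `\EFI\Microsoft\Boot` on the system partition), but `mkdir $EFIDestinationFolder` in the same block contradicts the step text "make the directory, if it does not exist": in PowerShell `mkdir` wraps `New-Item`, which throws if the directory already exists, so the step fails on any re-run. Use `New-Item -ItemType Directory -Path $EFIDestinationFolder -Force` so the step is idempotent. Also check that `C:\EFIMount` exists before `mountvol $MountPoint $EFIPartition` runs: `mountvol` expects an existing empty directory as the mount point, and nothing in the hunk creates it.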
diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index 01e71f030f..a28f2419bc 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -48,7 +48,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: waas-delivery-optimization-faq.md + url: ../update/waas-delivery-optimization-faq.md - text: Submit feedback url: https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app From e39fb2f7634e880e6e7ae5ba95dc74c36d9cef8e Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 6 Apr 2022 11:04:30 +0530 Subject: [PATCH 13/16] Update references of Azure AD graph to Microsoft Graph Updated as per task : 5916612. Thanks! --- ...e-active-directory-integration-with-mdm.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 634025c4b9..68f72c7329 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
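Review bot: `../update/waas-delivery-optimization-faq.md` is the correct relative path from `windows/deployment/do/index.yml` to the FAQ file shown in PATCH 02's diff header, so this finally resolves the link. It is, however, the third commit in the series (after PATCH 03 and PATCH 04) to edit the same two lines; squash the three into one.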
@@ -99,11 +99,11 @@ The following diagram illustrates the high-level flow involved in the actual enr ![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) -The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. +The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. ## Make the MDM a reliable party of Azure AD -To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). +To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). ### Add a cloud-based MDM 
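Review bot: the link text is renamed to "Microsoft Graph API" but both links still point at `/azure/active-directory/develop/active-directory-graph-api`, the Azure AD Graph page, so text and target now disagree. Either change the target to the Microsoft Graph documentation or keep the Azure AD Graph name and add a deprecation note; renaming the text alone misleads readers about which API the compliance sample later in this article calls. While on this hunk, the context heading "Make the MDM a reliable party of Azure AD" should read "relying party".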
@@ -148,7 +148,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD. 13. Generate a key for your application and copy it. - You need this key to call the Azure AD Graph API to report device compliance. This information is covered in the next section. + You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section. For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). @@ -164,7 +164,7 @@ For more information about registering applications with Azure AD, see [Basics o ### Key management and security guidelines -The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. +The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715). 
@@ -202,7 +202,7 @@ The following table shows the required information to create an entry in the Azu There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrator to add an app to their tenant. -However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Azure AD Graph API and for reporting device compliance. +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. Thee ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance. ## Themes @@ -247,7 +247,6 @@ The following parameters are passed in the query string: |api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.| |mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.| - ### Access token Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: @@ -267,7 +266,7 @@ The following claims are expected in the access token passed by Windows to the T > [!NOTE] > There's no device ID claim in the access token because the device may not yet be enrolled at this time. -To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). +To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). Here's an example URL. 
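Review bot: the touched line in the `@@ -202` hunk keeps the typo "Thee ID and key"; since the sentence is being rewritten, make it "The ID and key". The `@@ -267` hunk has the same text/target mismatch as the earlier hunks: "[Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api)" names one API and links to the other, and the group-membership example URL that follows this line needs to be checked against whichever API the text settles on.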
@@ -443,9 +442,9 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth - **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD. - **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. -### Use Azure AD Graph API +### Use Microsoft Graph API -The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device being managed by it. +The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it. > [!NOTE] > This API is only applicable for approved MDM apps on Windows 10 devices. 
@@ -466,7 +465,7 @@ Where: - **contoso.com** – This value is the name of the Azure AD tenant to whose directory the device has been joined. - **db7ab579-3759-4492-a03f-655ca7f52ae1** – This value is the device identifier for the device whose compliance information is being reported to Azure AD. -- **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request. +- **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. - **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. - **api-version** - Use this parameter to specify which version of the graph API is being requested. From 9c63c01291e976925aaa3918594d30a974097f23 Mon Sep 17 00:00:00 2001 From: Foad Sojoodi Farimani Date: Wed, 6 Apr 2022 14:42:18 +0200 Subject: [PATCH 14/16] and --> or just a simple fix --- .../windows-sandbox/windows-sandbox-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 65b8c21047..bb68f8ea94 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
@@ -59,7 +59,7 @@ The following video provides an overview of Windows Sandbox. Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true ``` -3. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. +3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2. From 018754e1d921385b4895af8cd1a9f2a322c04ec2 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 7 Apr 2022 09:55:09 -0700 Subject: [PATCH 15/16] Update azure-active-directory-integration-with-mdm.md --- .../mdm/azure-active-directory-integration-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 68f72c7329..96dd333a39 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
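Review bot: the string should match the Windows UI exactly, which is "Turn Windows features on or off" with a lowercase "features"; the hunk fixes "and" to "or" but keeps the capital F, so a reader searching for the quoted text still will not get an exact match.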
@@ -112,7 +112,7 @@ A cloud-based MDM is a SaaS application that provides device management capabili The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). > [!NOTE] -> For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenent the managed device belongs. From 3065e76df2cc325d8b14b244d1925084257c877a Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 11 Apr 2022 12:46:13 -0600 Subject: [PATCH 16/16] Update windows-update-errors.md Fix Acro Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/6454 --- windows/deployment/update/windows-update-errors.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index c3688b1dda..3442f06f82 100644 --- a/windows/deployment/update/windows-update-errors.md 
+++ b/windows/deployment/update/windows-update-errors.md @@ -118,7 +118,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.| ## 0x800f0825 @@ -148,7 +148,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | ## 0x80070570
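Review bot: In the azure-active-directory-integration-with-mdm.md hunk at @@ -466,7 +465,7 @@, renaming "Azure AD Graph API" to "Microsoft Graph API" leaves the surrounding example describing the old endpoint: the trailing context line "**api-version** - Use this parameter to specify which version of the graph API is being requested" documents the Azure AD Graph query parameter, whereas Microsoft Graph selects the version through the URL path (v1.0 or beta), so either the request example and the api-version bullet should be updated together with the rename or the rename should wait until they are. While here, the context bullet "These Boolean attributes indicates compliance status" should read "indicate", and it uses a plain hyphen where the other bullets use an en dash.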
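Review bot: In the windows-sandbox-overview.md hunk at @@ -59,7 +59,7 @@, the "and"→"or" correction matches the actual dialog name, but the code context line "Set-VMProcessor -VMName \ -ExposeVirtualizationExtensions $true" shows only a stray backslash where the VM name placeholder belongs; please confirm the source renders a readable placeholder for the VM name (for example a bracketed name inside the code fence), since as shown the command cannot be copied and run.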
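Review bot: In the azure-active-directory-integration-with-mdm.md hunk at @@ -112,7 +112,7 @@, the "tentant"→"tenant" fix misses the same misspelling two lines down in the trailing context: "whatever the customer tenent the managed device belongs" should become "whichever customer tenant the managed device belongs to". The leading context line "Here a code sample from GitHub that explains ..." is also missing "is" ("Here is a code sample ..."); both are worth folding into this commit.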
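Review bot: In the windows-update-errors.md hunk at @@ -118,7 +118,7 @@, the "the device has installed" fix is correct, but the same mitigation cell still states "Extending the timeout will mitigate the issue" without saying how or where the servicing stack watchdog timeout is extended; either add the procedure or a link, or drop the sentence so the reader is left with actionable steps only (add resources, install KB4493473 or later).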
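Review bot: In the windows-update-errors.md hunk at @@ -148,7 +148,7 @@, the "acess"→"access" fix leaves "It could be access denied to a file, registry key" reading awkwardly; suggest "Access may have been denied to a file or a registry key." Also consider giving the search string as a code span (`, error`) rather than in curly quotes, so a reader copying it into the log search gets the literal characters.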