From 72aa691c6462a0b19846fe3fd6f03da3a367b952 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 2 Mar 2022 18:51:35 +0530 Subject: [PATCH] Acrolinx enhancement --- ...ent-tool-for-windows-store-for-business.md | 6 +- .../mdm/mdm-enrollment-of-windows-devices.md | 86 +++++++++---------- .../mdm/mobile-device-enrollment.md | 20 ++--- 3 files changed, 56 insertions(+), 56 deletions(-) diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 408691f2ed..d210a1ee7e 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -46,13 +46,13 @@ The Store for Business provides services that enable a management tool to synchr ### Offline-licensed application distribution -The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. +The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. ![business store offline app distribution.](images/businessstoreportalservices2.png) ### Online-licensed application distribution -The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. +The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once the applications are synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application. ![business store online app distribution.](images/businessstoreportalservices3.png) 
@@ -85,7 +85,7 @@ Here are the details for requesting an authorization token: ## Using the management tool -After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: +After you register your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns: - First the ability to get new or updated applications. - Second the ability to assign or reclaim applications. diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index e475077509..f3255ab42f 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -24,7 +24,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l ## Connect corporate-owned Windows 10-based devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. ![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) 
@@ -33,11 +33,11 @@ You can connect corporate-owned devices to work by either joining the device to Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. > [!NOTE] -> Mobile devices cannot be connected to an Active Directory domain. +> Mobile devices can't be connected to an Active Directory domain. ### Out-of-box-experience -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported. To join a domain: +Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: 1. On the **Who Owns this PC?** page, select **My work or school owns it**. 
@@ -81,14 +81,14 @@ To create a local account and connect the device: ### Help with connecting to an Active Directory domain -There are a few instances where your device cannot be connected to an Active Directory domain. +There are a few instances where your device can't be connected to an Active Directory domain. | Connection issue | Description | |-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is running Windows 10 Home. 
| This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | 
@@ -108,11 +108,11 @@ To join a domain: ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. +3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. - If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. 
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) 
@@ -136,43 +136,43 @@ To create a local account and connect the device: ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**. +5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). 
If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. + After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) ### Help with connecting to an Azure AD domain -There are a few instances where your device cannot be connected to an Azure AD domain. +There are a few instances where your device can't be connected to an Azure AD domain. | Connection issue | Description | |-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. 
| -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You cannot connect to both simultaneously. | -| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Azure AD domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | +| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | ## Connect personally owned devices -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. 
Windows 10 does not require a personal Microsoft account on devices to connect to work or school. +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. ### Connect to a work or school account 
@@ -194,17 +194,17 @@ To create a local account and connect the device: ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) -4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. +4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication. +5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. + Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) @@ -240,9 +240,9 @@ To create a local account and connect the device: ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. +6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) 
@@ -255,10 +255,10 @@ There are a few instances where your device may not be able to connect to work. | Error Message | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | +| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Endpoint Configuration Manager. | -| You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. 
| ## Connect your Windows 10-based device to work using a deep link 
@@ -277,10 +277,10 @@ The deep link used for connecting your device to work will always use the follow | mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. 
| GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] > AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later. @@ -297,7 +297,7 @@ To connect your devices to MDM using deep links: 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. 
@@ -311,7 +311,7 @@ To connect your devices to MDM using deep links: ![set up a work or school account screen](images/deeplinkenrollment3.png) -3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. +3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. 
@@ -326,15 +326,15 @@ To manage your work or school connections, select **Settings** > **Accounts** > ### Info -The **Info** button can be found on work or school connections involving MDM. This includes the following scenarios: +The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: - Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. - Connecting your device to a work or school account that has auto-enroll into MDM configured. - Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. +Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) 
@@ -343,10 +343,10 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ### Disconnect -The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this: +The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: -- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. -- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. +- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. > [!WARNING] > Disconnecting might result in the loss of data on the device. 
@@ -356,7 +356,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here. +Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here. ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 10c37d020b..7a55677360 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -33,7 +33,7 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: @@ -56,7 +56,7 @@ The following topics describe the end-to-end enrollment process using various au - [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) > [!Note] -> As a best practice, do not use hardcoded server-side checks on values such as: +> As a best practice, don't use hardcoded server-side checks on values such as: > - User agent string > - Any fixed URIs that are passed during enrollment > - Specific formatting of any value unless otherwise noted, such as the format of the device ID. 
@@ -67,11 +67,11 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v ## Disable MDM enrollments -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. ![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) -Here is the corresponding registry key: +Here's the corresponding registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM @@ -79,10 +79,10 @@ Value: DisableRegistration ## Enrollment scenarios not supported -The following scenarios do not allow MDM enrollments: +The following scenarios don't allow MDM enrollments: -- Built-in administrator accounts on Windows desktop cannot enroll into MDM. -- Standard users cannot enroll in MDM. Only admin users can enroll. +- Built-in administrator accounts on Windows desktop can't enroll into MDM. +- Standard users can't enroll in MDM. Only admin users can enroll. ## Enrollment error messages @@ -128,7 +128,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Namespace**: `s:` - **Subcode**: Authorization - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user is not authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. + - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - **HRESULT**: 80180003 - **Namespace**: `s:` 
@@ -155,7 +155,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. - **HRESULT**: 80180007 -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: +In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: ```xml @@ -224,7 +224,7 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. - **HRESULT**: 80180019 -TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. +TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. ## Related topics
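Review bot: In the "Help with connecting to an Active Directory domain" table (the -81 hunk in mdm-enrollment-of-windows-devices.md), the rewritten "You're logged in as a standard user." row still says "Your device can only be connected to an Azure AD domain if you're logged in as an administrative user", but this table covers Active Directory domain join; the identical wording belongs to the Azure AD table later in the file. Since the row is being touched anyway, suggest "connected to an Active Directory domain if you're logged in as an administrative user" so the two help tables don't state the same condition for the wrong join type.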
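Review bot: Step 5 in the -194 hunk keeps a pre-existing grammar slip: "this page changes to show the organization's custom branding, and can enter your password directly into the page" has no subject for "can enter". Suggest "and you can enter your password directly on this page", which also matches the wording used for the same step in the -108 and -136 hunks.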
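Review bot: The two rewritten cells in the -255 error-message table ("Talk to your admin." and "Check your username and try again. If you know the URL to your management endpoint, enter it.") are in the **Error Message** column, which documents the literal text the enrollment UI shows. Dropping "Please" from those strings makes the doc stop matching the on-screen message, so a user searching for the exact wording won't find this table. Suggest reverting those two cells and applying the Acrolinx rewording only to the **Description** column.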
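Review bot: "This button is included in the following scenarios" in the -326 hunk changes what the sentence refers to: the original "This includes the following scenarios" described the work or school connections involving MDM, not the button. Suggest "These connections include the following scenarios:" so the list still describes the connection types on which the **Info** button appears.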
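Review bot: "There are many changes made to the enrollment protocol" in the -33 hunk of mobile-device-enrollment.md still has the redundant "there are ... made" construction that the concision edit was meant to remove. Suggest "Many changes were made to the enrollment protocol to better support various scenarios across all platforms."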
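Review bot: "With the GP editor being used, the path is ..." in the Disable MDM enrollments hunk (-67) reads worse than the line it replaces, and the passive phrasing is exactly what the Acrolinx pass targets. Suggest "In the Group Policy editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**." In the same sentence, "IT admin can disable" should be "IT admins can disable".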
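Review bot: The rewritten MENROLL_E_DEVICE_AUTHORIZATION_ERROR description in the -128 hunk keeps "enroll to Mobile Device Management (MDM)", while the -79 hunk in the same file standardizes on "enroll in MDM". Suggest "The user isn't authorized to enroll in Mobile Device Management (MDM)." for consistency.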
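Review bot: The TraceID line changed in the -224 hunk still reads "It should identify the server side state for this enrollment attempt"; "server-side" should be hyphenated as a compound modifier, and the same hunk already uses "server-side checks" elsewhere in the file (the -56 note). Suggest "the server-side state for this enrollment attempt".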