From fe835d46e4edb9e42d457bba8a80fcc9c995c53d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Sun, 19 Dec 2021 23:56:07 +0100 Subject: [PATCH 1/8] Replaced old Azure AD Graph-based examples Updated section "Verify the onPremisesDistinguishedName attribute is synchronized" as suggested in user feedback for issue #10216 Replaced Azure AD Graph examples with Microsoft Graph. #ATCP --- .../hello-hybrid-aadj-sso-cert.md | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index cd403a4167..d6ce21bdd3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -87,17 +87,51 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad ### Verify the onPremisesDistinguishedName attribute is synchronized -The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. +The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ +1. Open a web browser and navigate to https://developer.microsoft.com/en-us/graph/graph-explorer -2. Click **Login** and provide Azure credentials +2. Click **Sign in to Graph Explorer** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** +> [!NOTE] +> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. -4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. +3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and click **Consent**. You will now be prompted for delegated permissions consent. - ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) +4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. 
Click **Run query** + +> [!NOTE] +> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. + +#### Request + + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName +``` + +5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**. + +#### Response + +```http +HTTP/1.1 200 OK +Content-type: application/json + +{ + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,onPremisesDistinguishedName)/$entity", + "displayName": "Nestor Wilke", + "userPrincipalName": "NestorW@contoso.com", + "onPremisesDistinguishedName" : "CN=Nestor Wilke,OU=Operations,DC=contoso,DC=com" +} +``` ## Prepare the Network Device Enrollment Services (NDES) Service Account From 28b5dbc5b87461f5e74fb36f8f1fba7cc16a0f70 Mon Sep 17 00:00:00 2001 
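Review bot: the added intro line "The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized..." carries the original misspelling into the new text; since this line is being rewritten anyway, correct it to `onPremisesDistinguishedName` so it matches the attribute name used in the `$select` query and the heading. Second, the `#### Request` heading and its fenced block are inserted between numbered steps 4 and 5 (and `#### Response` after step 5), which breaks the ordered list in rendered Markdown and will restart numbering at 1 for step 5; either indent the request sample under step 4 as part of that list item or move the Request/Response samples below the list and reference them from the steps. Minor: the response JSON uses `"onPremisesDistinguishedName" : "..."` with a space before the colon while the other keys do not, so align it with the rest of the sample.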
From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:14:13 +0100 Subject: [PATCH 2/8] Update Graph Explorer URL Was uncertain as to keep or not keep the locale in the URL. I noticed it worked either way, so thanks for clarifying! :-) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d6ce21bdd3..30fa08883f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -89,7 +89,7 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to https://developer.microsoft.com/en-us/graph/graph-explorer +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). 2. Click **Sign in to Graph Explorer** and provide Azure credentials From ffbe7994c5809665ddb01c5fe7cafd1ca367734b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:15:05 +0100 Subject: [PATCH 3/8] Select rather than Click ...and a full stop, thanks :-) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 30fa08883f..70de4da80f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). -2. Click **Sign in to Graph Explorer** and provide Azure credentials +2. Select **Sign in to Graph Explorer** and provide Azure credentials. > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. From bf9231540fac8dc39bef2ff66a3fd720bbc976d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:16:13 +0100 Subject: [PATCH 4/8] Lets get rid of click! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 70de4da80f..74e6286f69 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -96,7 +96,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. -3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and click **Consent**. You will now be prompted for delegated permissions consent. +3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. 4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. Click **Run query** From 01dc646ce3e1972a8bfe8d11cc2c58b24cb1e765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:17:01 +0100 Subject: [PATCH 5/8] Clean up text Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 74e6286f69..4892c11eb3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -98,7 +98,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. -4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. Click **Run query** +4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. From 53f68a50da0331345fc890a615e6404121a943e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:17:40 +0100 Subject: [PATCH 6/8] Correct writing. Thanks for reading through and proposing changes! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4892c11eb3..b7b190c49c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -101,7 +101,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] -> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. +> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. #### Request From 218d85c22cd5b2b4f1d826bb14f75842672c4daf Mon Sep 17 00:00:00 2001 
From: Rafal Sosnowski <51166236+rafals2@users.noreply.github.com> Date: Thu, 3 Feb 2022 11:39:09 -0800 Subject: [PATCH 7/8] Update bitlocker-csp.md updated the part for encryption type with non-silent / silent enablement --- windows/client-management/mdm/bitlocker-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 4530da2896..cb39d3bcd2 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML: ``` > [!NOTE] -> Currently only used space encryption is supported when using this CSP. +> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on SystemDrivesEncryptionType and FixedDrivesEncryptionType configured on the device. From ccb4c783d4b4fd1b91676ec0da3aa35591bedf45 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 4 Feb 2022 09:03:28 -0800 Subject: [PATCH 8/8] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index cb39d3bcd2..6b83e9c150 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 04/16/2020 +ms.date: 02/04/2022 ms.reviewer: manager: dansimp ms.collection: highpri 
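Review bot: the new note wording in the bitlocker-csp.md hunk is ambiguous about whether silent encryption *only* uses full disk encryption or merely *also* supports it; the removed line was an exclusivity statement ("only used space encryption is supported"), so if the intent is that silent enablement always performs full disk encryption regardless of the configured encryption type, say so explicitly, for example "For silent encryption, this CSP currently always uses full disk encryption. For non-silent encryption, the encryption type depends on the `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` values configured on the device." Also add a comma after "Currently" and use "depends on" rather than "will depend on" to match the surrounding present-tense prose.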
@@ -21,7 +21,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to > > You must send all the settings together in a single SyncML to be effective. -A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns +A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). @@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML: ``` > [!NOTE] -> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on SystemDrivesEncryptionType and FixedDrivesEncryptionType configured on the device. +> Currently full disk encryption is supported when using this CSP for silent encryption. For non-silent encryption, encryption type will depend on `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` configured on the device.
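Review bot: in the second hunk of this patch the backtick formatting for `Get`, `RequireDeviceEncryption` and `RequireStorageCardEncryption` is applied only to the first line of the paragraph; the unchanged context lines that follow still read "For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns..." and "(SystemDrivesMinimumPINLength)" without backticks, so the paragraph now mixes both styles. Extend the same code formatting to those occurrences in the same change so the identifiers are presented consistently, as was done for `SystemDrivesEncryptionType` and `FixedDrivesEncryptionType` in the third hunk.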