From e5038ce1d7539be68da0e56bce9c0c1214d6ee6c Mon Sep 17 00:00:00 2001 From: Alex Buck Date: Tue, 17 Oct 2023 23:15:18 -0400 Subject: [PATCH 1/5] [BULK] - DocuTune - Rebranding of Azure Active Dir --- ...e-active-directory-integration-with-mdm.md | 172 ++++++++++-------- ...omatic-mdm-enrollment-in-the-new-portal.md | 6 +- ...ollment-using-windows-provisioning-tool.md | 6 +- .../client-tools/connect-to-remote-aadj-pc.md | 64 ++++--- .../client-tools/quick-assist.md | 4 +- .../client-management/client-tools/toc.yml | 2 +- .../disconnecting-from-mdm-unenrollment.md | 14 +- ...device-automatically-using-group-policy.md | 24 +-- .../enterprise-app-management.md | 8 +- .../esim-enterprise-management.md | 2 +- ...rver-side-mobile-application-management.md | 28 +-- windows/client-management/index.yml | 4 +- ...-in-your-organization-modern-management.md | 12 +- .../mdm-diagnose-enrollment.md | 16 +- .../mdm-enrollment-of-windows-devices.md | 70 +++---- windows/client-management/mdm-known-issues.md | 8 +- windows/client-management/mdm-overview.md | 6 +- windows/client-management/toc.yml | 2 +- 18 files changed, 242 insertions(+), 206 deletions(-) diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 7f11d203d5..fdff4dbb1a 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,6 +1,6 @@ --- -title: Azure Active Directory integration with MDM -description: Azure Active Directory is the world's largest enterprise cloud identity management service. +title: Microsoft Entra integration with MDM +description: Microsoft Entra ID is the world's largest enterprise cloud identity management service. ms.topic: article ms.collection: - highpri 
@@ -8,90 +8,94 @@ ms.collection: ms.date: 08/10/2023 --- -# Azure Active Directory integration with MDM +# Microsoft Entra integration with MDM -Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: - Can enforce compliance with organization policies, add or remove apps, and more. -- Can report a device's compliance in Azure AD. -- Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies. +- Can report a device's compliance in Microsoft Entra ID. +- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies. -To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. +To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID. 
## Integrated MDM enrollment and UX -There are several ways to connect your devices to Azure AD: +There are several ways to connect your devices to Microsoft Entra ID: -- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join) -- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join) +- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) -In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. +In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. -In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. 
It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. +In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). +For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. 
+Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar. > [!NOTE] -> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account. +> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account. -### MDM endpoints involved in Azure AD integrated enrollment + -Azure AD MDM enrollment is a two-step process: +### MDM endpoints involved in Microsoft Entra integrated enrollment + +Microsoft Entra MDM enrollment is a two-step process: 1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. 1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. -To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. +To support Microsoft Entra enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. - **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their organization can control their device. The **Terms of Use** page is responsible for collecting user's consent before the actual enrollment phase begins. - It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. 
For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. + It's important to understand the Terms of Use flow is an "opaque box" to Windows and Microsoft Entra ID. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. - The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. + The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Microsoft Entra ID. -- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. +- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Microsoft Entra ID. Automatic MDM enrollment begins. - The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. 
This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. + The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Microsoft Entra ID. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Microsoft Entra ID (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Microsoft Entra ID. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. - [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox) + [![Microsoft Entra enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox) - The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. 
+ The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. -## Make MDM a reliable party of Azure AD + -To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). +## Make MDM a reliable party of Microsoft Entra ID + +To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). ### Cloud-based MDM -A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. +A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. 
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. +The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. > [!NOTE] -> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow these step-by-step guides: +> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides: > -> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. -> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. +> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. +> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Azure AD. 
These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs. +The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs. > [!NOTE] -> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). +> All MDM apps must implement Azure AD v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Azure AD v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). ### On-premises MDM -An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD. +An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. 
Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Microsoft Entra ID. -To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, use the Microsoft Entra service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use. -Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. +Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Microsoft Entra ID when reporting device compliance. -For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](/previous-versions/azure/dn499820(v=azure.100)). +For more information about registering applications with Microsoft Entra ID, see [Basics of Registering an Application in Microsoft Entra ID](/previous-versions/azure/dn499820(v=azure.100)). ### Key management and security guidelines 
@@ -99,22 +103,24 @@ The application keys used by your MDM service are a sensitive resource. They sho For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Azure AD tenant. +For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Microsoft Entra tenant. -For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys. +For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys. -## Publish your MDM app to Azure AD app gallery + -IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD. +## Publish your MDM app to Microsoft Entra app gallery + +IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID. 
### Add cloud-based MDM to the app gallery > [!NOTE] -> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +> You should work with the Microsoft Entra engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application -To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing) +To publish your application, [submit a request to publish your application in Microsoft Entra application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing) -The following table shows the required information to create an entry in the Azure AD app gallery. +The following table shows the required information to create an entry in the Microsoft Entra app gallery. | Item | Description | |---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -132,12 +138,12 @@ However, key management is different for on-premises MDM. You must obtain the cl ## Themes -The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right. +The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Microsoft Entra join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right. There are three distinct scenarios: -1. MDM enrollment as part of Azure AD Join in Windows OOBE. -1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. +1. MDM enrollment as part of Microsoft Entra join in Windows OOBE. +1. MDM enrollment as part of Microsoft Entra join, after Windows OOBE from **Settings**. 1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). These scenarios support Windows Pro, Enterprise, and Education. 
@@ -158,7 +164,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is ## Terms of Use protocol semantics -The MDM server hosts the **Terms of Use** endpoint. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. +The MDM server hosts the **Terms of Use** endpoint. During the Microsoft Entra join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. ### Redirect to the Terms of Use endpoint @@ -175,7 +181,7 @@ The following parameters are passed in the query string: ### Access token -Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: +Microsoft Entra ID issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: **Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw... @@ -200,7 +206,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm Authorization: Bearer eyJ0eXAiOi ``` -The MDM is expected to validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate. +The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate. ### Terms of Use content 
@@ -225,7 +231,7 @@ At this point, the user is on the Terms of Use page shown during the OOBE or fro - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. -Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join. +Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Microsoft Entra join process. Don't show the decline button in the Microsoft Entra join process. The user can't decline the MDM enrollment if configured by the administrator for the Microsoft Entra join. We recommend that you send the client-request-id parameters in the query string as part of this redirect response. 
@@ -251,14 +257,16 @@ The following table shows the error codes. |--------------------------------------------------------------------------------------------------|-------------|---------------------|-----------------------------| | api-version | 302 | invalid_request | unsupported version | | Tenant or user data are missing or other required prerequisites for device enrollment aren't met | 302 | unauthorized_client | unauthorized user or tenant | -| Azure AD token validation failed | 302 | unauthorized_client | unauthorized_client | +| Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client | | internal service error | 302 | server_error | internal service error | -## Enrollment protocol with Azure AD + + +## Enrollment protocol with Microsoft Entra ID With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. -|Detail|Traditional MDM enrollment|Azure AD Join (organization-owned device)|Azure AD adds a work account (user-owned device)| +|Detail|Traditional MDM enrollment|Microsoft Entra join (organization-owned device)|Microsoft Entra ID adds a work account (user-owned device)| |--- |--- |--- |--- | |MDM auto-discovery using email address to retrieve MDM discovery URL|Enrollment|Not applicable
Discovery URL provisioned in Azure|| |Uses MDM discovery URL|Enrollment
Enrollment renewal
ROBO|Enrollment
Enrollment renewal
ROBO|Enrollment
Enrollment renewal
ROBO| @@ -268,7 +276,7 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove |EnrollmentServiceURL|Required (all auth)|Used (all auth)|Used (all auth)| |EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL|Highly recommended|Highly recommended|Highly recommended| |AuthenticationServiceURL used|Used (Federated auth)|Skipped|Skipped| -|BinarySecurityToken|Custom per MDM|Azure AD issued token|Azure AD issued token| +|BinarySecurityToken|Custom per MDM|Microsoft Entra ID issued token|Microsoft Entra ID issued token| |EnrollmentType|Full|Device|Full| |Enrolled certificate type|User certificate|Device certificate|User certificate| |Enrolled certificate store|My/User|My/System|My/User| @@ -276,41 +284,45 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported| |CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| -## Management protocol with Azure AD + -There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. +## Management protocol with Microsoft Entra ID -- **Multiple user management for Azure AD-joined devices** +There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. - In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device. 
+- **Multiple user management for Microsoft Entra joined devices** + + In this scenario, the MDM enrollment applies to every Microsoft Entra user who signs in to the Microsoft Entra joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Microsoft Entra user tokens. Each management session contains an extra HTTP header that contains a Microsoft Entra user token. This information is provided in the DM package sent to the management server. However, in some circumstances Microsoft Entra user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Microsoft Entra join process. Until Microsoft Entra join process is finished and Microsoft Entra user signs on to the machine, Microsoft Entra user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Microsoft Entra user sign in to machine and the initial management session doesn't contain a Microsoft Entra user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Microsoft Entra token in the OMA-DM payload is when a guest is logged on to the device. - **Adding a work account and MDM enrollment to a device**: - In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. 
+ In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. In this enrollment type, the management server can ignore Microsoft Entra tokens that may be sent over during management session. Whether Microsoft Entra token is present or missing, the management server sends both user and device policies to the device. -- **Evaluating Azure AD user tokens**: +- **Evaluating Microsoft Entra user tokens**: - The Azure AD token is in the HTTP Authorization header in the following format: + The Microsoft Entra token is in the HTTP Authorization header in the following format: ```console Authorization:Bearer ``` - More claims may be present in the Azure AD token, such as: + More claims may be present in the Microsoft Entra token, such as: - User - user currently logged in - Device compliance - value set the MDM service into Azure - Device ID - identifies the device that is checking in - Tenant ID - Access tokens issued by Azure AD are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: + Access tokens issued by Microsoft Entra ID are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). - - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). + - Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. 
For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). -## Device Alert 1224 for Azure AD user token + -An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example: +## Device Alert 1224 for Microsoft Entra user token + +An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example: ```xml Alert Type: com.microsoft/MDM/AADUserToken @@ -338,8 +350,8 @@ An alert is sent to the MDM server in DM package \#1. - Alert type - `com.microsoft/MDM/LoginStatus` - Alert format - `chr` - Alert data - provide sign-in status information for the current active logged in user. - - Signed-in user who has an Azure AD account - predefined text: user. - - Signed-in user without an Azure AD account- predefined text: others. + - Signed-in user who has a Microsoft Entra account - predefined text: user. + - Signed-in user without a Microsoft Entra account- predefined text: others. - No active user - predefined text:none Here's an example. 
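Review bot: The rewritten multi-user paragraph under `## Management protocol with Microsoft Entra ID` carries the old text's grammar errors into the new `+` line and they should be fixed while the line is being touched: `One such scenario happens immediately after MDM enrollments completes` (enrollment completes), `before Microsoft Entra user sign in to machine` (before the Microsoft Entra user signs in to the machine), and `To allow management server to identify current user that is logged on` (to allow the management server to identify the user currently signed in). The security-relevant instruction in that paragraph is correct and worth keeping prominent: the server must treat a missing user token as a device-only session and send only device policies.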
@@ -360,14 +372,16 @@ Here's an example. ``` -## Report device compliance to Azure AD + -Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD. +## Report device compliance to Microsoft Entra ID + +Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID. For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). -- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD. -- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. +- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID. 
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID. ### Use Microsoft Graph API @@ -390,9 +404,9 @@ Content-Type: application/json Where: -- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined. -- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD. -- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. +- **contoso.com** - This value is the name of the Microsoft Entra tenant to whose directory the device has been joined. +- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Microsoft Entra ID. +- **eyJ0eXAiO**......... - This value is the bearer access token issued by Microsoft Entra ID to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. - **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. - **api-version** - Use this parameter to specify which version of the graph API is being requested. 
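Review bot: In the **On-premises MDM** bullet, `the key used to authenticate with Microsoft Entra ID` stays vague through the rename; the surrounding text says the MDM obtains its token with the OAuth 2.0 client_credentials grant and links the `Daemon_CertificateCredential-DotNet` sample, so name the thing: `customers must configure your product with the client credential (certificate or secret) used to authenticate to Microsoft Entra ID`. Since the bullet tells vendors to expose a configuration experience for that value, one sentence saying it must be stored as a protected secret rather than in plain configuration would fit here.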
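Review bot: The parameter list under `### Use Microsoft Graph API` describes a tenant name in the path (`contoso.com`) plus an `api-version` query parameter, which is the request shape of the older Azure AD Graph endpoint rather than Microsoft Graph; while this section is being rebranded, confirm which endpoint the request sample targets and that the heading matches, because readers will copy whatever endpoint the sample shows. Minor: `graph API` in the **api-version** bullet should be capitalized to match the heading.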
@@ -401,9 +415,11 @@ Response: - Success - HTTP 204 with No Content. - Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found. -## Data loss during unenrollment from Azure Active Directory Join + -When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. +## Data loss during unenrollment from Microsoft Entra join + +When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. ![aadj unenrollment.](images/azure-ad-unenrollment.png) diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 636a885451..e1c894e2c5 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
@@ -7,12 +7,12 @@ ms.date: 08/10/2023 # Automatic MDM enrollment in the Intune admin center -Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure portal. +Windows devices can be enrolled in to Intune automatically when they join or register with Microsoft Entra ID. Automatic enrollment can be configured in Azure portal. -1. Go to your Azure AD portal. +1. Go to your Microsoft Entra admin center. 1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. 1. Select **Microsoft Intune** and configure the enrollment options. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group). ![Configure the Blade.](images/azure-intune-configure-scope.png) -1. Select **Save** to configure MDM autoenrollment for Azure AD joined devices and bring-your-own-device scenarios. +1. Select **Save** to configure MDM autoenrollment for Microsoft Entra joined devices and bring-your-own-device scenarios. diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md index 84c1486cec..522b5d05b6 100644 --- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md 
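Review bot: The intro sentence `Automatic enrollment can be configured in Azure portal.` is left unchanged while step 1 now reads `Go to your Microsoft Entra admin center.`, so the procedure names two different portals; update the intro to match, e.g. `Automatic enrollment can be configured in the Microsoft Entra admin center.`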
@@ -7,7 +7,7 @@ ms.date: 08/10/2023 # Bulk enrollment using Windows Configuration Designer -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario. ## Typical use cases @@ -23,10 +23,10 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > -> - Bulk-join is not supported in Azure Active Directory Join. +> - Bulk-join is not supported in Microsoft Entra join. > - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. -> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. +> - To change bulk enrollment settings, login to **Microsoft Entra ID**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. > - Bulk Token creation is not supported with federated accounts. ## What you need diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md index 56f57c950e..2e3e741284 100644 --- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md 
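Review bot: In the NOTE block, `login to **Microsoft Entra ID**, then **Devices**, and then click **Device Settings**` keeps `login` as a verb; `sign in to` is the style term, and since the product name is changing anyway this reads better as a navigation path: `sign in to the Microsoft Entra admin center, go to **Devices** > **Device settings**, and change the number under **Maximum number of devices per user**`. The renamed `Bulk-join is not supported in Microsoft Entra join` line is fine as written.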
@@ -1,6 +1,6 @@ --- -title: Connect to remote Azure Active Directory joined device -description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. +title: Connect to remote Microsoft Entra joined device +description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device. ms.localizationpriority: medium ms.date: 08/10/2023 ms.topic: article 
@@ -9,36 +9,38 @@ ms.collection: - tier2 --- -# Connect to remote Azure Active Directory joined device +# Connect to remote Microsoft Entra joined device -Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP). +Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP). - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). -- Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). +- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication). ## Prerequisites - Both devices (local and remote) must be running a supported version of Windows. - Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**. - It's recommended to select **Require devices to use Network Level Authentication to connect** option. -- If the user who joined the device to Azure AD is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. +- If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device. -## Connect with Azure AD Authentication + -Azure AD Authentication can be used on the following operating systems for both the local and remote device: +## Connect with Microsoft Entra authentication + +Microsoft Entra authentication can be used on the following operating systems for both the local and remote device: - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed. - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. -There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: +There's no requirement for the local device to be joined to a domain or Microsoft Entra ID. As a result, this method allows you to connect to the remote Microsoft Entra joined device from: -- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. +- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. - Active Directory joined device. - Workgroup device. -Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices. 
+Microsoft Entra authentication can also be used to connect to Microsoft Entra hybrid joined devices. To connect to the remote computer: 
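Review bot: The `+` line `Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID` carries the existing typo `s well as` into the new text; fix it to `as well as` in the same line. Separately, the bullet link `[use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication)` still points at the old fragment while the heading becomes `## Connect with Microsoft Entra authentication`, whose generated slug is `#connect-with-microsoft-entra-authentication`; the `+` line added just above the new heading shows as empty here, so if it is meant to carry an anchor that preserves the old slug, confirm it survived, otherwise update the fragment.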
@@ -48,29 +50,31 @@ To connect to the remote computer: > [!NOTE] > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. - > The name must match the hostname of the remote device in Azure AD and be network addressable, resolving to the IP address of the remote device. + > The name must match the hostname of the remote device in Microsoft Entra ID and be network addressable, resolving to the IP address of the remote device. - When prompted for credentials, specify your user name in `user@domain.com` format. -- You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. +- You're then prompted to allow the remote desktop connection when connecting to a new PC. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect. > [!IMPORTANT] -> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access. +> If your organization has configured and is using [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. 
Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access. ### Disconnection when the session is locked -The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. +The Windows lock screen in the remote session doesn't support Microsoft Entra authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected. -Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies. +Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies. -## Connect without Azure AD Authentication + -By default, RDP doesn't use Azure AD authentication, even if the remote PC supports it. 
This method allows you to connect to the remote Azure AD joined device from: +## Connect without Microsoft Entra authentication -- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later. -- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later. +By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from: + +- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device using Windows 10, version 1607 or later. +- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device using Windows 10, version 2004 or later. > [!NOTE] -> Both the local and remote device must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +> Both the local and remote device must be in the same Microsoft Entra tenant. Microsoft Entra B2B guests aren't supported for Remote desktop. To connect to the remote computer: 
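Review bot: `Microsoft Entra remembers up to 15 hosts for 30 days before prompting again` should be `Microsoft Entra ID remembers ...`; the service name is Microsoft Entra ID, as the same hunk uses a few lines later in `Microsoft Entra ID reevaluates the applicable conditional access policies`, and `Microsoft Entra` on its own is the product family, so the rename should be consistent within the hunk.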
@@ -79,26 +83,26 @@ To connect to the remote computer: - When prompted for credentials, specify your user name in either `user@domain.com` or `AzureAD\user@domain.com` format. > [!TIP] -> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is AAD joined. If you are signing in to your work account, try using your work email address**. +> If you specify your user name in `domain\user` format, you may receive an error indicating the logon attempt failed with the message **Remote machine is Microsoft Entra joined. If you are signing in to your work account, try using your work email address**. > [!NOTE] > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. ### Supported configurations -This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication: +This table lists the supported configurations for remotely connecting to a Microsoft Entra joined device without using Microsoft Entra authentication: | **Criteria** | **Client operating system** | **Supported credentials** | |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------| -| RDP from **Azure AD registered device** | Windows 10, version 2004 or later | Password, smart card | -| RDP from **Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | -| RDP from **hybrid Azure AD joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | +| RDP from **Microsoft Entra registered device** | Windows 10, version 2004 or later | Password, smart card | +| RDP from **Microsoft Entra joined device** | Windows 10, version 1607 or later | 
Password, smart card, Windows Hello for Business certificate trust | +| RDP from **Microsoft Entra hybrid joined device** | Windows 10, version 1607 or later | Password, smart card, Windows Hello for Business certificate trust | > [!NOTE] -> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure AD joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Microsoft Entra joined devices, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] -> When an Azure AD group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Azure AD group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. +> When a Microsoft Entra group is added to the **Remote Desktop Users** group on a Windows device, it isn't honored when the user that belongs to the Microsoft Entra group logs in through RDP, resulting in failure to establish the remote connection. In this scenario, Network Level Authentication should be disabled to allow the connection. ## Add users to Remote Desktop Users group 
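Review bot: In the TIP, the bold text **Remote machine is Microsoft Entra joined. If you are signing in to your work account, try using your work email address** is a quoted Windows error message, not prose; rebranding a literal UI string changes the text a user would search for, so it should read exactly as the OS emits it (the original `Remote machine is AAD joined.` unless the string itself has been updated in Windows). Same hunk, second NOTE: `In this scenario, Network Level Authentication should be disabled to allow the connection` sits against the prerequisite above that recommends **Require devices to use Network Level Authentication to connect**; a caveat that disabling NLA exposes the logon screen to unauthenticated clients and should be limited to the affected hosts would help, since readers land on this workaround.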
@@ -106,7 +110,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo - **Adding users manually**: - You can specify individual Azure AD accounts for remote connections by running the following command, where `` is the UPN of the user, for example `user@domain.com`: + You can specify individual Microsoft Entra accounts for remote connections by running the following command, where `` is the UPN of the user, for example `user@domain.com`: ```cmd net localgroup "Remote Desktop Users" /add "AzureAD\" @@ -116,7 +120,7 @@ Remote Desktop Users group is used to grant users and groups permissions to remo - **Adding users using policy**: - Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Microsoft Entra joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). ## Related articles diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md index 615806cfd5..58eceea5e1 100644 --- a/windows/client-management/client-tools/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md 
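Review bot: The policy bullet changes the link text to `How to manage the local administrators group on Microsoft Entra joined devices` but keeps the fragment `#manage-administrator-privileges-using-azure-ad-groups-preview`; if the target page's heading was rebranded the way the headings in this PR are, the fragment no longer resolves, so verify it against the current target. The `AzureAD\` prefix in the `net localgroup "Remote Desktop Users" /add` command and the `AzureAD\user@domain.com` credential format are correctly left untouched, since they are literal account-name prefixes Windows expects, not branding.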
@@ -19,7 +19,7 @@ All that's required to use Quick Assist is suitable network and internet connect ### Authentication -The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. +The helper can authenticate when they sign in by using a Microsoft account (MSA) or Microsoft Entra ID. Local Active Directory authentication isn't currently supported. ### Network considerations @@ -36,7 +36,7 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis | `*.registrar.skype.com` | Required for Azure Communication Service. | | `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | | `*.trouter.skype.com` | Used for Azure Communication Service for chat and connection between parties. | -| `aadcdn.msauth.net` | Required for logging in to the application (Azure AD). | +| `aadcdn.msauth.net` | Required for logging in to the application (Microsoft Entra ID). | | `edge.skype.com` | Used for Azure Communication Service for chat and connection between parties. | | `login.microsoftonline.com` | Required for Microsoft login service. | | `remoteassistanceprodacs.communication.azure.com` | Used for Azure Communication Service for chat and connection between parties. | diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml index 311cb0c84f..115ff9afd8 100644 --- a/windows/client-management/client-tools/toc.yml +++ b/windows/client-management/client-tools/toc.yml @@ -3,7 +3,7 @@ items: href: administrative-tools-in-windows.md - name: Use Quick Assist to help users href: quick-assist.md - - name: Connect to remote Azure Active Directory-joined PC + - name: Connect to remote Microsoft Entra joined PC href: connect-to-remote-aadj-pc.md - name: Create mandatory user profiles href: mandatory-user-profile.md 
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md index 9b12683d3e..00e2645545 100644 --- a/windows/client-management/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md 
@@ -100,24 +100,26 @@ When the server initiates disconnection, all undergoing sessions for the enrollm ## Unenrollment from Work Access settings page -If the user is enrolled into MDM using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. +If the user is enrolled into MDM using a Microsoft Entra ID (Microsoft Entra join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Microsoft Entra association to the device. You can only use the Work Access page to unenroll under the following conditions: - Enrollment was done using bulk enrollment. - Enrollment was created using the Work Access page. -## Unenrollment from Azure Active Directory Join + -When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. +## Unenrollment from Microsoft Entra join + +When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. 
This safeguard is in place to avoid leaving the corporate devices in unmanaged state. +During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state. -Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Azure AD, otherwise the device won't have any admin user after the operation. +Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation. -In mobile devices, remote unenrollment for Azure Active Directory Joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device. +In mobile devices, remote unenrollment for Microsoft Entra joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device. ## IT admin-requested disconnection diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 62fce24e34..e711afcc6a 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -12,31 +12,31 @@ ms.collection: You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. -The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. +The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account. **Requirements**: - The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). - The enterprise has configured a Mobile Device Management (MDM) service. -- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). +- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad). - Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices). 
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`). -- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). +- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] > For more information, see the following topics: > -> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) -> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) -> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) +> - [How to configure automatic registration of Windows domain-joined devices with Microsoft Entra ID](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) +> - [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) +> - [Microsoft Entra integration with MDM](./azure-active-directory-integration-with-mdm.md) -The autoenrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. +The autoenrollment relies on the presence of an MDM service and the Microsoft Entra registration for the PC. 
Once the enterprise has registered its AD with Microsoft Entra ID, a Windows PC that is domain joined is automatically Microsoft Entra registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. -When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. +When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. - Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). 
@@ -47,7 +47,7 @@ For this policy to work, you must verify that the MDM service provider allows Gr To configure autoenrollment using a group policy, use the following steps: -1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Microsoft Entra credentials**. 1. Create a Security Group for the PCs. 1. Link the GPO. 1. Filter using Security Groups. @@ -87,7 +87,7 @@ This procedure is only for illustration purposes to show how the new autoenrollm 1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. -1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. +1. Double-click **Enable automatic MDM enrollment using default Microsoft Entra credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: 
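Review bot: the bolded path in this hunk, and in the @@ -47,7 hunk above, renames a product UI string: **Enable automatic MDM enrollment using default Azure AD credentials** becomes **Enable automatic MDM enrollment using default Microsoft Entra credentials**. A reader following the steps in gpedit.msc will not find the setting if the ADMX display string on their Windows build still reads "Azure AD". Keep the quoted setting name matching the shipped UI (or call out the older label until the ADMX string is confirmed renamed) and rebrand only the surrounding prose.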
@@ -96,14 +96,14 @@ This procedure is only for illustration purposes to show how the new autoenrollm > > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). -When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). +When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot. :::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification."::: > [!TIP] -> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). +> You can avoid this behavior by using Conditional Access Policies in Microsoft Entra ID. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). ## Verify enrollment 
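Review bot: the task name rewritten in this hunk, **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**, is a literal string the enrollment client writes into Task Scheduler, not prose; the sentence tells admins to look it up in the Task Scheduler app, so it must match what the OS actually creates. Unless the task ships under the new name, keep the original string here and confine the rebranding to the surrounding sentence.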
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index 56d0b0809b..976b340e5a 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md @@ -200,10 +200,10 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. +- The app is assigned to a user Microsoft Entra identity in the Store for Business. You can assign directly in the Store for Business or through a management server. - The device requires connectivity to the Microsoft Store. - Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. -- The user must be signed in with their Azure AD identity. +- The user must be signed in with their Microsoft Entra identity. Here's an example: 
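Review bot: "The app is assigned to a user Microsoft Entra identity in the Store for Business" in the @@ -200,10 hunk reads awkwardly now that the parenthetical abbreviation is gone; "assigned to a user's Microsoft Entra identity" says the same thing and matches "signed in with their Microsoft Entra identity" two bullets later.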
@@ -267,7 +267,7 @@ Here are the requirements for this scenario: - The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx`). - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. - The device doesn't need to have connectivity to the Microsoft Store, store services, or have the Microsoft Store UI be enabled. -- The user must be logged in, but association with Azure AD identity isn't required. +- The user must be logged in, but association with Microsoft Entra identity isn't required. > [!NOTE] > You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). @@ -384,7 +384,7 @@ Here are the requirements for this scenario: - The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (`https://contoso.com/app1.appx\`) - The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. - The device doesn't need to have connectivity to the Microsoft Store, or store services enabled. -- The device doesn't need any Azure AD identity or domain membership. +- The device doesn't need any Microsoft Entra identity or domain membership. - For nonStore app, your device must be unlocked. - For Store offline apps, the required licenses must be deployed before deploying the apps. 
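Review bot: the context line in this hunk quotes the HTTPS location as `https://contoso.com/app1.appx\` with a stray backslash before the closing backtick, which renders a literal backslash in the URL; the same requirement in the @@ -267,7 hunk above shows the correct form `https://contoso.com/app1.appx`. Since this hunk already touches the list, drop the backslash in the same pass. Minor: "association with Microsoft Entra identity isn't required" in the @@ -267,7 hunk wants an article ("a Microsoft Entra identity"), consistent with "any Microsoft Entra identity" here.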
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 21cae9d2ac..970b5917af 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md @@ -14,7 +14,7 @@ The expectations from an MDM are that it uses the same sync mechanism that it us If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: -- Onboard to Azure Active Directory +- Onboard to Microsoft Entra ID - Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 9f3374bb96..ae35a82630 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md 
+++ b/windows/client-management/implement-server-side-mobile-application-management.md 
@@ -11,13 +11,15 @@ Windows Information Protection (WIP) is a lightweight solution for managing comp [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)] -## Integration with Azure AD + -WIP is integrated with Azure Active Directory (Azure AD) identity service. The WIP service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). +## Integration with Microsoft Entra ID -WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Entra ID account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Azure AD, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +WIP is integrated with Microsoft Entra identity service. The WIP service supports Microsoft Entra integrated authentication for the user and the device during enrollment and the downloading of WIP policies. WIP integration with Microsoft Entra ID is similar to mobile device management (MDM) integration. See [Microsoft Entra integration with MDM](azure-active-directory-integration-with-mdm.md). -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. 
Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. +WIP uses Workplace Join (WPJ). WPJ is integrated with adding a work account flow to a personal device. If a user adds their work or school Microsoft Entra account as a secondary account to the machine, their device registered with WPJ. If a user joins their device to Microsoft Entra ID, it's enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be registered with WPJ. A Microsoft Entra join, and enrollment to MDM, should be used to manage corporate devices. + +On personal devices, users can add a Microsoft Entra account as a secondary account to the device while keeping their personal account as primary. Users can add a Microsoft Entra account to the device from a supported Microsoft Entra integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add a Microsoft Entra account from **Settings > Accounts > Access work or school**. Regular non administrator users can enroll to MAM. 
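Review bot: the line added above the new `## Integration with Microsoft Entra ID` heading shows as an empty `+` line in this hunk. Renaming the heading changes its generated bookmark (`#integration-with-azure-ad`), so existing deep links break unless an anchor element preserving the old ID is placed there; if that is what this line carries, fine, otherwise it is a stray blank line and should be dropped. The same pattern appears before `## Configuring a Microsoft Entra tenant for MAM enrollment` in the next hunk and before `## Unenrollment from Microsoft Entra join` in disconnecting-from-mdm-unenrollment.md. Two grammar points in the rewritten paragraphs: "WIP is integrated with Microsoft Entra identity service" lost its article (the removed line read "with Azure Active Directory (Azure AD) identity service"; use "with the Microsoft Entra identity service"), and "their device registered with WPJ" still needs "is" (pre-existing, but the line is being rewritten anyway).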
@@ -35,26 +37,28 @@ MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID END ``` -## Configuring an Azure AD tenant for MAM enrollment + -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration. +## Configuring a Microsoft Entra tenant for MAM enrollment + +MAM enrollment requires integration with Microsoft Entra ID. The MAM service provider needs to publish the Management MDM app to the Microsoft Entra app gallery. The same cloud-based Management MDM app in Microsoft Entra ID supports both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. This screenshot illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. +MAM and MDM services in an organization could be provided by different vendors. 
Depending on the company configuration, IT admin typically needs to add one or two Microsoft Entra Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that contains both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Microsoft Entra ID: one for MAM and one for MDM. > [!NOTE] -> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured. +> If the MDM service in an organization isn't integrated with Microsoft Entra ID and uses auto-discovery, only one Management app for MAM needs to be configured. ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Microsoft Entra ID [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method. These are the protocol changes for MAM enrollment: - MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](mdm/dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication. 
+- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use a Microsoft Entra token for client authentication during policy syncs. Policy sync sessions must be performed over one-way TLS/SSL using server certificate authentication. Here's an example provisioning XML for MAM enrollment. @@ -104,7 +108,7 @@ We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies f ## Policy sync -MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to authenticate to the service for policy syncs. +MAM policy syncs are modeled after MDM. The MAM client uses a Microsoft Entra token to authenticate to the service for policy syncs. ## Change MAM enrollment to MDM @@ -121,4 +125,4 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. -If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected. +If the MAM device is properly configured for MDM enrollment, then the *Enroll only to device management* link is displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Microsoft Entra account won't be affected. diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index b0c40d0dca..40f4cb654f 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml 
@@ -87,7 +87,7 @@ landingContent: links: - text: Enroll Windows devices url: mdm-enrollment-of-windows-devices.md - - text: Automatic enrollment using Azure AD + - text: Automatic enrollment using Microsoft Entra ID url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - text: Automatic enrollment using group policy url: enroll-a-windows-10-device-automatically-using-group-policy.md @@ -102,7 +102,7 @@ landingContent: url: client-tools/administrative-tools-in-windows.md - text: Use Quick assist url: client-tools/quick-assist.md - - text: Connect to Azure AD devices + - text: Connect to Microsoft Entra devices url: client-tools/connect-to-remote-aadj-pc.md - text: Create mandatory user profiles url: client-tools/mandatory-user-profile.md diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 5b432d5e1d..cd24637c71 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -32,7 +32,7 @@ Windows offers a range of management options, as shown in the following diagram: :::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png"::: -As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365. +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Microsoft Entra ID, Azure Information Protection, and Microsoft 365. ## Deployment and provisioning 
@@ -48,21 +48,21 @@ You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/ ## Identity and authentication -You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows and services like [Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. + - For corporate devices, they can set up corporate access with [Microsoft Entra join](/azure/active-directory/devices/overview). 
When you offer them Microsoft Entra join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. - Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + Microsoft Entra join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: + With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Microsoft Entra ID](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Microsoft Entra ID. 
This registration provides: - Single sign-on to cloud and on-premises resources from everywhere - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) @@ -72,7 +72,7 @@ You can envision user and device management as falling into these two categories Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. -As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. +As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Microsoft Entra ID. :::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png"::: diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index 08c2a6ed6b..c3dd757bb5 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md 
@@ -17,7 +17,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +1. Verify that autoenrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Microsoft Entra ID and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) 
@@ -28,7 +28,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif 1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). -1. Autoenrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. +1. Autoenrollment into Intune via Group Policy is valid only for devices that are Microsoft Entra hybrid joined. This condition means that the device must be joined into both local Active Directory and Microsoft Entra ID. To verify that the device is Microsoft Entra hybrid joined, run `dsregcmd /status` from the command line. You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. @@ -36,9 +36,9 @@ To ensure that the autoenrollment feature is working as expected, you must verif Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) + ![Auto-enrollment Microsoft Entra prt verification.](images/auto-enrollment-azureadprt-verification.png) - This information can also be found on the Azure AD device list. + This information can also be found on the Microsoft Entra device list. 1. Verify that the MDM discovery URL during autoenrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. 
@@ -48,7 +48,7 @@ To ensure that the autoenrollment feature is working as expected, you must verif :::image type="content" alt-text="Screenshot of Mobility setting MDM Intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: -1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. +1. When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 1. Verify that Microsoft Intune allows enrollment of Windows devices. 
@@ -79,14 +79,14 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment - The autoenrollment didn't trigger at all. In this case, you won't find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described here: - The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: + The autoenrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Microsoft Entra credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: > [!NOTE] > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. - This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. + This task runs every 5 minutes for the duration of one day. 
To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is triggered by event ID 107. :::image type="content" alt-text="Screenshot of Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: 
@@ -96,7 +96,7 @@ If you can't find event ID 75 in the logs, it indicates that the autoenrollment The task scheduler log displays event ID 102 (task completed) regardless of the autoenrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the autoenrollment task is triggered or not. It doesn't indicate the success or failure of autoenrollment. - If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. + If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index 9c772124fe..d16c6d7207 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md 
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -17,16 +17,18 @@ In today's cloud-first world, enterprise IT departments increasingly want to let ## Connect corporate-owned Windows devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to a Microsoft Entra domain. Windows doesn't require a personal Microsoft account on devices joined to Microsoft Entra ID or an on-premises Active Directory domain. -![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) +![active directory Microsoft Entra sign-in.](images/unifiedenrollment-rs1-1.png) > [!NOTE] > For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md). -### Connect your device to an Azure AD domain (join Azure AD) + -All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. +### Connect your device to a Microsoft Entra domain (join Microsoft Entra ID) + +All Windows devices can be connected to a Microsoft Entra domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to a Microsoft Entra domain using the Settings app. #### Out-of-box-experience 
@@ -36,19 +38,19 @@ To join a domain: ![oobe - local account creation](images/unifiedenrollment-rs1-11.png) -1. Select **Join Azure AD**, and then select **Next.** +1. Select **Join Microsoft Entra ID**, and then select **Next.** - ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) + ![choose the domain or Microsoft Entra ID](images/unifiedenrollment-rs1-12.png) -1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. +1. Type in your Microsoft Entra username. This username is the email address you use to log into Microsoft Office 365 and similar services. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you're able to enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. + If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 
If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Microsoft Entra domain. - ![azure ad signin.](images/unifiedenrollment-rs1-13.png) + ![Microsoft Entra sign-in.](images/unifiedenrollment-rs1-13.png) #### Use the Settings app 
@@ -70,36 +72,38 @@ To create a local account and connect the device: ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. +1. Under **Alternate Actions**, select **Join this device to Microsoft Entra ID**. - ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) + ![option to join work or school account to Microsoft Entra ID](images/unifiedenrollment-rs1-18.png) -1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. +1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services. - ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) + ![Microsoft Entra sign-in.](images/unifiedenrollment-rs1-19.png) If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM. + If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to connect your device to MDM. - After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. + After you reach the end of the flow, your device should be connected to your organization's Microsoft Entra domain. You may now sign out of your current account and sign in using your Microsoft Entra username. ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) -#### Help with connecting to an Azure AD domain + -There are a few instances where your device can't be connected to an Azure AD domain. +#### Help with connecting to a Microsoft Entra domain + +There are a few instances where your device can't be connected to a Microsoft Entra domain. | Connection issue | Description | |--|--| -| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You must switch to an administrator account to continue. | -| Your device is already managed by MDM. 
| The connect to Azure AD flow attempts to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to an Azure AD domain. You must upgrade to Pro, Enterprise, or Education edition to continue. | +| Your device is connected to a Microsoft Entra domain. | Your device can only be connected to a single Microsoft Entra domain at a time. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to a Microsoft Entra domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to a Microsoft Entra domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to a Microsoft Entra domain if you're logged in as an administrative user. You must switch to an administrator account to continue. | +| Your device is already managed by MDM. | The connect to Microsoft Entra ID flow attempts to enroll your device into MDM if your Microsoft Entra tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Microsoft Entra ID in this case. | +| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you can't connect to a Microsoft Entra domain. You must upgrade to Pro, Enterprise, or Education edition to continue. | ## Connect personally owned devices 
@@ -107,7 +111,9 @@ Personally owned devices, also known as bring your own device (BYOD), can be con All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. -### Register device in Azure AD and enroll in MDM + + +### Register device in Microsoft Entra ID and enroll in MDM To create a local account and connect the device: 
@@ -123,15 +129,15 @@ To create a local account and connect the device: ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) -1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. +1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services. - ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) + ![sync work or school account to Azure AD.](images/unifiedenrollment-rs1-25-b.png) 1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - If your Azure AD tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). + If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). 
If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). You can see the status page that shows the progress of your device being set up. @@ -147,8 +153,8 @@ There are a few instances where your device may not be able to connect to work. | Error Message | Description | |--|--| -| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. | +| Your device is already connected to your organization's cloud. | Your device is already connected to either Microsoft Entra ID, a work or school account, or an AD domain. | +| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Microsoft Entra tenant. | | Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | | You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn't autodiscover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | 
@@ -195,7 +201,7 @@ The deep link used for connecting your device to work uses the following format. | Parameter | Description | Supported Value for Windows | |--|--|--| -| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | +| mode | Describes which mode is executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Microsoft Entra joined. | | username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string | | servername | Specifies the MDM server URL that is used to enroll the device. | string | | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string | @@ -248,7 +254,7 @@ To manage your work or school connections, select **Settings** > **Accounts** > The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: -- Connecting your device to an Azure AD domain that has autoenroll into MDM configured. +- Connecting your device to a Microsoft Entra domain that has autoenroll into MDM configured. - Connecting your device to a work or school account that has autoenroll into MDM configured. - Connecting your device to MDM. 
@@ -263,7 +269,7 @@ Selecting the **Info** button shows a list of policies and line-of-business apps The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button removes the connection from the device. There are a few exceptions to this functionality: - Devices that enforce the AllowManualMDMUnenrollment policy don't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. -- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device. +- On mobile devices, you can't disconnect from Microsoft Entra ID. These connections can only be removed by wiping the device. > [!WARNING] > Disconnecting might result in the loss of data on the device. diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md index 7676911fc4..3b715665e0 100644 --- a/windows/client-management/mdm-known-issues.md +++ b/windows/client-management/mdm-known-issues.md @@ -33,7 +33,7 @@ When the Windows device is configured to use a proxy that requires authenticatio Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. -Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device. +Remote server unenrollment is disabled for mobile devices enrolled via Microsoft Entra join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Microsoft Entra joined is by remotely wiping the device. ## Certificates causing issues with Wi-Fi and VPN 
@@ -222,9 +222,11 @@ Alternatively you can use the following procedure to create an EAP Configuration After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. -## User provisioning failure in Azure Active Directory-joined devices + -For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +## User provisioning failure in Microsoft Entra joined devices + +For Microsoft Entra joined devices, provisioning `.\User` resources fails when the user isn't logged in as a Microsoft Entra user. If you attempt to join Microsoft Entra ID from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Microsoft Entra credentials to get your organizational configuration from your MDM server. This behavior is by design. ## Requirements to note for VPN certificates also used for Kerberos Authentication diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index da0013abc4..4777c1d28c 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md 
@@ -56,10 +56,12 @@ For information about the MDM policies defined in the Intune security baseline, No. Only one MDM is allowed. -### How do I set the maximum number of Azure Active Directory-joined devices per user? + + +### How do I set the maximum number of Microsoft Entra joined devices per user? 1. Sign in to the portal as tenant admin: . -1. Navigate to **Azure AD**, then **Devices**, and then select **Device Settings**. +1. Navigate to **Microsoft Entra ID**, then **Devices**, and then select **Device Settings**. 1. Change the number under **Maximum number of devices per user**. ### What is dmwappushsvc? diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 2fa1371357..347afc4322 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -12,7 +12,7 @@ items: href: mdm-overview.md - name: What's new in MDM href: new-in-windows-mdm-enrollment-management.md - - name: Azure Active Directory integration + - name: Microsoft Entra integration href: azure-active-directory-integration-with-mdm.md - name: Transitioning to modern management href: manage-windows-10-in-your-organization-modern-management.md From e02a108da1fe6daf52008084fbb5615f79c52ac3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 18 Oct 2023 13:04:51 -0400 Subject: [PATCH 2/5] Update windows/client-management/azure-active-directory-integration-with-mdm.md --- .../azure-active-directory-integration-with-mdm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index fdff4dbb1a..efb65c5991 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -85,7 +85,7 @@ The MDM vendor must first register the application in their home tenant and mark The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs. > [!NOTE] -> All MDM apps must implement Azure AD v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Azure AD v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). +> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). ### On-premises MDM From f61f18c34d177df632927ed8bec910c49d09310e Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 18 Oct 2023 13:05:00 -0400 Subject: [PATCH 3/5] Update windows/client-management/mdm-enrollment-of-windows-devices.md --- windows/client-management/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index d16c6d7207..e49994a1fa 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
@@ -50,7 +50,7 @@ To join a domain: If your Microsoft Entra tenant has autoenrollment configured, your device also gets enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for autoenrollment, you must go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Microsoft Entra domain. - ![Microsoft Entra sign-in.](images/unifiedenrollment-rs1-13.png) + ![Microsoft Entra sign-in during OOBE.](images/unifiedenrollment-rs1-13.png) #### Use the Settings app From f46fea76be7ff2cfbae525897de6a85913372e0c Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 18 Oct 2023 13:05:09 -0400 Subject: [PATCH 4/5] Update windows/client-management/mdm-enrollment-of-windows-devices.md --- windows/client-management/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index e49994a1fa..ef09eea68f 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md 
@@ -78,7 +78,7 @@ To create a local account and connect the device: 1. Type in your Microsoft Entra username. This username is the email address you use to log into Office 365 and similar services. - ![Microsoft Entra sign-in.](images/unifiedenrollment-rs1-19.png) + ![Microsoft Entra sign-in using Settings app.](images/unifiedenrollment-rs1-19.png) If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. From 935abcd7d6d5339798daa0802462c00719991e80 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 18 Oct 2023 13:19:11 -0400 Subject: [PATCH 5/5] Update manage-windows-10-in-your-organization-modern-management.md Removed references to youtube video --- ...ge-windows-10-in-your-organization-modern-management.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index cd24637c71..7129573f55 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -12,13 +12,6 @@ Use of personal devices for work, and employees working outside the office, may Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster. -This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. - -> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] - -> [!NOTE] -> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) - This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning)
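Review bot: In the azure-active-directory-integration-with-mdm.md hunk, the rebrand turns "Azure AD v2 tokens" into "Microsoft Entra v2 tokens", which is not a term the linked page uses: the link text in the same line is "Microsoft identity platform access tokens" and it points at the `#token-formats` anchor, where the relevant format is the v2.0 access token. Suggest "Microsoft identity platform v2.0 access tokens" in both places in the note, e.g. "> All MDM apps must implement Microsoft identity platform v2.0 access tokens before we certify that integration works." Keeping the old endpoint-specific wording matters here because the requirement is about the token format the MDM app validates, not about product naming, and a vendor searching the identity platform docs for "Entra v2 tokens" will find nothing.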
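Review bot: In the second mdm-enrollment-of-windows-devices.md hunk the new alt text reads "Microsoft Entra sign-in using Settings app."; it needs the article ("using the Settings app") to match the "#### Use the Settings app" heading it sits under and the alt text in the previous hunk ("during OOBE"), which is a complete phrase.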
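Review bot: In the manage-windows-10-in-your-organization-modern-management.md hunk the removal goes beyond what the commit message ("Removed references to youtube video") describes: it also deletes the NOTE that the classic Azure portal is retired and the `/information-protection/deploy-use/migrate-portal` link. Since that note only explained what the video showed, dropping it with the video is reasonable, but the commit message should say so, and it is worth confirming no other page links to this one for the migration guidance before the link disappears.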
