deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #3171 from MicrosoftDocs/master

Browse Source 
Publish 06/25/2020 3:30 PM
This commit is contained in:
Gary Moore 2020-06-25 15:50:38 -07:00 committed by GitHub
commit c099b2d6c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 87 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -1,6 +1,6 @@
--- ---
title: MDM enrollment of Windows-based devices title: MDM enrollment of Windows 10-based devices
description: MDM enrollment of Windows-based devices description: MDM enrollment of Windows 10-based devices
MS-HAID: MS-HAID:
- 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phdevicemgmt.enrollment\_ui'
- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
@ -15,35 +15,30 @@ author: manikadhiman
ms.date: 11/15/2017 ms.date: 11/15/2017
--- ---
# MDM enrollment of Windows-based devices # MDM enrollment of Windows 10-based devices
This topic describes the user experience of enrolling Windows 10-based PCs and devices. In todays cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources, such as apps, the corporate network, and email.
In todays cloud-first world, enterprise IT departments increasingly want to let employees bring their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources (such as apps, the corporate network, and email). > [!NOTE]
> When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device.
> **Note**  When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. ## Connect corporate-owned Windows 10-based devices
You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
## Connecting corporate-owned Windows 10-based devices
Corporate owned devices can be connected to work either by joining the device to an Active Directory domain or an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
![active directory azure ad signin](images/unifiedenrollment-rs1-1.png) ![active directory azure ad signin](images/unifiedenrollment-rs1-1.png)
### Connecting your device to an Active Directory domain (Join a domain) ### Connect your device to an Active Directory domain (join a domain)
Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain. These devices can be connected using the Settings app. Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app.
> **Note**  Mobile devices cannot be connected to an Active Directory domain. > [!NOTE]
> Mobile devices cannot be connected to an Active Directory domain.
### Out-of-box-experience
Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) is not supported. To join a domain:
### Out-of-box-experience (OOBE)
Because joining your device to an Active Directory domain during the OOBE is not supported, youll need to first create a local account and then connect the device using the Settings app.
1. On the **Who Owns this PC?** page, select **My work or school owns it**. 1. On the **Who Owns this PC?** page, select **My work or school owns it**.
@ -53,11 +48,13 @@ Because joining your device to an Active Directory domain during the OOBE is not
![select domain or azure ad](images/unifiedenrollment-rs1-3.png) ![select domain or azure ad](images/unifiedenrollment-rs1-3.png)
3. You will next see a prompt to set up a local account on the device. Enter your local account details and then click **Next** to continue. 3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
![create pc account](images/unifiedenrollment-rs1-4.png) ![create pc account](images/unifiedenrollment-rs1-4.png)
### Using the Settings app ### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app. 1. Launch the Settings app.
@ -71,42 +68,44 @@ Because joining your device to an Active Directory domain during the OOBE is not
![select access work or school](images/unifiedenrollment-rs1-7.png) ![select access work or school](images/unifiedenrollment-rs1-7.png)
4. Click **Connect**. 4. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-8.png) ![connect to work or school](images/unifiedenrollment-rs1-8.png)
5. Under **Alternate actions**, click **Join this device to a local Active Directory domain**. 5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
![join account to active directory domain](images/unifiedenrollment-rs1-9.png) ![join account to active directory domain](images/unifiedenrollment-rs1-9.png)
6. Type in your domain name, follow the instructions, and then click **Next** to continue. After you complete the flow and reboot your device, it should be connected to your Active Directory domain. You can now log into the device using your domain credentials. 6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
![type in domain name](images/unifiedenrollment-rs1-10.png) ![type in domain name](images/unifiedenrollment-rs1-10.png)
### Help with connecting to an Active Directory domain ### Help with connecting to an Active Directory domain
There are a few instances where your device cannot be connected to an Active Directory domain: There are a few instances where your device cannot be connected to an Active Directory domain.
| Connection issue | Explanation | | Connection issue | Description |
|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is already connected to an Active Directory domain. | Your device can be connected to only a single Active Directory domain at a time. | | Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. |
| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | | Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. |
| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. Youll need to switch to an administrator account to continue. | | You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. Youll need to switch to an administrator account to continue. |
| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | | Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. |
### Connecting your device to an Azure AD domain (Join Azure AD) ### Connect your device to an Azure AD domain (join Azure AD)
All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app.
### Out-of-box-experience (OOBE) ### Out-of-box-experience
1. Select **My work or school owns it**, then click **Next.** To join a domain:
1. Select **My work or school owns it**, then select **Next.**
![oobe local account creation](images/unifiedenrollment-rs1-11.png) ![oobe local account creation](images/unifiedenrollment-rs1-11.png)
2. Click **Join Azure AD**, then click **Next.** 2. Select **Join Azure AD**, and then select **Next.**
![select domain or azure ad](images/unifiedenrollment-rs1-12.png) ![select domain or azure ad](images/unifiedenrollment-rs1-12.png)
@ -118,7 +117,9 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![azure ad signin](images/unifiedenrollment-rs1-13.png) ![azure ad signin](images/unifiedenrollment-rs1-13.png)
### Using the Settings app ### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app. 1. Launch the Settings app.
@ -132,11 +133,11 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![select access work or school](images/unifiedenrollment-rs1-16.png) ![select access work or school](images/unifiedenrollment-rs1-16.png)
4. Click **Connect**. 4. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-17.png) ![connect to work or school](images/unifiedenrollment-rs1-17.png)
5. Under **Alternate Actions**, click **Join this device to Azure Active Directory**. 5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
@ -144,7 +145,7 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
![azure ad sign in](images/unifiedenrollment-rs1-19.png) ![azure ad sign in](images/unifiedenrollment-rs1-19.png)
7. If the tenant is a cloud only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. 7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@ -156,9 +157,9 @@ All Windows devices can be connected to an Azure AD domain. These devices can be
### Help with connecting to an Azure AD domain ### Help with connecting to an Azure AD domain
There are a few instances where your device cannot be connected to an Azure AD domain: There are a few instances where your device cannot be connected to an Azure AD domain.
| Connection issue | Explanation | | Connection issue | Description |
|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | | Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. |
| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | | Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. |
@ -169,18 +170,20 @@ There are a few instances where your device cannot be connected to an Azure AD d
## Connecting personally-owned devices (Bring your own device) ## Connect personally-owned devices
Personally owned devices, also known as bring your own device or BYOD, can be connected to a work or school account or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school. Personally-owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
### Connecting to a work or school account ### Connect to a work or school account
All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps such as the universal Office apps. All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps.
### Using the Settings app ### Use the Settings app
1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts** To create a local account and connect the device:
1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
![windows settings page](images/unifiedenrollment-rs1-21-b.png) ![windows settings page](images/unifiedenrollment-rs1-21-b.png)
@ -188,7 +191,7 @@ All Windows 10-based devices can be connected to a work or school account. You
![select access work or school](images/unifiedenrollment-rs1-23-b.png) ![select access work or school](images/unifiedenrollment-rs1-23-b.png)
3. Click **Connect**. 3. Select **Connect**.
![connect to work or school](images/unifiedenrollment-rs1-24-b.png) ![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
@ -196,7 +199,7 @@ All Windows 10-based devices can be connected to a work or school account. You
![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
5. If the tenant is a cloud only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. 5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
@ -210,11 +213,13 @@ All Windows 10-based devices can be connected to a work or school account. You
![account successfully added](images/unifiedenrollment-rs1-27.png) ![account successfully added](images/unifiedenrollment-rs1-27.png)
### Connecting to MDM on a desktop (Enrolling in device management) ### Connect to MDM on a desktop (enrolling in device management)
All Windows 10-based devices can be connected to an MDM. You can connect to an MDM through the Settings app. All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app.
### Using the Settings app ### Use the Settings app
To create a local account and connect the device:
1. Launch the Settings app. 1. Launch the Settings app.
@ -228,7 +233,7 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
![access work or school](images/unifiedenrollment-rs1-30.png) ![access work or school](images/unifiedenrollment-rs1-30.png)
4. Click the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
![connect to work or school](images/unifiedenrollment-rs1-31.png) ![connect to work or school](images/unifiedenrollment-rs1-31.png)
@ -245,17 +250,17 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
After you complete the flow, your device will be connected to your organizations MDM. After you complete the flow, your device will be connected to your organizations MDM.
### Connecting to MDM on a phone (Enrolling in device management) ### Connect to MDM on a phone (enroll in device management)
1. Launch the **Settings** app and then click **Accounts**. 1. Launch the Settings app, and then select **Accounts**.
![phone settings](images/unifiedenrollment-rs1-38.png) ![phone settings](images/unifiedenrollment-rs1-38.png)
2. Click **Access work or school**. 2. Select **Access work or school**.
![phone settings](images/unifiedenrollment-rs1-39.png) ![phone settings](images/unifiedenrollment-rs1-39.png)
3. Click the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). 3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
![access work or school page](images/unifiedenrollment-rs1-40.png) ![access work or school page](images/unifiedenrollment-rs1-40.png)
@ -273,7 +278,7 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
### Help with connecting personally-owned devices ### Help with connecting personally-owned devices
There are a few instances where your device may not be able to connect to work, as described in the following table. There are a few instances where your device may not be able to connect to work.
| Error Message | Description | | Error Message | Description |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -284,20 +289,20 @@ There are a few instances where your device may not be able to connect to work,
| We couldnt auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | | We couldnt auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. |
## Connecting your Windows 10-based device to work using a deep link ## Connect your Windows 10-based device to work using a deep link
Windows 10-based devices may be connected to work using a deep link. Users will be able to click or open a link in a particular format from anywhere in Windows 10 and be directed to the new enrollment experience. Windows 10-based devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience.
In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory. In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory.
The deep link used for connecting your device to work will always use the following format: The deep link used for connecting your device to work will always use the following format.
**ms-device-enrollment:?mode={mode\_name}** **ms-device-enrollment:?mode={mode\_name}**
| Parameter | Description | Supported Value for Windows 10| | Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------| |-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined). | | mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory Joined (AADJ). |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
@ -305,47 +310,44 @@ The deep link used for connecting your device to work will always use the follow
| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | | tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 | | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
> **Note** "awa" and "aadj" values for mode are only supported on Windows 10, version 1709 and later. > [!NOTE]
> AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later.
### Connecting to MDM using a deep link ### Connect to MDM using a deep link
> **Note** Deep links only work with Internet Explorer or Edge browsers. > [!NOTE]
When connecting to MDM using a deep link, the URI you should use is > Deep links only work with Internet Explorer or Microsoft Edge browsers. When connecting to MDM using a deep link, the URI you should use is:
> **ms-device-enrollment:?mode=mdm**
> **ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
**ms-device-enrollment:?mode=mdm** To connect your devices to MDM using deep links:
**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=<https://example.server.com>**
The following procedure describes how users can connect their devices to MDM using deep links. 1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
1. Starting with Windows 10, version 1607, you can create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm** and user-friendly display text, such as **Click here to connect Windows to work**: > (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
> **Note**  This will launch the flow equivalent to the Enroll into device management option in Windows 10, version 1511. - IT admins can add this link to a welcome email that users can select to enroll into MDM.
- IT admins can add this link to a welcome email that users can click on to enroll into MDM.
![using enrollment deeplink in email](images/deeplinkenrollment1.png) ![using enrollment deeplink in email](images/deeplinkenrollment1.png)
- IT admins can also add this link to an internal web page that users refer to enrollment instructions. - IT admins can also add this link to an internal web page that users refer to enrollment instructions.
2. After clicking the link or running it, Windows 10 will launch the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511). 2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
Type in your work email address. Type in your work email address.
![set up work or school account](images/deeplinkenrollment3.png) ![set up work or school account](images/deeplinkenrollment3.png)
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information. 3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
> **Note**  Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organizations MDM.
After you complete the flow, your device will be connected to your organizations MDM.
![corporate sign in](images/deeplinkenrollment4.png) ![corporate sign in](images/deeplinkenrollment4.png)
## Managing connections ## Manage connections
Your work or school connections can be managed on the **Settings** &gt; **Accounts** &gt; **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection. To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
![managing work or school account](images/unifiedenrollment-rs1-34-b.png) ![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
@ -357,30 +359,31 @@ The **Info** button can be found on work or school connections involving MDM. Th
- Connecting your device to a work or school account that has auto-enroll into MDM configured. - Connecting your device to a work or school account that has auto-enroll into MDM configured.
- Connecting your device to MDM. - Connecting your device to MDM.
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which forces your device to communicate to the MDM server and fetch any updates to policies if needed.
Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot. Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
![work or school info](images/unifiedenrollment-rs1-35-b.png) ![work or school info](images/unifiedenrollment-rs1-35-b.png)
> [NOTE] > [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available. > Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect ### Disconnect
The **Disconnect** button can be found on all work connections. Generally, clicking the **Disconnect** button will remove the connection from the device. There are a few exceptions to this: The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this:
- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. - Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. - On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device.
> **Warning**  Disconnecting might result in the loss of data on the device. > [!WARNING]  
> Disconnecting might result in the loss of data on the device.
## Collecting diagnostic logs ## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files. You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot. Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png) ![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)