mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
Merged PR 9321: premises
@ -13,7 +13,7 @@ ms.date: 06/26/2017
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
@ -79,7 +79,7 @@ ms.date: 06/26/2017
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
@ -30,7 +30,7 @@ On the desktop, you can create an Active Directory account, such as "enrollment@
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> **Note**
>[!NOTE]
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone enviroment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
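Review bot: the unchanged bullet `> - Bulk enrollment does not work in Intune standalone enviroment.` sits inside the note block this hunk rewrites and still carries a typo; change `enviroment` to `environment` (and `in Intune standalone environment` to `in an Intune standalone environment`) while the block is being touched, rather than leaving it for another terminology pass.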
@ -47,7 +47,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premise authentication
## Create and apply a provisioning package for on-premises authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
@ -630,7 +630,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
<p style="margin-left: 20px">Supported operations are Get and Replace.
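Review bot: the Important box directly above the edited sentence still reads `Windows 10 Mobile Enteprise and IoT Enterprise`; fix the `Enteprise` typo here instead of leaving it. Also, this same WSUS description appears a second time in this PR (the hunk at `@ -2968,7 +2968,7 @@`), and there the Important box says `IoT Mobile` rather than `IoT Enterprise`; the two copies should agree on which editions do not support the policy.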
@ -138,11 +138,11 @@ The following is a list of functions performed by the Device HealthAttestation C
</tr>
<tr class="even">
<td style="vertical-align:top">Device Health Attestation – On Premise<p>(DHA-OnPrem)</p></td>
<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premise:</p>
<td style="vertical-align:top"><p>DHA-OnPrem refers to DHA-Service that is running on premises:</p>
<ul>
<li>Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) </li>
<li>Hosted on an enterprise owned and managed server device/hardware</li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
<li><p>Accessible to all enterprise managed devices via following:</p>
<ul>
<li>FQDN = (enterprise assigned)</li>
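Review bot: the first cell of this row, `Device Health Attestation – On Premise<p>(DHA-OnPrem)</p>`, is left as `On Premise` while the description cell in the same row is changed to `on premises`, so the row now mixes both spellings; rename the cell to `Device Health Attestation – On Premises` and keep the `DHA-OnPrem` abbreviation, which is a defined term and should not change. Minor: `Offered to Windows Server 2016 customer` should be `customers`, matching the wording in the DHA-EMC row.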
@ -151,14 +151,14 @@ The following is a list of functions performed by the Device HealthAttestation C
</ul>
</li>
</ul></td>
<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on premise.</td>
<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on-premises.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">Device Health Attestation - Enterprise Managed Cloud<p>(DHA-EMC)</p></td>
<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.</p>
<ul>
<li>Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)</li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
<li><p>Accessible to all enterprise managed devices via following:</p>
<ul>
<li>FQDN = (enterprise assigned)</li>
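Review bot: in `The operation cost of running one or more instances of Server 2016 on-premises.` the hyphenated form is being used adverbially at the end of the sentence; it reads more naturally as `running one or more on-premises instances of Windows Server 2016`, which also restores the product name. Style: the DHA-EMC bullet `Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)` states the same point twice; drop one of the two phrases.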
@ -304,7 +304,7 @@ SSL-Session:
There are three types of DHA-Service:
- Device Health Attestation – Cloud (owned and operated by Microsoft)
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premise)
- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud)
DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
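Review bot: the list item still names the service `Device Health Attestation – On Premise` while its parenthetical now says `on premises`, and the same name is used for the table row earlier in this file; pick one spelling for the service name (`On Premises`, keeping `DHA-OnPrem` as the abbreviation) and apply it in both places. The list also mixes an en dash (`–`) in the first two items with a hyphen (`-`) in `Device Health Attestation - Enterprise Managed Cloud`; make the three consistent.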
@ -62,7 +62,7 @@ The following topics describe the end-to-end enrollment process using various au
## Enrollment support for domain-joined devices
Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Disable MDM enrollments
@ -1600,7 +1600,8 @@ Alternatively you can use the following procedure to create an EAP Configuration
7. Close the rasphone dialog box.
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering.
> **Note** You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
>[!NOTE]
>You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
### <a href="" id="remote"></a>Remote PIN reset not supported in Azure Active Directory joined mobile devices
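Review bot: the rewritten note line `>You can also set all the other applicable EAP Properties through this UI as well.` keeps both `also` and `as well`; drop `as well` since the line is being rewritten anyway. For consistency with the `> [!Important]` alerts elsewhere in this PR, put a space after `>` on both new lines (`> [!NOTE]` and `> You can also ...`), and `EAP Properties` does not need a capital P.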
@ -1617,7 +1618,7 @@ In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the
### <a href="" id="kerberos"></a>Requirements to note for VPN certificates also used for Kerberos Authentication
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premise resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone.
### <a href="" id="pushbuttonreset"></a>Device management agent for the push-button reset is not working
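Review bot: the edited sentence is a comma splice with a missing article (`must meet the requirements for smart card certificate, the Subject field should contain ...`); since the line is already being touched, rewrite it as `the user's certificate must meet the requirements for a smart card certificate: the Subject field should contain the DNS domain name in the DN, or the SAN should contain a fully qualified UPN, so that the DC can be located from the DNS registrations.` The three conditions (smart card requirements, Subject DN, SAN UPN) are easier to check against a certificate when they are separated like that.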
@ -2204,7 +2205,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Mobile device enrollment](mobile-device-enrollment.md)</td>
<td style="vertical-align:top"><p>Added the following statement:</p>
<ul>
<li>Devices that are joined to an on-premise Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
<li>Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in <strong>Settings</strong>. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.</li>
</ul>
</td></tr>
<tr class="odd">
@ -76,7 +76,7 @@ This cloud service encrypts a recovery secret, which is stored locally on the cl
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="tenantid-policies-usecertificateforonpremauth--only-for---device-vendor-msft-"></a>***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)
<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premise resources.
<p style="margin-left: 20px">Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.
<p style="margin-left: 20px">If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
@ -657,7 +657,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Windows Hello for Business can use certificates to authenticate to on-premise resources.
<Description>Windows Hello for Business can use certificates to authenticate to on-premises resources.
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
@ -283,7 +283,7 @@ The following list shows the supported values:
<!--Description-->
Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD).
The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premises only environment, cloud domain-joined in a hybrid environment, and BYOD).
<!--/Description-->
<!--ADMXMapped-->
@ -2968,7 +2968,7 @@ The following list shows the supported values:
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet.
Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
Supported operations are Get and Replace.
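Review bot: the Important box above the edited line reads `Windows 10 Mobile Enteprise and IoT Mobile`; fix the `Enteprise` typo, and confirm which edition is meant, because the same policy description in the earlier hunk (`@ -630,7 +630,7 @@`) says `IoT Enterprise`, so the two copies of this text currently disagree on the unsupported editions.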
@ -40,7 +40,7 @@ The full URL for the discovery service.
<a href="" id="provisioning-enrollments-upn-secret"></a>**Provisioning/Enrollments/*UPN*/Secret**
This information is dependent on the AuthPolicy being used. Possible values:
- Password string for on-premise authentication enrollment
- Password string for on-premises authentication enrollment
- Federated security token for federated enrollment
- Certificate thumb print for certificated based enrollment
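Review bot: the unchanged neighbouring bullet `Certificate thumb print for certificated based enrollment` has two errors worth fixing in the same pass: `thumb print` should be `thumbprint` and `certificated based` should be `certificate-based`.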