diff --git a/.openpublishing.redirection.windows-whats-new.json b/.openpublishing.redirection.windows-whats-new.json
index 9e05719ebc..b72627e6c6 100644
--- a/.openpublishing.redirection.windows-whats-new.json
+++ b/.openpublishing.redirection.windows-whats-new.json
@@ -159,11 +159,21 @@
"source_path":"windows/whats-new/whats-new-windows-10-version-20H2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-20H2",
"redirect_document_id":false
- },
- {
- "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
- "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
- "redirect_document_id":false
- }
- ]
- }
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-21H1.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H1",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/whats-new-windows-10-version-21H2.md",
+ "redirect_url":"/previous-versions/windows/it-pro/windows-10/whats-new/whats-new-windows-10-version-21H2",
+ "redirect_document_id":false
+ },
+ {
+ "source_path":"windows/whats-new/ltsc/index.yml",
+ "redirect_url":"/windows/whats-new/",
+ "redirect_document_id":false
+ }
+ ]
+}
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 042df87a74..072a760e05 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
@@ -21,12 +21,11 @@ Customers with qualifying subscriptions can upgrade student-owned and institutio
> [!NOTE]
> To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
-IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The following table provides the recommended method depending on the scenario.
+IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). The following table provides the recommended method depending on the scenario.
| Method | Product key source | Device ownership | Best for |
|-|-|-|-|
| MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM |
-| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent, or guardian |
| Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot |
These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
@@ -44,7 +43,7 @@ Some school institutions want to streamline student onboarding for student-owned
- [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications.
- [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization.
-A full list of CSPs are available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows).
+A full list of CSPs is available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows).
## Requirements for using a MAK to upgrade from Windows Home to Windows Education
@@ -80,13 +79,6 @@ For a full list of methods to perform a Windows edition upgrade and more details
After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system.
-The following table highlights the differences by upgrade product key type:
-
-| Product Key Type | Downgrade (in-place) | Reset | Student reinstall |
-|-|-|-|-|
-| VLSC | No | Yes | No |
-| Kivuto OnTheHub | No | Yes | Yes |
-
### Downgrade
It isn't possible to downgrade to *Windows Home* from *Windows Education* without reinstalling Windows.
@@ -99,8 +91,6 @@ If the computer is reset, Windows Education is retained.
The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) is used to activate Windows.
-If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key before graduation.
-
For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886).
### Resale
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 942a90b16b..ac12ab0836 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -137,4 +137,4 @@ additionalContent:
- text: Microsoft Intune community
url: https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
- text: Microsoft Support community
- url: https://answers.microsoft.com/windows/forum
\ No newline at end of file
+ url: https://answers.microsoft.com/
\ No newline at end of file
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 56477ff62e..e5fd11df2b 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -103,7 +103,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `DigiExam` | 14.1.0 | `Win32` | `Digiexam` |
| `Digital Secure testing browser` | 15.0.0 | `Win32` | `Digiexam` |
| `Dolphin Guide Connect` | 1.27 | `Win32` | `Dolphin Guide Connect` |
-| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
+| `Dragon Professional Individual` | 16.00.200.121 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 14.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 6.3.0 | `Win32` | `Cisco` |
| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
@@ -114,7 +114,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `ESET Endpoint Security` | 10.1.2046.0 | `Win32` | `ESET` |
| `ESET Remote Administrator Agent` | 10.0.1126.0 | `Win32` | `ESET` |
| `eTests` | 4.0.25 | `Win32` | `CASAS` |
-| `Exam Writepad` | 23.12.10.1200 | `Win32` | `Sheldnet` |
+| `Exam Writepad` | 24.4.1.1200 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
@@ -128,7 +128,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
| `Inprint` | 3.7.6 | `Win32` | `Inprint` |
| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
-| `Instashare` | 1.3.13.0 | `Win32` | `Instashare` |
+| `Instashare 2` | 1.3.13.0 | `Win32` | `BenQ` |
| `JAWS for Windows` | 2024.2312.53 | `Win32` | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
| `Keyman` | 16.0.142 | `Win32` | `SIL International` |
@@ -170,7 +170,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Remote Help` | 5.0.1311.0 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.1.1.05 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
-|`SchoolYear` | 3.5.4 | `Win32` |`SchoolYear` |
+|`SchoolYear` | 3.7.10 | `Win32` |`SchoolYear` |
|`School Manager` | 3.6.10-1149 | `Win32` |`Linewize` |
|`Schoolnet Secure Tester` | 2.1.0 | `Win32` |`School Net` |
|`Scratch` | 3.0 | `Win32` |`MIT` |
@@ -188,8 +188,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Windows SEB` | 3.4.0 | `Win32` | `Illinois Stateboard of Education` |
| `Windows Notepad` | 12.0.78 | `Store` | `Microsoft Corporation` |
| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
-| `ZoomText Fusion` | 2024.2310.13.400 | `Win32` | `Freedom Scientific` |
-| `ZoomText Magnifier/Reader` | 2024.2312.26.400 | `Win32` | `Freedom Scientific` |
+| `ZoomText Fusion` | 2024.2403.1.400 | `Win32` | `Freedom Scientific` |
+| `ZoomText Magnifier/Reader` | 2024.2402.66.400 | `Win32` | `Freedom Scientific` |
## Add your own applications
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 964efc7788..4af32aae83 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -8,18 +8,20 @@ ms.author: cmcatee
author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
-ms.date: 01/11/2024
+ms.date: 06/21/2024
ms.reviewer:
---
# What's new in Microsoft Store for Business and Education
-> [!IMPORTANT]
->
-> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
-
## Latest updates for Store for Business and Education
+**June 2024**
+
+The Microsoft Store for Business and Microsoft Store for Education portals will retire on August 15, 2024. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-intune-integration-with-the-microsoft-store-on-windows/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). If you are using offline licensing, you can use the [WinGet Download command](/windows/package-manager/winget/download) to continue to access offline apps and license files.
+
+## Previous releases and updates
+
**January 2024**
**Removal of private store capability from Microsoft Store for Business and Education**
@@ -28,8 +30,6 @@ The private store tab and associated functionality was removed from the Microsof
We recommend customers use the [Private app repository, Windows Package Manager, and Company Portal app](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) to provide a private app repository within their organization.
-## Previous releases and updates
-
[May 2023](release-history-microsoft-store-business-education.md#may-2023)
- Tab removed from Microsoft Store apps on Windows 10 PCs.
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 128c0cfc00..4f5ec979b0 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -69,11 +69,6 @@
"Windows 10"
]
},
- "fileMetadata": {
- "feedback_system": {
- "app-v/**/*.*": "None"
- }
- },
"template": [],
"dest": "win-app-management",
"markdownEngineName": "markdig"
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index 7a3b8812e1..ae406114d7 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -9,7 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 08/18/2023
+ ms.date: 06/28/2024
ms.topic: landing-page
ms.service: windows-client
ms.subservice: itpro-apps
@@ -40,22 +40,3 @@ landingContent:
url: per-user-services-in-windows.md
- text: Changes to Service Host grouping in Windows 10
url: svchost-service-refactoring.md
-
- - title: Application Virtualization (App-V)
- linkLists:
- - linkListType: overview
- links:
- - text: App-V overview
- url: /microsoft-desktop-optimization-pack/app-v/appv-for-windows
- - text: Getting started with App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-getting-started
- - text: Planning for App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-appv
- - text: Deploying App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-deploying-appv
- - text: Operations for App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-operations
- - text: Troubleshooting App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-troubleshooting
- - text: Technical Reference for App-V
- url: /microsoft-desktop-optimization-pack/app-v/appv-technical-reference
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
index ab58f88f99..7188ebe6e0 100644
--- a/windows/application-management/overview-windows-apps.md
+++ b/windows/application-management/overview-windows-apps.md
@@ -4,7 +4,7 @@ description: Learn about the different types of apps that run on Windows. For ex
author: aczechowski
ms.author: aaroncz
manager: aaroncz
-ms.date: 08/28/2023
+ms.date: 06/28/2024
ms.topic: overview
ms.service: windows-client
ms.subservice: itpro-apps
@@ -31,7 +31,7 @@ For more information on deploying Microsoft 365 apps, see the [Deployment guide
### Power Apps
-These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers.
+These apps are custom, low-code apps to connect to business data, modernize processes, and solve unique challenges. Power Apps are available online and on-premises, can run in a web browser, and on mobile devices. They can be created by business analysts and professional developers.
For more information, see [What is Power Apps?](/power-apps/powerapps-overview).
@@ -182,7 +182,7 @@ App-V allows Win32 apps to be used as virtual apps.
On an on-premises server, you install and configure the App-V server components, and then install your Win32 apps. On Windows Enterprise client devices, you use the App-V client components to run the virtualized apps. They allow users to open the virtual apps using the icons and file names they're familiar with. Users use the apps as if they're installed locally.
-The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](./app-v/appv-for-windows.md).
+The benefit is to deliver virtual apps in real time, and as-needed. For more information, see [Application Virtualization (App-V) for Windows overview](/microsoft-desktop-optimization-pack/app-v/appv-for-windows).
## Manage apps
diff --git a/windows/application-management/toc.yml b/windows/application-management/toc.yml
index 7e86c36a76..eaea302b9c 100644
--- a/windows/application-management/toc.yml
+++ b/windows/application-management/toc.yml
@@ -1,255 +1,17 @@
items:
- name: Manage Windows applications
href: index.yml
-- name: Application management
- items:
- - name: Overview of apps in Windows
- href: overview-windows-apps.md
- - name: Sideload line of business (LOB) apps
- href: sideload-apps-in-windows.md
- - name: Private app repo on Windows 11
- href: private-app-repository-mdm-company-portal-windows-11.md
- - name: Remove background task resource restrictions
- href: enterprise-background-activity-controls.md
- - name: Service host grouping in Windows 10
- href: svchost-service-refactoring.md
- - name: Per-user services in Windows
- href: per-user-services-in-windows.md
- - name: Keep removed apps from returning during an update
- href: remove-provisioned-apps-during-update.md
-- name: Application Virtualization (App-V)
- items:
- - name: App-V for Windows overview
- href: /microsoft-desktop-optimization-pack/app-v/appv-for-windows
- - name: Getting Started
- items:
- - name: Getting Started with App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-getting-started
- - name: What's new
- items:
- - name: What's new in App-V for Windows 10, version 1703 and earlier
- href: /microsoft-desktop-optimization-pack/app-v/appv-about-appv
- - name: Release Notes for App-V for Windows 10, version 1607
- href: /microsoft-desktop-optimization-pack/app-v/appv-release-notes-for-appv-for-windows
- - name: Release Notes for App-V for Windows 10, version 1703
- href: /microsoft-desktop-optimization-pack/app-v/appv-release-notes-for-appv-for-windows-1703
- - name: Evaluating App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-evaluating-appv
- - name: High Level Architecture for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-high-level-architecture
- - name: Planning
- items:
- - name: Planning for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-appv
- - name: Preparing your environment
- items:
- - name: Preparing your environment for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-preparing-your-environment
- - name: App-V Prerequisites
- href: /microsoft-desktop-optimization-pack/app-v/appv-prerequisites
- - name: App-V security considerations
- href: /microsoft-desktop-optimization-pack/app-v/appv-security-considerations
- - name: Planning to deploy
- items:
- - name: Planning to Deploy App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-to-deploy-appv
- - name: App-V Supported Configurations
- href: /microsoft-desktop-optimization-pack/app-v/appv-supported-configurations
- - name: App-V Capacity Planning
- href: /microsoft-desktop-optimization-pack/app-v/appv-capacity-planning
- - name: Planning for High Availability with App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-high-availability-with-appv
- - name: Planning to Deploy App-V with an Electronic Software Distribution System
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions
- - name: Planning for the App-V Server Deployment
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-appv-server-deployment
- - name: Planning for the App-V Sequencer and Client Deployment
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-sequencer-and-client-deployment
- - name: Planning for Using App-V with Office
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-for-using-appv-with-office
- - name: Planning to Use Folder Redirection with App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-folder-redirection-with-appv
- - name: App-V Planning Checklist
- href: /microsoft-desktop-optimization-pack/app-v/appv-planning-checklist
- - name: Deploying
- items:
- - name: Deploying App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-appv
- - name: App-V sequencer and client configuration
- items:
- - name: Deploying the App-V Sequencer and Configuring the Client
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-sequencer-and-client
- - name: About Client Configuration Settings
- href: /microsoft-desktop-optimization-pack/app-v/appv-client-configuration-settings
- - name: Enable the App-V desktop client
- href: /microsoft-desktop-optimization-pack/app-v/appv-enable-the-app-v-desktop-client
- - name: How to Install the Sequencer
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-sequencer
- - name: App-V server deployment
- items:
- - name: Deploying the App-V Server
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-the-appv-server
- - name: How to Deploy the App-V Server
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploy-the-appv-server
- - name: How to Deploy the App-V Server Using a Script
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploy-the-appv-server-with-a-script
- - name: How to Deploy the App-V Databases by Using SQL Scripts
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploy-appv-databases-with-sql-scripts
- - name: How to Install the Publishing Server on a Remote Computer
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-publishing-server-on-a-remote-computer
- - name: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers
- - name: How to install the Management Server on a Standalone Computer and Connect it to the Database
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-management-server-on-a-standalone-computer
- - name: About App-V Reporting
- href: /microsoft-desktop-optimization-pack/app-v/appv-reporting
- - name: How to install the Reporting Server on a Standalone Computer and Connect it to the Database
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-reporting-server-on-a-standalone-computer
- - name: App-V Deployment Checklist
- href: /microsoft-desktop-optimization-pack/app-v/appv-deployment-checklist
- - name: Deploying Microsoft Office 2016 by Using App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2016-with-appv
- - name: Deploying Microsoft Office 2013 by Using App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2013-with-appv
- - name: Deploying Microsoft Office 2010 by Using App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-microsoft-office-2010-wth-appv
- - name: Operations
- items:
- - name: Operations for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-operations
- - name: Creating and managing virtualized applications
- items:
- - name: Creating and Managing App-V Virtualized Applications
- href: /microsoft-desktop-optimization-pack/app-v/appv-creating-and-managing-virtualized-applications
- - name: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
- href: /microsoft-desktop-optimization-pack/app-v/appv-auto-provision-a-vm
- - name: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
- href: /microsoft-desktop-optimization-pack/app-v/appv-auto-batch-sequencing
- - name: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
- href: /microsoft-desktop-optimization-pack/app-v/appv-auto-batch-updating
- - name: Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)
- href: /microsoft-desktop-optimization-pack/app-v/appv-sequence-a-new-application
- - name: How to Modify an Existing Virtual Application Package
- href: /microsoft-desktop-optimization-pack/app-v/appv-modify-an-existing-virtual-application-package
- - name: How to Create and Use a Project Template
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-and-use-a-project-template
- - name: How to Create a Package Accelerator
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-package-accelerator
- - name: How to Create a Virtual Application Package Using an App-V Package Accelerator
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-virtual-application-package-package-accelerator
- - name: Administering App-V
- items:
- - name: Administering App-V Virtual Applications by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-administering-virtual-applications-with-the-management-console
- - name: About App-V Dynamic Configuration
- href: /microsoft-desktop-optimization-pack/app-v/appv-dynamic-configuration
- - name: How to Connect to the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-connect-to-the-management-console
- - name: How to Add or Upgrade Packages by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-add-or-upgrade-packages-with-the-management-console
- - name: How to Configure Access to Packages by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-configure-access-to-packages-with-the-management-console
- - name: How to Publish a Package by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-publish-a-packages-with-the-management-console
- - name: How to Delete a Package in the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-delete-a-package-with-the-management-console
- - name: How to Add or Remove an Administrator by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-add-or-remove-an-administrator-with-the-management-console
- - name: How to Register and Unregister a Publishing Server by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console
- - name: How to Create a Custom Configuration File by Using the App-V Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-custom-configuration-file-with-the-management-console
- - name: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console
- - name: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-customize-virtual-application-extensions-with-the-management-console
- - name: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
- href: /microsoft-desktop-optimization-pack/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console
- - name: Connection groups
- items:
- - name: Managing Connection Groups
- href: /microsoft-desktop-optimization-pack/app-v/appv-managing-connection-groups
- - name: About the Connection Group Virtual Environment
- href: /microsoft-desktop-optimization-pack/app-v/appv-connection-group-virtual-environment
- - name: About the Connection Group File
- href: /microsoft-desktop-optimization-pack/app-v/appv-connection-group-file
- - name: How to Create a Connection Group
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-connection-group
- - name: How to Create a Connection Group with User-Published and Globally Published Packages
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages
- - name: How to Delete a Connection Group
- href: /microsoft-desktop-optimization-pack/app-v/appv-delete-a-connection-group
- - name: How to Publish a Connection Group
- href: /microsoft-desktop-optimization-pack/app-v/appv-publish-a-connection-group
- - name: How to Make a Connection Group Ignore the Package Version
- href: /microsoft-desktop-optimization-pack/app-v/appv-configure-connection-groups-to-ignore-the-package-version
- - name: How to Allow Only Administrators to Enable Connection Groups
- href: /microsoft-desktop-optimization-pack/app-v/appv-allow-administrators-to-enable-connection-groups
- - name: Deploying App-V packages with ESD
- items:
- - name: Deploying App-V Packages by Using Electronic Software Distribution (ESD)
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions
- - name: How to deploy App-V Packages Using Electronic Software Distribution
- href: /microsoft-desktop-optimization-pack/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions
- - name: How to Enable Only Administrators to Publish Packages by Using an ESD
- href: /microsoft-desktop-optimization-pack/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions
- - name: Using the management console
- items:
- - name: Using the App-V client management console
- href: /microsoft-desktop-optimization-pack/app-v/appv-using-the-client-management-console
- - name: Automatically clean up unpublished packages on the App-V client
- href: /microsoft-desktop-optimization-pack/app-v/appv-auto-clean-unpublished-packages
- - name: Migrating
- items:
- - name: Migrating to App-V from a previous version
- href: /microsoft-desktop-optimization-pack/app-v/appv-migrating-to-appv-from-a-previous-version
- - name: How to convert a package created in a previous version of App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv
- - name: Maintenance
- items:
- - name: Maintaining App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-maintaining-appv
- - name: How to Move the App-V Server to Another Computer
- href: /microsoft-desktop-optimization-pack/app-v/appv-move-the-appv-server-to-another-computer
- - name: Administering App-V with Windows PowerShell
- items:
- - name: Administering App-V by using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-administering-appv-with-powershell
- - name: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
- href: /microsoft-desktop-optimization-pack/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help
- - name: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell
- - name: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell
- - name: How to Modify Client Configuration by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-modify-client-configuration-with-powershell
- - name: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
- href: /microsoft-desktop-optimization-pack/app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server
- - name: How to Apply the User Configuration File by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-apply-the-user-configuration-file-with-powershell
- - name: How to Apply the Deployment Configuration File by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-apply-the-deployment-configuration-file-with-powershell
- - name: How to Sequence a Package by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-sequence-a-package-with-powershell
- - name: How to Create a Package Accelerator by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-create-a-package-accelerator-with-powershell
- - name: How to Enable Reporting on the App-V Client by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-enable-reporting-on-the-appv-client-with-powershell
- - name: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
- href: /microsoft-desktop-optimization-pack/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell
- - name: Troubleshooting App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-troubleshooting
- - name: Technical Reference
- items:
- - name: Technical Reference for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-technical-reference
- - name: Available Mobile Device Management (MDM) settings for App-V
- href: /microsoft-desktop-optimization-pack/app-v/appv-available-mdm-settings
- - name: Performance Guidance for Application Virtualization
- href: /microsoft-desktop-optimization-pack/app-v/appv-performance-guidance
- - name: Application Publishing and Client Interaction
- href: /microsoft-desktop-optimization-pack/app-v/appv-application-publishing-and-client-interaction
- - name: Viewing App-V Server Publishing Metadata
- href: /microsoft-desktop-optimization-pack/app-v/appv-viewing-appv-server-publishing-metadata
- - name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
- href: /microsoft-desktop-optimization-pack/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment
+- name: Overview of apps in Windows
+ href: overview-windows-apps.md
+- name: Sideload line of business (LOB) apps
+ href: sideload-apps-in-windows.md
+- name: Private app repo on Windows 11
+ href: private-app-repository-mdm-company-portal-windows-11.md
+- name: Remove background task resource restrictions
+ href: enterprise-background-activity-controls.md
+- name: Service host grouping in Windows 10
+ href: svchost-service-refactoring.md
+- name: Per-user services in Windows
+ href: per-user-services-in-windows.md
+- name: Keep removed apps from returning during an update
+ href: remove-provisioned-apps-during-update.md
diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 27c5fb235c..eefc2151ab 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -5,18 +5,18 @@ ms.topic: conceptual
ms.collection:
- highpri
- tier2
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Microsoft Entra integration with MDM
-Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into MDM in an integrated flow.
+Microsoft Entra ID is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Microsoft Entra ID as the underlying identity infrastructure. Windows integrates with Microsoft Entra ID, allowing devices to be registered in Microsoft Entra ID and enrolled into Mobile Device Management (MDM) in an integrated flow.
Once a device is enrolled in MDM, the MDM:
- Can enforce compliance with organization policies, add or remove apps, and more.
- Can report a device's compliance in Microsoft Entra ID.
-- Microsoft Entra ID can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
+- Can allow access to organization resources or applications secured by Microsoft Entra ID to devices that comply with policies.
To support these rich experiences with their MDM product, MDM vendors can integrate with Microsoft Entra ID.
@@ -24,23 +24,21 @@ To support these rich experiences with their MDM product, MDM vendors can integr
There are several ways to connect your devices to Microsoft Entra ID:
-- [Join device to Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join)
-- [Join device to on-premises AD and Microsoft Entra ID](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
-- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register)
+- [Join device to Microsoft Entra ID](/entra/identity/devices/concept-directory-join)
+- [Join device to on-premises AD and Microsoft Entra ID](/entra/identity/devices/concept-hybrid-join)
+- [Add a Microsoft work account to Windows](/entra/identity/devices/concept-device-registration)
In each scenario, Microsoft Entra authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN.
In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Microsoft Entra ID respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article.
-For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
+For Microsoft Entra enrollment to work for an Active Directory Federated Services (AD FS) backed Microsoft Entra account, you must enable password authentication for the intranet on the ADFS service. For more information, see [Configure Microsoft Entra multifactor authentication as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has a Microsoft Entra account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Microsoft Entra join for organization scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Microsoft Entra ID or work account.
-
-
### MDM endpoints involved in Microsoft Entra integrated enrollment
Microsoft Entra MDM enrollment is a two-step process:
@@ -64,17 +62,15 @@ To support Microsoft Entra enrollment, MDM vendors must host and expose a **Term
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Microsoft Entra ID using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article.
-
-
## Make MDM a reliable party of Microsoft Entra ID
To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Microsoft Entra ID. To report compliance with Microsoft Entra ID, the MDM must authenticate itself to Microsoft Entra ID and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api).
### Cloud-based MDM
-A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
+A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multitenant application. This application is registered with Microsoft Entra ID in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
-The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
+The MDM vendor must first register the application in their home tenant and mark it as a multitenant application. For more information about how to add multitenant applications to Microsoft Entra ID, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multitenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
> [!NOTE]
> For the MDM provider, if you don't have an existing Microsoft Entra tenant with a Microsoft Entra subscription that you manage, follow these step-by-step guides:
@@ -82,7 +78,7 @@ The MDM vendor must first register the application in their home tenant and mark
> - [Quickstart: Create a new tenant in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
> - [Associate or add an Azure subscription to your Microsoft Entra tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
-The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
+The MDM application uses keys to request access tokens from Microsoft Entra ID. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multitenant MDM application to authenticate itself with Microsoft Entra ID, in the customer tenant where the managed device belongs.
> [!NOTE]
> All MDM apps must implement Microsoft Entra v2 tokens before we certify that integration works. Due to changes in the Microsoft Entra app platform, using Microsoft Entra v2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats).
@@ -107,8 +103,6 @@ For cloud-based MDM, you can roll over the application keys without requiring a
For the on-premises MDM, the Microsoft Entra authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
-
-
## Publish your MDM app to Microsoft Entra app gallery
IT administrators use the Microsoft Entra app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Microsoft Entra ID.
@@ -124,7 +118,7 @@ The following table shows the required information to create an entry in the Mic
| Item | Description |
|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. |
+| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multitenant app. |
| **Publisher** | A string that identifies the publisher of the app. |
| **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. |
| **Description** | A brief description of your MDM app, which must be under 255 characters. |
@@ -191,7 +185,7 @@ The following claims are expected in the access token passed by Windows to the T
|-----------|----------------------------------------------------------------------------------------------|
| Object ID | Identifier of the user object corresponding to the authenticated user. |
| UPN | A claim containing the user principal name (UPN) of the authenticated user. |
-| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
+| TID | A claim representing the tenant ID of the tenant. In the previous example, it's Fabrikam. |
| Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE]
@@ -206,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
Authorization: Bearer eyJ0eXAiOi
```
-The MDM is expected to validate the signature of the access token to ensure it is issued by Microsoft Entra ID and that the recipient is appropriate.
+The MDM is expected to validate the signature of the access token to ensure it's issued by Microsoft Entra ID and that the recipient is appropriate.
### Terms of Use content
@@ -260,8 +254,6 @@ The following table shows the error codes.
| Microsoft Entra token validation failed | 302 | unauthorized_client | unauthorized_client |
| internal service error | 302 | server_error | internal service error |
-
-
## Enrollment protocol with Microsoft Entra ID
With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@@ -284,8 +276,6 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
|EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION|||
-
-
## Management protocol with Microsoft Entra ID
There are two different MDM enrollment types that integrate with Microsoft Entra ID, and use Microsoft Entra user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
@@ -318,8 +308,6 @@ There are two different MDM enrollment types that integrate with Microsoft Entra
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Microsoft Entra authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
-
-
## Device Alert 1224 for Microsoft Entra user token
An alert is sent when the DM session starts and there's a Microsoft Entra user logged in. The alert is sent in OMA DM package #1. Here's an example:
@@ -372,15 +360,13 @@ Here's an example.
```
-
-
## Report device compliance to Microsoft Entra ID
Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Microsoft Entra ID. This section covers the Graph API call you can use to report a device compliance status to Microsoft Entra ID.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
-- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
+- **Cloud-based MDM** - If your product is a cloud-based multitenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Microsoft Entra ID.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Microsoft Entra ID. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Microsoft Entra ID.
### Use Microsoft Graph API
@@ -415,8 +401,6 @@ Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
-
-
## Data loss during unenrollment from Microsoft Entra join
When a user is enrolled into MDM through Microsoft Entra join and then disconnects the enrollment, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index ab7c3e0a1c..aca40777f6 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -2,7 +2,7 @@
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Automatic MDM enrollment in the Intune admin center
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index d9938c6409..c248120cff 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,13 +1,13 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices.
+description: Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Bulk enrollment using Windows Configuration Designer
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
+Bulk enrollment is an efficient way to set up an MDM server to manage a large number of devices without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Microsoft Entra join enrollment scenario.
## Typical use cases
@@ -68,7 +68,7 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. After adding all the settings, select **Save** on the **File** menu.
1. On the main menu, select **Export** > **Provisioning package**.
@@ -120,7 +120,7 @@ Using the WCD, create a provisioning package using the enrollment information re
For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md).
1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
-1. When you're done adding all the settings, on the **File** menu, select **Save**.
+1. After adding all the settings, select **Save** on the **File** menu.
1. Export and build the package (steps 10-13 in previous section).
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices.
@@ -142,7 +142,7 @@ Using the WCD, create a provisioning package using the enrollment information re
- If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row.
- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context.
- It also retries the provisioning each time it's launched, if started from somewhere else as well.
-- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
+- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system is idle](/windows/win32/taskschd/task-idle-conditions).
## Related articles
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index e53a80cc55..2cea712e44 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -2,7 +2,7 @@
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Certificate authentication device enrollment
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index 573cbe71b2..66d42a4d90 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -2,7 +2,7 @@
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Certificate Renewal
@@ -19,7 +19,7 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
> [!NOTE]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
-Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
+Auto certificate renewal is the only supported MDM client certificate renewal method for a device enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL.
@@ -89,7 +89,7 @@ In Windows, the renewal period can only be set during the MDM enrollment phase.
For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md).
-Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week.
+Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device tries to connect at different days of the week.
## Certificate renewal response
@@ -99,7 +99,7 @@ When RequestType is set to Renew, the web service verifies the following (in add
- The client's certificate is in the renewal period
- The certificate is issued by the enrollment service
- The requester is the same as the requester for initial enrollment
-- For standard client's request, the client hasn't been blocked
+- For standard client's request, the client isn't blocked
After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
diff --git a/windows/client-management/client-tools/add-remove-hide-features.md b/windows/client-management/client-tools/add-remove-hide-features.md
index 4fa8c60998..92fa8aaf85 100644
--- a/windows/client-management/client-tools/add-remove-hide-features.md
+++ b/windows/client-management/client-tools/add-remove-hide-features.md
@@ -1,19 +1,9 @@
---
title: Add, remove, or hide Windows features
description: Learn how to add or remove Windows optional features using the Optional features page in the Settings app. Also see the group policy objects (GPO) and MDM policies that show or hide Windows Features in the Settings app. Use Windows PowerShell to show or hide specific features in Windows Features.
-author: aczechowski
-ms.author: aaroncz
-manager: aaroncz
-ms.date: 03/28/2024
+ms.date: 07/01/2024
ms.topic: how-to
-ms.service: windows-client
-ms.subservice: itpro-apps
-ms.localizationpriority: medium
-ms.collection: tier2
zone_pivot_groups: windows-versions-11-10
-appliesto:
- - ✅ Windows 11
- - ✅ Windows 10
---
# Add, remove, or hide Windows features
@@ -29,7 +19,7 @@ Open the **Optional features** pane in the **Settings** app by selecting the fol
> [!div class="nextstepaction"]
> [Optional features](ms-settings:optionalfeatures)
-or
+Or
1. Right-click on the **Start** menu and select **Run**.
@@ -41,7 +31,7 @@ or
and then select **OK**.
-or
+Or
::: zone pivot="windows-11"
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index 1e319e16a4..63b3fbd65c 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -1,18 +1,26 @@
---
-title: Windows Tools/Administrative Tools
+title: Windows Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
-ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/01/2024
ms.topic: conceptual
-ms.collection:
-- highpri
-- tier2
-- essentials-manage
+zone_pivot_groups: windows-versions-11-10
---
-# Windows Tools/Administrative Tools
+# Windows Tools
-**Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
+::: zone pivot="windows-11"
+
+**Windows Tools** is a folder in the Windows 11 Control Panel. This folder contains tools for system administrators and advanced users.
+
+::: zone-end
+
+::: zone pivot="windows-10"
+
+**Administrative Tools** is a folder in the Windows 10 Control Panel. This folder contains tools for system administrators and advanced users.
+
+::: zone-end
+
+::: zone pivot="windows-11"
## Windows Tools folder
@@ -24,6 +32,10 @@ The tools in the folder might vary depending on which edition of Windows you use
:::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
+::: zone-end
+
+::: zone pivot="windows-10"
+
## Administrative Tools folder
The following graphic shows the **Administrative Tools** folder in Windows 10:
@@ -34,34 +46,7 @@ The tools in the folder might vary depending on which edition of Windows you use
-## Tools
-
-The tools are located in the folder `C:\Windows\System32\` or its subfolders.
-
-These tools were included in previous versions of Windows. The associated documentation for each tool can help you use them. The following list provides links to documentation for each tool.
-
-- [Component Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731901(v=ws.11))
-- [Computer Management](https://support.microsoft.com/topic/how-to-use-computer-management-in-windows-xp-d5872f93-4498-f4dd-3a34-36d6f569924f)
-- [Defragment and Optimize Drives](https://support.microsoft.com/windows/ways-to-improve-your-computer-s-performance-c6018c78-0edd-a71a-7040-02267d68ea90)
-- [Disk Cleanup](https://support.microsoft.com/windows/disk-cleanup-in-windows-8a96ff42-5751-39ad-23d6-434b4d5b9a68)
-- [Event Viewer](/previous-versions/windows/it-pro/windows-2000-server/cc938674(v=technet.10))
-- [iSCSI Initiator](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476(v=ws.10))
-- [Local Security Policy](/previous-versions/tn-archive/dd277395(v=technet.10))
-- [ODBC Data Sources](/sql/odbc/admin/odbc-data-source-administrator)
-- [Performance Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749115(v=ws.11))
-- [Print Management](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731857(v=ws.11))
-- [Recovery Drive](https://support.microsoft.com/windows/create-a-recovery-drive-abb4691b-5324-6d4a-8766-73fab304c246)
-- [Registry Editor](/windows/win32/sysinfo/registry)
-- [Resource Monitor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd883276(v=ws.10))
-- [Services](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772408(v=ws.11))
-- [System Configuration](/troubleshoot/windows-client/performance/system-configuration-utility-troubleshoot-configuration-errors)
-- [System Information](/previous-versions/windows/it-pro/windows-2000-server/cc957818(v=technet.10))
-- [Task Scheduler](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766428(v=ws.11))
-- [Windows Firewall with Advanced Security](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754274(v=ws.11))
-- [Windows Memory Diagnostic](/previous-versions/technet-magazine/cc745953(v=msdn.10))
-
-> [!TIP]
-> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.
+::: zone-end
## Related articles
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 685f872e8a..725c23927a 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -1,12 +1,11 @@
---
title: Windows default media removal policy
-description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
-ms.date: 08/10/2023
+description: Manage default media removal policy in Windows.
+ms.date: 07/01/2024
ms.topic: conceptual
-ms.localizationpriority: medium
---
-# Change in default removal policy for external storage media in Windows
+# Manage default media removal policy
Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**.
@@ -16,7 +15,7 @@ You can change the policy setting for each external device, and the policy that
You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
-- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This may degrade system performance.
+- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This can degrade system performance.
- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!IMPORTANT]
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index b47fad81ee..c08492c201 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -2,7 +2,7 @@
title: Connect to remote Microsoft Entra joined device
description: Learn how to use Remote Desktop Connection to connect to a Microsoft Entra joined device.
ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/01/2024
ms.topic: conceptual
ms.collection:
- highpri
@@ -14,18 +14,16 @@ ms.collection:
Windows supports remote connections to devices joined to Active Directory s well as devices joined to Microsoft Entra ID using Remote Desktop Protocol (RDP).
- Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-azure-ad-authentication).
+- Starting in Windows 10/11, with 2022-10 update installed, you can [use Microsoft Entra authentication to connect to the remote Microsoft Entra device](#connect-with-microsoft-entra-authentication).
## Prerequisites
- Both devices (local and remote) must be running a supported version of Windows.
- Remote device must have the **Connect to and use this PC from another device using the Remote Desktop app** option selected under **Settings** > **System** > **Remote Desktop**.
- - It's recommended to select **Require devices to use Network Level Authentication to connect** option.
+ - Select **Require devices to use Network Level Authentication to connect** option is recommended.
- If the user who joined the device to Microsoft Entra ID is the only one who is going to connect remotely, no other configuration is needed. To allow more users or groups to connect to the device remotely, you must [add users to the Remote Desktop Users group](#add-users-to-remote-desktop-users-group) on the remote device.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard) is turned off on the device you're using to connect to the remote device.
-
-
## Connect with Microsoft Entra authentication
Microsoft Entra authentication can be used on the following operating systems for both the local and remote device:
@@ -64,8 +62,6 @@ The Windows lock screen in the remote session doesn't support Microsoft Entra au
Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Microsoft Entra ID reevaluates the applicable conditional access policies.
-
-
## Connect without Microsoft Entra authentication
By default, RDP doesn't use Microsoft Entra authentication, even if the remote PC supports it. This method allows you to connect to the remote Microsoft Entra joined device from:
diff --git a/windows/client-management/client-tools/images/change-def-rem-policy-2.png b/windows/client-management/client-tools/images/change-def-rem-policy-2.png
index d05d5dd16f..d99919de15 100644
Binary files a/windows/client-management/client-tools/images/change-def-rem-policy-2.png and b/windows/client-management/client-tools/images/change-def-rem-policy-2.png differ
diff --git a/windows/client-management/client-tools/images/settings-page-visibility-gp.png b/windows/client-management/client-tools/images/settings-page-visibility-gp.png
index 198fc83a7c..eabe085176 100644
Binary files a/windows/client-management/client-tools/images/settings-page-visibility-gp.png and b/windows/client-management/client-tools/images/settings-page-visibility-gp.png differ
diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 0aaf41776d..052dc9e72a 100644
--- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -1,7 +1,7 @@
---
title: Manage Device Installation with Group Policy
description: Find out how to manage Device Installation Restrictions with Group Policy.
-ms.date: 08/10/2023
+ms.date: 07/01/2024
ms.topic: conceptual
---
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index bf19bb6ad7..fb091f005b 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -1,7 +1,7 @@
---
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.date: 08/10/2023
+ms.date: 07/01/2024
ms.topic: conceptual
---
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 78e358f1fd..5e64dd2f66 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,16 +1,13 @@
---
title: Create mandatory user profiles
-description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
-ms.date: 08/10/2023
+description: A mandatory user profile is a special type of preconfigured roaming user profile that administrators can use to specify settings for users.
+ms.date: 07/01/2024
ms.topic: conceptual
-ms.collection:
-- highpri
-- tier2
---
# Create mandatory user profiles
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned.
+A mandatory user profile is a roaming user profile that has been preconfigured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
@@ -118,12 +115,12 @@ In a domain, you modify properties for the user account to point to the mandator
### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc).
-1. Navigate to the user account that you'll assign the mandatory profile to.
+1. Navigate to the user account that you want to assign the mandatory profile to.
1. Right-click the user name and open **Properties**.
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
1. Select **OK**.
-It may take some time for this change to replicate to all domain controllers.
+It can take some time for this change to replicate to all domain controllers.
## Apply policies to improve sign-in time
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 397791e335..25a3039918 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -1,9 +1,8 @@
---
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
-ms.date: 05/09/2024
+ms.date: 07/01/2024
ms.topic: conceptual
-ms.localizationpriority: medium
ms.collection:
- highpri
- tier1
@@ -134,7 +133,7 @@ Quick Assist for macOS is available for interactions with Microsoft Support. If
## Disable Quick Assist within your organization
-If your organization utilizes another remote support tool such as [Remote Help](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help), disable or remove Quick Assist as a best practice, if it isn't used within your environment. This prevents external users from using Quick Assist to gain access to devices within your organization.
+If your organization utilizes another remote support tool such as [Remote Help](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune-remote-help), disable or remove Quick Assist as a best practice, if it isn't used within your environment. This prevents guests from using Quick Assist to gain access to devices within your organization.
### Disable Quick Assist
diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml
index 17b21a7926..9600b605e4 100644
--- a/windows/client-management/client-tools/toc.yml
+++ b/windows/client-management/client-tools/toc.yml
@@ -15,7 +15,7 @@ items:
href: manage-settings-app-with-group-policy.md
- name: Manage default media removal policy
href: change-default-removal-policy-external-storage-media.md
- - name: What version of Windows am I running
- href: windows-version-search.md
- name: Windows libraries
href: windows-libraries.md
+ - name: What version of Windows am I running
+ href: windows-version-search.md
\ No newline at end of file
diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md
index 3486649f20..65a263719f 100644
--- a/windows/client-management/client-tools/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -2,13 +2,15 @@
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/01/2024
---
# Windows libraries
Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
+To show libraries in File Explorer, go to **Options**, select the **View** tab, and then select **Show libraries**.
+
## Features for Users
Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users:
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index 2bb838cf72..2c34266131 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -1,7 +1,7 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-ms.date: 08/10/2023
+ms.date: 07/01/2024
ms.topic: conceptual
---
@@ -17,8 +17,6 @@ To determine if your device is enrolled in the Long-Term Servicing Channel or th
Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information.
-:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
-
## Using Keyword Search
You can type the following in the search bar and press **ENTER** to see version details for your device.
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 30b905a41d..f497c86712 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -2,7 +2,7 @@
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
appliesto:
- ✅ Windows 11
---
@@ -63,7 +63,7 @@ The steps to turn on config lock using Microsoft Intune are as follows:
Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.
-:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off.":::
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of System Guard protects your device from compromised firmware. The setting is set to Off.":::
## FAQ
diff --git a/windows/client-management/declared-configuration-extensibility.md b/windows/client-management/declared-configuration-extensibility.md
index 3121be77f0..7b1f9991f8 100644
--- a/windows/client-management/declared-configuration-extensibility.md
+++ b/windows/client-management/declared-configuration-extensibility.md
@@ -1,13 +1,13 @@
---
title: Declared configuration extensibility
description: Learn more about declared configuration extensibility through native WMI providers.
-ms.date: 09/26/2023
+ms.date: 07/08/2024
ms.topic: how-to
---
# Declared configuration extensibility providers
-The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that has implemented a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and may implement any number of string properties.
+The declared configuration enrollment, which supports the declared configuration client stack, offers extensibility through native WMI providers. This feature instantiates and interfaces with a Windows Management Instrumentation (WMI) provider that implements a management infrastructure (MI) interface. The interface must implement GetTargetResource, TestTargetResource, and SetTargetResource methods, and can implement any number of string properties.
> [!NOTE]
> Only string properties are currently supported by extensibility providers.
@@ -51,7 +51,7 @@ uint32 SetTargetResource(
To create a native WMI provider, follow the steps outlined in [How to implement an MI provider](/previous-versions/windows/desktop/wmi_v2/how-to-implement-an-mi-provider). These steps include how to generate the source code for an MI interface using the `Convert-MofToProvider.exe` tool to generate the DLL and prepare it for placement.
-1. Create a MOF file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
+1. Create a Managed Object Format (MOF) file that defines the schema for the desired state configuration resource including parameters and methods. This file includes the required parameters for the resource.
2. Copy the schema MOF file along with any required files into the provider tools directory, for example: ProviderGenerationTool.
3. Edit the required files and include the correct file names and class names.
4. Invoke the provider generator tool to generate the provider's project files.
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
index f655d1ae19..e12a89b7ca 100644
--- a/windows/client-management/declared-configuration.md
+++ b/windows/client-management/declared-configuration.md
@@ -1,7 +1,7 @@
---
title: Declared configuration protocol
description: Learn more about using declared configuration protocol for desired state management of Windows devices.
-ms.date: 09/26/2023
+ms.date: 07/08/2024
ms.topic: overview
---
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index c298893a3a..5f61783f99 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -2,7 +2,7 @@
title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
ms.collection:
- highpri
- tier2
@@ -25,7 +25,7 @@ In particular, Windows provides APIs to enable MDMs to:
- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested.
- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs.
-This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
+This article provides independent software publishers (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md).
> [!NOTE]
> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
@@ -88,7 +88,7 @@ This section describes a possible algorithm for using the server-server sync pro
First some background:
-- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
+- If you have a multitenant MDM, the update metadata can be kept in a shared partition, since it's common to all tenants.
- A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about.
- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device.
@@ -130,7 +130,7 @@ The following screenshots of the administrator console show the list of update t
### SyncML example
-Set auto update to notify and defer.
+Set Microsoft AutoUpdate to notify and defer.
```xml
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 612dd07651..cfc52d7c69 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -2,7 +2,7 @@
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Disconnecting from the management infrastructure (unenrollment)
@@ -22,14 +22,14 @@ During disconnection, the client executes the following tasks:
In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device.
-This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
+This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment can succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> [!NOTE]
> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
-After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
+After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DMClient starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article.
@@ -107,15 +107,13 @@ You can only use the Work Access page to unenroll under the following conditions
- Enrollment was done using bulk enrollment.
- Enrollment was created using the Work Access page.
-
-
## Unenrollment from Microsoft Entra join
When a user is enrolled into MDM through Microsoft Entra join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
-During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
+During the process in which a device is enrolled into MDM through Microsoft Entra join and then remotely unenrolled, the device can get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Microsoft Entra association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Microsoft Entra ID, otherwise the device won't have any admin user after the operation.
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index 00618845b9..db0f36a085 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -3,7 +3,7 @@ title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Enable ADMX policies in MDM
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index f9ccd5cc0a..409c283821 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -2,7 +2,7 @@
title: Enroll a Windows device automatically using Group Policy
description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
ms.collection:
- highpri
- tier2
@@ -12,7 +12,7 @@ ms.collection:
You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
-The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
+The group policy created on your local AD triggers enrollment into Intune without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Microsoft Entra account.
**Requirements**:
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index b6e975a1c8..323376d673 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -2,7 +2,7 @@
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Enterprise app management
@@ -116,7 +116,7 @@ There are two basic types of apps you can deploy:
- Store apps.
- Enterprise signed apps.
-To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for nonstore app deployment.
### Unlock the device for non-Store apps
@@ -154,7 +154,7 @@ Here's an example:
### Unlock the device for developer mode
-Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
+Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of nonpackaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP.
AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device.
@@ -238,8 +238,8 @@ If you purchased an app from the Store for Business, the app license must be dep
In the SyncML, you need to specify the following information in the `Exec` command:
-- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business.
-- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license.
+- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base 64 encoded license download from the Store for Business.
+- License Content - This content is specified in the data section. The License Content is the Base 64 encoded blob of the license.
Here's an example of an offline license installation.
@@ -469,7 +469,7 @@ When an app installation is completed, a Windows notification is sent. You can a
- NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed.
- INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated.
- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription.
- - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear.
+ - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean-up action hasn't completed, then this state may briefly appear.
- LastError - The last error reported by the app deployment server.
- LastErrorDescription - Describes the last error reported by the app deployment server.
- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0.
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 970b5917af..2a28981591 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -3,7 +3,7 @@ title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
ms.localizationpriority: medium
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# How Mobile Device Management Providers support eSIM Management on Windows
@@ -28,7 +28,7 @@ If you're a Mobile Device Management (MDM) Provider and want to support eSIM Man
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
-- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
+- Operator doesn't have visibility over status of the eSIM profiles
- Real-time solution
- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index ecb42e8160..32b2fef7ef 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -2,7 +2,7 @@
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 07/08/2024
---
# Federated authentication device enrollment
@@ -122,7 +122,7 @@ The discovery response is in the XML format and includes the following fields:
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
-When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage is used by the enrollment client as the device security secret during the client certificate enrollment request call.
+When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an end page is used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
@@ -183,7 +183,7 @@ Content-Length: 556