deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into alexbuckgit/docutune-autopr-20231018-031908-5285705-ignore-build

Browse Source
This commit is contained in:
Gary Moore 2023-10-19 14:01:01 -07:00 committed by GitHub
commit c6c5904e60
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 115 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/accounts-csp.md
View File

@ -46,7 +46,7 @@ Root node.
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Microsoft Entra ID and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros:

24
windows/client-management/mdm/bitlocker-csp.md
View File

@ -236,7 +236,7 @@ The expected values for this policy are:
1 = This is the default, when the policy isn't set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Azure Active Directory joined devices.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update, the value 0 only takes effect on Microsoft Entra joined devices.
Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Description-End -->
@ -244,12 +244,12 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-AllowWarningForOtherDiskEncryption-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
>
> The endpoint for a fixed data drive's backup is chosen in the following order:
>
> 1. The user's Windows Server Active Directory Domain Services account.
> 2. The user's Azure Active Directory account.
> 2. The user's Microsoft Entra account.
> 3. The user's personal OneDrive (MDM/MAM only).
>
> Encryption will wait until one of these three locations backs up successfully.
@ -270,7 +270,7 @@ Windows will attempt to silently enable BitLocker for value 0.
| Value | Description |
|:--|:--|
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 0 | Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Microsoft Entra joined devices. Windows will attempt to silently enable BitLocker for value 0. |
| 1 (Default) | Warning prompt allowed. |
<!-- Device-AllowWarningForOtherDiskEncryption-AllowedValues-End -->
@ -312,9 +312,9 @@ Windows will attempt to silently enable BitLocker for value 0.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-Begin -->
<!-- Description-Source-DDF -->
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on AAD and Hybrid domain joined devices.
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and Hybrid domain joined devices.
When not configured, Rotation is turned on by default for AAD only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
When not configured, Rotation is turned on by default for Microsoft Entra-only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
@ -322,8 +322,8 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for AAD joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both AAD and Hybrid devices.
1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and Hybrid devices.
<!-- Device-ConfigureRecoveryPasswordRotation-Description-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Editable-Begin -->
@ -346,8 +346,8 @@ Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
| Value | Description |
|:--|:--|
| 0 (Default) | Refresh off (default). |
| 1 | Refresh on for Azure AD-joined devices. |
| 2 | Refresh on for both Azure AD-joined and hybrid-joined devices. |
| 1 | Refresh on for Microsoft Entra joined devices. |
| 2 | Refresh on for both Microsoft Entra joined and hybrid-joined devices. |
<!-- Device-ConfigureRecoveryPasswordRotation-AllowedValues-End -->
<!-- Device-ConfigureRecoveryPasswordRotation-Examples-Begin -->
@ -1269,7 +1269,7 @@ Disabling the policy won't turn off the encryption on the storage card. But will
<!-- Device-RotateRecoveryPasswords-Description-Begin -->
<!-- Description-Source-DDF -->
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on a Microsoft Entra ID or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
@ -1401,7 +1401,7 @@ This value represents a bitmask with each bit and the corresponding error code d
| 8 |Recovery key backup failed.|
| 9 |A fixed drive is unprotected.|
| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Microsoft Entra ID, the AllowStandardUserEncryption policy must be set to 1.|
| 12 |Windows Recovery Environment (WinRE) isn't configured.|
| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
| 14 |The TPM isn't ready for BitLocker.|

30
windows/client-management/mdm/dmclient-csp.md
View File

@ -272,7 +272,7 @@ This node contains the URI-encoded value of the bootstrapped device management a
<!-- Device-Provider-{ProviderID}-AADDeviceID-Description-Begin -->
<!-- Description-Source-DDF -->
Device ID used for AAD device registration.
Device ID used for Microsoft Entra device registration.
<!-- Device-Provider-{ProviderID}-AADDeviceID-Description-End -->
<!-- Device-Provider-{ProviderID}-AADDeviceID-Editable-Begin -->
@ -311,12 +311,12 @@ Device ID used for AAD device registration.
<!-- Device-Provider-{ProviderID}-AADResourceID-Description-Begin -->
<!-- Description-Source-DDF -->
This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
This is the ResourceID used when requesting the user token from the OMA DM session for Microsoft Entra enrollments (Microsoft Entra join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
<!-- Device-Provider-{ProviderID}-AADResourceID-Description-End -->
<!-- Device-Provider-{ProviderID}-AADResourceID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../azure-active-directory-integration-with-mdm.md).
For more information about Microsoft Entra enrollment, see [Microsoft Entra integration with MDM](../azure-active-directory-integration-with-mdm.md).
<!-- Device-Provider-{ProviderID}-AADResourceID-Editable-End -->
<!-- Device-Provider-{ProviderID}-AADResourceID-DFProperties-Begin -->
@ -351,7 +351,7 @@ For more information about Azure AD enrollment, see [Azure Active Directory inte
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-Begin -->
<!-- Description-Source-DDF -->
For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
For Microsoft Entra backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Description-End -->
<!-- Device-Provider-{ProviderID}-AADSendDeviceToken-Editable-Begin -->
@ -2016,8 +2016,8 @@ Device only. This node decides whether or not the MDM device progress page skips
| Value | Description |
|:--|:--|
| false | Don't skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
| true (Default) | Skip the device progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
| false | Don't skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
| true (Default) | Skip the device progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipDeviceStatusPage-Examples-Begin -->
@ -2065,8 +2065,8 @@ Device only. This node decides whether or not the MDM user progress page skips a
| Value | Description |
|:--|:--|
| false | Don't skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
| true (Default) | Skip the MGM user progress page after Azure AD joined or Hybrid Azure AD joined in OOBE. |
| false | Don't skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
| true (Default) | Skip the MGM user progress page after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE. |
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-FirstSyncStatus-SkipUserStatusPage-Examples-Begin -->
@ -2182,7 +2182,7 @@ Integer node determining if a Device was Successfully provisioned. 0 is failure,
<!-- Device-Provider-{ProviderID}-ForceAadToken-Description-Begin -->
<!-- Description-Source-DDF -->
Force device to send device AAD token during check-in as a separate header.
Force device to send device Microsoft Entra token during check-in as a separate header.
<!-- Device-Provider-{ProviderID}-ForceAadToken-Description-End -->
<!-- Device-Provider-{ProviderID}-ForceAadToken-Editable-Begin -->
@ -2204,9 +2204,9 @@ Force device to send device AAD token during check-in as a separate header.
| Value | Description |
|:--|:--|
| 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
| 1 | AlwaysSendAadDeviceTokenCheckIn: always send AAD device token during check-in as a separate header section(not as Bearer token). |
| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during check-in as a separate header section(not as Bearer token). |
| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send AAD Device token for auth as Bearer token. |
| 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra Device token for auth as Bearer token. |
| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
<!-- Device-Provider-{ProviderID}-ForceAadToken-AllowedValues-End -->
@ -2472,7 +2472,7 @@ This is an execution node and will trigger a silent Declared Configuration unenr
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This is an execution node and will trigger a silent Declared Configuration enrollment, using the AAD device token pulled from the Azure AD-joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
This is an execution node and will trigger a silent Declared Configuration enrollment, using the Microsoft Entra device token pulled from the Microsoft Entra joined device. There is no user interaction needed. When the **DiscoveryEndpoint** is not set, the Enroll node will fail with `ERROR_FILE_NOT_FOUND (0x80070002)` and there is no scheduled task created for dual enrollment.
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-Editable-End -->
<!-- Device-Provider-{ProviderID}-LinkedEnrollment-Enroll-DFProperties-Begin -->
@ -3735,7 +3735,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
| Value | Description |
|:--|:--|
| 0 (Default) | Initiate MDM Recovery. |
| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, AAD keys are protected by TPM, and the TPM is ready for attestation. |
| 1 | Initiate Recovery if Keys aren't already protected by the TPM, there is a TPM to put the keys into, Microsoft Entra ID keys are protected by TPM, and the TPM is ready for attestation. |
<!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-AllowedValues-End -->
<!-- Device-Provider-{ProviderID}-Recovery-InitiateRecovery-Examples-Begin -->
@ -3761,7 +3761,7 @@ This node initiates a recovery action. The server can specify prerequisites befo
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-Begin -->
<!-- Description-Source-DDF -->
This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because AAD keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
This node tracks the status of a Recovery request from the InitiateRecovery node. 0 - No Recovery request has been processed. 1 - Recovery is in Process. 2 - Recovery has finished successfully. 3 - Recovery has failed to start because TPM isn't available. 4 - Recovery has failed to start because Microsoft Entra ID keys aren't protected by the TPM. 5 - Recovery has failed to start because the MDM keys are already protected by the TPM. 6 - Recovery has failed to start because the TPM isn't ready for attestation. 7 - Recovery has failed because the client can't authenticate to the server. 8 - Recovery has failed because the server has rejected the client's request.
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Description-End -->
<!-- Device-Provider-{ProviderID}-Recovery-RecoveryStatus-Editable-Begin -->

2
windows/client-management/mdm/healthattestation-csp.md
View File

@ -726,7 +726,7 @@ If the attestation process is launched successfully, this node will return code
- rpID (Relying Party Identifier): This field contains an identifier that can be used to help determine the caller.
- serviceEndpoint : This field contains the complete URL of the Microsoft Azure Attestation provider instance to be used for evaluation.
- nonce: This field contains an arbitrary number that can be used only once in a cryptographic communication. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in replay attacks.
- aadToken: The Azure Active Directory token to be used for authentication against the Microsoft Azure Attestation service.
- aadToken: The Microsoft Entra token to be used for authentication against the Microsoft Azure Attestation service.
- cv: This field contains an identifier(Correlation Vector) that will be passed in to the service call, and that can be used for diagnostics purposes.
- Sample `<Data>`:

16
windows/client-management/mdm/laps-csp.md
View File

@ -23,7 +23,7 @@ ms.topic: reference
The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings).
> [!NOTE]
> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Azure Active Directory LAPS scenario, see [Windows LAPS availability and Azure AD LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Microsoft Entra LAPS scenario, see [Windows LAPS availability and Microsoft Entra LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status).
> [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
The allowable settings are:
0=Disabled (password won't be backed up)
1=Backup the password to Azure AD only
1=Backup the password to Microsoft Entra-only
2=Backup the password to Active Directory only.
If not specified, this setting will default to 0.
@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled (password won't be backed up). |
| 1 | Backup the password to Azure AD only. |
| 1 | Backup the password to Microsoft Entra-only. |
| 2 | Backup the password to Active Directory only. |
<!-- Device-Policies-BackupDirectory-AllowedValues-End -->
@ -506,7 +506,7 @@ Use this policy to configure the maximum password age of the managed local admin
If not specified, this setting will default to 30 days.
This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Azure AD.
This setting has a minimum allowed value of 1 day when backing the password to on-premises Active Directory, and 7 days when backing the password to Microsoft Entra ID.
This setting has a maximum allowed value of 365 days.
<!-- Device-Policies-PasswordAgeDays-Description-End -->
@ -806,7 +806,7 @@ This setting has a maximum allowed value of 24 hours.
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
## Settings Applicability
The LAPS CSP can be used to manage devices that are either joined to Azure AD or joined to both Azure AD and Active Directory (hybrid-joined). The LAPS CSP manages a mix of AAD-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
The LAPS CSP can be used to manage devices that are either joined to Microsoft Entra ID or joined to both Microsoft Entra ID and Active Directory (hybrid-joined). The LAPS CSP manages a mix of Microsoft Entra-only and AD-only settings. The AD-only settings are only applicable for hybrid-joined devices, and then only when BackupDirectory is set to 2.
| Setting name | Azure-joined | Hybrid-joined |
|-------------------------------------|--------------|---------------|
@ -828,9 +828,11 @@ The LAPS CSP can be used to manage devices that are either joined to Azure AD or
The following examples are provided to show the correct format and shouldn't be considered as a recommendation.
### Azure-joined device backing password up to Azure AD
<a name='azure-joined-device-backing-password-up-to-azure-ad'></a>
This example shows how to configure an Azure-joined device to back up its password to Azure Active Directory:
### Azure-joined device backing password up to Microsoft Entra ID
This example shows how to configure an Azure-joined device to back up its password to Microsoft Entra ID:
```xml
<SyncMl xmlns="SYNCML:SYNCML1.2">

4
windows/client-management/mdm/networkqospolicy-csp.md
View File

@ -32,9 +32,9 @@ The following actions are supported:
- Layer 3 tagging using a differentiated services code point (DSCP) value
> [!NOTE]
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices:
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Microsoft Entra joined. Currently, this CSP is not supported on the following devices:
>
> - Azure AD Hybrid joined devices.
> - Microsoft Entra hybrid joined devices.
> - Devices that use both GPO and CSP at the same time.
>
> The minimum operating system requirement for this CSP is Windows 10, version 1703. This CSP is not supported in Microsoft Surface Hub prior to Windows 10, version 1703.

10
windows/client-management/mdm/passportforwork-csp.md
View File

@ -20,7 +20,7 @@ ms.topic: reference
<!-- PassportForWork-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards.
The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Microsoft Entra account and replace passwords, smartcards, and virtual smart cards.
> [!IMPORTANT]
> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@ -1119,9 +1119,9 @@ Windows Hello for Business can use certificates to authenticate to on-premise re
<!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-Begin -->
<!-- Description-Source-DDF -->
Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
Boolean value that enables Windows Hello for Business to use Microsoft Entra Kerberos to authenticate to on-premises resources.
- If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
- If you enable this policy setting, Windows Hello for Business will use a Microsoft Entra Kerberos ticket to authenticate to on-premises resources. The Microsoft Entra Kerberos ticket is returned to the client after a successful authentication to Microsoft Entra ID if Microsoft Entra Kerberos is enabled for the tenant and domain.
- If you disable or don't configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources.
<!-- Device-{TenantId}-Policies-UseCloudTrustForOnPremAuth-Description-End -->
@ -1226,7 +1226,7 @@ Windows requires a user to lock and unlock their session after changing this set
<!-- Device-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
<!-- Description-Source-DDF -->
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
- If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.
@ -2553,7 +2553,7 @@ A Trusted Platform Module (TPM) provides additional security benefits over softw
<!-- User-{TenantId}-Policies-UsePassportForWork-Description-Begin -->
<!-- Description-Source-DDF -->
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards.
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Microsoft Entra account that can replace passwords, Smart Cards, and Virtual Smart Cards.
- If you enable or don't configure this policy setting, the device provisions Windows Hello for Business for all users.

2
windows/client-management/mdm/policy-csp-admx-ncsi.md
View File

@ -269,7 +269,7 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
<!-- NCSI_DomainLocationDeterminationUrl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Microsoft Entra-only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
<!-- NCSI_DomainLocationDeterminationUrl-Editable-End -->
<!-- NCSI_DomainLocationDeterminationUrl-DFProperties-Begin -->

2
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -37,7 +37,7 @@ ms.topic: reference
<!-- DefaultAssociationsConfiguration-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc. xml), and then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Microsoft Entra joined, the associations assigned in SyncML will be processed and default associations will be applied.
<!-- DefaultAssociationsConfiguration-Description-End -->
<!-- DefaultAssociationsConfiguration-Editable-Begin -->

24
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -39,13 +39,13 @@ ms.topic: reference
<!-- AllowAadPasswordReset-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether password reset is enabled for AAD accounts.
Specifies whether password reset is enabled for Microsoft Entra accounts.
<!-- AllowAadPasswordReset-Description-End -->
<!-- AllowAadPasswordReset-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy allows the Azure Active Directory (Azure AD) tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
This policy allows the Microsoft Entra tenant administrator to enable the self-service password reset feature on the Windows sign-in screen.
<!-- AllowAadPasswordReset-Editable-End -->
<!-- AllowAadPasswordReset-DFProperties-Begin -->
@ -262,7 +262,7 @@ Specifies a list of domains that are allowed to access the webcam in Web Sign-in
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Web sign-in is only supported on Azure AD joined PCs.
> Web sign-in is only supported on Microsoft Entra joined PCs.
<!-- ConfigureWebcamAccessDomainNames-Editable-End -->
<!-- ConfigureWebcamAccessDomainNames-DFProperties-Begin -->
@ -312,7 +312,7 @@ Specifies a list of URLs that are navigable in Web Sign-in based authentication
This policy specifies the list of domains that users can access in certain authentication scenarios. For example:
- Azure Active Directory (Azure AD) PIN reset
- Microsoft Entra ID PIN reset
- Web sign-in Windows device scenarios where authentication is handled by Active Directory Federation Services (AD FS) or a third-party federated identity provider
> [!NOTE]
@ -358,13 +358,13 @@ Your organization's PIN reset or web sign-in authentication flow is expected to
<!-- EnableFastFirstSignIn-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether new non-admin AAD accounts should auto-connect to pre-created candidate local accounts.
Specifies whether new non-admin Microsoft Entra accounts should auto-connect to pre-created candidate local accounts.
<!-- EnableFastFirstSignIn-Description-End -->
<!-- EnableFastFirstSignIn-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Microsoft Entra accounts to the pre-configured candidate local accounts.
> [!IMPORTANT]
> Pre-configured candidate local accounts are any local accounts that are pre-configured or added on the device.
@ -386,8 +386,8 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
| Value | Description |
|:--|:--|
| 0 (Default) | The feature defaults to the existing SKU and device capabilities. |
| 1 | Enabled. Auto-connect new non-admin Azure AD accounts to pre-configured candidate local accounts. |
| 2 | Disabled. Don't auto-connect new non-admin Azure AD accounts to pre-configured local accounts. |
| 1 | Enabled. Auto-connect new non-admin Microsoft Entra accounts to pre-configured candidate local accounts. |
| 2 | Disabled. Don't auto-connect new non-admin Microsoft Entra accounts to pre-configured local accounts. |
<!-- EnableFastFirstSignIn-AllowedValues-End -->
<!-- EnableFastFirstSignIn-Examples-Begin -->
@ -470,12 +470,12 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!WARNING]
> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Azure Active Directory (Azure AD), unless it's used in a limited federated scope.
> The Web sign-in feature is intended for recovery purposes in the event a password isn't available as an authentication method. Web sign-in only supports *temporary access pass* as an authentication method for Microsoft Entra ID, unless it's used in a limited federated scope.
**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Azure AD credentials, like temporary access pass.
**Web sign-in** is a modern way of signing into a Windows PC. It enables Windows sign-in support for new Microsoft Entra credentials, like temporary access pass.
> [!NOTE]
> Web sign-in is only supported on Azure AD joined PCs.
> Web sign-in is only supported on Microsoft Entra joined PCs.
<!-- EnableWebSignIn-Editable-End -->
<!-- EnableWebSignIn-DFProperties-Begin -->
@ -521,7 +521,7 @@ Specifies whether web-based sign-in is allowed for signing in to Windows.
<!-- PreferredAadTenantDomainName-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies the preferred domain among available domains in the AAD tenant.
Specifies the preferred domain among available domains in the Microsoft Entra tenant.
<!-- PreferredAadTenantDomainName-Description-End -->
<!-- PreferredAadTenantDomainName-Editable-Begin -->

6
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -703,13 +703,13 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = AAD. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
<!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
> The default behavior, when neither the DOGroupId or DOGroupIdSource policies are set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If DOGroupIdSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead.
<!-- DOGroupIdSource-Editable-End -->
<!-- DOGroupIdSource-DFProperties-Begin -->
@ -732,7 +732,7 @@ Set this policy to restrict peer selection to a specific source. Available optio
| 2 | Authenticated domain SID. |
| 3 | DHCP user option. |
| 4 | DNS suffix. |
| 5 | AAD. |
| 5 | Microsoft Entra ID. |
<!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin -->

2
windows/client-management/mdm/policy-csp-experience.md
View File

@ -352,7 +352,7 @@ When Find My Device is off, the device and its location aren't registered and th
<!-- AllowManualMDMUnenrollment-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Microsoft Entra joined and MDM enrolled (e. g. auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account. Most restricted value is 0.

4
windows/client-management/mdm/policy-csp-federatedauthentication.md
View File

@ -43,7 +43,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
<!-- EnableWebSignInForPrimaryUser-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> Web Sign-in is only supported on Azure AD Joined PCs.
> Web Sign-in is only supported on Microsoft Entra joined PCs.
<!-- EnableWebSignInForPrimaryUser-Editable-End -->
<!-- EnableWebSignInForPrimaryUser-DFProperties-Begin -->
@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
|:--|:--|
| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
| 2 | Disabled. Web Sign-in Credential Provider will be not be enabled for device sign-in. |
| 2 | Disabled. Web Sign-in Credential Provider isn't be enabled for device sign-in. |
<!-- EnableWebSignInForPrimaryUser-AllowedValues-End -->
<!-- EnableWebSignInForPrimaryUser-Examples-Begin -->

12
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -98,11 +98,11 @@ This policy setting defines the list of trusting forests that the Kerberos clien
<!-- CloudKerberosTicketRetrievalEnabled-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Ticket during logon.
This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon.
- If you disable or don't configure this policy setting, the Azure AD Kerberos Ticket Granting Ticket isn't retrieved during logon.
- If you disable or don't configure this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket isn't retrieved during logon.
- If you enable this policy setting, the Azure AD Kerberos Ticket Granting Ticket is retrieved during logon.
- If you enable this policy setting, the Microsoft Entra Kerberos Ticket Granting Ticket is retrieved during logon.
<!-- CloudKerberosTicketRetrievalEnabled-Description-End -->
<!-- CloudKerberosTicketRetrievalEnabled-Editable-Begin -->
@ -134,7 +134,7 @@ This policy setting allows retrieving the Azure AD Kerberos Ticket Granting Tick
| Name | Value |
|:--|:--|
| Name | CloudKerberosTicketRetrievalEnabled |
| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon |
| Friendly Name | Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon |
| Location | Computer Configuration |
| Path | System > Kerberos |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
@ -781,8 +781,8 @@ The size of the context token buffer determines the maximum size of SSPI context
<!-- UPNNameHints-Description-Begin -->
<!-- Description-Source-DDF -->
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
Devices joined to Microsoft Entra ID in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve a Microsoft Entra UPN into an Active Directory Principal.
This parameter adds a list of domains that a Microsoft Entra joined device should attempt to contact if it's otherwise unable to resolve a UPN to a principal.
<!-- UPNNameHints-Description-End -->
<!-- UPNNameHints-Editable-Begin -->

16
windows/client-management/mdm/policy-csp-localusersandgroups.md
View File

@ -54,7 +54,7 @@ members that aren't specified in the policy are removed.
<!-- Configure-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#configuregroupmembership) policy setting also allows you to configure members (users or Microsoft Entra groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
>
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersAndGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
<!-- Configure-Editable-End -->
@ -166,21 +166,21 @@ where:
> [!NOTE]
> When specifying member names of the user accounts, you must use following format - AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
For adding Microsoft Entra groups, you need to specify the Microsoft Entra group SID. Microsoft Entra group names are not supported with this policy.
For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
> [!IMPORTANT]
>
> - `<add member>` and `<remove member>` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - `<add member>` and `<remove member>` can use a Microsoft Entra SID or the user's name. For adding or removing Microsoft Entra groups using this policy, you must use the group's SID. Microsoft Entra group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `<add member>` or `<remove member>`, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `<remove member>` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
**Example 1**: Azure Active Directory focused.
**Example 1**: Microsoft Entra ID focused.
The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with a Microsoft Entra account "bob@contoso.com" and a Microsoft Entra group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on a Microsoft Entra joined machine.
```xml
<GroupConfiguration>
@ -192,7 +192,7 @@ The following example updates the built-in administrators group with the SID **S
</GroupConfiguration>
```
**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account.
**Example 2**: Replace / Restrict the built-in administrators group with a Microsoft Entra user account.
> [!NOTE]
> When using the 'R' replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
@ -209,7 +209,7 @@ The following example updates the built-in administrators group with the SID **S
**Example 3**: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Microsoft Entra group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
```xml
<GroupConfiguration>
@ -223,7 +223,7 @@ The following example shows how you can update a local group (**Administrators**
```
> [!NOTE]
> When Azure Active Directory group SID's are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
> When Microsoft Entra group SID's are added to local groups, Microsoft Entra account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
>
> - Administrators
> - Users

14
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -42,24 +42,24 @@ These policies are only supported on [Microsoft HoloLens 2](/hololens/hololens2-
<!-- AADGroupMembershipCacheValidityInDays-Description-Begin -->
<!-- Description-Source-DDF -->
This policy controls for how many days, AAD group membership cache is allowed to be used for Assigned Access configurations targeting AAD groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
This policy controls for how many days, Microsoft Entra group membership cache is allowed to be used for Assigned Access configurations targeting Microsoft Entra groups for signed in user. Once this policy is set only then cache is used otherwise not. In order for this policy to take effect, user must sign-out and sign-in with Internet available at least once before the cache can be used for subsequent 'disconnected' sessions.
<!-- AADGroupMembershipCacheValidityInDays-Description-End -->
<!-- AADGroupMembershipCacheValidityInDays-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
Steps to use this policy correctly:
1. Create a device configuration profile for kiosk, which targets Azure AD groups. Assign it to the HoloLens devices.
1. Create a device configuration profile for kiosk, which targets Microsoft Entra groups. Assign it to the HoloLens devices.
1. Create a custom OMA URI-based device configuration. Set this policy value to the chosen number of days greater than zero (`0`). Then assign the configuration to the HoloLens devices.
- The URI value should be entered in OMA-URI text box as `./Device/Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays`
- The value can be any integer in the allowed range.
1. Enroll the HoloLens devices. Verify that both configurations apply to the device.
1. When internet is available, sign in as an Azure AD user. Once the user signs-in, and Azure AD group membership is confirmed successfully, the cache will be created.
1. When internet is available, sign in as a Microsoft Entra user. Once the user signs-in, and Microsoft Entra group membership is confirmed successfully, the cache will be created.
1. You can now take the HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
1. Steps 4 and 5 can be repeated for any other Azure AD user. The key point is that any Azure AD user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of an Azure AD group to which the kiosk configuration is targeted.
1. Steps 4 and 5 can be repeated for any other Microsoft Entra user. The key point is that any Microsoft Entra user must sign-in at least once to a device while on the internet. Then we can determine that they're a member of a Microsoft Entra group to which the kiosk configuration is targeted.
> [!NOTE]
> Until you do step 4 for an Azure AD user, the user will experience failure behavior similar to a disconnected environment.
> Until you do step 4 for a Microsoft Entra user, the user will experience failure behavior similar to a disconnected environment.
<!-- AADGroupMembershipCacheValidityInDays-Editable-End -->
<!-- AADGroupMembershipCacheValidityInDays-DFProperties-Begin -->
@ -212,7 +212,7 @@ On a device where you configure this policy, the user specified in the policy ne
> [!NOTE]
>
> - Some events such as major OS updates may require the specified user to sign in to the device again to resume auto-logon behavior.
> - Auto-logon is only supported for Microsoft accounts and Azure Active Directory (Azure AD) users.
> - Auto-logon is only supported for Microsoft accounts and Microsoft Entra users.
<!-- AutoLogonUser-Editable-End -->
<!-- AutoLogonUser-DFProperties-Begin -->
@ -507,7 +507,7 @@ The following XML string is an example of the value for this policy:
<!-- ConfigureSharedAccount-Description-Begin -->
<!-- Description-Source-DDF -->
This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are AAD accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access AAD resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
This policy specifies the configuration for Shared Accounts on the device. Shared Accounts are Microsoft Entra accounts that are deployed to the device by an IT admin and can be used by anyone with physical access to the device. These accounts excel in deployments where the HoloLens device is used like a tool shared between multiple people and it doesn't matter which account is used to access Microsoft Entra resources. Because these accounts can be signed in without requiring the user to provide credentials, you should ensure that these devices are physically secure, with access granted only to authorized personnel. You should also lock down these accounts to only have access to the required resources.
<!-- ConfigureSharedAccount-Description-End -->
<!-- ConfigureSharedAccount-Editable-Begin -->

2
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -93,7 +93,7 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con
<!-- Description-Source-ADMX -->
This policy setting determines whether Clipboard contents can be synchronized across devices.
- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account.
- If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Microsoft Entra account.
- If you disable this policy setting, Clipboard contents can't be shared to other devices.

4
windows/client-management/mdm/policy-csp-remotedesktop.md
View File

@ -95,13 +95,13 @@ To automatically subscribe to [Azure Virtual Desktop](/azure/virtual-desktop/ove
<!-- LoadAadCredKeyFromProfile-Description-Begin -->
<!-- Description-Source-DDF -->
Allow encrypted DPAPI cred keys to be loaded from user profiles for AAD accounts.
Allow encrypted DPAPI cred keys to be loaded from user profiles for Microsoft Entra accounts.
<!-- LoadAadCredKeyFromProfile-Description-End -->
<!-- LoadAadCredKeyFromProfile-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Azure AD-joined VMs.
This policy allows the user to load the data protection API (DPAPI) cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using [FSLogix user profiles](/fslogix/overview) from Microsoft Entra joined VMs.
<!-- LoadAadCredKeyFromProfile-Editable-End -->
<!-- LoadAadCredKeyFromProfile-DFProperties-Begin -->

4
windows/client-management/mdm/policy-csp-restrictedgroups.md
View File

@ -20,7 +20,7 @@ ms.topic: reference
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!IMPORTANT]
> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Azure Active Directory (Azure AD) groups.
> Starting from Windows 10, version 20H2, to configure members of Windows local groups, use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy. These members can be users or Microsoft Entra groups.
>
> Don't apply both policies to the same device, it's unsupported and may yield unpredictable results.
<!-- RestrictedGroups-Editable-End -->
@ -135,7 +135,7 @@ Descriptions of the properties:
- `<accessgroup desc>` contains the local group SID or group name to configure. If a SID is specified here, the policy uses the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Azure AD, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. A member can be specified as a name or as a SID. For best results, use a SID for `<member name>`. The member SID can be a user account or a group in Active Directory, Microsoft Entra ID, or on the local machine. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. Name can be used for a user account or a group in Active Directory or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured, and `Group3` is a domain group.

2
windows/client-management/mdm/policy-csp-security.md
View File

@ -354,7 +354,7 @@ Configures the use of passwords for Windows features.
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined.
Specifies whether to allow automatic device encryption during OOBE when the device is Microsoft Entra joined.
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Description-End -->
<!-- PreventAutomaticDeviceEncryptionForAzureADJoinedDevices-Editable-Begin -->

14
windows/client-management/mdm/policy-csp-system.md
View File

@ -113,12 +113,12 @@ This policy is only supported up to Windows 10, Version 1703. Please use 'Manage
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
AllowCommercialDataPipeline configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
AllowCommercialDataPipeline configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
1. Enable this policy setting
2. Join an Azure Active Directory account to the device.
2. Join a Microsoft Entra account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
@ -198,7 +198,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
2. Join an Azure Active Directory account to the device.
2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
@ -574,7 +574,7 @@ Specifies whether to allow app access to the Location service. Most restricted v
<!-- AllowMicrosoftManagedDesktopProcessing-Description-Begin -->
<!-- Description-Source-DDF -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
For customers who enroll into the Microsoft Managed Desktop service, enabling this policy is required to allow Microsoft to process data for operational and analytic needs. See <https://go.microsoft.com/fwlink/?linkid=2184944> for more information.
hen these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. If you disable this policy setting, devices may not appear in Microsoft Managed Desktop.
@ -762,7 +762,7 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
2. Join an Azure Active Directory account to the device.
2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
@ -884,12 +884,12 @@ Specifies whether to allow the user to factory reset the device by using control
<!-- Description-Source-ADMX -->
This policy is deprecated and will only work on Windows 10 version 1809. Setting this policy will have no effect for other supported versions of Windows.
This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
This policy setting configures a Microsoft Entra joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the Product Terms at< https://go.microsoft.com/fwlink/?linkid=2185086>.
To enable this behavior:
1. Enable this policy setting
2. Join an Azure Active Directory account to the device.
2. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher.

6
windows/client-management/mdm/policy-csp-tenantrestrictions.md
View File

@ -39,12 +39,12 @@ ms.topic: reference
<!-- ConfigureTenantRestrictions-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.
This setting enables and configures the device-based tenant restrictions feature for Microsoft Entra ID.
When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Azure AD tenant.
When you enable this setting, compliant applications will be prevented from accessing disallowed tenants, according to a policy set in your Microsoft Entra tenant.
> [!NOTE]
> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions for more details.
> Creation of a policy in your home tenant is required, and additional security measures for managed devices are recommended for best protection. Refer to Microsoft Entra tenant Restrictions for more details.
<https://go.microsoft.com/fwlink/?linkid=2148762>

2
windows/client-management/mdm/policy-csp-userrights.md
View File

@ -93,7 +93,7 @@ For example, the following syntax grants user rights to Authenticated Users and
<![CDATA[Authenticated Users&#xF000;Replicator]]>
```
For example, the following syntax grants user rights to two specific Azure Active Directory (Azure AD) users from Contoso, user1 and user2:
For example, the following syntax grants user rights to two specific Microsoft Entra users from Contoso, user1 and user2:
```xml
<![CDATA[AzureAD\user1@contoso.com&#xF000;AzureAD\user2@contoso.com]]>

4
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -43,7 +43,7 @@ This policy setting controls whether a device will automatically sign in and loc
This only occurs if the last interactive user didn't sign out before the restart or shutdown.
If the device is joined to Active Directory or Azure Active Directory, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
@ -574,7 +574,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
<!-- OverrideShellProgram-Description-Begin -->
<!-- Description-Source-DDF -->
OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features, which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application that would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
<!-- OverrideShellProgram-Description-End -->
<!-- OverrideShellProgram-Editable-Begin -->

2
windows/client-management/mdm/remotewipe-csp.md
View File

@ -96,7 +96,7 @@ Node for the Autopilot Reset operation.
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-Begin -->
<!-- Description-Source-DDF -->
Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Microsoft Entra ID and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Description-End -->
<!-- Device-AutomaticRedeployment-doAutomaticRedeployment-Editable-Begin -->

8
windows/client-management/mdm/surfacehub-csp.md
View File

@ -106,7 +106,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
<!-- Device-DeviceAccount-Description-Begin -->
<!-- Description-Source-DDF -->
Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Azure Active Directory: 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. 4. Get the ErrorContext in case something goes wrong during validation.
Node for setting device account information. A device account is a Microsoft Exchange account that's connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the [Surface Hub administrator guide](/surface-hub/) for more information about setting up a device account. To use a device account from Microsoft Entra ID: 1. Set the UserPrincipalName (for Microsoft Entra ID). 2. Set a valid Password. 3. Execute ValidateAndCommit to validate the specified username and password combination against Microsoft Entra ID. 4. Get the ErrorContext in case something goes wrong during validation.
<!-- Device-DeviceAccount-Description-End -->
<!-- Device-DeviceAccount-Editable-Begin -->
@ -333,7 +333,7 @@ Possible error values:
| **ErrorContext value** | **Stage where error occurred** | **Description and suggestions** |
| --- | --- | --- |
| 1 | Unknown | |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Azure AD accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
| 2 | Populating account | Unable to retrieve account details using the username and password you provided.<br/><br/> For Microsoft Entra accounts, ensure that UserPrincipalName and Password are valid.<br/> For AD accounts, ensure that DomainName, UserName, and Password are valid.<br/> Ensure that the specified account has an Exchange server mailbox. |
| 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. |
| 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. |
| 5 | Saving account information | Unable to save account details to the system. |
@ -499,7 +499,7 @@ Password for the device account. Get is allowed here, but will always return a b
<!-- Device-DeviceAccount-PasswordRotationEnabled-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Microsoft Entra ID).
<!-- Device-DeviceAccount-PasswordRotationEnabled-Description-End -->
<!-- Device-DeviceAccount-PasswordRotationEnabled-Editable-Begin -->
@ -625,7 +625,7 @@ Username of the device account when you are using Active Directory. To use a dev
<!-- Device-DeviceAccount-UserPrincipalName-Description-Begin -->
<!-- Description-Source-DDF -->
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
User principal name (UPN) of the device account. To use a device account from Microsoft Entra ID or a hybrid deployment, you should specify the UPN of the device account.
<!-- Device-DeviceAccount-UserPrincipalName-Description-End -->
<!-- Device-DeviceAccount-UserPrincipalName-Editable-Begin -->

2
windows/client-management/mdm/tenantlockdown-csp.md
View File

@ -52,7 +52,7 @@ When RequireNetworkInOOBE is true, when the device goes through OOBE at first si
- True - Require network in OOBE.
- False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Microsoft Entra credentials. There is no option to skip the network connection and create a local account.
## Related topics

8
windows/client-management/mdm/vpnv2-csp.md
View File

@ -964,7 +964,7 @@ Determines the level of data encryption required for the connection.
<!-- Device-{ProfileName}-DeviceCompliance-Description-Begin -->
<!-- Description-Source-DDF -->
Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
<!-- Device-{ProfileName}-DeviceCompliance-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Editable-Begin -->
@ -1003,7 +1003,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
<!-- Device-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->
@ -5261,7 +5261,7 @@ Determines the level of data encryption required for the connection.
<!-- User-{ProfileName}-DeviceCompliance-Description-Begin -->
<!-- Description-Source-DDF -->
Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
<!-- User-{ProfileName}-DeviceCompliance-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Editable-Begin -->
@ -5300,7 +5300,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Description-End -->
<!-- User-{ProfileName}-DeviceCompliance-Enabled-Editable-Begin -->