diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md
index 0bb98be706..7f11d203d5 100644
--- a/windows/client-management/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/azure-active-directory-integration-with-mdm.md
@@ -1,20 +1,11 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.collection:
- highpri
- tier2
-ms.date: 04/05/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Azure Active Directory integration with MDM
@@ -57,7 +48,7 @@ Azure AD MDM enrollment is a two-step process:
To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**.
-- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins.
+- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their organization can control their device. The **Terms of Use** page is responsible for collecting user's consent before the actual enrollment phase begins.
It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies.
@@ -82,7 +73,7 @@ A cloud-based MDM is a SaaS application that provides device management capabili
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub.
> [!NOTE]
-> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below:
+> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow these step-by-step guides:
>
> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant.
> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal.
@@ -106,11 +97,11 @@ For more information about registering applications with Azure AD, see [Basics o
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Microsoft Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
-For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
+For security best practices, see [Microsoft Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
+For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants managed by the MDM vendor in their Azure AD tenant.
-For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys.
+For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and the customer's administrator must roll over the keys. To improve security, provide guidance to customers about rolling over and protecting the keys.
## Publish your MDM app to Azure AD app gallery
@@ -125,23 +116,23 @@ To publish your application, [submit a request to publish your application in Az
The following table shows the required information to create an entry in the Azure AD app gallery.
-|Item|Description|
-|--- |--- |
-|**Application ID**|The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app.|
-|**Publisher**|A string that identifies the publisher of the app.|
-|**Application URL**|A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment.|
-|**Description**|A brief description of your MDM app, which must be under 255 characters.|
-|**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215|
+| Item | Description |
+|---------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Application ID** | The client ID of your MDM app that is configured within your tenant. This ID is the unique identifier for your multi-tenant app. |
+| **Publisher** | A string that identifies the publisher of the app. |
+| **Application URL** | A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL isn't used for the actual enrollment. |
+| **Description** | A brief description of your MDM app, which must be under 255 characters. |
+| **Icons** | A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 |
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant.
-However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and for reporting device compliance.
+However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. The ID and key obtain authorization to access the Microsoft Graph API and report device compliance.
## Themes
-The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right.
+The pages rendered by the MDM in the integrated enrollment process must use Windows templates ([Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip)). These templates are important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Avoid copying the templates because it is difficult to get the button placement right.
There are three distinct scenarios:
@@ -167,7 +158,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
## Terms of Use protocol semantics
-The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
+The MDM server hosts the **Terms of Use** endpoint. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
@@ -175,12 +166,12 @@ This redirect is a full page redirect to the Terms of User endpoint hosted by th
The following parameters are passed in the query string:
-|Item|Description|
-|--- |--- |
-|redirect_uri|After the user accepts or rejects the Terms of Use, the user is redirected to this URL.|
-|client-request-id|A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures.|
-|api-version|Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol.|
-|mode|Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices.|
+| Item | Description |
+|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| redirect_uri | After the user accepts or rejects the Terms of Use, the user is redirected to this URL. |
+| client-request-id | A GUID that is used to correlate logs for diagnostic and debugging purposes. Use this parameter to log or trace the state of the enrollment request to help find the root cause of failures. |
+| api-version | Specifies the version of the protocol requested by the client. This value provides a mechanism to support version revisions of the protocol. |
+| mode | Specifies that the device is organization owned when mode=azureadjoin. This parameter isn't present for BYOD devices. |
### Access token
@@ -190,12 +181,12 @@ Azure AD issues a bearer access token. The token is passed in the authorization
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
-|Item|Description|
-|--- |--- |
-|Object ID|Identifier of the user object corresponding to the authenticated user.|
-|UPN|A claim containing the user principal name (UPN) of the authenticated user.|
-|TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.|
-|Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
+| Item | Description |
+|-----------|----------------------------------------------------------------------------------------------|
+| Object ID | Identifier of the user object corresponding to the authenticated user. |
+| UPN | A claim containing the user principal name (UPN) of the authenticated user. |
+| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
+| Resource | A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` |
> [!NOTE]
> There's no device ID claim in the access token because the device may not yet be enrolled at this time.
@@ -209,7 +200,7 @@ https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm
Authorization: Bearer eyJ0eXAiOi
```
-The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate.
+The MDM is expected to validate the signature of the access token to ensure it is issued by Azure AD and that the recipient is appropriate.
### Terms of Use content
@@ -234,7 +225,7 @@ At this point, the user is on the Terms of Use page shown during the OOBE or fro
- **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user.
-Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join.
+Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. The user can't decline the MDM enrollment if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
@@ -256,12 +247,12 @@ Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=A
The following table shows the error codes.
-|Cause|HTTP status|Error|Description|
-|--- |--- |--- |--- |
-|api-version|302|invalid_request|unsupported version|
-|Tenant or user data are missing or other required prerequisites for device enrollment aren't met|302|unauthorized_client|unauthorized user or tenant|
-|Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
-|internal service error|302|server_error|internal service error|
+| Cause | HTTP status | Error | Description |
+|--------------------------------------------------------------------------------------------------|-------------|---------------------|-----------------------------|
+| api-version | 302 | invalid_request | unsupported version |
+| Tenant or user data are missing or other required prerequisites for device enrollment aren't met | 302 | unauthorized_client | unauthorized user or tenant |
+| Azure AD token validation failed | 302 | unauthorized_client | unauthorized_client |
+| internal service error | 302 | server_error | internal service error |
## Enrollment protocol with Azure AD
@@ -291,7 +282,7 @@ There are two different MDM enrollment types that integrate with Azure AD, and u
- **Multiple user management for Azure AD-joined devices**
- In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
+ In this scenario, the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest is logged on to the device.
- **Adding a work account and MDM enrollment to a device**:
@@ -312,7 +303,7 @@ There are two different MDM enrollment types that integrate with Azure AD, and u
- Device ID - identifies the device that is checking in
- Tenant ID
- Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+ Access tokens issued by Azure AD are JSON web tokens (JWTs). Windows presents a valid JWT token to the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
@@ -344,8 +335,8 @@ Alert sample:
An alert is sent to the MDM server in DM package \#1.
-- Alert type - com.microsoft/MDM/LoginStatus
-- Alert format - chr
+- Alert type - `com.microsoft/MDM/LoginStatus`
+- Alert format - `chr`
- Alert data - provide sign-in status information for the current active logged in user.
- Signed-in user who has an Azure AD account - predefined text: user.
- Signed-in user without an Azure AD account- predefined text: others.
@@ -371,7 +362,7 @@ Here's an example.
## Report device compliance to Azure AD
-Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
+Once a device is enrolled with the MDM for management, organization policies configured by the IT administrator are enforced on the device. MDM evaluates the device compliance with configured policies and then reports it to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
@@ -380,7 +371,7 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth
### Use Microsoft Graph API
-The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
+The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a managed device.
> [!NOTE]
> This API is only applicable for approved MDM apps on Windows devices.
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 1c9d410723..636a885451 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,29 +1,18 @@
---
title: Automatic MDM enrollment in the Intune admin center
description: Automatic MDM enrollment in the Intune admin center
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/05/2023
-ms.reviewer:
-manager: aaroncz
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Automatic MDM enrollment in the Intune admin center
-Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal.
-
-1. Go to your Azure AD Blade.
+Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure portal.
+1. Go to your Azure AD portal.
1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-
-1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
+1. Select **Microsoft Intune** and configure the enrollment options. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
-1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.
+1. Select **Save** to configure MDM autoenrollment for Azure AD joined devices and bring-your-own-device scenarios.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index a09f295976..84c1486cec 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,26 +1,17 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices.
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/05/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Bulk enrollment using Windows Configuration Designer
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
## Typical use cases
-- Set up devices in bulk for large organizations to be managed by MDM.
+- Set up devices in bulk for large organizations for MDM management.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
@@ -130,7 +121,7 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
1. When you're done adding all the settings, on the **File** menu, select **Save**.
-1. Export and build the package (steps 10-13 in the procedure above).
+1. Export and build the package (steps 10-13 in previous section).
1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
1. Apply the package to your devices.
@@ -148,9 +139,9 @@ Using the WCD, create a provisioning package using the enrollment information re
## Retry logic if there's a failure
-- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row.
-- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context.
-- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
+- If the provisioning engine receives a failure from a CSP, it retries provisioning three times in a row.
+- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts are run from the SYSTEM context.
+- It also retries the provisioning each time it's launched, if started from somewhere else as well.
- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions).
## Related articles
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 6db2ca38a4..c1ab833e1c 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,17 +1,8 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/05/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Certificate authentication device enrollment
diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md
index d7c3443131..233a34e3dc 100644
--- a/windows/client-management/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/certificate-renewal-windows-mdm.md
@@ -1,22 +1,13 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Certificate Renewal
-The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
+The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS#7 request, and signs the PKCS#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> [!NOTE]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
@@ -30,13 +21,13 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
+For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under `CertificateStore/My/WSTEP/Renew` URL.
-With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
+With automatic renewal, the PKCS#7 message content isn't base64 encoded separately. With manual certificate renewal, base64 encoding for PKCS#7 message content is required.
-During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
+During the automatic certificate renewal process, if the device doesn't trust the root certificate, the authentication fails. Use one of device preinstalled root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md).
-During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
+During the automatic certificate renewal process, the device denies HTTP redirect request from the server. It doesn't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
@@ -96,21 +87,21 @@ The following example shows the details of an automatic renewal request.
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
-For more information about the parameters, see the CertificateStore configuration service provider.
+For more information about the parameters, see the [CertificateStore configuration service provider](mdm/certificatestore-csp.md).
-Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
+Unlike manual certificate renewal, the device doesn't perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead of every seven days (weekly). This change increases the chance that the device will try to connect at different days of the week.
## Certificate renewal response
-When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
+When RequestType is set to Renew, the web service verifies the following (in addition to the initial enrollment):
-- The signature of the PKCS\#7 BinarySecurityToken is correct
+- The signature of the PKCS#7 BinarySecurityToken is correct
- The client's certificate is in the renewal period
-- The certificate was issued by the enrollment service
+- The certificate is issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard client's request, the client hasn't been blocked
-After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
+After validation is completed, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> [!NOTE]
> The HTTP server response must not be chunked; it must be sent as one message.
@@ -120,7 +111,8 @@ The following example shows the details of a certificate renewal response.
```xml
-
+
+
@@ -147,9 +139,9 @@ The following example shows the details of a certificate renewal response.
## Configuration service providers supported during MDM enrollment and certificate renewal
-The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
+The following configuration service providers are supported during MDM enrollment and certificate renewal process.
-- CertificateStore
-- w7 APPLICATION
-- DMClient
-- EnterpriseAppManagement
+- [CertificateStore](mdm/certificatestore-csp.md)
+- [w7 APPLICATION](mdm/w7-application-csp.md)
+- [DMClient](mdm/dmclient-csp.md)
+- [EnterpriseAppManagement](mdm/enterpriseappvmanagement-csp.md)
diff --git a/windows/client-management/client-tools/administrative-tools-in-windows.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
index a511db702c..7c30da23de 100644
--- a/windows/client-management/client-tools/administrative-tools-in-windows.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -1,20 +1,12 @@
---
title: Windows Tools/Administrative Tools
description: The folders for Windows Tools and Administrative Tools are folders in the Control Panel that contain tools for system administrators and advanced users.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
ms.localizationpriority: medium
-ms.date: 04/11/2023
+ms.date: 08/10/2023
ms.topic: article
ms.collection:
- highpri
- tier2
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Windows Tools/Administrative Tools
@@ -70,6 +62,6 @@ These tools were included in previous versions of Windows. The associated docume
> [!TIP]
> If the linked content in this list doesn't provide the information you need to use that tool, send feedback with the **This page** link in the **Feedback** section at the bottom of this article.
-## Related topics
+## Related articles
[Diagnostic data viewer](/windows/privacy/diagnostic-data-viewer-overview)
diff --git a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index 2959430065..1bcd9ff753 100644
--- a/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -1,17 +1,9 @@
---
title: Windows default media removal policy
description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/11/2023
+ms.date: 08/10/2023
ms.topic: article
ms.localizationpriority: medium
-manager: aaroncz
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Change in default removal policy for external storage media in Windows
@@ -24,7 +16,7 @@ You can change the policy setting for each external device, and the policy that
You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
-- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
+- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows can't cache disk write operations. This may degrade system performance.
- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
> [!IMPORTANT]
diff --git a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index 85c581ddd4..56f57c950e 100644
--- a/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -1,20 +1,12 @@
---
title: Connect to remote Azure Active Directory joined device
description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
-ms.prod: windows-client
-author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.author: vinpa
-ms.date: 04/11/2023
-manager: aaroncz
+ms.date: 08/10/2023
ms.topic: article
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
ms.collection:
- highpri
- tier2
-ms.technology: itpro-manage
---
# Connect to remote Azure Active Directory joined device
diff --git a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index da685db207..8efcf24c66 100644
--- a/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -1,31 +1,19 @@
---
-title: Manage Device Installation with Group Policy (Windows 10 and Windows 11)
+title: Manage Device Installation with Group Policy
description: Find out how to manage Device Installation Restrictions with Group Policy.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.date: 09/14/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
+ms.date: 08/10/2023
ms.topic: article
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
---
# Manage Device Installation with Group Policy
-## Summary
-
By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
## Introduction
### General
-This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
+This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with Windows 10, version 1809. The guide includes the following scenarios:
- Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
- Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it.
@@ -62,32 +50,15 @@ You can ensure that users install only those devices that your technical support
## Scenario Overview
-The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
+The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to create a Group policy object to manage your client computers, see [Create a Group Policy Object](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object).
-Group Policy guides:
-
-- [Create a Group Policy Object (Windows 10) - Windows Security](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object)
-- [Advanced Group Policy Management - Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack/agpm)
-
-### Scenario #1: Prevent installation of all printers
-
-In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.
-
-### Scenario #2: Prevent installation of a specific printer
-
-In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one.
-
-### Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
-
-In this scenario, you'll combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies.
-
-### Scenario #4: Prevent installation of a specific USB device
-
-This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree.
-
-### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive
-
-In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario.
+| Scenario | Description|
+|--|--|
+| Scenario #1: Prevent installation of all printers | In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. |
+| Scenario #2: Prevent installation of a specific printer | In this scenario, the administrator allows standard users to install all printers while but preventing them from installing a specific one. |
+| Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed | In this scenario, you combine what you learned from both scenario #1 and scenario #2. The administrator wants to allow standard users to install only a specific printer while preventing the installation of all other printers. This scenario is a more realistic one and brings you a step farther in understanding of the Device Installation Restrictions policies. |
+| Scenario #4: Prevent installation of a specific USB device | This scenario, although similar to scenario #2, brings another layer of complexity-how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. |
+| Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive | In this scenario, combining all previous four scenarios, you learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. |
## Technology Review
@@ -95,7 +66,7 @@ The following sections provide a brief overview of the core technologies discuss
### Device Installation in Windows
-A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
+A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition-it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type.
When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages.
@@ -124,7 +95,7 @@ Hardware IDs are the identifiers that provide the exact match between a device a
Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.
-When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
+When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you're attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device).
> [!NOTE]
> For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging.
@@ -197,7 +168,7 @@ Note: This policy setting takes precedence over any other policy settings that a
### Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
-This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
+This policy setting changes the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:
> **Device instance IDs** > **Device IDs** > **Device setup class** > **Removable devices**
@@ -206,7 +177,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
>
> If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device.
-Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
+Some of these policies take precedence over other policies. The following flowchart illustrates how Windows processes them to determine whether a user can install a device or not.
_Device Installation policies flow chart_
@@ -217,11 +188,8 @@ Some of these policies take precedence over other policies. The flowchart shown
To complete each of the scenarios, ensure you have:
- A client computer running Windows.
-
- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
-
- A USB/network printer pre-installed on the machine.
-
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
### Understanding implications of applying 'Prevent' policies retroactive
@@ -248,7 +216,7 @@ To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed.
-1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
+1. To open Device Manager, select the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
@@ -260,7 +228,7 @@ To find device identification strings using Device Manager
_Open the 'Details' tab to look for the device identifiers_
-1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies.
+1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies.
@@ -349,27 +317,27 @@ Creating the policy to prevent all printers from being installed:
1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option takes you to a table where you can enter the class identifier to block.
-1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
+1. Enter the printer class GUID you found with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
1. Click 'OK'.
-1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
-1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
+1. Optional-if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT]
> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
-### Testing the scenario
+### Testing scenario 1
1. If you haven't completed step #9, follow these steps:
1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
- 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app.
+ 1. For USB printer-unplug and plug back the cable; for network device-make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer.
1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
@@ -418,7 +386,7 @@ Creating the policy to prevent a single printer from being installed:
1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'.
-### Testing the scenario
+### Testing scenario 2
If you completed step #8 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
@@ -448,14 +416,14 @@ Setting up the environment for the scenario with the following steps:
### Scenario steps - preventing installation of an entire class while allowing a specific printer
-Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the Printer Class and a specific printer-following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
First create a 'Prevent Class' policy and then create 'Allow Device' one:
-1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
+1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
1. Navigate to the Device Installation Restriction page:
@@ -469,15 +437,15 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
1. Click 'OK'.
-1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
-1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it-this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
:::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png":::
@@ -493,13 +461,13 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. Click 'OK'.
-1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed).
+1. Click 'Apply' on the bottom right of the policy's window-this option pushes the policy and allows the target printer to be installed (or stayed installed).
-## Testing the scenario
+## Testing scenario 3
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
-1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all.
+1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer-you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
@@ -552,7 +520,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
-1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
+1. Enter the USB thumb-drive device ID you found above-`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
_Prevent Device IDs list_
@@ -562,7 +530,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.
-### Testing the scenario
+### Testing scenario 4
1. If you haven't completed step #8, follow these steps:
@@ -658,7 +626,7 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
-1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
+1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation-`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
_Allowed USB Device IDs list_
@@ -668,6 +636,6 @@ First create a 'Prevent Class' policy and then create 'Allow Device' one:
1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
-### Testing the scenario
+### Testing scenario 5
-You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage
+You shouldn't be able to install any USB thumb-drive, except the one you authorized for usage.
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
index a0af81bb73..afc00a6203 100644
--- a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -1,18 +1,8 @@
---
title: Manage the Settings app with Group Policy
description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.date: 04/13/2023
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
+ms.date: 08/10/2023
ms.topic: article
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2016
---
# Manage the Settings app with Group Policy
diff --git a/windows/client-management/client-tools/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
index 181e7485db..e83331a476 100644
--- a/windows/client-management/client-tools/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,35 +1,26 @@
---
title: Create mandatory user profiles
description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/11/2023
-ms.reviewer:
-manager: aaroncz
+ms.date: 08/10/2023
ms.topic: article
ms.collection:
- highpri
- tier2
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Create mandatory user profiles
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned.
Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
+When the server that stores the mandatory profile is unavailable, such as when the user isn't connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user is signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
## Profile extension for each Windows version
-The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
+The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it applies to. The following table lists the correct extension for each operating system version.
| Client operating system version | Server operating system version | Profile extension |
|-------------------------------------|-------------------------------------------------|-------------------|
@@ -48,7 +39,7 @@ First, you create a default user profile with the customizations that you want,
### How to create a default user profile
-1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
+1. Sign in to a computer running Windows as a member of the local Administrator group. Don't use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
@@ -56,11 +47,11 @@ First, you create a default user profile with the customizations that you want,
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
> [!NOTE]
- > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
+ > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-articles).
1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
@@ -82,27 +73,27 @@ First, you create a default user profile with the customizations that you want,
1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges.
-1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
+1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and select **Settings** in the **User Profiles** section.
-1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
+1. In **User Profiles**, select **Default Profile**, and then select **Copy To**.
-1. In **Copy To**, under **Permitted to use**, click **Change**.
+1. In **Copy To**, under **Permitted to use**, select **Change**.
-1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
+1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, select **Check Names**, and then select **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
- - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
+ - If the device is joined to the domain and you're signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
+ - If the device isn't joined to the domain, you can save the profile locally, and then copy it to the shared folder location.
-1. Click **OK** to copy the default user profile.
+1. Select **OK** to copy the default user profile.
### How to make the user profile mandatory
@@ -118,7 +109,7 @@ First, you create a default user profile with the customizations that you want,
1. Open the properties of the "profile.v6" folder.
1. Select the **Security** tab and then select **Advanced**.
1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server.
-1. When you set the owner, select **Replace owner on subcontainers and objects** before you click OK.
+1. When you set the owner, select **Replace owner on subcontainers and objects** before you select OK.
## Apply a mandatory user profile to users
@@ -127,14 +118,10 @@ In a domain, you modify properties for the user account to point to the mandator
### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc).
-
-1. Navigate to the user account that you will assign the mandatory profile to.
-
+1. Navigate to the user account that you'll assign the mandatory profile to.
1. Right-click the user name and open **Properties**.
-
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
-
-1. Click **OK**.
+1. Select **OK**.
It may take some time for this change to replicate to all domain controllers.
@@ -149,9 +136,9 @@ When a user is configured with a mandatory profile, Windows starts as though it
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ |
> [!NOTE]
-> The Group Policy settings above can be applied in Windows Professional edition.
+> These Group Policy settings can be applied in Windows Professional edition.
-## Related topics
+## Related articles
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
diff --git a/windows/client-management/client-tools/quick-assist.md b/windows/client-management/client-tools/quick-assist.md
index 9997673adf..615806cfd5 100644
--- a/windows/client-management/client-tools/quick-assist.md
+++ b/windows/client-management/client-tools/quick-assist.md
@@ -1,18 +1,9 @@
---
title: Use Quick Assist to help users
description: Learn how IT Pros can use Quick Assist to help users.
-ms.date: 04/11/2023
-ms.prod: windows-client
+ms.date: 08/10/2023
ms.topic: article
-ms.technology: itpro-manage
ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
-ms.reviewer: pmadrigal
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
ms.collection:
- highpri
- tier1
diff --git a/windows/client-management/client-tools/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md
index 12e7efd5db..43666505af 100644
--- a/windows/client-management/client-tools/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,20 +1,8 @@
---
title: Windows Libraries
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-manager: aaroncz
-ms.reviewer:
-ms.technology: itpro-manage
ms.topic: article
-ms.date: 04/11/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
-- ✅ Windows Server 2022
-- ✅ Windows Server 2019
-- ✅ Windows Server 2016
+ms.date: 08/10/2023
---
# Windows libraries
@@ -23,7 +11,7 @@ Libraries are virtual containers for users' content. A library can contain files
## Features for Users
-Windows libraries are backed by full content search and rich metadata. Libraries offer the following advantages to users:
+Windows libraries provide full content search and rich metadata. Libraries offer the following advantages to users:
- Aggregate content from multiple storage locations into a single, unified presentation.
- Enable users to stack and group library contents based on metadata.
@@ -63,7 +51,7 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict
### Hiding Default Libraries
-Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
+Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
### Default Save Locations for Libraries
@@ -117,9 +105,7 @@ The following library attributes can be modified within Windows Explorer, the Li
- Order of library locations
- Default save location
-The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
-
-See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files.
+The library icon can be modified by the administrator or user by directly editing the Library Description schema file. See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files.
## See also
diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md
index 42f0454fa7..a9ff816f27 100644
--- a/windows/client-management/client-tools/windows-version-search.md
+++ b/windows/client-management/client-tools/windows-version-search.md
@@ -1,17 +1,8 @@
---
title: What version of Windows am I running?
description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/13/2023
-ms.reviewer:
-manager: aaroncz
-ms.topic: troubleshooting
-ms.technology: itpro-manage
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
+ms.topic: article
---
# What version of Windows am I running?
@@ -20,11 +11,11 @@ The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servi
In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
-To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
+To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
## System Properties
-Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
+Select **Start** > **Settings** > **System**, then select **About**. You then see **Edition**, **Version**, and **OS Build** information.
:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
@@ -49,6 +40,6 @@ You can type the following in the search bar and press **ENTER** to see version
:::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
-- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
+- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the following image:
:::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index d32bed289c..443c29c949 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -1,20 +1,15 @@
---
title: Secured-core configuration lock
description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration.
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 05/24/2022
+ms.date: 08/10/2023
appliesto:
- ✅ Windows 11
---
# Secured-core PC configuration lock
-In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
+In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.
@@ -24,11 +19,11 @@ To summarize, config lock:
- Detects drift remediates within seconds
- Doesn't prevent malicious attacks
+[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)]
+
## Configuration Flow
-After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
-
-[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)]
+After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock doesn't apply. If the device is a secured-core PC, config lock locks the policies listed under [List of locked policies](#list-of-locked-policies).
## Enabling config lock using Microsoft Intune
@@ -39,23 +34,24 @@ The steps to turn on config lock using Microsoft Intune are as follows:
1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.
1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Configuration Profiles** > **Create a profile**.
1. Select the following and press **Create**:
- - **Platform**: Windows 10 and later
- - **Profile type**: Templates
+ - **Platform**: `Windows 10 and later`
+ - **Profile type**: `Templates`
- **Template name**: Custom
:::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.":::
1. Name your profile.
1. When you reach the Configuration Settings step, select "Add" and add the following information:
- - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- - **Data type**: Integer
- - **Value**: 1
+ - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock`
+ - **Data type**: `Integer`
+ - **Value**: `1`
+
To turn off config lock, change the value to 0.
- :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1.":::
+ :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn-on config lock and the OMA-URI set, along with a Data type of Integer set to a Value of 1.":::
1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".
-1. You'll not need to set any applicability rules for test purposes.
+1. You don't need to set any applicability rules for test purposes.
1. Review the Configuration and select "Create" if everything is correct.
1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.
@@ -75,52 +71,52 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m
## List of locked policies
-|**CSPs** |
-|-----|
-|[BitLocker](mdm/bitlocker-csp.md) |
-|[PassportForWork](mdm/passportforwork-csp.md) |
-|[WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) |
-|[ApplicationControl](mdm/applicationcontrol-csp.md)
+| **CSPs** |
+|-------------------------------------------------------------------------------|
+| [BitLocker](mdm/bitlocker-csp.md) |
+| [PassportForWork](mdm/passportforwork-csp.md) |
+| [WindowsDefenderApplicationGuard](mdm/windowsdefenderapplicationguard-csp.md) |
+| [ApplicationControl](mdm/applicationcontrol-csp.md) |
-|**MDM policies** | **Supported by Group Policy** |
-|-----|-----|
-|[DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No |
-|[DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No |
-|[DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes |
-|[DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes |
-|[DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes |
-|[DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
-|[DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes |
-|[WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md)| Yes |
-|[WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
-|[SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md)| Yes |
-|[SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes |
-|[SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes |
+| **MDM policies** | **Supported by Group Policy** |
+|-----------------------------------------------------------------------------------------------------------------------------|-------------------------------|
+| [DataProtection/AllowDirectMemoryAccess](mdm/policy-csp-dataprotection.md) | No |
+| [DataProtection/LegacySelectiveWipeID](mdm/policy-csp-dataprotection.md) | No |
+| [DeviceGuard/ConfigureSystemGuardLaunch](mdm/policy-csp-deviceguard.md) | Yes |
+| [DeviceGuard/EnableVirtualizationBasedSecurity](mdm/policy-csp-deviceguard.md) | Yes |
+| [DeviceGuard/LsaCfgFlags](mdm/policy-csp-deviceguard.md) | Yes |
+| [DeviceGuard/RequirePlatformSecurityFeatures](mdm/policy-csp-deviceguard.md) | Yes |
+| [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/PreventDeviceMetadataFromNetwork](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](mdm/policy-csp-deviceinstallation.md) | Yes |
+| [DmaGuard/DeviceEnumerationPolicy](mdm/policy-csp-dmaguard.md) | Yes |
+| [WindowsDefenderSecurityCenter/CompanyName](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableAppBrowserUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableClearTpmButton](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableFamilyUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableHealthUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableNetworkUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableNotifications](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisableVirusUI](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/Email](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/EnableCustomizedToasts](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/EnableInAppCustomization](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/HideSecureBoot](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/Phone](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [WindowsDefenderSecurityCenter/URL](mdm/policy-csp-windowsdefendersecuritycenter.md) | Yes |
+| [SmartScreen/EnableAppInstallControl](mdm/policy-csp-smartscreen.md) | Yes |
+| [SmartScreen/EnableSmartScreenInShell](mdm/policy-csp-smartscreen.md) | Yes |
+| [SmartScreen/PreventOverrideForFilesInShell](mdm/policy-csp-smartscreen.md) | Yes |
diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md
index 9680e7249e..e6c914668a 100644
--- a/windows/client-management/device-update-management.md
+++ b/windows/client-management/device-update-management.md
@@ -1,20 +1,11 @@
---
title: Mobile device management MDM for device updates
description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/05/2023
+ms.date: 08/10/2023
ms.collection:
- highpri
- tier2
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Mobile device management (MDM) for device updates
@@ -59,8 +50,8 @@ This section describes this setup. The following diagram shows the server-server
MSDN provides much information about the Server-Server sync protocol. In particular:
-- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
+- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, to simplify development.
+- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`.
Some important highlights:
@@ -73,7 +64,7 @@ Some important highlights:
### Examples of update metadata XML structure and element descriptions
-The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below:
+The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described here:
- **UpdateID** - The unique identifier for an update
- **RevisionNumber** - Revision number for the update in case the update was modified.
@@ -103,9 +94,9 @@ First some background:
The following procedure describes a basic algorithm for a metadata sync service:
-1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
+1. Create an empty list of "needed update IDs to fault in". This list gets updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative.
1. Sync periodically (we recommend once every 2 hours - no more than once/hour).
- 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
+ 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a nonexpired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a).
1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they've been brought in.
@@ -131,7 +122,7 @@ Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md).
### Update management user experience screenshot
-The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
+The following screenshots of the administrator console show the list of update titles, approval status, and other metadata fields.
:::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot.":::
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 6e4d3f8d8c..9b12683d3e 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,23 +1,14 @@
---
title: Disconnecting from the management infrastructure (unenrollment)
description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/13/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Disconnecting from the management infrastructure (unenrollment)
The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
-The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
+The users choose to disconnect for any number of reasons, such as leaving the company or getting a new device or not needing access to their LOB apps on the old device anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
During disconnection, the client executes the following tasks:
@@ -29,7 +20,7 @@ During disconnection, the client executes the following tasks:
## User-initiated disconnection
-In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built-in to ensure the notification is successfully sent to the device.
+In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will notify to the MDM server that the account will be removed. This notification is a best-effort action as no retry is built in to ensure the notification is successfully sent to the device.
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
@@ -40,7 +31,7 @@ The vendor uses the Type attribute to specify what type of generic alert it is.
After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server.
-The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic.
+The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) article.
```xml
@@ -91,7 +82,7 @@ After the previous package is sent, the unenrollment process begins.
## Server-initiated disconnection
-When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`.
+When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server doesn't get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`.
```xml
@@ -109,7 +100,7 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
## Unenrollment from Work Access settings page
-If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
+If the user is enrolled into MDM using an Azure Active Directory (Azure AD Join or by adding a Microsoft work account), the MDM account shows up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device.
You can only use the Work Access page to unenroll under the following conditions:
@@ -118,18 +109,18 @@ You can only use the Work Access page to unenroll under the following conditions
## Unenrollment from Azure Active Directory Join
-When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
+When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there's no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message doesn't indicate the loss of WIP data.
-During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state.
+During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in unmanaged state.
-Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
+Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that isn't part of Azure AD, otherwise the device won't have any admin user after the operation.
-In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
+In mobile devices, remote unenrollment for Azure Active Directory Joined devices fails. To remove corporate content from these devices, we recommend you remotely wipe the device.
## IT admin-requested disconnection
-The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
+The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration article.
When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index d388516c8b..06a528a0ca 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -42,7 +42,10 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-manage",
"audience": "ITPro",
+ "ms.prod": "windows-client",
"ms.topic": "article",
+ "ms.author": "vinpa",
+ "author": "vinaypamnani-msft",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
@@ -72,7 +75,18 @@
"Windows 10"
]
},
- "fileMetadata": {},
+ "fileMetadata": {
+ "appliesto": {
+ "./*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ],
+ "client-tools/*.md": [
+ "✅ Windows 11",
+ "✅ Windows 10"
+ ]
+ }
+ },
"template": [],
"dest": "win-client-management",
"markdownEngineName": "markdig"
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index c60b1439b5..bd41f63d4d 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -1,18 +1,9 @@
---
title: Enable ADMX policies in MDM
description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 11/01/2017
-ms.reviewer:
-manager: aaroncz
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Enable ADMX policies in MDM
@@ -41,9 +32,9 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
- 1. Click **Start**, then in the text box type **gpedit**.
+ 1. Select **Start**, then in the text box type **gpedit**.
- 2. Under **Best match**, click **Edit group policy** to launch it.
+ 2. Under **Best match**, select **Edit group policy** to launch it.
@@ -109,7 +100,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
1. Search for GP name **Publishing_Server2_policy**.
- 1. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
+ 1. Under **policy name="Publishing_Server2_Policy"** you can see the `` listed. The `text id` and `enum id` represent the `data id` you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor.
Here's the snippet from appv.admx:
@@ -201,7 +192,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
```
- 1. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
+ 1. From the `` tag, copy all of the `text id` and `enum id` and create an XML with `data id` and `value` fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor.
Here's the example XML for Publishing_Server2_Policy:
@@ -260,7 +251,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
## Disable a policy
-The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2.
+The \ payload is \. Here's an example to disable AppVirtualization/PublishingAllowServer2.
```xml
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index fc976f6277..031f810c1b 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -1,25 +1,16 @@
---
title: Enroll a Windows device automatically using Group Policy
-description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices.
-ms.author: vinpa
+description: Learn how to use a Group Policy to trigger autoenrollment to MDM for Active Directory (AD) domain-joined devices.
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/13/2023
-ms.reviewer:
-manager: aaroncz
+ms.date: 08/10/2023
ms.collection:
- highpri
- tier2
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
---
# Enroll a Windows device automatically using Group Policy
-You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
+You can use a Group Policy to trigger autoenrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices.
The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
@@ -28,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
- The enterprise has configured a Mobile Device Management (MDM) service.
- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
-- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`).
+- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
> [!TIP]
@@ -38,28 +29,28 @@ The enrollment into Intune is triggered by a group policy created on your local
> - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md)
-The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
+The autoenrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered.
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
-When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices.
-## Configure the auto-enrollment for a group of devices
+## Configure the autoenrollment for a group of devices
-To configure auto-enrollment using a group policy, use the following steps:
+To configure autoenrollment using a group policy, use the following steps:
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
1. Create a Security Group for the PCs.
1. Link the GPO.
1. Filter using Security Groups.
-If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible.
+If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
1. Download the administrative templates for the desired version:
@@ -76,17 +67,17 @@ If you don't see the policy, it may be because you don't have the ADMX for Windo
1. Install the package on the Domain Controller.
-1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version.
+1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate subdirectory depending on the installed version.
1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`.
- If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain.
+ If this folder doesn't exist, then copy the files to the [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your domain.
1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available.
-## Configure the auto-enrollment Group Policy for a single PC
+## Configure the autoenrollment Group Policy for a single PC
-This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise.
+This procedure is only for illustration purposes to show how the new autoenrollment policy works. It's not recommended for the production environment in the enterprise.
1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`.
@@ -105,7 +96,7 @@ This procedure is only for illustration purposes to show how the new auto-enroll
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot.
+If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
@@ -127,16 +118,16 @@ Select **Start**, then in the text box type `task scheduler`. Under **Best match
In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**.
-:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
+:::image type="content" alt-text="Autoenrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
-To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab.
+To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
> [!NOTE]
> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
-## Related topics
+## Related articles
- [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
- [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11))
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 197087b7dc..56d0b0809b 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,22 +1,13 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/13/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Enterprise app management
-This article will discuss one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM.
+This article discusses one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM.
By using Windows MDM to manage app lifecycles, administrators can deploy and manage updates, remove outdated or unused apps, and ensure that all devices have the necessary apps installed to meet the organization's needs. This feature streamlines the app management process and saves time and effort for IT professionals.
@@ -38,18 +29,18 @@ Windows offers the ability for management servers to:
Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business.
-- **nonStore**: Apps that were not acquired from the Microsoft Store.
-- **System**: Apps that are part of the operating system and cannot be uninstalled. This classification is read-only and can only be inventoried.
+- **nonStore**: Apps that weren't acquired from the Microsoft Store.
+- **System**: Apps that are part of the operating system and can't be uninstalled. This classification is read-only and can only be inventoried.
Each app is identified by one package family name and one or more package full names, and the apps are grouped based on their origin. The EnterpriseModernAppManagement CSP displays these classifications as nodes.
Inventory can be run recursively at any level from the AppManagement node through the package full name. You can also choose to inventory specific attributes only. The inventory is specific to the package full name and lists bundled and resource packs as applicable under the package family name.
-For more information on each node, refer to the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
+For more information on each node, see the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
### App inventory
-You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps, even if they were installed using MDM or other methods. Inventory can run at the user or device level. Inventory at the device level returns information for all users on the device.
Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
@@ -83,7 +74,7 @@ Doing a full inventory of a device can be resource-intensive based on the hardwa
### Store license inventory
-You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
+You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level returns information for all users on the device.
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
@@ -237,8 +228,8 @@ Here are the changes from the previous release:
1. The `{CatID}` reference should be updated to `{ProductID}`. This value is acquired as a part of the Store for Business management tool.
1. The value for flags can be 0 or 1.
- - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application.
- - When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available.
+ - **0**: The management tool calls back to the Store for Business sync to assign a user a seat of an application.
+ - **1**: The management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP claims a seat if one is available.
1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync.
### Deploy an offline license to a user
@@ -386,7 +377,7 @@ The Add command for the package family name is required to ensure proper removal
### Provision apps for all users of a device
-Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
+Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next sign in. This feature is only supported for app purchased from the Store for Business, and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share.
Here are the requirements for this scenario:
@@ -432,7 +423,7 @@ To provision app for all users of a device from a hosted location, the managemen
The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML:
- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location.
- - Dependencies can be specified if required to be installed with the package. This is optional.
+ - Dependencies can be specified if necessary to be installed with the package. This is optional.
The DeploymentOptions parameter is only available in the user context.
@@ -583,7 +574,7 @@ To uninstall an app, you delete it under the origin node, package family name, a
### Removed provisioned apps from a device
-You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them will continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
+You can remove provisioned apps from a device for a specific version, or for all versions of a package family. When a provisioned app is removed, it isn't available to future users for the device. Logged in users who have the app registered to them continue to have access to the app. If you want to remove the app for those users, you must explicitly uninstall the app for those users.
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
@@ -755,7 +746,7 @@ The Universal Windows app can share application data between the users of the de
The [ApplicationManagement/AllowSharedUserAppData](mdm/policy-csp-applicationmanagement.md) policy enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
-If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it).
+If you disable this policy, applications can't share user application data among multiple users. However, prewritten shared data persists. To clean prewritten shared data, use DISM (`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it).
The valid values are 0 (off, default value) and 1 (on).
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 1d585aaf8e..21cae9d2ac 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -1,23 +1,16 @@
---
title: eSIM Enterprise Management
description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows.
-ms.prod: windows-client
-author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.author: vinpa
ms.topic: conceptual
-ms.technology: itpro-manage
-ms.date: 12/31/2017
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# How Mobile Device Management Providers support eSIM Management on Windows
The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices.
-The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management.
+The expectations from an MDM are that it uses the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management.
If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md
index 7ae977249a..a96b2ed7e3 100644
--- a/windows/client-management/federated-authentication-device-enrollment.md
+++ b/windows/client-management/federated-authentication-device-enrollment.md
@@ -1,17 +1,8 @@
---
title: Federated authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 04/05/2023
-appliesto:
-- ✅ Windows 11
-- ✅ Windows 10
+ms.date: 08/10/2023
---
# Federated authentication device enrollment
@@ -72,10 +63,10 @@ After the device gets a response from the server, the device sends a POST reques
The following logic is applied:
-1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails.
+1. The device first tries HTTPS. If the device doesn't trust the server cert, the HTTPS attempt fails.
1. If that fails, the device tries HTTP to see whether it's redirected:
- - If the device isn't redirected, it prompts the user for the server address.
- - If the device is redirected, it prompts the user to allow the redirect.
+ - If the device isn't redirected, the user is prompted for the server address.
+ - If the device is redirected, the user is prompted to allow the redirect.
The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address
@@ -125,13 +116,13 @@ The following example shows the discovery service request.
The discovery response is in the XML format and includes the following fields:
- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory.
-- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
+- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user is authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
> [!NOTE]
> The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
-When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
+When authentication policy is set to be Federated, Web Authentication Broker (WAB) is used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client calls the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage is used by the enrollment client as the device security secret during the client certificate enrollment request call.
> [!NOTE]
> Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
@@ -148,7 +139,7 @@ A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryRespo
The following are the explicit requirements for the server.
- The ```` element must support HTTPS.
-- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
+- The authentication server must use a device trusted root certificate. Otherwise, the WAP call fails.
- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
The enrollment client issues an HTTPS request as follows:
@@ -157,8 +148,8 @@ The enrollment client issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=&login_hint=
```
-- `` is of the form ms-app://string
-- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
+- `` is of the form `ms-app://string`
+- `` is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that is used by the authentication server as part of the authentication.
After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
@@ -192,7 +183,7 @@ Content-Length: 556