
Commit 72813ea

Authored Nov 9, 2021
Merge pull request #178539 from RavennMSFT/patch-102
Update faq.yml
2 parents 0113b54 + ae81e61 commit 72813ea

3 files changed (+32, -33 lines)


‎articles/active-directory/devices/faq.yml

Lines changed: 29 additions & 30 deletions
Original file line number | Diff line number | Diff line change
@@ -22,13 +22,13 @@ sections:
2222
questions:
2323
- question: I registered the device recently. Why can't I see the device under my user info in the Azure portal? Or why is the device owner marked as N/A for hybrid Azure Active Directory (Azure AD) joined devices?
2424
answer: |
25-
Windows 10 devices that are hybrid Azure AD joined don't show up under **USER devices**.
25+
Windows 10 or later devices that are hybrid Azure AD joined don't show up under **USER devices**.
2626
Use the **All devices** view in the Azure portal. You can also use a PowerShell [Get-MsolDevice](/powershell/module/msonline/get-msoldevice) cmdlet.
2727
2828
Only the following devices are listed under **USER devices**:
2929
3030
- All personal devices that aren't hybrid Azure AD joined.
31-
- All non-Windows 10 or Windows Server 2016 devices.
31+
- All non-Windows 10 or later and Windows Server 2016 or later devices.
3232
- All non-Windows devices.
3333
3434
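Review bot: the rewritten list item "All non-Windows 10 or later and Windows Server 2016 or later devices." is ambiguous; it can be read as including Windows Server 2016 or later devices, which is the opposite of what this list (devices that do appear under **USER devices**) means. Suggest "All devices that aren't running Windows 10 or later or Windows Server 2016 or later." Also, this hunk standardizes on "Windows 10 or later" while later hunks in the same file use "Windows 10/11"; pick one form for the whole FAQ.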
@@ -37,7 +37,7 @@ sections:
3737
answer: |
3838
In the Azure portal, go to **All devices**. Search for the device by using the device ID. Check the value under the join type column. Sometimes, the device might be reset or reimaged. So it's essential to also check the device registration state on the device:
3939
40-
- For Windows 10 and Windows Server 2016 or later devices, run `dsregcmd.exe /status`.
40+
- For Windows 10 or later and Windows Server 2016 or later devices, run `dsregcmd.exe /status`.
4141
- For down-level OS versions, run `%programFiles%\Microsoft Workplace Join\autoworkplace.exe`.
4242
4343
For troubleshooting information, see these articles:
@@ -54,9 +54,9 @@ sections:
5454
5555
5656
57-
- question: Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10 devices?
57+
- question: Why do my users see an error message saying "Your organization has deleted the device" or "Your organization has disabled the device" on their Windows 10/11 devices?
5858
answer: |
59-
On Windows 10 devices joined or registered with Azure AD, users are issued a [Primary refresh token (PRT)](concept-primary-refresh-token.md) which enables single sign on. The validity of the PRT is based on the validity of the device itself. Users see this message if the device is either deleted or disabled in Azure AD without initiating the action from the device itself. A device can be deleted or disabled in Azure AD one of the following scenarios:
59+
On Windows 10/11 devices joined or registered with Azure AD, users are issued a [Primary refresh token (PRT)](concept-primary-refresh-token.md) which enables single sign on. The validity of the PRT is based on the validity of the device itself. Users see this message if the device is either deleted or disabled in Azure AD without initiating the action from the device itself. A device can be deleted or disabled in Azure AD one of the following scenarios:
6060
6161
- User disables the device from the My Apps portal.
6262
- An administrator (or user) deletes or disables the device in the Azure portal or by using PowerShell
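Review bot: the rewritten answer line keeps the pre-existing slip "A device can be deleted or disabled in Azure AD one of the following scenarios:" (missing "in" before "one of"); since the line is being touched anyway, fix it here. "single sign on" is written "single sign-on" later in this file (the line-of-sight answer), so hyphenate it for consistency. Note that renaming the question changes its generated anchor; this PR updates the link in two other files to "...on-their-windows-10-11-devices", so any other page that links to the old "...windows-10-devices" anchor needs the same update.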
@@ -78,7 +78,7 @@ sections:
7878
7979
- If the device is deleted in Azure AD, you need to re-register the device. To re-register, you must take a manual action on the device. See below for instructions for re-registration based on the device state.
8080
81-
To re-register hybrid Azure AD joined Windows 10 and Windows Server 2016/2019 devices, take the following steps:
81+
To re-register hybrid Azure AD joined Windows 10/11 and Windows Server 2016/2019 devices, take the following steps:
8282
8383
1. Open the command prompt as an administrator.
8484
1. Enter `dsregcmd.exe /debug /leave`.
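Review bot: "Windows 10/11 and Windows Server 2016/2019" is inconsistent with the "Windows Server 2016 or later" wording this PR introduces in the first hunk and in the duplicate-entries answer, and as written it excludes newer Server releases from the re-registration steps. Suggest "hybrid Azure AD joined Windows 10/11 and Windows Server 2016 or later devices".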
@@ -90,14 +90,14 @@ sections:
9090
1. Enter `"%programFiles%\Microsoft Workplace Join\autoworkplace.exe /l"`.
9191
1. Enter `"%programFiles%\Microsoft Workplace Join\autoworkplace.exe /j"`.
9292
93-
For Azure AD joined devices Windows 10 devices, take the following steps:
93+
For Azure AD joined devices Windows 10/11 devices, take the following steps:
9494
9595
1. Open the command prompt as an administrator
9696
1. Enter `dsregcmd /forcerecovery` (You need to be an administrator to perform this action).
9797
1. Click "Sign in" in the dialog that opens up and continue with the sign in process.
9898
1. Sign out and sign in back to the device to complete the recovery.
9999
100-
For Azure AD registered Windows 10 devices, take the following steps:
100+
For Azure AD registered Windows 10/11 devices, take the following steps:
101101
102102
1. Go to **Settings** > **Accounts** > **Access Work or School**.
103103
1. Select the account and select **Disconnect**.
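Review bot: "For Azure AD joined devices Windows 10/11 devices, take the following steps:" repeats "devices"; the line is already being rewritten, so make it "For Azure AD joined Windows 10/11 devices, take the following steps:". Two smaller points in the surrounding context: the step "1. Open the command prompt as an administrator" lacks the period that the same step has in the hybrid section, and the down-level steps put the switch inside the quotes (`"%programFiles%\Microsoft Workplace Join\autoworkplace.exe /l"`), which makes the quoted string the executable path; the quotes should close after `autoworkplace.exe`, with `/l` and `/j` outside them.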
@@ -107,15 +107,15 @@ sections:
107107
108108
- question: Why do I see duplicate device entries in the Azure portal?
109109
answer: |
110-
- For Windows 10 and Windows Server 2016, repeated tries to unjoin and rejoin the same device might cause duplicate entries.
110+
- For Windows 10 or later and Windows Server 2016 or later, repeated tries to unjoin and rejoin the same device might cause duplicate entries.
111111
- Each Windows user who uses **Add Work or School Account** creates a new device record with the same device name.
112112
- For down-level Windows OS versions that are on-premises Azure Directory domain joined, automatic registration creates a new device record with the same device name for each domain user who signs in to the device.
113113
- An Azure AD joined machine that's wiped, reinstalled, and rejoined with the same name shows up as another record with the same device name.
114114
115115
116116
117-
- question: Does Windows 10 device registration in Azure AD support TPMs in FIPS mode?
118-
answer: Windows 10 device registration only supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Azure AD join or Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Contact your hardware OEM for support.
117+
- question: Does Windows 10/11 device registration in Azure AD support TPMs in FIPS mode?
118+
answer: Windows 10/11 device registration is only supported for FIPS-compliant TPM 2.0 and not supported for TPM 1.2. If your devices have FIPS-compliant TPM 1.2, you must disable them before proceeding with Azure AD join or Hybrid Azure AD join. Microsoft does not provide any tools for disabling FIPS mode for TPMs as it is dependent on the TPM manufacturer. Contact your hardware OEM for support.
119119

120120
- question: Why can a user still access resources from a device I disabled in the Azure portal?
121121
answer: |
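Review bot: in the TPM answer, "you must disable them" is ambiguous (disable the TPMs, or disable FIPS mode on them?); the next sentence is about disabling FIPS mode, so write "you must disable FIPS mode on them before proceeding". Adding "is" ("is only supported for FIPS-compliant TPM 2.0") fixes the original fragment. Unchanged context a few lines up reads "on-premises Azure Directory domain joined", which should be "Active Directory"; worth correcting while this answer is being edited.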
@@ -124,10 +124,13 @@ sections:
124124
>[!NOTE]
125125
>For enrolled devices, we recommend that you wipe the device to make sure users can't access the resources. For more information, see [What is device enrollment?](/mem/intune/user-help/use-managed-devices-to-get-work-done).
126126
127-
- question: I can't add more than 3 Azure AD user accounts under the same user session on a Windows 10 device, why?
127+
- question: I can't add more than 3 Azure AD user accounts under the same user session on a Windows 10/11 device, why?
128128
answer: |
129-
Azure AD added support for multiple Azure AD accounts in Windows 10 1803 release. However, Windows 10 restricts the number of Azure AD accounts on a device to 3 to limit the size of token requests and enable reliable single sign on (SSO). Once 3 accounts have been added, users will see an error for subsequent accounts. The Additional problem information on the error screen provides the following message indicating the reason - "Add account operation is blocked because account limit is reached".
129+
Azure AD added support for multiple Azure AD accounts starting in Windows 10 1803 release. However, Windows 10/11 restricts the number of Azure AD accounts on a device to 3 to limit the size of token requests and enable reliable single sign on (SSO). Once 3 accounts have been added, users will see an error for subsequent accounts. The Additional problem information on the error screen provides the following message indicating the reason - "Add account operation is blocked because account limit is reached".
130130
131+
- question: What are the MS-Organization-Access certificates present on our Windows 10/11 devices?
132+
answer: |
133+
The MS-Organization-Access certificates are issued by Azure AD Device Registration Service during the device registration process. These certificates are issued to all join types supported on Windows - Azure AD joined, hybrid Azure AD joined and Azure AD registered devices. Once issued, they are used as part of the authentication process from the device to request a Primary Refresh Token (PRT). For Azure AD joined and hybrid Azure AD joined devices, this certificate is present in Local Computer\Personal\Certificates whereas for Azure AD registered devices, certificate is present in Current User\Personal\Certificates. All MS-Organization-Access certificates have a default lifetime of 10 years, however these certificates are deleted from the corresponding certificate store when the device is unregistered from Azure AD. Any inadvertent deletion of this certificate will lead to authentication failures for the user, and will require re-registration of the device in such cases.
131134
132135
- name: Azure AD join FAQ
133136
questions:
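Review bot: in the new MS-Organization-Access answer, the certificate store paths (Local Computer\Personal\Certificates and Current User\Personal\Certificates) should be in backticks to match the MS-Organization-P2P-Access answer later in this file, which formats the same paths as code. Also "starting in Windows 10 1803 release" needs "the" ("starting in the Windows 10 1803 release"), "certificate is present in Current User" needs "the certificate", and "10 years, however these certificates" is a comma splice: split it into two sentences or use a semicolon.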
@@ -167,7 +170,7 @@ sections:
167170
answer: |
168171
Currently, UPN changes are not fully supported on Azure AD joined devices. So their authentication with Azure AD fails after their UPN changes. As a result, users have SSO and Conditional Access issues on their devices. At this time, users need to sign in to Windows through the "Other user" tile using their new UPN to resolve this issue. We are currently working on addressing this issue. However, users signing in with Windows Hello for Business do not face this issue.
169172
170-
UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs
173+
UPN changes are supported starting with Windows 10 2004 update and also applicable to Windows 11. Users on devices with this update will not have any issues after changing their UPNs
171174
172175
173176
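Review bot: the rewritten line now states UPN changes are supported starting with Windows 10 2004 and on Windows 11, but the unchanged paragraph above still opens "Currently, UPN changes are not fully supported on Azure AD joined devices" and ends "We are currently working on addressing this issue", so the answer contradicts itself. Suggest scoping the first paragraph to versions before Windows 10 2004, or moving the supported-versions sentence first. "also applicable to Windows 11" is awkward; try "UPN changes are supported starting with the Windows 10 2004 update and on Windows 11." and add the missing period after "UPNs".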
@@ -215,17 +218,12 @@ sections:
215218
216219
217220
218-
- question: What are the MS-Organization-P2P-Access certificates present on our Windows 10 devices?
221+
- question: What are the MS-Organization-P2P-Access certificates present on our Windows 10/11 devices?
219222
answer: |
220223
The MS-Organization-P2P-Access certificates are issued by Azure AD to both, Azure AD joined and hybrid Azure AD joined devices. These certificates are used to enable trust between devices in the same tenant for remote desktop scenarios. One certificate is issued to the device and another is issued to the user. The device certificate is present in `Local Computer\Personal\Certificates` and is valid for one day. This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD. The user certificate is present in `Current User\Personal\Certificates` and this certificate is also valid for one day, but it is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device. It is not renewed on expiry. Both these certificates are issued using the MS-Organization-P2P-Access certificate present in the `Local Computer\AAD Token Issuer\Certificates`. This certificate is issued by Azure AD during device registration.
221224
222225
223226
224-
- question: Why do I see multiple expired certificates issued by MS-Organization-P2P-Access on our Windows 10 devices? How can I delete them?
225-
answer: |
226-
There was an issue identified on Windows 10 version 1709 and lower where expired MS-Organization-P2P-Access certificates continued to exist on the computer store because of cryptographic issues. Your users could face issues with network connectivity, if you are using any VPN clients (for example, Cisco AnyConnect) that cannot handle the large number of expired certificates. This issue was fixed in Windows 10 1803 release to automatically delete any such expired MS-Organization-P2P-Access certificates. You can resolve this issue by updating your devices to Windows 10 1803. If you are unable to update, you can delete these certificates without any adverse impact.
227-
228-
229227
- name: Hybrid Azure AD join FAQ
230228
questions:
231229
- question: How do I unjoin a Hybrid Azure AD joined device locally on the device?
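Review bot: this hunk removes the "multiple expired certificates issued by MS-Organization-P2P-Access" question entirely. FAQ anchors are generated from the question text, so any page linking to that question's anchor will break (this PR already has to update anchors in two other files for a renamed question); please search the repo for links to the removed anchor. Also consider whether readers still on builds before Windows 10 1803 need the "safe to delete" guidance before dropping it, rather than keeping it with a note that it applies to older versions.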
@@ -238,29 +236,29 @@ sections:
238236
- [Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices](troubleshoot-hybrid-join-windows-current.md)
239237
- [Troubleshooting hybrid Azure Active Directory joined down-level devices](troubleshoot-hybrid-join-windows-legacy.md)
240238
241-
- question: Why do I see a duplicate Azure AD registered record for my Windows 10 hybrid Azure AD joined device in the Azure AD devices list?
239+
- question: Why do I see a duplicate Azure AD registered record for my Windows 10/11 hybrid Azure AD joined device in the Azure AD devices list?
242240
answer: |
243241
When your users add their accounts to apps on a domain-joined device, they might be prompted with **Add account to Windows?** If they enter **Yes** on the prompt, the device registers with Azure AD. The trust type is marked as Azure AD registered. After you enable hybrid Azure AD join in your organization, the device also gets hybrid Azure AD joined. Then two device states show up for the same device.
244242
245243
In most cases, Hybrid Azure AD join takes precedence over the Azure AD registered state, resulting in your device being considered hybrid Azure AD joined for any authentication and Conditional Access evaluation. However, sometimes, this dual state can result in a non-deterministic evaluation of the device and cause access issues. We strongly recommend upgrading to Windows 10 version 1803 and above where we automatically clean up the Azure AD registered state. Learn how to [avoid or clean up this dual state on the Windows 10 machine](hybrid-azuread-join-plan.md#review-things-you-should-know).
246244
247245
248246
249-
- question: Why do my users have issues on Windows 10 hybrid Azure AD joined devices after changing their UPN?
247+
- question: Why do my users have issues on Windows 10/11 hybrid Azure AD joined devices after changing their UPN?
250248
answer: |
251249
Currently UPN changes are not fully supported with hybrid Azure AD joined devices. While users can sign in to the device and access their on-premises applications, authentication with Azure AD fails after a UPN change. As a result, users have SSO and Conditional Access issues on their devices. At this time, you need to unjoin the device from Azure AD (run "dsregcmd /leave" with elevated privileges) and rejoin (happens automatically) to resolve the issue. We are currently working on addressing this issue. However, users signing in with Windows Hello for Business do not face this issue.
252250
253-
UPN changes are supported with Windows 10 2004 update. Users on devices with this update will not have any issues after changing their UPNs
251+
UPN changes are supported with Windows 10 2004 update and also applicable to Windows 11. Users on devices with this update will not have any issues after changing their UPNs
254252
255253
256254
257-
- question: Do Windows 10 hybrid Azure AD joined devices require line of sight to the domain controller to get access to cloud resources?
255+
- question: Do Windows 10/11 hybrid Azure AD joined devices require line of sight to the domain controller to get access to cloud resources?
258256
answer: |
259-
No, except when the user's password is changed. After Windows 10 hybrid Azure AD join is complete, and the user has signed in at least once, the device doesn't require line of sight to the domain controller to access cloud resources. Windows 10 can get single sign-on to Azure AD applications from anywhere with an internet connection, except when a password is changed. Users who sign in with Windows Hello for Business continue to get single sign-on to Azure AD applications even after a password change, even if they don't have line of sight to their domain controller.
257+
No, except when the user's password is changed. After Windows 10/11 hybrid Azure AD join is complete, and the user has signed in at least once, the device doesn't require line of sight to the domain controller to access cloud resources. Windows 10/11 can get single sign-on to Azure AD applications from anywhere with an internet connection, except when a password is changed. Users who sign in with Windows Hello for Business continue to get single sign-on to Azure AD applications even after a password change, even if they don't have line of sight to their domain controller.
260258
261259
262260
263-
- question: What happens if a user changes their password and tries to sign in to their Windows 10 hybrid Azure AD joined device outside the corporate network?
261+
- question: What happens if a user changes their password and tries to sign in to their Windows 10/11 hybrid Azure AD joined device outside the corporate network?
264262
answer: |
265263
If a password is changed outside the corporate network (for example, by using Azure AD SSPR), then the user sign in with the new password will fail. For hybrid Azure AD joined devices, on-premises Active Directory is the primary authority. When a device does not have line of sight to the domain controller, it is unable to validate the new password. So, user needs to establish connection with the domain controller (either via VPN or being in the corporate network) before they're able to sign in to the device with their new password. Otherwise, they can only sign in with their old password because of cached sign in capability in Windows. However, the old password is invalidated by Azure AD during token requests and hence, prevents single sign-on and fails any device-based Conditional Access policies. This issue doesn't occur if you use Windows Hello for Business.
266264
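Review bot: the UPN line here ("UPN changes are supported with Windows 10 2004 update and also applicable to Windows 11") differs from the equivalent line in the Azure AD join section of this PR ("supported starting with Windows 10 2004 update..."); use one wording in both places, add "the" before "Windows 10 2004 update", and end the sentence with a period. As in that section, the paragraph above still says "Currently UPN changes are not fully supported with hybrid Azure AD joined devices" and "We are currently working on addressing this issue", which contradicts the supported-since-2004 statement; scope the first paragraph to older builds. The unchanged link text "Troubleshooting hybrid Azure Active Directory joined Windows 10 and Windows Server 2016 devices" is fine only if the target article's title was not changed.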
@@ -269,19 +267,19 @@ sections:
269267
questions:
270268
- question: How do I remove an Azure AD registered state for a device locally?
271269
answer: |
272-
- For Windows 10 Azure AD registered devices, Go to **Settings** > **Accounts** > **Access Work or School**. Select your account and select **Disconnect**. Device registration is per user profile on Windows 10.
270+
- For Windows 10/11 Azure AD registered devices, Go to **Settings** > **Accounts** > **Access Work or School**. Select your account and select **Disconnect**. Device registration is per user profile on Windows 10/11.
273271
- For iOS and Android, you can use the Microsoft Authenticator application **Settings** > **Device Registration** and select **Unregister device**.
274272
- For macOS, you can use the Microsoft Intune Company Portal application to unenroll the device from management and remove any registration.
275273
276-
For Windows 10 devices, this process can be automated with the [Workplace Join (WPJ) removal tool](https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip)
274+
For Windows 10/11 devices, this process can be automated with the [Workplace Join (WPJ) removal tool](https://download.microsoft.com/download/8/e/f/8ef13ae0-6aa8-48a2-8697-5b1711134730/WPJCleanUp.zip)
277275
278276
> [!NOTE]
279277
> This tool removes all SSO accounts on the device. After this operation, all applications will lose SSO state, and the device will be unenrolled from management tools (MDM) and unregistered from the cloud. The next time an application tries to sign in, users will be asked to add the account again.
280278
281279
282-
- question: How can I block users from adding more work accounts (Azure AD registered) on my corporate Windows 10 devices?
280+
- question: How can I block users from adding more work accounts (Azure AD registered) on my corporate Windows 10/11 devices?
283281
answer: |
284-
Enable the following registry to block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.
282+
Enable the following registry to block your users from adding additional work accounts to your corporate domain joined, Azure AD joined, or hybrid Azure AD joined Windows 10/11 devices. This policy can also be used to block domain joined machines from inadvertently getting Azure AD registered with the same user account.
285283
286284
`HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin, "BlockAADWorkplaceJoin"=dword:00000001`
287285
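Review bot: "Enable the following registry to block your users" is missing a noun; what follows is a registry value, so write "Set the following registry value to block your users". In the first bullet, "devices, Go to **Settings**" has a capital "Go" mid-sentence. The sentence introducing the WPJ removal tool could mention up front that the tool removes all SSO accounts and unenrolls the device from MDM, since that is the consequence the note below warns about.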
@@ -311,3 +309,4 @@ additionalContent: |
311309
- Learn more about [Azure AD joined devices](concept-azure-ad-join.md)
312310
- Learn more about [hybrid Azure AD joined devices](concept-azure-ad-join-hybrid.md)
313311
- [The Microsoft Error Lookup Tool](/windows/win32/debug/system-error-code-lookup-tool)
312+

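Review bot: line 312+ adds only an empty line at the end of faq.yml. If this is an editor adding a final newline it is harmless; if it introduces a blank line after the last list item, drop it so the diff stays limited to content changes.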
‎articles/active-directory/devices/troubleshoot-device-dsregcmd.md

Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ ms.date: 11/21/2019
1010
ms.author: joflore
1111
author: MicrosoftGuyJFlo
1212
manager: karenhoran
13-
ms.reviewer: spunukol
13+
ms.reviewer: ravenn
1414

1515
ms.collection: M365-identity-device-management
1616
---
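Review bot: ms.reviewer changes to ravenn, but ms.date stays at 11/21/2019 even though this PR also edits the article body (the DeviceAuthStatus FAQ link below); consider refreshing ms.date since the content changes.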
@@ -64,7 +64,7 @@ The state is displayed only when the device is Azure AD-joined or hybrid Azure A
6464
- **TpmProtected**: The state is set to *YES* if the device private key is stored in a hardware Trusted Platform Module (TPM).
6565
- **DeviceAuthStatus**: Performs a check to determine the device's health in Azure AD. The health statuses are:
6666
* *SUCCESS* if the device is present and enabled in Azure AD.
67-
* *FAILED. Device is either disabled or deleted* if the device is either disabled or deleted. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-devices).
67+
* *FAILED. Device is either disabled or deleted* if the device is either disabled or deleted. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices).
6868
* *FAILED. ERROR* if the test was unable to run. This test requires network connectivity to Azure AD.
6969
> [!NOTE]
7070
> The **DeviceAuthStatus** field was added in the Windows 10 May 2021 update (version 21H1).
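Review bot: the new anchor "...on-their-windows-10-11-devices" assumes the slug generator turns "10/11" in the renamed question into "10-11". Please check the rendered FAQ to confirm the generated id (a slash could also simply be dropped, giving "windows-1011-devices"); otherwise this link and the matching one in troubleshoot-hybrid-join-windows-current.md will land on the wrong section.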

‎articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md

Lines changed: 1 addition & 1 deletion
@@ -477,7 +477,7 @@ Use Event Viewer to look for the log entries that are logged by the Azure AD Clo
477477

478478
| Error code | Reason | Resolution |
479479
| --- | --- | --- |
480-
| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. |
480+
| **AADSTS50155: Device authentication failed** | <li>Azure AD is unable to authenticate the device to issue a PRT.<li>Confirm that the device hasn't been deleted or disabled in the Azure portal. For more information about this issue, see [Azure Active Directory device management FAQ](faq.yml#why-do-my-users-see-an-error-message-saying--your-organization-has-deleted-the-device--or--your-organization-has-disabled-the-device--on-their-windows-10-11-devices). | Follow the instructions for this issue in [Azure Active Directory device management FAQ](faq.yml#i-disabled-or-deleted-my-device-in-the-azure-portal-or-by-using-windows-powershell--but-the-local-state-on-the-device-says-it-s-still-registered--what-should-i-do) to re-register the device based on the device join type. |
481481
| **AADSTS50034: The user account `Account` does not exist in the `tenant id` directory** | Azure AD is unable to find the user account in the tenant. | <li>Ensure that the user is typing the correct UPN.<li>Ensure that the on-premises user account is being synced with Azure AD.<li>Event 1144 (Azure AD analytics logs) will contain the UPN provided. |
482482
| **AADSTS50126: Error validating credentials due to invalid username or password.** | <li>The username and password entered by the user in the Windows LoginUI are incorrect.<li>If the tenant has password hash sync enabled, the device is hybrid-joined, and the user just changed the password, it's likely that the new password hasn’t synced with Azure AD. | To acquire a fresh PRT with the new credentials, wait for the Azure AD password sync to finish. |
483483
| | |
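Review bot: same anchor assumption as in troubleshoot-device-dsregcmd.md: "...windows-10-11-devices" must match the id the renamed FAQ question actually renders to, so verify it on the built page. The second link in the row (#i-disabled-or-deleted-my-device...) is unchanged, which is correct as long as that question's text is not modified by this PR; it does not appear in the diff. The trailing `| | |` line in the context renders as an empty table row and can be removed.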
