Commit 9f412f5

Merge pull request #89428 from billmath/fixes1
updating
2 parents 22f52b9 + 55b1a16 commit 9f412f5

1 file changed

+9
-3
lines changed

articles/active-directory/hybrid/reference-connect-version-history.md

Lines changed: 9 additions & 3 deletions
@@ -12,7 +12,7 @@ ms.devlang: na
1212
ms.topic: reference
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 05/23/2019
15+
ms.date: 09/23/2019
1616
ms.subservice: hybrid
1717
ms.author: billmath
1818

@@ -41,7 +41,13 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
4141
## 1.4.X.0
4242

4343
>[!IMPORTANT]
44-
>Previously, Windows down-level computers joined to on-prem AD were incorrectly getting synced to the cloud under some circumstances. As an example, the userCertificate attribute value for Windows down-level devices in AD is populated. But such devices in Azure AD always stayed in the “pending” state because these OS versions were not designed to be registered with Azure AD via AAD Sync. In this version of Azure AD Connect, AAD Sync will stop syncing Windows down-level computers to Azure AD and will also remove the previously incorrectly synced Windows down-level devices from Azure AD. Please note that this change will not delete any Windows down-level devices that were correctly registered with Azure AD by using the MSI package. Those devices will continue to work as expected for the purposes of device-based conditional access. Some customers may see some or all of their Windows down-level devices disappear from Azure AD. This is not a cause for concern, as these device identities were never actually used by Azure AD during conditional access authorization. Such customers may need to revisit https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan and get their Windows down-level devices registered correctly to ensure that such devices can fully participate in device-based conditional access. Note that if you see these deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.
44+
>Windows Computers registered as Hybrid Azure AD Joined are represented in Azure AD as device objects. These device objects can be used for conditional access. Windows 10 Computers are synced to the cloud via Azure AD Connect, down level Windows Computers are registered directly using either AD FS or seamless single sign on.
45+
>
46+
>Only Windows 10 computers with a specific userCertificate attribute value configured by Hybrid Azure AD Join are supposed to be synced to the cloud by Azure AD Connect. In previous versions of Azure AD Connect this requirement was not rigorously enforced, resulting in unnecessary device objects in Azure AD. Such devices in Azure AD always stayed in the “pending” state because these computers were not intended to be registered with Azure AD.
47+
>
48+
>This version of Azure AD Connect will only sync Windows 10 computers that are correctly configured to be Hybrid Azure AD Joined. Azure AD Connect should never be syncing [down-level Windows devices](../../active-directory/devices/hybrid-azuread-join-plan.md#windows-down-level-devices). Any devices in Azure AD previously synced incorrectly will now be deleted from Azure AD. However, this change won't delete any Windows devices that were correctly registered with Azure AD for Hybrid Azure AD Join.
49+
>
50+
>Some customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. Some customers may need to revisit [How To: Plan your hybrid Azure Active Directory join implementation](../../active-directory/devices/hybrid-azuread-join-plan.md) to get their Windows computers registered correctly and ensure that such devices can fully participate in device-based conditional access. If Azure AD Connect is attempting to delete [down-level Windows devices](../../active-directory/devices/hybrid-azuread-join-plan.md#windows-down-level-devices) then the device is not the one that was created by the [Microsoft Workplace Join for non-Windows 10 computers MSI](https://www.microsoft.com/download/details.aspx?id=53554) and it is not able to be consumed by any other Azure AD feature. If you see the deletes of Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.
4551
4652
### Release status
4753
9/10/2019: Released for auto-upgrade only
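
Review bot: The closing sentence of the new callout ("If you see the deletes of Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through") tells admins to let deletes past a safeguard without any check, and this revision widens the wording from "Windows down-level devices" to "some or all of their Windows devices". Suggest adding a step before that advice: confirm that the pending deletes are only device objects in the "pending" state, since those are the ones the callout says were never intended to be registered. "These device identities are not used by Azure AD during conditional access authorization" should also say which identities it means (the incorrectly synced ones), because the preceding sentence now reads as covering all Windows devices. Smaller points: the last sentence mixes "you" and "the customer"; "down level" and "single sign on" in the first paragraph are unhyphenated while the link text uses "down-level"; "If Azure AD Connect is attempting to delete ... devices then the device is not the one" switches from plural to singular; and the links use ../../active-directory/devices/ from a file that already sits under articles/active-directory/, where ../devices/ would be shorter.
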
@@ -1268,7 +1274,7 @@ Released: December 2014
12681274
**New features:**
12691275

12701276
* Password synchronization with attribute-based filtering is now supported. For more information, see [Password synchronization with filtering](how-to-connect-sync-configure-filtering.md).
1271-
* The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for Office 365 applications. It uses OAuth2 to access Online and On-Premises mailboxes in a Hybrid Exchange Deployment.
1277+
* The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for Office 365 applications. It uses OAuth2 to access online and on-premises mailboxes in a Hybrid Exchange Deployment.
12721278

12731279
**Fixed upgrade issues:**
12741280

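
Review bot: In the changed bullet, "online and on-premises" is now lower case but "Hybrid Exchange Deployment" in the same sentence keeps its capitals; pick one convention for the sentence. "It uses OAuth2" also has no clear subject (the feature or the Office 365 applications), so consider naming it while this line is being touched.
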