6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client release                Client role   Server role
Windows 10 v1511 operating system     Yes           No
Windows 11 operating system           Yes           No

Windows Server release                Client role   Server role
Windows Server 2016 operating system  Yes           Yes
Windows Server operating system       Yes           Yes
Windows Server 2019 operating system  Yes           Yes

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.5: Only Windows Server 2016 with [MSKB-4019472] installed but without [MSKB-4038801] installed and Windows Server v1709 operating system without [MSKB-4058258] installed implement the REQUIRED parts for RP-Initiated Logout as defined in [OIDCSession] section 5.

<2> Section 1.6: Support for the OpenID Connect 1.0 protocol in AD FS is available in Windows 10 v1511 and later and in Windows Server 2016 and later.

<3> Section 2.2.3.2: In Windows Server 2016 with [MSKB-4019472] installed but without [MSKB-4038801] installed and in Windows Server v1709 without [MSKB-4058258] installed, the AD FS server can be configured in an implementation-specific way to either return or not return the end_session_endpoint metadata.

<4> Section 2.2.3.2: Windows Server 2016 without [MSKB-4038801] installed and Windows Server v1709 without [MSKB-4058258] installed do not support [OIDCFrontChanLO].

<5> Section 2.2.3.2: [RFC8628] is supported in Windows Server v1809 operating system and later and in Windows Server 2019 and later. It is also supported in Windows Server 2016 if [MSKB-4457127] is installed.

<6> Section 2.2.3.2: The capabilities field is not supported on Windows 10 v1511 or Windows 10 v1607 operating system. It is also not supported on Windows Server 2016 without [MSKB-4022723] installed.

<7> Section 3.1.5.3: Windows 10 v1511 and Windows 10 v1607 do not use the extensions to OpenID Connect Discovery.

<8> Section 3.1.5.4: Logout support in Windows Server 2016 without [MSKB-4038801] installed and in Windows Server v1709 without [MSKB-4058258] installed is limited to OpenID Connect Session Management ([OIDCSession], specifically, section 5).

Windows Client operating systems (Windows 10 v1511 and later) do not implement the extensions to OpenID Connect Session Management or OpenID Connect Front-Channel Logout.

<9> Section 3.2.5.1.1.3: Windows implementations of the AD FS server use the UPN or Windows account name for the locally unique identifier if either of these is available. Otherwise, the identifier depends on configuration by an administrator.

<10> Section 3.2.5.1.1.3: Windows implementations of the AD FS server include a pwd_exp claim only if the identity store provides a value for it.

<11> Section 3.2.5.1.1.3: Windows implementations of the AD FS server include a pwd_url claim only if the identity store provides a value for it.

<12> Section 3.2.5.3.1.3: Even though AD_FS_BEHAVIOR_LEVEL_3 is supported on Windows Server 2016 ([MS-OAPX] section 3.2.1.1), the krctx parameter and the "winhello_cert_kr" value are supported on Windows Server 2016 only if [MSKB-4088889] is installed.

<13> Section 3.2.5.3.1.3: KDF Version 2 is supported on the operating systems specified in [MSFT-CVE-2021-33779], each with its related KB article download installed.

<14> Section 3.2.5.4: The following support information applies to the Logout endpoint:

§ The Logout endpoint is not supported on Windows Server 2016 unless [MSKB-4019472] is installed.

§ The Logout endpoint is implemented as OpenID Connect Session Management ([OIDCSession], specifically, section 5) in Windows Server 2016 with [MSKB-4019472] installed but without [MSKB-4038801] installed.

§ The Logout endpoint is implemented as OpenID Connect Session Management ([OIDCSession], specifically, section 5) in Windows Server v1709 without [MSKB-4058258] installed.

§ The Logout endpoint is implemented as OpenID Connect Front-Channel Logout ([OIDCFrontChanLO]) in Windows Server 2016 with [MSKB-4038801] installed, Windows Server v1709 with [MSKB-4058258] installed, and Windows Server v1803 operating system and later.
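Because notes <3>, <4>, <5> and <14> make logout and device-flow support depend on the server build and on administrator configuration, a relying party should establish what an AD FS server actually offers from its discovery document rather than from its version. The following Python snippet is an added example, not code from this specification or from AD FS; it inspects a constructed discovery document for the metadata fields named in the cited specifications (end_session_endpoint from [OIDCSession], frontchannel_logout_supported from [OIDCFrontChanLO], device_authorization_endpoint from [RFC8628], and the AD FS capabilities field). The host name and the capability value in the sample are constructed placeholders.

```python
import json

# Constructed sample discovery documents (not captured from a real server).
# The first resembles a build that advertises Front-Channel Logout and the
# device authorization endpoint; the second resembles an older build that
# has been configured not to return end_session_endpoint (see note <3>).
SAMPLE_FULL = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
    "end_session_endpoint": "https://adfs.example.test/adfs/oauth2/logout",
    "frontchannel_logout_supported": True,
    "frontchannel_logout_session_supported": True,
    "device_authorization_endpoint": "https://adfs.example.test/adfs/oauth2/devicecode",
    "capabilities": ["constructed-capability"],   # placeholder value
})

SAMPLE_LEGACY = json.dumps({
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.test/adfs/oauth2/token/",
})


def load_discovery(text: str) -> dict:
    """Parse a discovery document and reject anything that is not a JSON object
    with an https issuer, so later checks operate on sane input."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("discovery document must be a JSON object")
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        raise ValueError("issuer must be an https URL")
    return doc


def assess_features(doc: dict) -> dict:
    """Report which optional features the server advertises.

    rp_initiated_logout  - end_session_endpoint present ([OIDCSession] section 5)
    front_channel_logout - frontchannel_logout_supported is true ([OIDCFrontChanLO])
    device_authorization - device_authorization_endpoint present ([RFC8628])
    capabilities         - the AD FS capabilities list, or None if absent
    """
    return {
        "rp_initiated_logout": "end_session_endpoint" in doc,
        "front_channel_logout": doc.get("frontchannel_logout_supported") is True,
        "device_authorization": "device_authorization_endpoint" in doc,
        "capabilities": doc.get("capabilities"),
    }


def logout_strategy(features: dict) -> str:
    """Pick the logout handling a relying party should wire up.

    A missing end_session_endpoint is treated as "no RP-initiated logout"
    because, per note <3>, some builds can be configured either way; the
    relying party cannot infer support from the product version alone.
    """
    if features["front_channel_logout"] and features["rp_initiated_logout"]:
        return "front-channel"
    if features["rp_initiated_logout"]:
        return "session-management"
    return "none"


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_FULL), ("legacy", SAMPLE_LEGACY)):
        feats = assess_features(load_discovery(text))
        print(label, feats, "->", logout_strategy(feats))
```

Run the module directly to see the classification of both constructed documents; in a real deployment the document would be fetched from the server's discovery URL and cached, and the result used to decide whether a logout link or a device-code flow can be offered at all.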