mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 11:23:45 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into apr28-addl
@ -45,6 +45,7 @@ This section lists the error codes for Microsoft Windows Update.
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. |
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. |
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |

## Inventory errors

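Review bot: the added blank line between the `0x8024043D` table row and the `## Inventory errors` heading is the right fix, since without it some Markdown renderers treat the heading as a continuation of the table; there is no other change in this hunk.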
@ -6,30 +6,29 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
ms.reviewer:
manager: laurawi
ms.topic: article
---
# Enforcing compliance deadlines for updates
# Enforcing compliance deadlines for updates

>Applies to: Windows 10
> Applies to: Windows 10

Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.

The compliance options have changed for devices on Windows 10, version 1709 and above:

- [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above)
- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709)

- [Prior to Windows 10, version 1709](#prior-to-windows-10-version-1709)

## For Windows 10, version 1709 and above

With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:

- Update/ConfigureDeadlineForFeatureUpdates
- Update/ConfigureDeadlineForQualityUpdates
- Update/ConfigureDeadlineGracePeriod
- Update/ConfigureDeadlineNoAutoReboot
- Update/ConfigureDeadlineForFeatureUpdates
- Update/ConfigureDeadlineForQualityUpdates
- Update/ConfigureDeadlineGracePeriod
- Update/ConfigureDeadlineNoAutoReboot

This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did.

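Review bot: the front-matter `ms.reviewer:` key that survives the deduplication is still empty, so either give it a value or drop it rather than shipping an empty field; removing the duplicate itself is correct, because duplicate YAML keys are ambiguous. Renaming the link text to `Prior to Windows 10, version 1709` matches the section heading and keeps the `#prior-to-windows-10-version-1709` anchor consistent. Consider putting the four MDM settings (`Update/ConfigureDeadlineForFeatureUpdates` and the three that follow) in backticks so they render as identifiers rather than prose.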
@ -37,23 +36,19 @@ The policy also includes a configurable grace period to allow, for example, user

Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours.


### Policy setting overview

|Policy|Description |
|-|-|
| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |
| (Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |


### Suggested configurations
### Suggested configurations

|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |
|(Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |

When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above):
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and above):

- **While restart is pending, before the deadline occurs:**

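Review bot: dropping the leading "For" from "(For Windows 10, version 1709 and above)" in the two table rows and in the sentence "When **Specify deadlines for automatic updates and restarts** is set" makes the wording consistent with the section heading. A follow-up worth making in the same area: the Location column of the suggested-configurations table gives only the GPO path, while the MDM settings listed earlier (Update/ConfigureDeadlineForFeatureUpdates and the three that follow) are not mapped anywhere to the 7 / 7 / 2 values, so an MDM administrator cannot tell which setting takes which number.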
@ -68,7 +63,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window


- **If the restart is still pending after the deadline passes:**


- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:


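Review bot: the sub-bullet "Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching" describes a notification shown before the deadline, yet it is nested under "If the restart is still pending after the deadline passes"; move it under the "While restart is pending, before the deadline occurs" bullet or reword the parent. The one changed line in this hunk is rendered here as an empty line where an image reference would be, so the image path or alt-text change itself cannot be verified from this view.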
@ -80,22 +75,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window

## Prior to Windows 10, version 1709


Two compliance flows are available:
Two compliance flows are available:

- [Deadline only](#deadline-only)
- [Deadline with user engagement](#deadline-with-user-engagement)

### Deadline only
### Deadline only

This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option.
This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option.

#### End-user experience

Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device.
Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device.

>[!NOTE]
>Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).
> [!NOTE]
> Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update).

#### Policy overview

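Review bot: in the NOTE "(for example, when the device has completed the installation and download from Windows Update)" the order is reversed, since the device downloads first and then installs; "download and installation" reads correctly. The `>[!NOTE]` to `> [!NOTE]` spacing change is fine. Because the first file in this commit stresses that the newer policy counts the deadline from publication, it would help to restate in the "Deadline only" paragraph that the older flow's clock starts at the pending-restart state, as the NOTE already says, so the contrast is visible where the reader compares the two.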
@ -104,9 +98,6 @@ Once the device is in the pending restart state, it will attempt to restart the
|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).|
|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.|




#### Suggested configuration

|Policy|Location|3-day compliance|5-day compliance|7-day compliance|

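Review bot: the row for "Specify deadline before auto-restart for update installation" describes the deadline as enforcing compliance "(such as imminent installation)", but the same cell opens by saying the policy applies once the device has already entered the pending restart state, that is, after installation; "(such as a forced restart)" would name what is actually enforced. The blank lines removed before `#### Suggested configuration` are a harmless cleanup.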
@ -129,13 +120,13 @@ Notification users get for a feature update deadline:



### Deadline with user engagement
### Deadline with user engagement

This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active.
This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active.

#### End-user experience

Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time.
Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time.

#### Policy overview

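Review bot: the old and new versions of `### Deadline with user engagement` and of the two paragraphs under it read identically in this rendering, so the hunk is whitespace-only (most likely trailing spaces); that is acceptable, but stripping trailing whitespace in the editor keeps such churn out of content commits and makes the real changes easier to review. One wording point in the otherwise unchanged text: "the device will be in two states" reads better as "the device passes through two periods", since the sentence then names them the auto-restart period and the engaged-restart period.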
@ -144,15 +135,15 @@ Before the deadline the device will be in two states: auto-restart period and en
|Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending restart. Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence and the user will be able to choose a time|
|Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to restart. They will have the option to confirm or dismiss the notification|

#### Suggested configuration
#### Suggested configuration

|Policy| Location| 3-day compliance| 5-day compliance| 7-day compliance |
|-|-|-|-|-|
|Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 3|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 4|State: Enabled<br>**Transition** (Days): 2<br>**Snooze** (Days): 2<br>**Deadline** (Days): 5|

#### Controlling notification experience for engaged deadline
#### Controlling notification experience for engaged deadline

|Policy| Location |Suggested Configuration
|Policy| Location |Suggested Configuration
|-|-|-|
|Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled <br>**Method**: 2- User|

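Review bot: the header row `|Policy| Location |Suggested Configuration` under "Controlling notification experience for engaged deadline" has no trailing pipe while its delimiter row `|-|-|-|` and data row do; add the closing `|` so the table is consistent and renders the same in every engine. In the "Specify engaged restart transition and notification schedule for updates" description, "Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence" needs a sentence break after "Transition days" and should say that the "2 days" is the **Transition** (Days) value from the suggested configuration, so the reader sees why the two numbers match. "**Method**: 2- User" has a stray space after the hyphen.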
@ -174,4 +165,3 @@ Notification users get for a feature update deadline:



@ -4,14 +4,14 @@ description: Configure Client Computers
ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
ms.reviewer:
manager: laurawi
author: greg-lindsay
ms.author: greglin
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: activation
audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.date: 04/30/2020
ms.topic: article
---

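Review bot: bumping `ms.date` from 04/25/2017 to 04/30/2020 is appropriate given the content edits to this file later in the commit, and moving `author: greg-lindsay` only reorders front-matter keys. `ms.reviewer:` is left empty here as well; fill it or remove it.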
@ -19,26 +19,27 @@ ms.topic: article

To enable the Volume Activation Management Tool (VAMT) to function correctly, certain configuration changes are required on all client computers:

- An exception must be set in the client computer's firewall.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.
- An exception must be set in the client computer's firewall.
- A registry key must be created and set properly, for computers in a workgroup; otherwise, Windows® User Account Control (UAC) will not allow remote administrative operations.

Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.

**Important**
This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933).
> [IMPORTANT]
> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).

## Configuring the Windows Firewall to allow VAMT access

Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**.
4. Click the **Change settings** option.
5. Select the **Windows Management Instrumentation (WMI)** checkbox.
6. Click **OK**.

**Warning**
By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.
1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**.
4. Click the **Change settings** option.
5. Select the **Windows Management Instrumentation (WMI)** checkbox.
6. Click **OK**.

**Warning**
By default, Windows Firewall Exceptions only apply to traffic originating on the local subnet. To expand the exception to apply to multiple subnets, you need to change the exception settings in the Windows Firewall with Advanced Security, as described below.

## Configure Windows Firewall to allow VAMT access across multiple subnets

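Review bot: `> [IMPORTANT]` is not the docs alert syntax; the renderer recognises `> [!IMPORTANT]` (with the exclamation mark), which is the form the `> [!NOTE]` block in the first file of this commit uses, so as written this will render as a plain blockquote containing the literal text "[IMPORTANT]". The replacement link for Windows XP Service Pack 1 now points at the WMI remote-connection VBScript page rather than the old fwlink; confirm that page actually covers the XP SP1 firewall configuration, otherwise the sentence sends the reader to the wrong place. The **Warning** paragraph after the six steps is still bold text rather than an alert, so it should get the same `> [!WARNING]` treatment for consistency with the rest of the edit.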
@ -46,50 +47,54 @@ Enable the VAMT to access client computers across multiple subnets using the **W


1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):

- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)

4. In the **Windows Firewall with Advanced Security** dialog box, select **Inbound Rules** from the left-hand panel.


5. Right-click the desired rule and select **Properties** to open the **Properties** dialog box.

- On the **General** tab, select the **Allow the connection** checkbox.
- On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).

- On the **General** tab, select the **Allow the connection** checkbox.
- On the **Scope** tab, change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need.
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).

In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.

For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://support.microsoft.com/help/929851).

## Create a registry value for the VAMT to access workgroup-joined computer

**Caution**
This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912).
> [WARNING]
> This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://support.microsoft.com/help/256986).

On the client computer, create the following registry key using regedit.exe.

1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details:
**Value Name: LocalAccountTokenFilterPolicy**
**Type: DWORD**
**Value Data: 1**
**Note**
To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details:

- **Value Name: LocalAccountTokenFilterPolicy**
- **Type: DWORD**
- **Value Data: 1**

> [NOTE]
> To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.

## Deployment options

There are several options for organizations to configure the WMI firewall exception for computers:
- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.

- **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client.

The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.

## Related topics

- [Install and Configure VAMT](install-configure-vamt.md)

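Review bot: `> [WARNING]` and `> [NOTE]` have the same defect as the earlier alert: the docs syntax is `> [!WARNING]` and `> [!NOTE]`, so both will render as plain blockquotes with the bracketed word showing. On the **Scope** step ("change the Remote IP Address setting from "Local Subnet" (default) to allow the specific access you need"), the text should steer the reader to enter the VAMT host's address or subnet rather than widening the scope to any address, because the three inbound WMI rules expose RPC/DCOM to whatever scope is chosen. Setting `LocalAccountTokenFilterPolicy` to `1` removes UAC token filtering for remote connections by local accounts on that client for every remote caller, not only VAMT; the closing paragraph already tells administrators to consult their network security policies before creating the WMI exception, and that caution belongs next to the registry value too. The link updates from the go.microsoft.com fwlinks to support.microsoft.com/help/929851 and /256986 are fine.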