From e79e9ec86764390f80ac985657864b6540f31207 Mon Sep 17 00:00:00 2001 From: Anthony Swierkosz Date: Sat, 4 Jun 2022 20:58:17 -0400 Subject: [PATCH 01/21] Add `pull_request_template.md` --- .github/pull_request_template.md | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..4ecce018e7 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,38 @@ + + +# Description + + + +## Changes + + + +## Why + + + +Closes #[Issue Number] + + \ No newline at end of file From 19df4ab69921c669188c99ed344280e74f07aa27 Mon Sep 17 00:00:00 2001 From: Anthony Swierkosz Date: Sat, 4 Jun 2022 21:16:43 -0400 Subject: [PATCH 02/21] Refinements to PR template --- .github/pull_request_template.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 4ecce018e7..d22919be6a 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -2,18 +2,12 @@ Fill out the information below to help us review this pull request. You can delete these comments once you are done. --> - -# Description - +## Description -## Changes - - ## Why @@ -26,7 +20,14 @@ If your changes are extensive, you can provide a brief description here and list - For more information, see [Linking a pull request to an issue using a keyword](https://docs.github.com/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword). --> -Closes #[Issue Number] +- Closes #[Issue Number] + +## Changes + + @@ -25,7 +25,7 @@ If your changes are extensive: ## Changes From c43bc722effd7c2841df11182f62465c9451f307 Mon Sep 17 00:00:00 2001 
From: benjamin-soon <37458876+benjamin-soon@users.noreply.github.com> Date: Fri, 26 Aug 2022 12:17:59 -0700 Subject: [PATCH 04/21] Update policy-csp-internetexplorer.md Includes the following policies into the list. - InternetExplorer/EnableGlobalWindowListInIEMode - InternetExplorer/HideIEAppRetirementNotification - InternetExplorer/ResetZoomForDialogInIEMode --- .../mdm/policy-csp-internetexplorer.md | 172 ++++++++++++++++++ 1 file changed, 172 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..bdaca6c326 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
InternetExplorer/EnableExtendedIEModeHotkeys
+
+ InternetExplorer/EnableGlobalWindowListInIEMode +
+
+ InternetExplorer/HideInternetExplorer11RetirementNotification +
InternetExplorer/IncludeAllLocalSites
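Review bot: The index entry added in this hunk, `InternetExplorer/HideInternetExplorer11RetirementNotification`, does not match the name listed in the commit message, `InternetExplorer/HideIEAppRetirementNotification`. Confirm which one is the real CSP policy name and correct the other so the history and the documented policy agree.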
@@ -612,6 +618,9 @@ manager: aaroncz
InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
+
+ InternetExplorer/ResetZoomForDialogInIEMode +
InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
@@ -4423,6 +4432,115 @@ ADMX Info: +
+ + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the Notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the Notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
**InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
+ +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** From 054efffea6402ad856a4da14a653a225306d1451 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 1 Sep 2022 08:17:54 -0700 Subject: [PATCH 05/21] Apply suggestions from code review Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-internetexplorer.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index bdaca6c326..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4519,9 +4519,9 @@ ADMX Info: This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. -- If you enable this policy setting, the Notification bar will not be displayed in Internet Explorer 11. +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. -- If you disable, or do not configure, this policy setting, the Notification bar will be displayed in Internet Explorer 11. +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. From 9041007ced760fe6fd8f4d7cc156bbf1f94e5fb2 Mon Sep 17 00:00:00 2001 From: Vignesh Mitsume <48824590+VigneshMitsume@users.noreply.github.com> Date: Mon, 5 Sep 2022 16:15:34 +0900 Subject: [PATCH 06/21] Add warning notes Regarding autopatch, adding the devices directly to the autopatch groups are unsupported and might cause unexpected impact to the service. But system allows to do so. Hence updating the docs accordingly. --- .../operate/windows-autopatch-update-management.md | 3 +++ 1 file changed, 3 insertions(+) 
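Review bot: In the `@@ -4423` hunk of policy-csp-internetexplorer.md, the `EnableGlobalWindowListInIEMode` description says the global window list "enables sharing state with other applications" without saying what state is shared or with which applications. Since enabling the policy widens what Internet Explorer mode exposes, spell that out so an admin can judge the setting. In the same hunk, the `HideInternetExplorer11RetirementNotification` section gives the GP name as *DisableIEAppDeprecationNotification*, which shares no wording with the CSP name; a short remark confirming the mapping is intentional would help. The bullet "If you disable or don’t configure this policy" also uses a typographic apostrophe where the other added sections use a plain one.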
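Review bot: In the `@@ -11161` hunk of policy-csp-internetexplorer.md, the `ResetZoomForDialogInIEMode` description reads "based on the zoom of it's parent page"; this should be the possessive "its parent page". The comma in "If you disable, or don't configure this policy" is also unbalanced compared with the "If you disable, or do not configure, this policy setting" wording used for the retirement-notification policy earlier in the same patch.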
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..ae88d14238 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. +> [!Warning] +> Adding/Importing devices into any of these groups directly is not supported and doing so might cause unexpected impact to the autopatch service. To add/move devices between these groups see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. From f05a91d408636feeb3fa08c888f0d577e0e94268 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Mon, 5 Sep 2022 10:43:05 +0100 Subject: [PATCH 07/21] Update windows-autopatch-changes-to-tenant.md Standardized Ring Group Descriptions in the AAD Groups table to match descriptions used elsewhere in docs for example: https://docs.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#windows-autopatch-deployment-rings --- .../references/windows-autopatch-changes-to-tenant.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
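Review bot: The alert added in the `@@ -40,6 +40,9 @@` hunk of windows-autopatch-update-management.md is written `> [!Warning]`, while the alert directly below it is `> [!IMPORTANT]`; use uppercase `[!WARNING]` to match. The text also says "the autopatch service" where the rest of the page says "Windows Autopatch", and the link `../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings` points back into the file being edited, so the bare `#moving-devices-in-between-deployment-rings` anchor is enough. Consider naming the supported path in the sentence itself rather than only linking to it, since the warning is about a change the system does not block.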
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab4daa7fe2..4ca89f1b2d 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -29,10 +29,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 11
| | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

Group Rule:

  • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
  • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

Exclusions:
  • Modern Workplace - Telemetry Settings for Windows 10
| | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | From a7f1a728a72a9f3ce26ff18fe10e10fbadbb7aa6 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Mon, 5 Sep 2022 14:02:10 +0100 Subject: [PATCH 08/21] Update windows-autopatch-register-devices.md Making it clear on which methods can be used to populate the Windows Autopatch Device Registration group. --- .../deploy/windows-autopatch-register-devices.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fb3df8f46b..85f82eee83 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
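Review bot: The new Test ring description in the `@@ -29,10 +29,10 @@` hunk of windows-autopatch-changes-to-tenant.md reads "Deployment ring for testing update deployments prior production rollout"; it is missing "to" ("prior to production rollout"). The Broad row also changes "an organization" to "the organization"; check that this matches the wording on the deployment rings page the commit message cites as the reference.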
@@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by adding them into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: + +- Direct Membership +- Nesting other Azure AD dynamic/assigned groups +- Bulk operations – Import members + +Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. From 113c5d7f2609dac7bb7cfa08bb2c31b393760d60 Mon Sep 17 00:00:00 2001 
From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Mon, 5 Sep 2022 14:18:45 +0100 Subject: [PATCH 09/21] Update windows-autopatch-update-management.md Added some explicit detail around what "manually" adding devices to the Test ring means. I.E follow the moving devices between rings process and not manually editing the AD group. --- .../operate/windows-autopatch-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..fbb30b4d6c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -58,7 +58,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure, see [Moving devices in between deployment rings](windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| From c65cab7823445def85d210b0027ac924026bf126 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Mon, 5 Sep 2022 15:08:46 +0100 Subject: [PATCH 10/21] Update windows-autopatch-update-management.md Added warning to call out explicit point to not edit AAD group membership directly. --- .../operate/windows-autopatch-update-management.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..11ac6f1406 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -80,7 +80,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership is not supported and may cause unintended configuration conflict within the Autopatch service. In order to avoid service interruption to devices, use the **Assign device to ring** action described above to move devices between deployment rings. + ## Automated deployment ring remediation functions Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: From 9bee2d99b9e55457c32c46d3cb3bef3410124ee8 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:13:16 +0100 Subject: [PATCH 11/21] Update windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 85f82eee83..2dabad0015 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -28,7 +28,7 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by adding them into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: +You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: - Direct Membership - Nesting other Azure AD dynamic/assigned groups From 66826e4976d9de576aec1bef1e82dcb4554ad40a Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:14:27 +0100 Subject: [PATCH 12/21] Update windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 2dabad0015..ffd3cf4cbf 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -30,7 +30,7 @@ Windows Autopatch can take over software update management control of devices th You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: -- Direct Membership +- Direct membership - Nesting other Azure AD dynamic/assigned groups - Bulk operations – Import members From 54c48454550d2f7c2774d8f1633a554b8d4662bb Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:26:07 +0100 Subject: [PATCH 13/21] Update windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../operate/windows-autopatch-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index fbb30b4d6c..aa55b5893a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -58,7 +58,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure, see [Moving devices in between deployment rings](windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:

  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| From 8b1648d4fa885e74d65a5c4527d659b7cb43da05 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:50:38 +0100 Subject: [PATCH 14/21] Update windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../operate/windows-autopatch-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 11ac6f1406..22b6c68efd 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -82,7 +82,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). > [!WARNING] -> Moving devices between deployment rings through directly changing Azure AD group membership is not supported and may cause unintended configuration conflict within the Autopatch service. In order to avoid service interruption to devices, use the **Assign device to ring** action described above to move devices between deployment rings. +> Moving devices between deployment rings through directly changing Azure AD group membership is not supported and may cause unintended configuration conflict within the Windows Autopatch service. In order to avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. ## Automated deployment ring remediation functions From 6f5851f4048ab41db6dbd717875bc4c3b407f6c3 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 6 Sep 2022 10:23:56 -0700 Subject: [PATCH 15/21] remove retired video --- .../windows-autopilot/demonstrate-deployment-on-vm.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 0164891a96..b8fe13f82f 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -419,15 +419,9 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B > [!IMPORTANT] > If you've already registered your VM (or device) using Intune, then skip this step. -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. -Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. +Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account, select **Sign in** on the upper-right-corner of the main page. Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: @@ -528,8 +522,6 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. - First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. From 965b9a33fb79dbda0dc82e91b0716ea9b9b40225 Mon Sep 17 00:00:00 2001 
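Review bot: The `@@ -419,15 +419,9 @@` hunk of demonstrate-deployment-on-vm.md also rewrites the sign-in link from `https://businessstore.microsoft.com/en-us/store` to `https://businessstore.microsoft.com/store`, which the commit subject "remove retired video" does not cover. Mention the locale removal in the commit message or split it into its own change so the link edit is not lost in review.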
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:10:41 -0700 Subject: [PATCH 16/21] Update windows-autopatch-update-management.md Fixed link --- .../operate/windows-autopatch-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index aa55b5893a..7b5efa23ab 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -58,7 +58,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:

  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| From b1f705f14179daaee8e36676d0abc631f0db6fdf Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 6 Sep 2022 11:12:11 -0700 Subject: [PATCH 17/21] Update windows-autopatch-update-management.md Fixed style. --- .../operate/windows-autopatch-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 22b6c68efd..b3530cb885 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -82,7 +82,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). > [!WARNING] -> Moving devices between deployment rings through directly changing Azure AD group membership is not supported and may cause unintended configuration conflict within the Windows Autopatch service. In order to avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. ## Automated deployment ring remediation functions From 95f0e76fa3038c79791a129059210a2808edac8a Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:26:38 -0700 Subject: [PATCH 18/21] Update windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md Agreed and reviewed. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../operate/windows-autopatch-update-management.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index ae88d14238..604042e159 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -40,8 +40,8 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. -> [!Warning] -> Adding/Importing devices into any of these groups directly is not supported and doing so might cause unexpected impact to the autopatch service. To add/move devices between these groups see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). +> [!WARNING] +> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. From 0a0d77053b4930123fc2987034228978a93749cb Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 6 Sep 2022 14:19:25 -0700 Subject: [PATCH 19/21] update --- .../microsoft-defender-smartscreen-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 3f1a94a7ad..59695ee06d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,8 +2,8 @@ title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.prod: m365-security -author: mjcaparas -ms.author: macapara +author: dansimp +ms.author: dansimp ms.localizationpriority: high ms.reviewer: manager: dansimp From 08b9003bb9fa710660eb4346db5c462685f40486 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 6 Sep 2022 14:28:04 -0700 Subject: [PATCH 20/21] update --- .../applocker/understand-applocker-enforcement-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index f99766832e..005c1ddcc2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance From 4acbb403e397a0d387ea93dbe23138b08cf69f80 Mon Sep 17 00:00:00 2001 
From: jcaparas Date: Tue, 6 Sep 2022 14:38:26 -0700 Subject: [PATCH 21/21] update --- .../applocker/script-rules-in-applocker.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index e30b2c517a..b7d7521a48 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows) description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance
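Review bot: The Microsoft Store for Business link change in the first hunk of PATCH 15/21 (`@@ -419,15 +419,9 @@` in demonstrate-deployment-on-vm.md, `/en-us/store` to `/store`) is not covered by the subject "remove retired video"; mention the locale removal in the commit message or move it to its own commit so the URL change can be found later. Since that line is being rewritten anyway, "upper-right-corner" could become "upper-right corner" in the same edit.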
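Review bot: The new link target in the Test row of PATCH 16/21 (`@@ -58,7 +58,7 @@`) is a section of the file being edited, so an anchor-only link (`#moving-devices-in-between-deployment-rings`) would do the job without hard-coding the published path `/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management`. PATCH 18/21 links the same section from the same file as `../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings`, so the series ends up with two different forms for one target; pick one. While the row is open, note that the size bands **0–500** and **500–5000** overlap at 500 and at 5000, and the Broad row in the trailing context reads "an software update deployment".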
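Review bot: The context line directly above the changed warning in PATCH 17/21 (`@@ -82,7 +82,7 @@`) bolds "column" as if it were part of the UI label (`**Ring assigned by column**`), while the sentence before it writes `**Ring assigned by** column`; as this commit is a style fix for exactly this passage, correct the bold span in the same change. The edits to the warning itself ("isn't", "conflicts", "To avoid") need no further change.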
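Review bot: The rewritten warning in PATCH 18/21 (`@@ -40,8 +40,8 @@`) still says "is not supported", although PATCH 17/21 changed the same phrase to "isn't supported" in the other warning of this file; use the contraction here as well so the two warnings match. The new second sentence also narrows "To add/move devices" to "To move devices", which leaves a reader who wants to add a device to one of these groups without a pointer; keep "add or move" if the linked section covers both cases.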
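Review bot: After the metadata change in PATCH 19/21 (`@@ -2,8 +2,8 @@` in microsoft-defender-smartscreen-overview.md), `author`, `ms.author` and `manager` all name dansimp and `ms.reviewer` is still empty, so the page has a single contact in every role; confirm that is intended, or fill in `ms.reviewer`. The subject "update" gives no hint that ownership moved from mjcaparas/macapara, so state that in the commit message.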
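Review bot: The hunk in PATCH 21/21 (`@@ -3,13 +3,13 @@` in script-rules-in-applocker.md) makes the same two-line `ms.author`/`author` replacement as PATCH 20/21, again under the bare subject "update"; squash the ownership reassignments into one commit with a subject that names the old and new owner, so the change is visible in the history of each file. As in the other files, `ms.reviewer` stays empty while `author` and `manager` become the same account.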