mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'vp-csp-auto2' of https://github.com/vinaypamnani-msft/windows-docs-pr into vp-csp-auto2
This commit is contained in:
Liz Long
commit
15c043f155
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Azure Active Directory integration with MDM
|
||||
description: Azure Active Directory is the world largest enterprise cloud identity management service.
|
||||
description: Azure Active Directory is the world's largest enterprise cloud identity management service.
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.author: vinpa
|
||||
@ -14,7 +14,7 @@ ms.date: 12/31/2017
|
||||
|
||||
# Azure Active Directory integration with MDM
|
||||
|
||||
Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
|
||||
Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow.
|
||||
|
||||
Once a device is enrolled in MDM, the MDM:
|
||||
|
||||
|
||||
@ -64,7 +64,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
|
||||
| [Delay foreground download cache server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 |
|
||||
| [Delay background download cache server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 |
|
||||
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 |
|
||||
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 1809 |
|
||||
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 |
|
||||
| [Maximum Foreground Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxForegroundDownloadBandwidth | 2004 |
|
||||
| [Maximum Background Download Bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) | DOMaxBackgroundDownloadBandwidth | 2004 |
|
||||
|
||||
|
||||
@ -21,6 +21,7 @@ ms.date: 12/31/2017
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Windows Server
|
||||
|
||||
## What is a servicing stack update?
|
||||
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
|
||||
@ -61,3 +62,5 @@ Typically, the improvements are reliability and performance improvements that do
|
||||
## Simplifying on-premises deployment of servicing stack updates
|
||||
|
||||
With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
|
||||
|
||||
|
||||
|
||||
@ -8,7 +8,7 @@ author: mestew
|
||||
ms.author: mstewart
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
ms.date: 12/05/2022
|
||||
ms.date: 12/22/2022
|
||||
ms.technology: itpro-updates
|
||||
---
|
||||
|
||||
@ -27,7 +27,7 @@ This article is targeted at configuring devices enrolled to [Microsoft Intune](/
|
||||
|
||||
## Create a configuration profile
|
||||
|
||||
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports:
|
||||
Create a configuration profile that will set the required policies for Windows Update for Business reports. There are two profile types that can be used to create a configuration profile for Windows Update for Business reports (select one):
|
||||
- The [settings catalog](#settings-catalog)
|
||||
- [Template](#custom-oma-uri-based-profile) for a custom OMA URI-based profile
|
||||
|
||||
@ -45,9 +45,12 @@ Create a configuration profile that will set the required policies for Windows U
|
||||
- **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
|
||||
- **Setting**: Allow Update Compliance Processing
|
||||
- **Value**: Enabled
|
||||
1. Recommended settings, but not required:
|
||||
- **Setting**: Configure Telemetry Opt In Settings Ux
|
||||
- **Value**: Disabled (*By turning this setting on you are disabling the ability for a user to potentially override the diagnostic data level of devices such that data won't be available for those devices in Windows Update for Business reports*)
|
||||
- **Setting**: Configure Telemetry Opt In Change Notification
|
||||
1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports:
|
||||
- **Setting**: Allow device name to be sent in Windows diagnostic data
|
||||
- **Value**: Disabled (*By turning this setting on you are disabling notifications of diagnostic data changes*)
|
||||
- **Setting**: Allow device name to be sent in Windows diagnostic data (*If this policy is disabled, the device name won't be sent and won't be visible in Windows Update for Business reports*)
|
||||
- **Value**: Allowed
|
||||
|
||||
1. Continue through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
|
||||
@ -203,6 +203,7 @@ The following table indicates which command-line options aren't compatible with
|
||||
|**/encrypt**|Required*|X|X||
|
||||
|**/keyfile**|N/A||X||
|
||||
|**/l**|||||
|
||||
|**/listfiles**|||X||
|
||||
|**/progress**|||X||
|
||||
|**/r**|||X||
|
||||
|**/w**|||X||
|
||||
|
||||
@ -94,7 +94,7 @@ sections:
|
||||
|
||||
- question: Can I use a convenience PIN with Azure Active Directory?
|
||||
answer: |
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
|
||||
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
|
||||
answer: |
|
||||
|
||||
@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
|
||||
|
||||
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
|
||||
|
||||
> [!NOTE]
|
||||
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
|
||||
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
|
||||
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
|
||||
|
||||
## Managing workplace-joined PCs and phones
|
||||
|
||||
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
|
||||
|
||||
@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
|
||||
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
|
||||
|
||||
> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
|
||||
|
||||
@ -218,4 +218,4 @@ For 4661(S, F): A handle to an object was requested.
|
||||
|
||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
|
||||
@ -126,12 +126,12 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
For 4691(S): Indirect access to an object was requested.
|
||||
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
|
||||
@ -133,7 +133,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
|
||||
|
||||
|
||||
@ -135,7 +135,7 @@ This event generates every time network share object (file or folder) was access
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
|
||||
|
||||
@ -319,4 +319,4 @@ For 5145(S, F): A network share object was checked to see whether client can be
|
||||
|
||||
- WRITE\_DAC
|
||||
|
||||
- WRITE\_OWNER
|
||||
- WRITE\_OWNER
|
||||
|
||||
@ -82,7 +82,7 @@ Application Guard functionality is turned off by default. However, you can quick
|
||||
3. Type the following command:
|
||||
|
||||
```
|
||||
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
|
||||
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
|
||||
```
|
||||
4. Restart the device.
|
||||
|
||||
|
||||
@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
|
||||
|
||||
**To administer security policies by using the Security Compliance Manager**
|
||||
|
||||
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog.
|
||||
1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog.
|
||||
1. Read the relevant security baseline documentation that is included in this tool.
|
||||
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
|
||||
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
|
||||
|
||||
@ -398,6 +398,17 @@ The following GPO snippet performs the following tasks:
|
||||
|
||||
|
||||
|
||||
The following table also contains the six actions to configure in the GPO:
|
||||
|
||||
| Program/Script | Arguments |
|
||||
|------------------------------------|----------------------------------------------------------------------------------------------------------|
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 |
|
||||
|
||||
## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
|
||||
|
||||
Here are the minimum steps for WEF to operate:
|
||||
@ -656,4 +667,4 @@ You can get more info with the following links:
|
||||
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
|
||||
- [Event Query Schema](/windows/win32/wes/queryschema-schema)
|
||||
- [Windows Event Collector](/windows/win32/wec/windows-event-collector)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
|
||||
@ -35,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
|
||||
|
||||
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
@ -47,6 +45,9 @@ This can only be done in Group Policy.
|
||||
|
||||
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
> [!NOTE]
|
||||
> This can only be done in Group Policy.
|
||||
|
||||
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
|
||||
@ -58,5 +59,7 @@ This can only be done in Group Policy.
|
||||
|
||||
7. Select **OK** after you configure each setting to save your changes.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user