IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
| + +### Device readiness checks available for each scenario + +| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| ----- | ----- | +|Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.
| + +## Additional resources + +- [Device registration overview](windows-autopatch-device-registration-overview.md) +- [Register your devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ffd3cf4cbf..ddd32f7d97 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/08/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -32,7 +32,7 @@ You must choose what devices to manage with Windows Autopatch by adding them to - Direct membership - Nesting other Azure AD dynamic/assigned groups -- Bulk operations – Import members +- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members) Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. @@ -84,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready and Not ready tabs +## About the Ready, Not ready and Not registered tabs -Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices. +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues. -| Tab | Purpose | -| ----- | ----- | -| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. | -| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. | +| Device blade tab | Purpose | Expected device readiness status | +| ----- | ----- | ----- | +| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. | Readiness failed and/or Inactive | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | + +## Device readiness statuses + +See all possible device readiness statuses in Windows Autopatch: + +| Readiness status | Description | Device blade tab | +| ----- | ----- | ----- | +| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | +| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready | +| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -125,16 +137,16 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. +> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index 3abdb9288e..f5a8284a8c 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png new file mode 100644 index 0000000000..c6abcd6790 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index 15a138fcdf..50e4fd586e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md @@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience"::: +:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png"::: ### Feature update deadline forces an update @@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update"::: +:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png"::: ### Feature update grace period @@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period"::: +:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index c24e373172..1f19a0fd64 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl | Fast | Release start + 60 days | | Broad | Release start + 90 days | -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline"::: +:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: ## New devices to Windows Autopatch diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 2515a08a9a..9fa7e60794 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -27,3 +27,7 @@ After you've completed enrollment in Windows Autopatch, some management settings | Setting | Description | | ----- | ----- | | Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| + +## Windows Autopatch configurations + +Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md index 555d20ee68..b83dc059df 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md @@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience"::: +:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png"::: ### Quality update deadline forces an update @@ -48,7 +48,7 @@ In the following example, the user: The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update"::: +:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png"::: ### Quality update grace period @@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period"::: +:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index c7c96c2575..a8da5aeb86 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). -:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: +:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png"::: ## Expedited releases @@ -74,10 +74,6 @@ If we pause the release, a policy will be deployed which prevents devices from u You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. -## Rollback - -Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md). - ## Incidents and outages If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index 4e5a37bb81..d8b16b880a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -42,7 +42,7 @@ The update is released to the Test ring on the second Tuesday of the month. Thos Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. -The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version. +The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version. As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update. @@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals: | Device reliability signal | Description | | ----- | ----- | | Blue screens | These events are highly disruptive to end users so are closely watched. | -| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | -| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 8b42365ad6..0ab881bf82 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -51,7 +51,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? @@ -76,12 +76,13 @@ sections: - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings. - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: @@ -98,7 +99,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index f5d9508b37..0b64d2adfa 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 08/04/2022 +ms.date: 09/16/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -24,7 +24,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).
| +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses @@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations -## Configuration Manager Co-management requirements +## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: - - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled: + - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 4ca89f1b2d..698612aa82 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -14,6 +14,11 @@ msreviewer: hathind # Changes made at tenant enrollment +The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. + +> [!IMPORTANT] +> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. + ## Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: @@ -132,4 +137,4 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | Script | Description | | ----- | ----- | -| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | +| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index fa5d7a9ffd..c90d19fae5 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -20,7 +20,7 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep e Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources. -The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities: +The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. | Data source | Purpose | | ------ | ------ | diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json deleted file mode 100644 index ce2b043c43..0000000000 --- a/windows/device-security/docfx.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg", - "**/*.gif" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.date": "04/05/2017", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-device-security", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "win-device-security", - "markdownEngineName": "markdig" - } -} diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json deleted file mode 100644 index 2834682ce7..0000000000 --- a/windows/eulas/docfx.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json", - "extendBreadcrumb": true, - "feedback_system": "None", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "eula-vsts", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf deleted file mode 100644 index cb1ef988a1..0000000000 Binary files a/windows/hub/WaaS-infographic.pdf and /dev/null differ diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 461e6028a8..508d741a9b 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -22,8 +22,7 @@ "**/*.png", "**/*.jpg", "**/*.svg", - "**/*.gif", - "**/*.pdf" + "**/*.gif" ], "exclude": [ "**/obj/**", diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json deleted file mode 100644 index aa250a2f5c..0000000000 --- a/windows/keep-secure/docfx.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "feedback_system": "None", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.keep-secure", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "keep-secure", - "markdownEngineName": "markdig" - } -} diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json deleted file mode 100644 index 2119242b44..0000000000 --- a/windows/known-issues/docfx.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "known-issues", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml deleted file mode 100644 index 892ce64421..0000000000 --- a/windows/manage/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Test - href: test.md diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json deleted file mode 100644 index c5275101bf..0000000000 --- a/windows/manage/docfx.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-manage", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-manage", - "markdownEngineName": "markdig" - } -} diff --git a/windows/manage/test.md b/windows/manage/test.md deleted file mode 100644 index 36d16a3f6b..0000000000 --- a/windows/manage/test.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Test -description: Test -ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -author: dstrome -ms.author: dstrome -ms.reviewer: -manager: dstrome -ms.topic: article ---- - -# Test - -## Deployment planning - -This article provides guidance to help you plan for Windows 11 in your organization. - diff --git a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf b/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf deleted file mode 100644 index 557f45193a..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf b/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf deleted file mode 100644 index d01542ed2b..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf b/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf deleted file mode 100644 index 87110d6b3e..0000000000 Binary files a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf b/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf deleted file mode 100644 index 8d04e66910..0000000000 Binary files a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf b/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf deleted file mode 100644 index 86529c1665..0000000000 Binary files a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf and /dev/null differ diff --git a/windows/media/ModernSecureDeployment/WindowsServicing.pdf b/windows/media/ModernSecureDeployment/WindowsServicing.pdf deleted file mode 100644 index 19a419e3a9..0000000000 Binary files a/windows/media/ModernSecureDeployment/WindowsServicing.pdf and /dev/null differ diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json deleted file mode 100644 index 9a47bdcced..0000000000 --- a/windows/plan/docfx.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-plan", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-plan", - "markdownEngineName": "markdig" - } -} diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index e518d55a86..ea38374d15 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -45,17 +45,17 @@ productDirectory: # Card - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_extend.svg + imageSrc: /media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. url: required-windows-11-diagnostic-events-and-fields.md # Card - title: Windows 10 required diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_build.svg + imageSrc: /media/common/i_build.svg summary: See what changes Windows is making to align to the new data collection taxonomy url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg + imageSrc: /media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md @@ -68,50 +68,50 @@ productDirectory: # # Card # - title: cardtitle1 # links: -# - url: file1.md OR https://docs.microsoft.com/file1 +# - url: file1.md OR https://learn.microsoft.com/file1 # itemType: itemType # text: linktext1 -# - url: file2.md OR https://docs.microsoft.com/file2 +# - url: file2.md OR https://learn.microsoft.com/file2 # itemType: itemType # text: linktext2 -# - url: file3.md OR https://docs.microsoft.com/file3 +# - url: file3.md OR https://learn.microsoft.com/file3 # itemType: itemType # text: linktext3 # # footerLink (optional) # footerLink: -# url: filefooter.md OR https://docs.microsoft.com/filefooter +# url: filefooter.md OR https://learn.microsoft.com/filefooter # text: See more # # Card # - title: cardtitle2 # links: -# - url: file1.md OR https://docs.microsoft.com/file1 +# - url: file1.md OR https://learn.microsoft.com/file1 # itemType: itemType # text: linktext1 -# - url: file2.md OR https://docs.microsoft.com/file2 +# - url: file2.md OR https://learn.microsoft.com/file2 # itemType: itemType # text: linktext2 -# - url: file3.md OR https://docs.microsoft.com/file3 +# - url: file3.md OR https://learn.microsoft.com/file3 # itemType: itemType # text: linktext3 # # footerLink (optional) # footerLink: -# url: filefooter.md OR https://docs.microsoft.com/filefooter +# url: filefooter.md OR https://learn.microsoft.com/filefooter # text: See more # # Card # - title: cardtitle3 # links: -# - url: file1.md OR https://docs.microsoft.com/file1 +# - url: file1.md OR https://learn.microsoft.com/file1 # itemType: itemType # text: linktext1 -# - url: file2.md OR https://docs.microsoft.com/file2 +# - url: file2.md OR https://learn.microsoft.com/file2 # itemType: itemType # text: linktext2 -# - url: file3.md OR https://docs.microsoft.com/file3 +# - url: file3.md OR https://learn.microsoft.com/file3 # itemType: itemType # text: linktext3 # # footerLink (optional) # footerLink: -# url: filefooter.md OR https://docs.microsoft.com/filefooter +# url: filefooter.md OR https://learn.microsoft.com/filefooter # text: See more # # tools section (optional) @@ -122,15 +122,15 @@ productDirectory: # # Card # - title: cardtitle1 # # imageSrc should be square in ratio with no whitespace -# imageSrc: ./media/index/image1.svg OR https://docs.microsoft.com/media/logos/image1.svg +# imageSrc: ./media/index/image1.svg OR https://learn.microsoft.com/media/logos/image1.svg # url: file1.md # # Card # - title: cardtitle2 -# imageSrc: ./media/index/image2.svg OR https://docs.microsoft.com/media/logos/image2.svg +# imageSrc: ./media/index/image2.svg OR https://learn.microsoft.com/media/logos/image2.svg # url: file2.md # # Card # - title: cardtitle3 -# imageSrc: ./media/index/image3.svg OR https://docs.microsoft.com/media/logos/image3.svg +# imageSrc: ./media/index/image3.svg OR https://learn.microsoft.com/media/logos/image3.svg # url: file3.md # additionalContent section (optional) @@ -144,15 +144,15 @@ productDirectory: # # Card # - title: cardtitle1 # summary: cardsummary1 -# url: file1.md OR https://docs.microsoft.com/file1 +# url: file1.md OR https://learn.microsoft.com/file1 # # Card # - title: cardtitle2 # summary: cardsummary2 -# url: file1.md OR https://docs.microsoft.com/file2 +# url: file1.md OR https://learn.microsoft.com/file2 # # Card # - title: cardtitle3 # summary: cardsummary3 -# url: file1.md OR https://docs.microsoft.com/file3 +# url: file1.md OR https://learn.microsoft.com/file3 # # footer (optional) # footer: "footertext [linktext](/footerfile)" @@ -181,4 +181,4 @@ additionalContent: - text: Support for GDPR Accountability on Service Trust Portal url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted # footer (optional) - # footer: "footertext [linktext](/footerfile)" \ No newline at end of file + # footer: "footertext [linktext](/footerfile)" diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json deleted file mode 100644 index c5cbdfb50a..0000000000 --- a/windows/release-information/docfx.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json", - "ms.prod": "w10", - "ms.date": "4/30/2019", - "audience": "ITPro", - "titleSuffix": "Windows Release Information", - "extendBreadcrumb": true, - "feedback_system": "None", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "release-information", - "markdownEngineName": "markdig" - } -} diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 603dcc1d9c..c6ff98bda7 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -25,6 +25,8 @@ appliesto: param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) +Set-StrictMode -Version Latest + $path = "C:\DGLogs\" $LogFile = $path + "DeviceGuardCheckLog.txt" @@ -796,7 +798,13 @@ function CheckOSArchitecture function CheckSecureBootState { - $_secureBoot = Confirm-SecureBootUEFI + try { + $_secureBoot = Confirm-SecureBootUEFI + } + catch + { + $_secureBoot = $false + } Log $_secureBoot if($_secureBoot) { diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index ebbea60361..d057f242cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -78,7 +78,7 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d995550c13..3a4f97b0d0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| - - +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F1 | There is no UPN in the token. | | 0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | +| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 8765cbc8c3..95583c6427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud - Using cloud trust for "Run as" - Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\**OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index f85611c594..fe15669214 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
```powershell
- New-CIPolicy -MultiplePolicyFormat -ScanPath
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with:
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
+|AUX Policy|The required AUX policy must be as follows:
|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
+|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For AMD® processors starting with Zen2 or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
+|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
Platform must have AMD® Memory Guard enabled.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For Qualcomm® processors with SD850 or later chipsets|Description|
+|--------|-----------|
+|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
+|Monitor Mode Page Tables|All Monitor Mode page tables must:
|
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|Platform firmware|Platform firmware must carry all code required to launch.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 5c9e29a065..e3cc007d51 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -72,43 +72,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
-
-## System requirements for System Guard
-
-|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with:
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
-|AUX Policy|The required AUX policy must be as follows:
|
-|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
-|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For AMD® processors starting with Zen2 or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
-|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
Platform must have AMD® Memory Guard enabled.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For Qualcomm® processors with SD850 or later chipsets|Description|
-|--------|-----------|
-|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
-|Monitor Mode Page Tables|All Monitor Mode page tables must:
|
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|Platform firmware|Platform firmware must carry all code required to launch.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index e42fab8ddb..5325926107 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -28,13 +28,8 @@ Windows Sandbox has the following properties:
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
- > [!IMPORTANT]
- > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-The following video provides an overview of Windows Sandbox.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
-
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
## Prerequisites
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
deleted file mode 100644
index 5f30884997..0000000000
--- a/windows/threat-protection/docfx.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
- "ms.topic": "article",
- "audience": "ITPro",
- "ms.date": "04/05/2017",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.win-threat-protection",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "win-threat-protection",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
deleted file mode 100644
index d577905730..0000000000
--- a/windows/update/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-update",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-update",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 6b9654ecf4..2c6b25ecff 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -114,4 +114,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme
## Also see
-[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/)
+[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/training/modules/windows-plan/)
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index bbf3ef592b..7967b76c83 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -125,7 +125,7 @@ Don't overlook the importance of user readiness to deliver an effective, enterpr
## Learn more
-See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path.
+See the [Stay current with Windows 10 and Microsoft 365 Apps](/training/paths/m365-stay-current/) learning path.
- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.