diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 723d827b23..49135c37f0 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6538,7 +6538,7 @@
 {
 "source_path": "windows/access-protection/access-control/dynamic-access-control.md",
 "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/access-protection/access-control/local-accounts.md",
@@ -6635,6 +6635,86 @@
 "redirect_url": "/education/windows/switch-to-pro-education",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/client-management/administrative-tools-in-windows-10.md",
+ "redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/change-default-removal-policy-external-storage-media.md",
+ "redirect_url": "/windows/client-management/client-tools/change-default-removal-policy-external-storage-media",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/connect-to-remote-aadj-pc.md",
+ "redirect_url": "/windows/client-management/client-tools/connect-to-remote-aadj-pc",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-device-installation-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-device-installation-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-settings-app-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-settings-app-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mandatory-user-profile.md",
+ "redirect_url": "/windows/client-management/client-tools/mandatory-user-profile",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/new-policies-for-windows-10.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/quick-assist.md",
+ "redirect_url": "/windows/client-management/client-tools/quick-assist",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-libraries.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-libraries",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-version-search.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-version-search",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-corporate-devices.md",
+ "redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md",
+ "redirect_url": "/azure/active-directory/fundamentals/active-directory-access-create-new-tenant",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/register-your-free-azure-active-directory-subscription.md",
+ "redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/appv-deploy-and-config.md",
+ "redirect_url": "/windows/application-management/app-v/appv-for-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/client-management/mdm/policy-admx-backed.md",
 "redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
@@ -19313,22 +19393,22 @@
 {
 "source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
 "redirect_url": "/windows/deployment/deploy-whats-new",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-wordwheel",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
@@ -19338,7 +19418,7 @@
 {
 "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md",
 "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md",
@@ -19348,7 +19428,7 @@
 {
 "source_path": "windows/privacy/manage-windows-1709-endpoints.md",
 "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/manage-windows-1803-endpoints.md",
@@ -19772,7 +19852,7 @@
 },
 {
 "source_path": "windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md",
- "redirect_url": "/windows/client-management/diagnose-mdm-failures-in-windows-10",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
 "redirect_document_id": false
 },
 {
@@ -20343,27 +20423,27 @@
 {
 "source_path": "windows/deployment/windows-autopatch/prepare/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/deploy/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md",
 "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md",
 "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
@@ -20378,7 +20458,7 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md",
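Review bot: The entry for `operate/windows-autopatch-wqu-unsupported-policies.md`, whose `redirect_document_id` is flipped here, still redirects to `/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies`, and the `@@ -20533` hunk later in this diff shows `references/windows-autopatch-wqu-unsupported-policies.md` itself redirecting on to `.../references/windows-autopatch-windows-update-unsupported-policies`, so readers of the old operate/ path take two hops. Since this commit already collapses a similar chain for `diagnose-mdm-failures-in-windows-10` in the `@@ -19772` hunk, the same treatment fits here: `"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",`. The enclosing JSON array starts and ends outside the hunk.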
@@ -20428,12 +20508,12 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md",
@@ -20463,17 +20543,17 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
@@ -20493,7 +20573,7 @@
 {
 "source_path": "windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md",
 "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard-protection-limits",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md",
@@ -20518,7 +20598,7 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md",
@@ -20533,92 +20613,92 @@
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
 "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-ddf-file.md",
 "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/applocker-xsd.md",
 "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md",
 "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md",
 "redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/enterprisemodernappmanagement-xsd.md",
 "redirect_url": "/windows/client-management/mdm/enterprisemodernappmanagement-csp#enterprisemodernappmanagement-xsd",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "education/windows/education-scenarios-store-for-business.md",
@@ -20638,11 +20718,6 @@
 {
 "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
 "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
- "redirect_url": "/windows/security",
 "redirect_document_id": false
 },
 {
@@ -20660,16 +20735,6 @@
 "redirect_url": "/windows/security",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
- "redirect_url": "/windows/security",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
- "redirect_url": "/windows/security",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
 "redirect_url": "/windows/security",
@@ -20734,11 +20799,11 @@
 "source_path": "windows/deployment/update/quality-updates.md",
 "redirect_url": "/windows/deployment/update/release-cycle",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
 "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index f9adaaae34..44eea6b076 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -96,6 +96,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
 | `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
 | `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
+| `DigiExam` | 14.0.6 | Win32 | `Digiexam` |
 | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
 | `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
 | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
@@ -103,6 +104,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` |
 | `Epson iProjection` | 3.31 | Win32 | `Epson` |
 | `eTests` | 4.0.25 | Win32 | `CASAS` |
+| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` |
 | `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` |
 | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
 | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
@@ -126,7 +128,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
 | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
 | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
-| `NAPLAN` | 2.5.0 | Win32 | `NAP` |
+| `NAPLAN` | 5.2.2 | Win32 | `NAP` |
 | `Netref Student` | 23.1.0 | Win32 | `NetRef` |
 | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
 | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
@@ -149,7 +151,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 |`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
 | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
 | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
-| `WordQ` | 5.4.23 | Win32 | `WordQ` |
+| `WordQ` | 5.4.29 | Win32 | `WordQ` |
 | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
 | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
 | `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
diff --git a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
deleted file mode 100644
index 160a97cca0..0000000000
--- a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ /dev/null
@@ -1,99 +0,0 @@ ---- -title: Add an Azure AD tenant and Azure AD subscription -description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# Add an Azure AD tenant and Azure AD subscription - -Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. - -> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription) - - -1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - - ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) - -2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - - ![sign up for azure ad.](images/azure-ad-add-tenant2.png) - -3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - - ![create azure account.](images/azure-ad-add-tenant3.png) - -4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - - ![add aad tenant.](images/azure-ad-add-tenant3-b.png) - -5. After you finish creating your Azure account, you can add an Azure AD subscription. 
- - If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - - ![login to office 365](images/azure-ad-add-tenant4.png) - -6. Select **Install software**. - - ![login to office 365 portal](images/azure-ad-add-tenant5.png) - -7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. - - ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) - -8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - - ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) - -9. Continue with your purchase. - - ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) - -10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange). - - ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) - - When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. - -## Register your free Azure Active Directory subscription - -If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. - -1. Sign in to the Microsoft 365 admin center at using your organization's account. - - ![register in azuread.](images/azure-ad-add-tenant10.png) - -2. On the **Home** page, select on the Admin tools icon. 
- - ![register in azure-ad.](images/azure-ad-add-tenant11.png) - -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - - ![register azuread](images/azure-ad-add-tenant12.png) - -4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - - ![registration in azure-ad](images/azure-ad-add-tenant13.png) - -5. It may take a few minutes to process the request. - - ![registration in azuread.](images/azure-ad-add-tenant14.png) - -6. You'll see a welcome page when the process completes. - - ![register screen of azuread](images/azure-ad-add-tenant15.png) - - - - - - - - diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md deleted file mode 100644 index f0c9843f27..0000000000 --- a/windows/client-management/appv-deploy-and-config.md +++ /dev/null @@ -1,485 +0,0 @@ ---- -title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server. -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz ---- - -# Deploy and configure App-V apps using MDM - -## Executive summary - -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

- -

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

- -### EnterpriseAppVManagement CSP node structure - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -The following example shows the EnterpriseAppVManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppVManagement -----AppVPackageManagement ---------EnterpriseID -------------PackageFamilyName ----------------PackageFullName -------------------Name -------------------Version -------------------Publisher -------------------InstallLocation -------------------InstallDate -------------------Users -------------------AppVPackageID -------------------AppVVersionId -------------------AppVPackageUri -----AppVPublishing ---------LastSync -------------LastError -------------LastErrorDescription -------------SyncStatusDescription -------------SyncProgress ---------Sync -------------PublishXML -----AppVDynamicPolicy ---------ConfigurationId -------------Policy -``` - -

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

- -

AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - **AppVPublishing** - - LastSync - - LastError - - LastErrorDescription - - SyncStatusDescription - - SyncProgress - - Sync - - PublishXML - - AppVDynamicPolicy - -

Sync command:

- -[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx) - -

AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - AppVPublishing - - **AppVDynamicPolicy** - - [ConfigurationId] - - Policy - -

Dynamic policy examples:

- -[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing) - -

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

- -- EnterpriseAppVManagement - - **AppVPackageManagement** - - [EnterpriseID] - - [PackageFamilyName] - - [PackageFullName] - - Name - - Version - - Publisher - - InstallLocation - - InstallDate - - Users - - AppVPackageID - - AppVVersionId - - AppVPackageUri - - AppVPublishing - - AppVDynamicPolicy - -

The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.

- -## Scenarios addressed in App-V MDM functionality - -

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

- -

A complete list of App-V policies can be found here:

- -[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md) - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -### SyncML examples - -

The following SyncML examples address specific App-V client scenarios.

- -#### Enable App-V client - -

This example shows how to enable App-V on the device.

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient - - - - -``` - -#### Configure App-V client - -

This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts - - - - -``` - -

Complete list of App-V policies can be found here:

- -[Policy CSP](mdm/policy-configuration-service-provider.md) - -#### SyncML with package published for a device (global to all users for that device) - -

This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) - -

This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy - - - xml - text/plain - - - - - - - - - - - [{ThisPCDesktopFolder}]\Skype_FromMDM.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - [{Common Desktop}]\Skype_FromMDMAlso.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - - - - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (using user config deployment) published for a specific user - -

This SyncML example shows how to publish a package for a specific MDM user.

- -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - -``` - -#### SyncML for publishing mixed-mode connection group containing global and user-published packages - -

This SyncML example shows how to publish a connection group, and group applications and plugins together.

- -> [!NOTE] -> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - - - - - - - - -``` - -#### Unpublish example SyncML for all global packages - -

This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML - - - xml - text/plain - - - - - - - - - -``` - -#### Query packages on a device - -

These SyncML examples return all global, and user-published packages on the device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` - -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` \ No newline at end of file diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 5cd9b9cbb6..0bb98be706 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -9,159 +9,94 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 +- highpri +- tier2 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Azure Active Directory integration with MDM -Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: - Can enforce compliance with organization policies, add or remove apps, and more. -- Can report a device’s compliance in Azure AD. +- Can report a device's compliance in Azure AD. - Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies. -To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved. 
- -## Connect to Azure AD - -Several ways to connect your devices: - -For company-owned devices: -- Join Windows to a traditional Active Directory domain -- Join Windows to Azure AD - -For personal devices (BYOD): -- Add a Microsoft work account to Windows - -### Azure AD Join - -Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. - -Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller. - -Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD. - -> [!IMPORTANT] -> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - - -### BYOD scenario - -Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. 
Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. +To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. ## Integrated MDM enrollment and UX -Two Azure AD MDM enrollment scenarios: -- Joining a device to Azure AD for company-owned devices -- Adding a work account to a personal device (BYOD) +There are several ways to connect your devices to Azure AD: -In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. +- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join) +- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) -In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. +In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. 
MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. -In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. +In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. 
For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. +Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. > [!NOTE] -> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account. - -### MDM endpoints involved in Azure AD–integrated enrollment +### MDM endpoints involved in Azure AD integrated enrollment Azure AD MDM enrollment is a two-step process: -1. Display the Terms of Use and gather user consent. +1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. - This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. -2. Enroll the device. +- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. 
The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins. - This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. + It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. -To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint. + The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. -**Terms of Use endpoint** -Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. +- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. -It’s important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. 
For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. + The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. + [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox) -**MDM enrollment endpoint** -After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. + The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. -The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. 
This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. - -![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) - -The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. - -## Make the MDM a reliable party of Azure AD +## Make MDM a reliable party of Azure AD To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). -### Add a cloud-based MDM +### Cloud-based MDM A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. -The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. 
Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). +The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. > [!NOTE] -> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below: +> +> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. +> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs. +The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. 
The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs. > [!NOTE] -> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership). +> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). -Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. +### On-premises MDM -1. Log on to the Azure Management Portal using an admin account in your home tenant. +An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD. -2. In the left navigation, select **Active Directory**. - -3. Select the directory tenant where you want to register the application. - - Ensure you're logged into your home tenant. - -4. Select the **Applications** tab. - -5. In the drawer, select **Add**. - -6. Select **Add an application my organization is developing**. - -7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**. - -8. 
Enter the logon URL for your MDM service. - -9. For the App ID, enter `https:///ContosoMDM`, then select OK. - -10. While still in the Azure portal, select the **Configure** tab of your application. - -11. Mark your application as **multi-tenant**. - -12. Find the client ID value and copy it. - - You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery. - -13. Generate a key for your application and copy it. - - You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section. - -For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). - -### Add an on-premises MDM - -An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD. - -To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use. Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. 
You can use this client ID and key to request tokens from Azure AD when reporting device compliance. @@ -173,24 +108,21 @@ The application keys used by your MDM service are a sensitive resource. They sho For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. +For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys. ## Publish your MDM app to Azure AD app gallery - IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD. -The following image show how MDM applications show up in the Azure app gallery. - -![azure ad add an app for mdm.](images/azure-ad-app-gallery.png) - ### Add cloud-based MDM to the app gallery > [!NOTE] > You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing) + The following table shows the required information to create an entry in the Azure AD app gallery. |Item|Description| 
@@ -201,8 +133,6 @@ The following table shows the required information to create an entry in the Azu |**Description**|A brief description of your MDM app, which must be under 255 characters.| |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - - ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -215,11 +145,11 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind There are three distinct scenarios: -1. MDM enrollment as part of Azure AD Join in Windows OOBE. -2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. -3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). +1. MDM enrollment as part of Azure AD Join in Windows OOBE. +1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. +1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). -These scenarios support Windows client Pro, Enterprise, and Education. +These scenarios support Windows Pro, Enterprise, and Education. The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip). 
@@ -256,7 +186,7 @@ The following parameters are passed in the query string: Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: -**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw… +**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw... The following claims are expected in the access token passed by Windows to the Terms of Use endpoint: @@ -267,13 +197,12 @@ The following claims are expected in the access token passed by Windows to the T |TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.| |Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | - > [!NOTE] > There's no device ID claim in the access token because the device may not yet be enrolled at this time. To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). -Here's an example URL. +Here's an example URL: ```http https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 @@ -288,8 +217,8 @@ The MDM may do other more redirects as necessary before displaying the Terms of The Terms of Use content should contain the following buttons: -- **Accept** - the user accepts the Terms of Use and proceeds with enrollment. -- **Decline** - the user declines and stops the enrollment process. +- **Accept** - the user accepts the Terms of Use and proceeds with enrollment. +- **Decline** - the user declines and stops the enrollment process. The Terms of Use content must be consistent with the theme used for the other pages rendered during this process. 
@@ -297,13 +226,13 @@ The Terms of Use content must be consistent with the theme used for the other pa At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page: -- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected: - - **IsAccepted** - This Boolean value is required, and must be set to true. - - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes. - - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true` -- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected: - - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. - - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. +- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This Boolean value is required, and must be set to true. + - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes. 
+ - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true` +- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. + - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join. @@ -311,7 +240,7 @@ We recommend that you send the client-request-id parameters in the query string ### Terms Of Use Error handling -If an error occurs during the terms of use processing, the MDM can return two parameters – an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern. +If an error occurs during the terms of use processing, the MDM can return two parameters - an `error` and `error_description` parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the `error_description` should be in English plain text. This text isn't visible to the end-user. So, localization of the `error_description` text isn't a concern. Here's the URL format: 
@@ -334,7 +263,6 @@ The following table shows the error codes.
 |Azure AD token validation failed|302|unauthorized_client|unauthorized_client|
 |internal service error|302|server_error|internal service error|
-
 ## Enrollment protocol with Azure AD
 With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
@@ -355,41 +283,43 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove
 |Enrolled certificate store|My/User|My/System|My/User|
 |CSR subject name|User Principal Name|Device ID|User Principal Name|
 |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported|
-|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION|||
+|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION|||
 ## Management protocol with Azure AD
 There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
-**Multiple user management for Azure AD-joined devices**
-In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
+- **Multiple user management for Azure AD-joined devices**
-**Adding a work account and MDM enrollment to a device**
-In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device.
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
+ In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
-**Evaluating Azure AD user tokens**
-The Azure AD token is in the HTTP Authorization header in the following format:
+- **Adding a work account and MDM enrollment to a device**:
-```console
-Authorization:Bearer
-```
+ In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device.
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
-More claims may be present in the Azure AD token, such as:
+- **Evaluating Azure AD user tokens**:
-- User - user currently logged in
-- Device compliance - value set the MDM service into Azure
-- Device ID - identifies the device that is checking in
-- Tenant ID
+ The Azure AD token is in the HTTP Authorization header in the following format:
-Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+ ```console
+ Authorization:Bearer
+ ```
-- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler).
-- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
+ More claims may be present in the Azure AD token, such as:
+ - User - user currently logged in
+ - Device compliance - value set the MDM service into Azure
+ - Device ID - identifies the device that is checking in
+ - Tenant ID
+
+ Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens:
+
+ - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use.
For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). + - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ## Device Alert 1224 for Azure AD user token -An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: +An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example: ```xml Alert Type: com.microsoft/MDM/AADUserToken @@ -401,25 +331,25 @@ Alert sample: 1224 - com.microsoft/MDM/AADUserToken + com.microsoft/MDM/AADUserToken UserToken inserted here - … other XML tags … + ... other XML tags ... ``` ## Determine when a user is logged in through polling -An alert is sent to the MDM server in DM package\#1. +An alert is sent to the MDM server in DM package \#1. -- Alert type - com.microsoft/MDM/LoginStatus -- Alert format - chr -- Alert data - provide sign-in status information for the current active logged in user. - - Signed-in user who has an Azure AD account - predefined text: user. - - Signed-in user without an Azure AD account- predefined text: others. - - No active user - predefined text:none +- Alert type - com.microsoft/MDM/LoginStatus +- Alert format - chr +- Alert data - provide sign-in status information for the current active logged in user. + - Signed-in user who has an Azure AD account - predefined text: user. + - Signed-in user without an Azure AD account- predefined text: others. + - No active user - predefined text:none Here's an example. @@ -430,12 +360,12 @@ Here's an example. 1224 - com.microsoft/MDM/LoginStatus + com.microsoft/MDM/LoginStatus user - … other XML tags … + ... other XML tags ... ``` 
@@ -445,21 +375,21 @@ Once a device is enrolled with the MDM for management, organization policies con
 For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
-- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
-- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
+- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD.
+- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
 ### Use Microsoft Graph API
 The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it.
 > [!NOTE]
-> This API is only applicable for approved MDM apps on Windows 10 devices.
+> This API is only applicable for approved MDM apps on Windows devices.
```console
 Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
-Authorization: Bearer eyJ0eXAiO………
+Authorization: Bearer eyJ0eXAiO.........
 Accept: application/json
 Content-Type: application/json
 { "isManaged":true,
@@ -469,16 +399,16 @@ Content-Type: application/json
 Where:
-- **contoso.com** – This value is the name of the Azure AD tenant to whose directory the device has been joined.
-- **db7ab579-3759-4492-a03f-655ca7f52ae1** – This value is the device identifier for the device whose compliance information is being reported to Azure AD.
-- **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
-- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
-- **api-version** - Use this parameter to specify which version of the graph API is being requested.
+- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined.
+- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD.
+- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request.
+- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
+- **api-version** - Use this parameter to specify which version of the graph API is being requested.
 Response:
-- Success - HTTP 204 with No Content.
-- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
+- Success - HTTP 204 with No Content.
+- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found.
 ## Data loss during unenrollment from Azure Active Directory Join
@@ -488,41 +418,4 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
 ## Error codes
-|Code|ID|Error message|
-|--- |--- |--- |
-|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server.
You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
-|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
-|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
-|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported.
Contact your system administrator with the error code {0}.|
-|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
-|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
-|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
-|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server.
You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
-|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
-|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
-|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
-|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
-|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
-|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)]
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index cc058826be..1c9d410723 100644
--- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,33 +1,29 @@
 ---
-title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
-description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
+title: Automatic MDM enrollment in the Intune admin center
+description: Automatic MDM enrollment in the Intune admin center
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 12/18/2020
-ms.reviewer:
+ms.date: 04/05/2023
+ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center
+# Automatic MDM enrollment in the Intune admin center
-Microsoft Intune can be accessed directly using its own admin center. For more information, go to:
-
-- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-If you use the Azure portal, then you can access Intune using the following steps:
+Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal.
 1. Go to your Azure AD Blade.
-2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-3. Select **Microsoft Intune** and configure the blade.
-![How to get to the Blade.](images/azure-mdm-intune.png)
+1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
-Configure the blade
+1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group).
-![Configure the Blade.](images/azure-intune-configure-scope.png)
+ ![Configure the Blade.](images/azure-intune-configure-scope.png)
-You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
+1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index c85858a2d0..a09f295976 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,50 +1,52 @@
 ---
 title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11.
-MS-HAID:
- - 'p\_phdevicemgmt.bulk\_enrollment'
- - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
-ms.reviewer:
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices.
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# Bulk enrollment
+# Bulk enrollment using Windows Configuration Designer
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario.
 ## Typical use cases
-- Set up devices in bulk for large organizations to be managed by MDM.
-- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
-- Set up school computers.
-- Set up industrial machinery.
-- Set handheld POS devices.
+- Set up devices in bulk for large organizations to be managed by MDM.
+- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
+- Set up school computers.
+- Set up industrial machinery.
+- Set handheld POS devices.
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
+On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain.
 On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
 > [!NOTE]
-> - Bulk-join is not supported in Azure Active Directory Join.
-> - Bulk enrollment does not work in Intune standalone environment.
-> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
-> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
-> - Bulk Token creation is not supported with federated accounts.
+>
+> - Bulk-join is not supported in Azure Active Directory Join.
+> - Bulk enrollment does not work in Intune standalone environment.
+> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console.
+> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - Bulk Token creation is not supported with federated accounts.
 ## What you need
-- Windows 10 devices.
-- Windows Configuration Designer (WCD) tool.
+- Windows devices.
+- Windows Configuration Designer (WCD) tool.
 To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
-- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
-- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
+
+- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
+- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
 Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
@@ -53,112 +55,105 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. +1. Select **Advanced Provisioning**. ![icd start page.](images/bulk-enrollment7.png) -3. Enter a project name and select **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Expand **Runtime settings** > **Workplace**. -7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". -8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **OnPremise**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - Password - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). - Here's the screenshot of the WCD at this point. + +1. Enter a project name and select **Next**. +1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Expand **Runtime settings** > **Workplace**. +1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. +1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + + - **AuthPolicy** - Select **OnPremise**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - Password + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point. ![bulk enrollment screenshot.](images/bulk-enrollment.png) -9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you're done adding all the settings, on the **File** menu, select **Save**. -11. On the main menu, select **Export** > **Provisioning package**. + +1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. On the main menu, select **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) -12. Enter the values for your package and specify the package output location. + +1. Enter the values for your package and specify the package output location. 
![enter package information.](images/bulk-enrollment3.png) ![enter additional information for package information.](images/bulk-enrollment4.png) ![specify file location.](images/bulk-enrollment6.png) -13. Select **Build**. + +1. Select **Build**. ![icb build window.](images/bulk-enrollment5.png) -14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -15. Apply the package to your devices. + +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Create and apply a provisioning package for certificate authentication Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. -3. Enter a project name and select **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Specify the certificate. - 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 2. Enter a **CertificateName** and then select **Add**. - 3. Enter the **CertificatePasword**. - 4. For **CertificatePath**, browse and select the certificate to be used. - 5. Set **ExportCertificate** to False. - 6. For **KeyLocation**, select **Software only**. +1. Select **Advanced Provisioning**. +1. Enter a project name and select **Next**. +1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Specify the certificate: + + 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. + 1. 
Enter a **CertificateName** and then select **Add**. + 1. Enter the **CertificatePassword**. + 1. For **CertificatePath**, browse and select the certificate to be used. + 1. Set **ExportCertificate** to False. + 1. For **KeyLocation**, select **Software only**. ![icd certificates section.](images/bulk-enrollment8.png) -7. Specify the workplace settings. - 1. Got to **Workplace** > **Enrollments**. - 2. Enter the **UPN** for the enrollment and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". - 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **Certificate**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - the certificate thumbprint. - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you're done adding all the settings, on the **File** menu, select **Save**. -10. Export and build the package (steps 10-13 in the procedure above). -11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -12. Apply the package to your devices. + +1. Specify the workplace settings. + + 1. Got to **Workplace** > **Enrollments**. + 1. Enter the **UPN** for the enrollment and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. + 1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + - **AuthPolicy** - Select **Certificate**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - the certificate thumbprint. + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). + +1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. Export and build the package (steps 10-13 in the procedure above). +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Apply a provisioning package -Here's the list of articles about applying a provisioning package: +- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup) +- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) +- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly) +- [Apply a package from the Settings app](/windows/configuration/provisioning-packages/provisioning-apply-package#windows-settings). 
-- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) -- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) -- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below +## Validate that the provisioning package was applied -## Apply a package from the Settings menu - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. -3. Select **Add a package**. - -## Validate that the provisioning package was applied - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. - You should see your package listed. +1. Go to **Settings** > **Accounts** > **Access work or school**. +1. Select **Add or remove a provisioning package**. You should see your package listed. ## Retry logic if there's a failure -If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context. +- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. +- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). -If all immediate attempts fail, a delayed task is launched to try provisioning again later. 
It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. - -It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. - -In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)). - -## Other provisioning articles - -Here are links to step-by-step provisioning articles: - -- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) -- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) +## Related articles +- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps) +- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index 2f5129ba9b..6db2ca38a4 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md 
@@ -1,30 +1,28 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). -> [!Note] +> [!NOTE] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). -## In this topic - -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery Service 
@@ -37,34 +35,33 @@ User-Agent: Windows Enrollment Client Host: EnterpriseEnrollment.Contoso.com Content-Length: xxx Cache-Control: no-cache - - - + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - + + + + + user@contoso.com 101 10.0.0.0 - 3.0 + 3.0 10.0.0.0 Certificate - - - + + + ``` @@ -76,7 +73,7 @@ Content-Length: 865 Content-Type: application/soap+xml; charset=utf-8 Server: EnterpriseEnrollment.Contoso.com Date: Tue, 02 Aug 2012 00:32:56 GMT - @@ -87,9 +84,9 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - Certificate @@ -117,11 +114,11 @@ User-Agent: Windows Enrollment Client Host: enrolltest.contoso.com Content-Length: xxxx Cache-Control: no-cache - @@ -135,16 +132,16 @@ Cache-Control: no-cache https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - B64EncodedSampleBinarySecurityToken - + - - @@ -190,29 +187,29 @@ Content-Type: application/soap+xml Content-Length: xxxx - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse - d4335d7c-e192-402d-b0e7-f5d550467e3c urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 - - - - + - - @@ -268,11 +265,11 @@ Host: enrolltest.contoso.com Content-Length: 3242 Cache-Control: no-cache - @@ -289,36 +286,35 @@ Cache-Control: no-cache 2014-10-16T17:55:13Z 2014-10-16T17:57:13Z - + + wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8"> B64EncodedSampleBinarySecurityToken - + - - + MessageDigestValue - SignedMessageBlob/ds:SignatureValue> - + SignedMessageBlob/ds:SignatureValue> + - - + - + 
@@ -331,8 +327,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -354,7 +350,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol - 7BA748C8-703E-4DF2-A74A-92984117346A + 7BA748C8-703E-4DF2-A74A-92984117346A 3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342 @@ -376,8 +372,8 @@ Content-Type: application/soap+xml; charset=utf-8 Server: Microsoft-IIS/7.0 Date: Fri, 03 Aug 2012 00:32:59 GMT - @@ -393,14 +389,14 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + - - + + - + @@ -480,14 +476,14 @@ The following example shows the encoded provisioning XML. - + - + @@ -495,7 +491,7 @@ The following example shows the encoded provisioning XML. - -``` \ No newline at end of file +``` diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 8b44256d9e..d7c3443131 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,10 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -MS-HAID: - - 'p\_phdevicemgmt.certificate\_renewal' - - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -12,29 +9,32 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate Renewal The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. -> [!Note] +> [!NOTE] > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. ## Automatic certificate renewal request Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal. -> [!Note] +> [!NOTE] > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. 
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. +For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. -With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. +With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. -During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). +During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. 
@@ -94,28 +94,25 @@ The following example shows the details of an automatic renewal request. ## Certificate renewal schedule configuration -In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. +In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired. For more information about the parameters, see the CertificateStore configuration service provider. Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. 
-> [!Note] -> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. - ## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): -- The signature of the PKCS\#7 BinarySecurityToken is correct -- The client’s certificate is in the renewal period -- The certificate was issued by the enrollment service -- The requester is the same as the requester for initial enrollment -- For standard client’s request, the client hasn’t been blocked +- The signature of the PKCS\#7 BinarySecurityToken is correct +- The client's certificate is in the renewal period +- The certificate was issued by the enrollment service +- The requester is the same as the requester for initial enrollment +- For standard client's request, the client hasn't been blocked After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. -> [!Note] +> [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. The following example shows the details of a certificate renewal response. 
@@ -145,14 +142,14 @@ The following example shows the details of a certificate renewal response. ``` -> [!Note] +> [!NOTE] > The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. ## Configuration service providers supported during MDM enrollment and certificate renewal The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. -- CertificateStore -- w7 APPLICATION -- DMClient -- EnterpriseAppManagement +- CertificateStore +- w7 APPLICATION +- DMClient +- EnterpriseAppManagement diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/client-tools/administrative-tools-in-windows.md similarity index 91% rename from windows/client-management/administrative-tools-in-windows-10.md rename to windows/client-management/client-tools/administrative-tools-in-windows.md index 095188a9ba..a511db702c 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/client-tools/administrative-tools-in-windows.md 
@@ -6,24 +6,22 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.localizationpriority: medium -ms.date: 03/28/2022 +ms.date: 04/11/2023 ms.topic: article ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Windows Tools/Administrative Tools -**Applies to** - -- Windows 11 -- Windows 10 - **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users. -## Windows Tools folder (Windows 11) +## Windows Tools folder The following graphic shows the **Windows Tools** folder in Windows 11: @@ -33,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png"::: -## Administrative Tools folder (Windows 10) +## Administrative Tools folder The following graphic shows the **Administrative Tools** folder in Windows 10: diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md similarity index 58% rename from windows/client-management/change-default-removal-policy-external-storage-media.md rename to windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md index d3410f5068..2959430065 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md 
@@ -1,26 +1,22 @@ --- -title: Windows 10 default media removal policy -description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal. +title: Windows default media removal policy +description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal. ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa -ms.date: 11/25/2020 +ms.date: 04/11/2023 ms.topic: article -ms.custom: - - CI 111493 - - CI 125140 - - CSSTroubleshooting -audience: ITPro ms.localizationpriority: medium -manager: kaushika +manager: aaroncz ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Change in default removal policy for external storage media in Windows 10, version 1809 +# Change in default removal policy for external storage media in Windows -Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. - -In earlier versions of Windows, the default policy was **Better performance**. +Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**. You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port. 
@@ -28,31 +24,32 @@ You can change the policy setting for each external device, and the policy that You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects: -* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance. -* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. - > [!IMPORTANT] - > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data. +- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance. +- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish. 
- > [!NOTE] - > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. +> [!IMPORTANT] +> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data. + +> [!NOTE] +> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. To change the policy for an external storage device: 1. Connect the device to the computer. -2. Right-click **Start**, then select **File Explorer**. -3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). -4. Right-click **Start**, then select **Disk Management**. -5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. - +1. Right-click **Start**, then select **File Explorer**. +1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). +1. Right-click **Start**, then select **Disk Management**. +1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. + ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) - -6. Select **Policies**. - - > [!NOTE] - > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. - > + +1. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. - -7. Select the policy that you want to use. - + +1. 
Select the policy that you want to use. + ![Policy options for disk management.](./images/change-def-rem-policy-2.png) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md similarity index 93% rename from windows/client-management/connect-to-remote-aadj-pc.md rename to windows/client-management/client-tools/connect-to-remote-aadj-pc.md index 42c1d58c19..85c581ddd4 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md 
@@ -1,29 +1,29 @@ --- -title: Connect to remote Azure Active Directory joined device (Windows) +title: Connect to remote Azure Active Directory joined device description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device. ms.prod: windows-client author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa -ms.date: 01/18/2022 +ms.date: 04/11/2023 manager: aaroncz ms.topic: article appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage --- # Connect to remote Azure Active Directory joined device -From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP. +Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP). - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). - Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication). - + ## Prerequisites - Both devices (local and remote) must be running a supported version of Windows. 
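Review bot: The new introductory sentence introduces a typo, "joined to Active Directory s well as devices" should read "as well as". Suggested line: `Windows supports remote connections to devices joined to Active Directory as well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).` The rest of the hunk is list-indentation and date metadata and looks fine.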
@@ -39,20 +39,20 @@ Azure AD Authentication can be used on the following operating systems for both - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed. - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed. - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed. - + There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from: - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device. - Active Directory joined device. - Workgroup device. - + Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices. To connect to the remote computer: - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`. - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files). -- Specify the name of the remote computer and select **Connect**. +- Specify the name of the remote computer and select **Connect**. > [!NOTE] > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used. @@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo ## Related articles [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) - - 
diff --git a/windows/client-management/images/admin-tools-folder.png b/windows/client-management/client-tools/images/admin-tools-folder.png similarity index 100% rename from windows/client-management/images/admin-tools-folder.png rename to windows/client-management/client-tools/images/admin-tools-folder.png diff --git a/windows/client-management/images/admin-tools.png b/windows/client-management/client-tools/images/admin-tools.png similarity index 100% rename from windows/client-management/images/admin-tools.png rename to windows/client-management/client-tools/images/admin-tools.png diff --git a/windows/client-management/images/allow-rdp.png b/windows/client-management/client-tools/images/allow-rdp.png similarity index 100% rename from windows/client-management/images/allow-rdp.png rename to windows/client-management/client-tools/images/allow-rdp.png diff --git a/windows/client-management/images/change-def-rem-policy-1.png b/windows/client-management/client-tools/images/change-def-rem-policy-1.png similarity index 100% rename from windows/client-management/images/change-def-rem-policy-1.png rename to windows/client-management/client-tools/images/change-def-rem-policy-1.png diff --git a/windows/client-management/images/change-def-rem-policy-2.png b/windows/client-management/client-tools/images/change-def-rem-policy-2.png similarity index 100% rename from windows/client-management/images/change-def-rem-policy-2.png rename to windows/client-management/client-tools/images/change-def-rem-policy-2.png diff --git a/windows/client-management/images/checkmark.png b/windows/client-management/client-tools/images/checkmark.png similarity index 100% rename from windows/client-management/images/checkmark.png rename to windows/client-management/client-tools/images/checkmark.png 
diff --git a/windows/client-management/images/copy-to-change.png b/windows/client-management/client-tools/images/copy-to-change.png similarity index 100% rename from windows/client-management/images/copy-to-change.png rename to windows/client-management/client-tools/images/copy-to-change.png diff --git a/windows/client-management/images/copy-to-path.png b/windows/client-management/client-tools/images/copy-to-path.png similarity index 100% rename from windows/client-management/images/copy-to-path.png rename to windows/client-management/client-tools/images/copy-to-path.png diff --git a/windows/client-management/images/copy-to.PNG b/windows/client-management/client-tools/images/copy-to.png similarity index 100% rename from windows/client-management/images/copy-to.PNG rename to windows/client-management/client-tools/images/copy-to.png diff --git a/windows/client-management/images/crossmark.png b/windows/client-management/client-tools/images/crossmark.png similarity index 100% rename from windows/client-management/images/crossmark.png rename to windows/client-management/client-tools/images/crossmark.png diff --git a/windows/client-management/images/device-installation-apply-layered-policy-2.png b/windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png similarity index 100% rename from windows/client-management/images/device-installation-apply-layered-policy-2.png rename to windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png diff --git a/windows/client-management/images/device-installation-apply-layered_policy-1.png b/windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png similarity index 100% rename from windows/client-management/images/device-installation-apply-layered_policy-1.png rename to windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png 
diff --git a/windows/client-management/images/device-installation-dm-printer-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png similarity index 100% rename from windows/client-management/images/device-installation-dm-printer-by-device.png rename to windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png diff --git a/windows/client-management/images/device-installation-dm-printer-compatible-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png similarity index 100% rename from windows/client-management/images/device-installation-dm-printer-compatible-ids.png rename to windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png diff --git a/windows/client-management/images/device-installation-dm-printer-details-screen.png b/windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png similarity index 100% rename from windows/client-management/images/device-installation-dm-printer-details-screen.png rename to windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png diff --git a/windows/client-management/images/device-installation-dm-printer-hardware-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png similarity index 100% rename from windows/client-management/images/device-installation-dm-printer-hardware-ids.png rename to windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png 
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png similarity index 100% rename from windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-layering.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png similarity index 100% rename from windows/client-management/images/device-installation-dm-usb-by-connection-layering.png rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png similarity index 100% rename from windows/client-management/images/device-installation-dm-usb-by-connection.png rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png diff --git a/windows/client-management/images/device-installation-dm-usb-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png similarity index 100% rename from windows/client-management/images/device-installation-dm-usb-by-device.png rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png 
diff --git a/windows/client-management/images/device-installation-dm-usb-hwid.png b/windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png similarity index 100% rename from windows/client-management/images/device-installation-dm-usb-hwid.png rename to windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png diff --git a/windows/client-management/images/device-installation-flowchart.png b/windows/client-management/client-tools/images/device-installation-flowchart.png similarity index 100% rename from windows/client-management/images/device-installation-flowchart.png rename to windows/client-management/client-tools/images/device-installation-flowchart.png diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png similarity index 100% rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png similarity index 100% rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png diff --git a/windows/client-management/images/device-installation-gpo-prevent-class-list.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png similarity index 100% rename from windows/client-management/images/device-installation-gpo-prevent-class-list.png rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png 
diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png similarity index 100% rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png similarity index 100% rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png diff --git a/windows/client-management/images/msinfo32.png b/windows/client-management/client-tools/images/msinfo32.png similarity index 100% rename from windows/client-management/images/msinfo32.png rename to windows/client-management/client-tools/images/msinfo32.png diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/client-tools/images/quick-assist-flow.png similarity index 100% rename from windows/client-management/images/quick-assist-flow.png rename to windows/client-management/client-tools/images/quick-assist-flow.png diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/client-tools/images/quick-assist-get.png similarity index 100% rename from windows/client-management/images/quick-assist-get.png rename to windows/client-management/client-tools/images/quick-assist-get.png 
diff --git a/windows/client-management/images/rdp.png b/windows/client-management/client-tools/images/rdp.png similarity index 100% rename from windows/client-management/images/rdp.png rename to windows/client-management/client-tools/images/rdp.png diff --git a/windows/client-management/images/refcmd.png b/windows/client-management/client-tools/images/refcmd.png similarity index 100% rename from windows/client-management/images/refcmd.png rename to windows/client-management/client-tools/images/refcmd.png diff --git a/windows/client-management/images/settings-page-visibility-gp.png b/windows/client-management/client-tools/images/settings-page-visibility-gp.png similarity index 100% rename from windows/client-management/images/settings-page-visibility-gp.png rename to windows/client-management/client-tools/images/settings-page-visibility-gp.png diff --git a/windows/client-management/images/slmgr_dlv.png b/windows/client-management/client-tools/images/slmgr-dlv.png similarity index 100% rename from windows/client-management/images/slmgr_dlv.png rename to windows/client-management/client-tools/images/slmgr-dlv.png diff --git a/windows/client-management/images/sysprep-error.png b/windows/client-management/client-tools/images/sysprep-error.png similarity index 100% rename from windows/client-management/images/sysprep-error.png rename to windows/client-management/client-tools/images/sysprep-error.png diff --git a/windows/client-management/images/systemcollage.png b/windows/client-management/client-tools/images/systemcollage.png similarity index 100% rename from windows/client-management/images/systemcollage.png rename to windows/client-management/client-tools/images/systemcollage.png 
diff --git a/windows/client-management/images/win11-control-panel-windows-tools.png b/windows/client-management/client-tools/images/win11-control-panel-windows-tools.png similarity index 100% rename from windows/client-management/images/win11-control-panel-windows-tools.png rename to windows/client-management/client-tools/images/win11-control-panel-windows-tools.png diff --git a/windows/client-management/images/win11-windows-tools.png b/windows/client-management/client-tools/images/win11-windows-tools.png similarity index 100% rename from windows/client-management/images/win11-windows-tools.png rename to windows/client-management/client-tools/images/win11-windows-tools.png diff --git a/windows/client-management/images/WinVer.PNG b/windows/client-management/client-tools/images/winver.png similarity index 100% rename from windows/client-management/images/WinVer.PNG rename to windows/client-management/client-tools/images/winver.png diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md similarity index 69% rename from windows/client-management/manage-device-installation-with-group-policy.md rename to windows/client-management/client-tools/manage-device-installation-with-group-policy.md index 6f1cf2860e..da685db207 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md 
@@ -4,21 +4,19 @@ description: Find out how to manage Device Installation Restrictions with Group ms.prod: windows-client author: vinaypamnani-msft ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Windows Server 2022 --- # Manage Device Installation with Group Policy -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2022 - ## Summary By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. @@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca ## Introduction ### General + This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios: - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it. 
@@ -63,7 +62,7 @@ You can ensure that users install only those devices that your technical support ## Scenario Overview -The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. +The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. Group Policy guides: 
@@ -72,7 +71,7 @@ Group Policy guides: ### Scenario #1: Prevent installation of all printers -In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy. +In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. ### Scenario #2: Prevent installation of a specific printer 
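Review bot: The rewritten Scenario #1 line still carries the pre-existing typo "Thus is a basic scenario"; since this commit already touches the line for the quote-style change, it is the natural place to fix it. Suggested line: `In this scenario, the administrator wants to prevent users from installing any printers. This is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy.`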
@@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen ### Scenario #4: Prevent installation of a specific USB device -This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. +This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive -In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. +In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. 
The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. ## Technology Review 
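Review bot: The rewritten Scenario #5 paragraph keeps two wording errors on the line this commit already changes: "prevent any farther interaction" should be "further interaction", and "blocking them all together" should be "altogether", since the sentence describes blocking the devices entirely rather than as a group. Suggested fragment: `... the administrator likes to prevent any further interaction with them (blocking them altogether).` The same retroactive-block behavior is described again in the "Understanding implications" section later in the file, so the wording there should be checked for consistency as well.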
@@ -96,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. @@ -107,7 +106,7 @@ The four types of identifiers are: - Device Instance ID - Device ID - Device setup classes -- ‘Removable Devices’ device type +- 'Removable Devices' device type #### Device Instance ID 
@@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. -The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine: +The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -#### ‘Removable Device’ Device type +#### 'Removable Device' Device type Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. 
@@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh The following passages are brief descriptions of the Device Installation policies that are used in this guide. > [!NOTE] -> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. +> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. #### Allow administrators to override Device Installation Restriction policies 
@@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have:
- A client computer running Windows.
-- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
+- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build.
- A USB/network printer pre-installed on the machine.
- Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps.
-### Understanding implications of applying ‘Prevent’ policies retroactive
+### Understanding implications of applying 'Prevent' policies retroactive
-All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
+All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices.
-For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones.
+For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones.
This option is a powerful tool, but as such it has to be used carefully.
> [!IMPORTANT]
-> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
+> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection.
## Determine device identification strings
@@ -249,19 +248,19 @@ To find device identification strings using Device Manager
1. Make sure your printer is plugged in and installed.
-2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
+1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application.
-3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
+1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped.
-4. Find the “Printers” section and find the target printer
+1. Find the "Printers" section and find the target printer
![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_
-5. Double-click the printer and move to the ‘Details’ tab.
+1. Double-click the printer and move to the 'Details' tab.
- ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_
+ !['Details' tab.](images/device-installation-dm-printer-details-screen.png)
_Open the 'Details' tab to look for the device identifiers_
-6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies.
+1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies.
![HWID.](images/device-installation-dm-printer-hardware-ids.png)
@@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
+1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters
-4. Have a USB/network printer available to test the policy with
+1. Have a USB/network printer available to test the policy with
-### Scenario steps – preventing installation of prohibited devices
+### Scenario steps - preventing installation of prohibited devices
Getting the right device identifier to prevent it from being installed:
1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID).
-2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links:
+1. If you don't have such device installed on your system or know the name of the class, you can check the following two links:
- [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors)
- [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use)
-3.
Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
+1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market:
> Printers\
> Class = Printer\
@@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed:
Creating the policy to prevent all printers from being installed:
-1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled).
+1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled).
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`.
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
-9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed'
> [!IMPORTANT]
-> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
+> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine.
### Testing the scenario
-1.
If you haven't completed step #9 – follow these steps:
+1. If you haven't completed step #9, follow these steps:
- 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
- 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+ 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
+ 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app.
1. You shouldn't be able to reinstall the printer.
-2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
+1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use.
## Scenario #2: Prevent installation of a specific printer
@@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional.
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed:
-1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously
+1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously.
![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_
-2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
+1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers
Creating the policy to prevent a single printer from being installed:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block.
-5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
+1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`.
![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_
-6. Click ‘OK’.
+1. Click 'OK'.
-7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install.
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install.
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’.
+1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'.
### Testing the scenario
@@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer
If you haven't completed step #8, follow these steps:
-1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device".
-2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
-
-3. You shouldn't be able to reinstall the printer.
+1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app.
+1. You shouldn't be able to reinstall the printer.
## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed
@@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
-4. Have a USB/network printer available to test the policy with.
+1. Have a USB/network printer available to test the policy with.
-### Scenario steps – preventing installation of an entire class while allowing a specific printer
+### Scenario steps - preventing installation of an entire class while allowing a specific printer
-Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario:
- ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}
- Hardware ID = WSDPRINT\CanonMX920_seriesC1A0
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1.
Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
+1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318}
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs.
-9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’
+1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'
-10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
- ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
+ :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step."
source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png":::
- ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_
+ [![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)
_Apply layered order of evaluation policy_
-9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
-11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
+1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_
-12. Click ‘OK’.
+1. Click 'OK'.
-13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed).
+1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed).
## Testing the scenario
1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document.
-2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all.
-
+1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all.
## Scenario #4: Prevent installation of a specific USB device
@@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
1. Open Group Policy Editor and navigate to the Device Installation Restriction section
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications.
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
1. Connect a USB thumb drive to the machine
-2. Open Device Manager
+1. Open Device Manager
+
+1. Find the USB thumb-drive and select it.
-3. Find the USB thumb-drive and select it.
- ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_
-4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
+1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
- > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
-
+ > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
+ ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_
-5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
+1. Double-click the USB thumb-drive and move to the 'Details' tab.
+
+1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
-6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
- ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
> Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
+
+1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
-5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
- ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_
-6. Click ‘OK’.
+1. Click 'OK'.
-7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
-
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
+1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.
### Testing the scenario
-1. If you haven't completed step #8 – follow these steps:
+1. If you haven't completed step #8, follow these steps:
- - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
+ - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
- You shouldn't be able to reinstall the device.
-2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
-
+1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
@@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB thumb-drive available to test the policy with. +1. Have a USB thumb-drive available to test the policy with. -### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive +### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive -Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario: - USB Bus Devices (hubs and host controllers) - Class = USB 
@@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb- As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well: -- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03 -- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30 -- “Generic USB Hub” -> USB\USB20_HUB - +- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03 +- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30 +- "Generic USB Hub" -> USB\USB20_HUB + ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_ These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine. > [!IMPORTANT] -> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: +> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list: > > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ 
@@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter both USB classes GUID you found above with the curly braces: +1. Enter both USB classes GUID you found above with the curly braces: > {36fc9e60-c465-11cf-8056-444553540000}/ - > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} + > {88BAE032-5A81-49f0-BC3D-A4FF138216D6} -7. 
Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs. > [!IMPORTANT] > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice. -9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_ -10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07 +1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`. ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_ -13. Click ‘OK’. +1. Click 'OK'. -14. Click ‘Apply’ on the bottom right of the policy’s window. +1. Click 'Apply' on the bottom right of the policy's window. -15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’. +1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'. ### Testing the scenario diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md new file mode 100644 index 0000000000..a0af81bb73 --- /dev/null +++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md 
@@ -0,0 +1,44 @@
+---
+title: Manage the Settings app with Group Policy
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2016
+---
+
+# Manage the Settings app with Group Policy
+
+You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users.
+
+> [!NOTE]
+> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched.
+
+If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder.
+
+This policy is available for both User and Computer configurations.
+
+- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+![Settings page visibility policy.](images/settings-page-visibility-gp.png)
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**.
For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+
+> [!IMPORTANT]
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
+
+For example:
+
+- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
similarity index 64%
rename from windows/client-management/mandatory-user-profile.md
rename to windows/client-management/client-tools/mandatory-user-profile.md
index 6f1798eb0e..181e7485db 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,46 +1,44 @@ --- -title: Create mandatory user profiles (Windows 10 and Windows 11) +title: Create mandatory user profiles description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa -ms.date: 09/14/2021 +ms.date: 04/11/2023 ms.reviewer: manager: aaroncz ms.topic: article ms.collection: - - highpri - - tier2 +- highpri +- tier2 ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Create mandatory user profiles -**Applies to** - -- Windows 10 -- Windows 11 - -A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. +A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. 
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. -User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. +User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. ## Profile extension for each Windows version The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. -| Client operating system version | Server operating system version | Profile extension | -| --- | --- | --- | -| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none | -| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 | -| Windows 8 | Windows Server 2012 | v3 | -| Windows 8.1 | Windows Server 2012 R2 | v4 | -| Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 | +| Client operating system version | Server operating system version | Profile extension | +|-------------------------------------|-------------------------------------------------|-------------------| +| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none | +| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 | +| Windows 8 | Windows Server 2012 | v3 | +| Windows 8.1 | Windows Server 2012 R2 | v4 | +| Windows 10, versions 1507 and 1511 | N/A | v5 | +| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning). 
@@ -50,33 +48,33 @@ First, you create a default user profile with the customizations that you want, ### How to create a default user profile -1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. +1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. > [!NOTE] > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). -1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. 
You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. +1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10). +1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10). > [!NOTE] > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 1. At a command prompt, type the following command and press **ENTER**. - ```console + ```cmd sysprep /oobe /reboot /generalize /unattend:unattend.xml ``` - (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. 
By default, Sysprep looks for unattend.xml in this same folder.) + (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.) > [!TIP] - > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: + > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following: > > ![Microsoft Bing Translator package error.](images/sysprep-error.png) > @@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want, 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of User Profiles UI.](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. 
@@ -97,7 +94,7 @@ First, you create a default user profile with the customizations that you want, 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. -1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607. +1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. @@ -105,8 +102,6 @@ First, you create a default user profile with the customizations that you want, - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path.](images/copy-to-path.png) - 1. Click **OK** to copy the default user profile. ### How to make the user profile mandatory 
@@ -137,7 +132,7 @@ In a domain, you modify properties for the user account to point to the mandator 1. Right-click the user name and open **Properties**. -1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile. +1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`. 1. Click **OK**. 
@@ -145,16 +140,16 @@ It may take some time for this change to replicate to all domain controllers. ## Apply policies to improve sign-in time -When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) +When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. -| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | -| --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Group Policy setting | Windows 10 | Windows Server 2016 | +|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:| +| Computer 
Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ | > [!NOTE] -> The Group Policy settings above can be applied in Windows 10 Professional edition. +> The Group Policy settings above can be applied in Windows Professional edition. ## Related topics diff --git a/windows/client-management/quick-assist.md b/windows/client-management/client-tools/quick-assist.md similarity index 96% rename from windows/client-management/quick-assist.md rename to windows/client-management/client-tools/quick-assist.md index 4e59e30993..9997673adf 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,6 +1,7 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. +ms.date: 04/11/2023 ms.prod: windows-client ms.topic: article ms.technology: itpro-manage @@ -10,12 +11,11 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier1 -ms.date: 03/06/2023 +- highpri +- tier1 --- # Use Quick Assist to help users 
@@ -26,9 +26,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!IMPORTANT] -> Quick Assist is not available in the Azure Government cloud. - ### Authentication The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml new file mode 100644 index 0000000000..311cb0c84f --- /dev/null +++ b/windows/client-management/client-tools/toc.yml @@ -0,0 +1,19 @@ +items: + - name: Windows Tools/Administrative Tools + href: administrative-tools-in-windows.md + - name: Use Quick Assist to help users + href: quick-assist.md + - name: Connect to remote Azure Active Directory-joined PC + href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md + - name: Manage Device Installation with Group Policy + href: manage-device-installation-with-group-policy.md + - name: Manage the Settings app with Group Policy + href: manage-settings-app-with-group-policy.md + - name: Manage default media removal policy + href: change-default-removal-policy-external-storage-media.md + - name: What version of Windows am I running + href: windows-version-search.md + - name: Windows libraries + href: windows-libraries.md diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md similarity index 72% rename from windows/client-management/windows-libraries.md rename to windows/client-management/client-tools/windows-libraries.md index 89b5f46cfd..12e7efd5db 100644 
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,26 +1,30 @@ --- -ms.reviewer: -manager: aaroncz title: Windows Libraries +description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.prod: windows-client +author: vinaypamnani-msft ms.author: vinpa -ms.manager: dongill +manager: aaroncz +ms.reviewer: ms.technology: itpro-manage ms.topic: article -author: vinaypamnani-msft -description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.date: 09/15/2021 +ms.date: 04/11/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Windows Server 2022 +- ✅ Windows Server 2019 +- ✅ Windows Server 2016 --- # Windows libraries -> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - -Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. +Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users Windows libraries are backed by full content search and rich metadata. 
Libraries offer the following advantages to users: + - Aggregate content from multiple storage locations into a single, unified presentation. - Enable users to stack and group library contents based on metadata. - Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. @@ -30,6 +34,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators Administrators can configure and control Windows libraries in the following methods: + - Create custom libraries by creating and deploying Library Description (*.library-ms) files. - Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. @@ -48,6 +53,7 @@ Including a folder in a library doesn't physically move or change the storage lo ### Default Libraries and Known Folders The default libraries include: + - Documents - Music - Pictures 
@@ -64,16 +70,17 @@ Users or administrators can hide or delete the default libraries, though the lib Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. -### Indexing Requirements and “Basic” Libraries +### Indexing Requirements and "Basic" Libraries Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: + - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. - No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. 
Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). 
@@ -81,20 +88,20 @@ If your environment doesn't support caching files locally, you should enable the ### Folder Redirection -While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations The following table shows which locations are supported in Windows libraries. -|Supported Locations|Unsupported Locations| -|---|---| -|Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| -|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| -||Other data sources: SharePoint, Exchange, etc.| +| Supported Locations | Unsupported Locations | +|--|--| +| Fixed local volumes (NTFS/FAT) | Removable drives | +| Shares that are indexed (departmental servers*, Windows home PCs) | Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster | +| Shares that are available offline (redirected folders that use Offline Files) | Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices | +| | Other data sources: SharePoint, Exchange, etc. | -\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: +\* For shares that are indexed on a departmental server, Windows Search works well in a workgroup or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. @@ -104,6 +111,7 @@ The following table shows which locations are supported in Windows libraries. ### Library Attributes The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): + - Name - Library locations - Order of library locations @@ -111,7 +119,7 @@ The following library attributes can be modified within Windows Explorer, the Li The library icon can be modified by the administrator or user by directly editing the Library Description schema file. -See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files. +See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. ## See also 
@@ -127,4 +135,4 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) ### Other resources - [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)) -- [Library Description Schema](/windows/win32/shell/library-schema-entry) \ No newline at end of file +- [Library Description Schema](/windows/win32/shell/library-schema-entry) diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md new file mode 100644 index 0000000000..42f0454fa7 --- /dev/null +++ b/windows/client-management/client-tools/windows-version-search.md 
@@ -0,0 +1,54 @@
+---
+title: What version of Windows am I running?
+description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.topic: troubleshooting
+ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# What version of Windows am I running?
+
+The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
+
+In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
+
+To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
+
+## System Properties
+
+Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
+
+:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
+
+## Using Keyword Search
+
+You can type the following in the search bar and press **ENTER** to see version details for your device.
+
+- **"winver"**:
+
+ :::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text.":::
+
+- **"msinfo"** or **"msinfo32"** to open **System Information**:
+
+ :::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text.":::
+
+> [!TIP]
+> You can also use `winver` or `msinfo32` commands at the command prompt.
+
+## Using Command Prompt or PowerShell
+
+- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER**
+
+ :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
+
+- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
+
+ :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 56b72cdf0a..2e86f60f6a 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -8,14 +8,12 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 05/24/2022 +appliesto: +- ✅ Windows 11 --- # Secured-core PC configuration lock -**Applies to** - -- Windows 11 - In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. @@ -77,7 +75,7 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m - Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. -### List of locked policies +## List of locked policies |**CSPs** | |-----| diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4c730c626d..9680e7249e 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md 
@@ -1,6 +1,6 @@ --- title: Mobile device management MDM for device updates -description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. +description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -8,10 +8,13 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 11/15/2017 +ms.date: 04/05/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Mobile device management (MDM) for device updates 
@@ -19,38 +22,34 @@ ms.collection: >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. +With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. -In particular, Windows 10 provides APIs to enable MDMs to: +In particular, Windows provides APIs to enable MDMs to: -- Ensure machines stay up to date by configuring Automatic Update policies. -- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. -- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. +- Ensure machines stay up to date by configuring Automatic Update policies. +- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. +- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. +- Configure automatic update policies to ensure devices stay up to date. 
+- Get device compliance information (the list of updates that are needed but not yet installed). +- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. -This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10. +This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md). -In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: - -- Configure automatic update policies to ensure devices stay up to date. -- Get device compliance information (the list of updates that are needed but not yet installed). -- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. -- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. - -The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). 
- -For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md). +> [!NOTE] +> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). The following diagram provides a conceptual overview of how this works: -![mobile device update management.](images/mdm-update-sync.png) +:::image type="content" source="images/mdm-update-sync.png" alt-text="mobile device update management."::: The diagram can be roughly divided into three areas: -- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram). -- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram). -- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram). +- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram). +- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram). +- The device gets updates from Microsoft Update using client/server protocol. 
It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram). -## Getting update metadata using the Server-Server sync protocol +## Getting update metadata using the Server-Server sync protocol The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client. 
@@ -60,40 +59,39 @@ This section describes this setup. The following diagram shows the server-server MSDN provides much information about the Server-Server sync protocol. In particular: -- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. +- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. +- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. Some important highlights: -- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). 
In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. -- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. -- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). +- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. 
As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. +- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. +- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). > [!NOTE] -> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). +> Over time, Microsoft Update modifies metadata for a given update, for example, by updating descriptive information, fixing bugs in applicability rules, making localization changes, and so on. Each time a change occurs that doesn't affect the update itself, a new update revision is created. 
An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key for an update revision. The MDM doesn't present an update revision to IT. Instead, for each UpdateID (GUID) the MDM keeps the metadata for the later revision of that update, which is the one with the highest revision number. - -## Examples of update metadata XML structure and element descriptions +### Examples of update metadata XML structure and element descriptions The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below: -- **UpdateID** – The unique identifier for an update -- **RevisionNumber** – Revision number for the update in case the update was modified. -- **CreationDate** – the date on which this update was created. -- **UpdateType** – The type of update, which could include the following: - - **Detectoid** – if this update identity represents a compatibility logic - - **Category** – This element could represent either of the following: - - A Product category the update belongs to. For example, Windows, MS office, and so on. - - The classification the update belongs to. For example, drivers, security, and so on. - - **Software** – If the update is a software update. - - **Driver** – if the update is a driver update. -- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields: - - **Language** – The language code identifier (LCID). For example, en or es. - - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)” - - **Description** – Description of the update. 
For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.” -- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. +- **UpdateID** - The unique identifier for an update +- **RevisionNumber** - Revision number for the update in case the update was modified. +- **CreationDate** - The date on which this update was created. +- **UpdateType** - The type of update, which could include the following: + - **Detectoid** - If this update identity represents a compatibility logic + - **Category** - This element could represent either of the following: + - A Product category the update belongs to. For example, Windows, MS office, and so on. + - The classification the update belongs to. For example, drivers, security, and so on. + - **Software** - If the update is a software update. + - **Driver** - If the update is a driver update. +- **LocalizedProperties** - Represents the language the update is available in, title and description of the update. It has the following fields: + - **Language** - The language code identifier (LCID). For example, en or es. + - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)" + - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed." +- **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. 
-## Recommended Flow for Using the Server-Server Sync Protocol +### Recommended Flow for Using the Server-Server Sync Protocol This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM. 
@@ -103,782 +101,43 @@ First some background: - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. - The following procedure describes a basic algorithm for a metadata sync service: -- Initialization uses the following steps: - a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. -- Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). - 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: - - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - - Remove updates from the "needed update IDs to fault in" list once they've been brought in. +1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. 
We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. +1. Sync periodically (we recommend once every 2 hours - no more than once/hour). + 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). + 1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. + - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. + - Remove updates from the "needed update IDs to fault in" list once they've been brought in. These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed. -## Managing updates using OMA DM +## Managing updates using OMA DM An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. 
The key aspects of update management include the following information: -- Configure automatic update policies to ensure devices stay up to date. -- Get device compliance information (the list of updates that are needed but not yet installed) -- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. -- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs +- Configure automatic update policies to ensure devices stay up to date. +- Get device compliance information (the list of updates that are needed but not yet installed). +- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs. The following list describes a suggested model for applying updates. -1. Have a "Test Group" and an "All Group". -2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. +1. Have a "Test Group" and an "All Group". +1. In the Test group, let all updates flow. +1. In the All Group, set the Quality Update deferral for seven days, and then, Quality Updates are auto approved after seven days. Quality Update deferrals exclude Definition Updates, so Definition Updates automatically are approved when they're available. Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven. 
Let updates flow after seven days or by pausing if any issues occur. -Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md). +Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md). -### Update policies - -The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. - -The following information shows the Update policies in a tree format. - -```console -./Vendor/MSFT -Policy -----Config ---------Update ------------ActiveHoursEnd ------------ActiveHoursMaxRange ------------ActiveHoursStart ------------AllowAutoUpdate ------------AllowMUUpdateService ------------AllowNonMicrosoftSignedUpdate ------------AllowUpdateService ------------AutoRestartNotificationSchedule ------------AutoRestartRequiredNotificationDismissal ------------BranchReadinessLevel ------------DeferFeatureUpdatesPeriodInDays ------------DeferQualityUpdatesPeriodInDays ------------DeferUpdatePeriod ------------DeferUpgradePeriod ------------EngagedRestartDeadline ------------EngagedRestartSnoozeSchedule ------------EngagedRestartTransitionSchedule ------------ExcludeWUDriversInQualityUpdate ------------IgnoreMOAppDownloadLimit ------------IgnoreMOUpdateDownloadLimit ------------PauseDeferrals ------------PauseFeatureUpdates ------------PauseQualityUpdates ------------RequireDeferUpgrade ------------RequireUpdateApproval ------------ScheduleImminentRestartWarning ------------ScheduledInstallDay ------------ScheduledInstallTime ------------ScheduleRestartWarning ------------SetAutoRestartNotificationDisable ------------UpdateServiceUrl ------------UpdateServiceUrlAlternate -``` - -**Update/ActiveHoursEnd** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 
Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default is 17 (5 PM). - -**Update/ActiveHoursMaxRange** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - -**Update/ActiveHoursStart** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default value is 8 (8 AM). - -**Update/AllowAutoUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
- - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. -- 3 – Auto install and restart at a specified time. 
The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. - - -If the policy isn't configured, end users get the default behavior (Auto install and restart). - -**Update/AllowMUUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - -**Update/AllowNonMicrosoftSignedUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. - - -Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. 
- -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer. - -This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - -**Update/AllowUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. - -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update. - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. - -The following list shows the supported values: - -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - -**Update/AutoRestartNotificationSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. 
Allows the IT Admin to specify the period for auto-restart reminder notifications. - -Supported values are 15, 30, 60, 120, and 240 (minutes). - -The default value is 15 (minutes). - -**Update/AutoRestartRequiredNotificationDismissal** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. - -The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - -**Update/BranchReadinessLevel** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - -The following list shows the supported values: - -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). - -**Update/DeferFeatureUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -Supported values are 0-180. - -**Update/DeferQualityUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - -**Update/DeferUpdatePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). 
You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify update delays for up to four weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -- **Update category**: OS upgrade - - **Maximum deferral**: 8 months - - **Deferral increment**: 1 month - - **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -- **Update category**: Update - - **Maximum deferral**: 1 month - - **Deferral increment**: 1 week - - **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -- **Update category**: Other/cannot defer - - **Maximum deferral**: No deferral - - **Deferral increment**: No deferral - - **Update type/notes**: Any update category not enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - -**Update/DeferUpgradePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. 
-> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to enter more upgrade delays for up to eight months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/EngagedRestartDeadline** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling). - -Supported values are 2-30 days. - -The default value is 0 days (not specified). - -**Update/EngagedRestartSnoozeSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. 
- -Supported values are 1-3 days. - -The default value is three days. - -**Update/EngagedRestartTransitionSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported values are 2-30 days. - -The default value is seven days. - -**Update/ExcludeWUDriversInQualityUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - -The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - -**Update/IgnoreMOAppDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - -To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. 
For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/IgnoreMOUpdateDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/PauseDeferrals** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. 
- - -Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - -The following list shows the supported values: - -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/PauseFeatureUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - -The following list shows the supported values: - -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - -**Update/PauseQualityUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - -The following list shows the supported values: - -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - -**Update/RequireDeferUpgrade** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. 
- - -Allows the IT admin to set a device to CBB train. - -The following list shows the supported values: - -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. - -**Update/RequireUpdateApproval** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -
- -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. - -**Update/ScheduleImminentRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -Supported values are 15, 30, or 60 (minutes). - -The default value is 15 (minutes). - -**Update/ScheduledInstallDay** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - -**Update/ScheduledInstallTime** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a string. 
- -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - -**Update/ScheduleRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. - -Supported values are 2, 4, 8, 12, or 24 (hours). - -The default value is 4 (hours). - -**Update/SetAutoRestartNotificationDisable** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -**Update/UpdateServiceUrl** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -> [!Important] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - -**Update/UpdateServiceUrlAlternate** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in the January service release of Windows 10, version 1607. 
Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. -> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - -### Update management - -The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](mdm/update-csp.md). The following information shows the Update CSP in tree format. 
- -```console -./Vendor/MSFT -Update -----ApprovedUpdates ---------Approved Update Guid -------------ApprovedTime -----FailedUpdates ---------Failed Update Guid -------------HResult -------------Status -------------RevisionNumber -----InstalledUpdates ---------Installed Update Guid -------------RevisionNumber -----InstallableUpdates ---------Installable Update Guid -------------Type -------------RevisionNumber -----PendingRebootUpdates ---------Pending Reboot Update Guid -------------InstalledTime -------------RevisionNumber -----LastSuccessfulScanTime -----DeferUpgrade -----Rollback ---------QualityUpdate ---------FeatureUpdate ---------QualityUpdateStatus ---------FeatureUpdateStatus -``` - -**Update** -The root node. - -Supported operation is Get. - -**ApprovedUpdates** -Node for update approvals and EULA acceptance for the end user. - -> [!NOTE] -> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. - -The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. - -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. 
An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. - -> [!NOTE] -> For the Windows 10 build, the client may need to reboot after additional updates are added. - - - -Supported operations are Get and Add. - -**ApprovedUpdates/***Approved Update Guid* -Specifies the update GUID. - -To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. - -Supported operations are Get and Add. - -Sample syncml: - -``` -./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d -``` - -**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -Specifies the time the update gets approved. - -Supported operations are Get and Add. - -**FailedUpdates** -Specifies the approved updates that failed to install on a device. - -Supported operation is Get. - -**FailedUpdates/***Failed Update Guid* -Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/HResult** -The update failure error code. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/Status** -Specifies the failed update status (for example, download, install). - -Supported operation is Get. - -**InstalledUpdates** -The updates that are installed on the device. 
- -Supported operation is Get. - -**InstalledUpdates/***Installed Update Guid* -UpdateIDs that represent the updates installed on a device. - -Supported operation is Get. - -**InstallableUpdates** -The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved. - -Supported operation is Get. - -**InstallableUpdates/***Installable Update Guid* -Update identifiers that represent the updates applicable and not installed on a device. - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/Type** -The UpdateClassification value of the update. Valid values are: - -- 0 - None -- 1 - Security -- 2 = Critical - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/RevisionNumber** -The revision number for the update that must be passed in server to server sync to get the metadata for the update. - -Supported operation is Get. - -**PendingRebootUpdates** -The updates that require a reboot to complete the update session. - -Supported operation is Get. - -**PendingRebootUpdates/***Pending Reboot Update Guid* -Update identifiers for the pending reboot state. - -Supported operation is Get. - -**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -The time the update is installed. - -Supported operation is Get. - -**LastSuccessfulScanTime** -The last successful scan time. - -Supported operation is Get. - -**DeferUpgrade** -Upgrades deferred until the next period. - -Supported operation is Get. - - -## Windows 10, version 1607 for update management - -Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices. 
- -- Update/ActiveHoursEnd -- Update/ActiveHoursStart -- Update/AllowMUUpdateService -- Update/BranchReadinessLevel -- Update/DeferFeatureUpdatePeriodInDays -- Update/DeferQualityUpdatePeriodInDays -- Update/ExcludeWUDriversInQualityUpdate -- Update/PauseFeatureUpdates -- Update/PauseQualityUpdates - -Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate. - -|GPO key|Type|Value| -|--- |--- |--- | -|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train

32: systems take Feature Updates on the Current Branch for Business

Other value or absent: receive all applicable updates (CB)| -|DeferQualityUpdates|REG_DWORD|1: defer quality updates

Other value or absent: don’t defer quality updates| -|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| -|PauseQualityUpdates|REG_DWORD|1: pause quality updates

Other value or absent: don’t pause quality updates| -|DeferFeatureUpdates|REG_DWORD|1: defer feature updates

Other value or absent: don’t defer feature updates| -|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| -|PauseFeatureUpdates|REG_DWORD|1: pause feature updates

Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers

Other value or absent: offer Windows Update drivers| - -Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. - -- Update/RequireDeferUpgrade -- Update/DeferUpgradePeriod -- Update/DeferUpdatePeriod -- Update/PauseDeferrals - -## Update management user experience screenshot +### Update management user experience screenshot The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot.](images/deviceupdatescreenshot1.png) +:::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot."::: -![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) +:::image type="content" source="images/deviceupdatescreenshot2.png" alt-text="mdm update management metadata screenshot."::: - -## SyncML example +### SyncML example Set auto update to notify and defer. 
@@ -929,16 +188,21 @@ Set auto update to notify and defer. The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
+:::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3.":::
-![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
+:::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4":::
-![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
+:::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5":::
-![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
+:::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6":::
-![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
+:::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7":::
-![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
+:::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8":::
-![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
+:::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9":::
+
+## Related articles
+
+- [Policy CSP - Update](mdm/policy-csp-update.md)
+- [Policy configuration service provider](mdm/policy-configuration-service-provider.md)
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 371357b658..6e4d3f8d8c 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,41 +1,31 @@ --- title: Disconnecting from the management infrastructure (unenrollment) description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server. -MS-HAID: - - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' - - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/13/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Disconnecting from the management infrastructure (unenrollment) -The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. -The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. +The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account. 
+The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy. During disconnection, the client executes the following tasks: -- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. -- Removes certificates that are configured by MDM server. -- Ceases enforcement of the settings policies applied by the management infrastructure. -- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. -- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. - - -## In this topic - -- [User-initiated disconnection](#user-initiated-disconnection) -- [Server-initiated disconnection](#server-initiated-disconnection) -- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page) -- [IT admin–requested disconnection](#it-admin-requested-disconnection) -- [Unenrollment from Azure Active Directory Join](#dataloss) - +- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. +- Removes certificates that are configured by MDM server. 
+- Ceases enforcement of the settings policies applied by the management infrastructure. +- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure. +- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort. ## User-initiated disconnection 
@@ -44,16 +34,15 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. > [!NOTE] -> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). -  The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic. -``` +```xml 1.2 
@@ -100,10 +89,9 @@ The following sample shows an OMA DM first package that contains a generic alert After the previous package is sent, the unenrollment process begins. - ## Server-initiated disconnection -When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1. +When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`. ```xml 
@@ -119,41 +107,29 @@ When the server initiates disconnection, all undergoing sessions for the enrollm ``` - - ## Unenrollment from Work Access settings page If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. You can only use the Work Access page to unenroll under the following conditions: -- Enrollment was done using bulk enrollment. -- Enrollment was created using the Work Access page. +- Enrollment was done using bulk enrollment. +- Enrollment was created using the Work Access page. - - ## Unenrollment from Azure Active Directory Join When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png) -During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. +During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state. 
-Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. +Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device. - -## IT admin–requested disconnection +## IT admin-requested disconnection -The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. +The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic. When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. - -  - - - - - diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index c3e140606c..1aecb97d90 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json 
@@ -43,7 +43,7 @@ "ms.technology": "itpro-manage", "audience": "ITPro", "ms.topic": "article", - "manager": "dansimp", + "manager": "aaroncz", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", @@ -55,20 +55,26 @@ }, "titleSuffix": "Windows Client Management", "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", "jborsecnik", "tiburd", "garycentric", - "beccarobins" + "beccarobins", + "american-dipper", + "angelamotherofdragons", + "v-stsavell", + "stacyrch140" ], - "searchScope": ["Windows 10"] + "searchScope": [ + "Windows 10" + ] }, "fileMetadata": {}, "template": [], "dest": "win-client-management", "markdownEngineName": "markdig" } -} +} \ No newline at end of file diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index 67353c881b..c60b1439b5 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md 
@@ -10,16 +10,17 @@ ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Enable ADMX policies in MDM - -Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). - -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: + - Find the policy from the list ADMX policies. - Find the Group Policy related information from the MDM policy description. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. 
@@ -27,21 +28,18 @@ Summary of steps to enable a policy: See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. - - - ## Enable a policy > [!NOTE] > See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP Friendly name - GP name - GP ADMX file name - GP path -2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc +1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc 1. Click **Start**, then in the text box type **gpedit**. @@ -61,7 +59,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) -3. Create the SyncML to enable the policy that doesn't require any parameter. +1. Create the SyncML to enable the policy that doesn't require any parameter. In this example, you configure **Enable App-V Client** to **Enabled**. @@ -89,10 +87,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Enable a policy that requires parameters - 1. Create the SyncML to enable the policy that requires parameters. In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. 
@@ -103,23 +99,22 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) - 2. Find the variable names of the parameters in the ADMX file. + 1. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. + 1. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. - 4. Search for GP name **Publishing_Server2_policy**. + 1. Search for GP name **Publishing_Server2_policy**. - - 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 1. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. Here's the snippet from appv.admx: ```xml - + 
@@ -206,7 +201,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. + 1. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. Here's the example XML for Publishing_Server2_Policy: @@ -223,7 +218,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. + 1. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. Here's the example for **AppVirtualization/PublishingAllowServer2**: @@ -263,7 +258,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Disable a policy The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 8bffb182d7..fc976f6277 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -1,322 +1,146 @@ --- -title: Enroll a Windows 10 device automatically using Group Policy +title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 04/30/2022 +ms.date: 04/13/2023 ms.reviewer: manager: aaroncz ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Enroll a Windows 10 device automatically using Group Policy +# Enroll a Windows device automatically using Group Policy -**Applies to:** - -- Windows 11 -- Windows 10 - -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. +You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. 
-Requirements: -- Active Directory-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) -- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +**Requirements**: + +- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). +- The enterprise has configured a Mobile Device Management (MDM) service. +- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). +- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`). - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] > For more information, see the following topics: +> > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. 
Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). +- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. +- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. 
Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. -## Verify auto-enrollment requirements and settings - -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. -The following steps demonstrate required settings using the Intune service: - -1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). - - :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: - -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - - ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) - - > [!IMPORTANT] - > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. - > - > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. - -3. Verify that the device OS version is Windows 10, version 1709 or later. - -4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. 
This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. - - You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - - ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) - - Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - - ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) - - This information can also be found on the Azure AD device list. - - ![Azure AD device list.](images/azure-ad-device-list.png) - -5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - - ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) - -6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - - :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: - -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. - -You may contact your domain administrators to verify if the group policy has been deployed successfully. - -8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). - -9. 
Verify that Microsoft Intune should allow enrollment of Windows devices. - - :::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: - -## Configure the auto-enrollment Group Policy for a single PC - -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). - -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured -- Enterprise AD must be registered with Azure AD - -1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. - - ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) - -2. Under **Best match**, select **Edit group policy** to launch it. - -3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. - - :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png"::: - -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**. - - :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: - -5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. 
- - > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). - - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory." - - To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). - - If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - - ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) - - > [!Tip] - > You can avoid this behavior by using Conditional Access Policies in Azure AD. - Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - -6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account. - -7. Select **Info** to see the MDM enrollment information. - - ![Work School Settings.](images/autoenrollment-settings-work-school.png) - - If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app). 
- - -### Task Scheduler app - -1. Select **Start**, then in the text box type `task scheduler`. - - ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) - -2. Under **Best match**, select **Task Scheduler** to launch it. - -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - - :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab. - - If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. - - > [!NOTE] - > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. - ## Configure the auto-enrollment for a group of devices -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third-party service provider) -- Enterprise AD must be integrated with Azure AD. -- Ensure that PCs belong to same computer group. +To configure auto-enrollment using a group policy, use the following steps: -> [!IMPORTANT] -> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +1. Create a Security Group for the PCs. +1. Link the GPO. +1. 
Filter using Security Groups. -1. Download: +If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. - - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) +1. Download the administrative templates for the desired version: - - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) + - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) + - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) + - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + - [Administrative Templates (.admx) for Windows 11 2022 September Update 
(22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) +1. Install the package on the Domain Controller. - - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) +1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version. - - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - - - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - - - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - - - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - - - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - - - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - -2. Install the package on the Domain Controller. - -3. 
Navigate, depending on the version to the folder: - - - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - - - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - - - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - - - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - - - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - - - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - - - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - -4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. - -5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. +1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. -6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. +1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. -This procedure will work for any future version as well. +## Configure the auto-enrollment Group Policy for a single PC -1. 
Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. -2. Create a Security Group for the PCs. +1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. -3. Link the GPO. +1. Under **Best match**, select **Edit group policy** to launch it. -4. Filter using Security Groups. +1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. -## Troubleshoot auto-enrollment of devices +1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. + :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: -To collect Event Viewer logs: + > [!NOTE] + > In Windows 10, version 1903 and later, the MDM.admx file was updated to include the **Device Credential** option to select which credential is used to enroll the device. The default behavior for older releases is to revert to **User Credential**. + > + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. 
User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). -1. Open Event Viewer. +When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. +If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - > [!Tip] - > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). +:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification."::: -3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: +> [!TIP] +> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: +## Verify enrollment - If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: +To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information. 
- - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: +:::image type="content" source="images/autoenrollment-settings-work-school.png" alt-text="Screenshot of Work School Settings."::: - :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: +> [!NOTE] +> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md). - To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). +## Task Scheduler app - - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. +Select **Start**, then in the text box type `task scheduler`. Under **Best match**, select **Task Scheduler** to launch it. - The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: +In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - :::image type="content" alt-text="Task scheduler." 
source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: +:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - > [!Note] - > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. +To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab. - This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: - **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. +The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. - :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: +> [!NOTE] +> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. - When the task is completed, a new event ID 102 is logged. - - :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: - - The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. 
- - If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. - One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: - - :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: - - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. - - A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: - - :::image type="content" alt-text="Manually deleted entries." 
source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: - -### Related topics +## Related topics - [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) - [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11)) - [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)) - [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11)) - [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11)) -- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) - [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints) -- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684) -- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353) - - -### Useful Links -- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) -- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124) -- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591) -- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495) -- 
[Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 6646d4df78..197087b7dc 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
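Review bot: The rewritten ADMX install procedure drops the old step 4 ("Rename the extracted Policy Definitions folder to PolicyDefinitions") but the next step still says to copy "the PolicyDefinitions folder" into SYSVOL, so a reader following the new list never has a folder by that name to copy; restore the rename step between the "Navigate to C:\Program Files (x86)\Microsoft Group Policy" step and the copy step. In the "group of devices" steps the GPO path was rewritten as **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM**, dropping the **Policies** node the old text had; a domain GPO edited in GPMC does show that node (the local gpedit path further down is correct without it), so the old path appears to be the right one here. The Task Scheduler section also lost the old note that the EnterpriseMgmt task isn't visible to standard users and must be viewed with administrative credentials, which is the first thing a reader hunting for a "missing" task needs; re-adding it as a `> [!NOTE]` under that section keeps the verification step usable. The deleted "Verify auto-enrollment requirements" section carried the [!IMPORTANT] caveat that on BYOD devices the MAM user scope takes precedence over the MDM user scope (the device gets WIP policies instead of being MDM enrolled), and nothing on the new side preserves it even though it is a common reason enrollment silently never happens. Minor: "select your domain account.Select **Info**" in "Verify enrollment" is missing a space after the period.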
@@ -1,170 +1,51 @@ --- title: Enterprise app management -description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. -ms.reviewer: +description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices. +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 10/04/2021 +ms.date: 04/13/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Enterprise app management -This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps. +This article will discuss one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM. + +By using Windows MDM to manage app lifecycles, administrators can deploy and manage updates, remove outdated or unused apps, and ensure that all devices have the necessary apps installed to meet the organization's needs. This feature streamlines the app management process and saves time and effort for IT professionals. 
## Application management goals -Windows 10 offers the ability for management servers to: +Windows offers the ability for management servers to: -- Install apps directly from the Microsoft Store for Business -- Deploy offline Store apps and licenses -- Deploy line-of-business (LOB) apps (non-Store apps) -- Inventory all apps for a user (Store and non-Store apps) -- Inventory all apps for a device (Store and non-Store apps) -- Uninstall all apps for a user (Store and non-Store apps) -- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Remove the provisioned app on the device running Windows 10 for desktop editions +- Install apps directly from the Microsoft Store for Business +- Deploy offline Store apps and licenses +- Deploy line-of-business (LOB) apps (non-Store apps) +- Inventory all apps for a user (Store and non-Store apps) +- Inventory all apps for a device (Store and non-Store apps) +- Uninstall all apps for a user (Store and non-Store apps) +- Provision apps so they're installed for all users of a device running Windows desktop editions (Home, Pro, Enterprise, and Education) +- Remove the provisioned app on the device running Windows desktop editions -## Inventory your apps +## Inventory apps -Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: +Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device. 
The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications: -- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business -- nonStore - Apps that weren't acquired from the Microsoft Store. -- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried. +- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business. +- **nonStore**: Apps that were not acquired from the Microsoft Store. +- **System**: Apps that are part of the operating system and cannot be uninstalled. This classification is read-only and can only be inventoried. -These classifications are represented as nodes in the EnterpriseModernAppManagement CSP. +Each app is identified by one package family name and one or more package full names, and the apps are grouped based on their origin. The EnterpriseModernAppManagement CSP displays these classifications as nodes. -The following information shows the EnterpriseModernAppManagement CSP in a tree format: +Inventory can be run recursively at any level from the AppManagement node through the package full name. You can also choose to inventory specific attributes only. The inventory is specific to the package full name and lists bundled and resource packs as applicable under the package family name. 
-```console -./Device/Vendor/MSFT -or -./User/Vendor/MSFT -EnterpriseAppManagement -----AppManagement ---------UpdateScan ---------LastScanError ---------AppInventoryResults ---------AppInventoryQuery ---------RemovePackage ---------AppStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemovable -----------ReleaseManagement -------------ReleaseManagementKey ---------------ChannelId ---------------ReleaseId ---------------EffectiveRelease ------------------ChannelId ------------------ReleaseId ---------nonStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable ---------System -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus 
---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable -----AppInstallation ---------PackageFamilyName -----------StoreInstall -----------HostedInstall -----------LastError -----------LastErrorDesc -----------Status -----------ProgressStatus -----AppLicenses ---------StoreLicenses -----------LicenseID -------------LicenseCategory -------------LicenseUsage -------------RequesterID -------------AddLicense -------------GetLicenseFromStore -``` - -Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). - -Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute. - -Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name. - -Here are the nodes for each package full name: - -- Name -- Version -- Publisher -- Architecture -- InstallLocation -- IsFramework -- IsBundle -- InstallDate -- ResourceID -- RequiresReinstall -- PackageStatus -- Users -- IsProvisioned - -For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). +For more information on each node, refer to the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). ### App inventory 
@@ -172,126 +53,121 @@ You can use the EnterpriseModernAppManagement CSP to query for all apps installe Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic. -Here's an example of a query for all apps on the device. +- Example query for all apps on the device. -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData + + + + ``` -Here's an example of a query for a specific app for a user. +- Example query for a specific app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData + + + + ``` ### Store license inventory You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device. -Here are the nodes for each license ID: - -- LicenseCategory -- LicenseUsage -- RequestedID - For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). > [!NOTE] > The LicenseID in the CSP is the content ID for the license. -Here's an example of a query for all app licenses on a device. +- Here's an example of a query for all app licenses on a device. 
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData + + + + ``` -Here's an example of a query for all app licenses for a user. +- Here's an example of a query for all app licenses for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData + + + + ``` ## Enable the device to install non-Store apps -There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. +There are two basic types of apps you can deploy: + +- Store apps. +- Enterprise signed apps. + +To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. ### Unlock the device for non-Store apps -To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. 
For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). +To deploy apps that aren't from the Microsoft Store, you must configure the [ApplicationManagement/AllowAllTrustedApps](mdm/policy-csp-applicationmanagement.md) policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). -The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device. +The AllowAllTrustedApps policy enables the installation of apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device. -For more information about the AllowAllTrustedApps policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). - -Here are some examples. 
+Here's an example: ```xml - 1 - - +1 + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData - - + + - 2 - - +2 + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps - - + + int text/plain - - 1 - + + 1 + ``` ### Unlock the device for developer mode -Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. +Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP. AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. -Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. - -For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). +Deployment of apps to Windows devices requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Here's an example. 
@@ -321,7 +197,7 @@ Here's an example. ``` -## Install your apps +## Install apps You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) to install apps. 
@@ -333,47 +209,46 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. -- The device requires connectivity to the Microsoft Store. -- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. -- The user must be signed in with their Azure AD identity. +- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. +- The device requires connectivity to the Microsoft Store. +- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. +- The user must be signed in with their Azure AD identity. -Here are some examples. +Here's an example: ```xml - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall - - - xml - - - + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall + + + xml + + + + + ``` Here are the changes from the previous release: -1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. -2. The value for flags can be "0" or "1" - - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. - -3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. 
+1. The `{CatID}` reference should be updated to `{ProductID}`. This value is acquired as a part of the Store for Business management tool. +1. The value for flags can be 0 or 1. + - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. + - When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. +1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. ### Deploy an offline license to a user -If you purchased an app from the Store for Business, the app license must be deployed to the device. +If you purchased an app from the Store for Business, the app license must be deployed to the device. The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. -The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. +In the SyncML, you need to specify the following information in the `Exec` command: -In the SyncML, you need to specify the following information in the Exec command: - -- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. -- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. +- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. 
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. Here's an example of an offline license installation. @@ -392,7 +267,6 @@ Here's an example of an offline license installation. ``` - ### Deploy apps to a user from a hosted location If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location. 
@@ -409,106 +283,106 @@ Here are the requirements for this scenario: The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -Here's an example of a line-of-business app installation. +- Here's an example of a line-of-business app installation. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -Here's an example of an app installation with dependencies. +- Here's an example of an app installation with dependencies. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` -Here's an example of an app installation with dependencies and optional packages. +- Here's an example of an app installation with dependencies and optional packages. 
-```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + + + + + ``` ### Provision apps for all users of a device 
@@ -528,124 +402,116 @@ To provision app for all users of a device from a hosted location, the managemen > [!NOTE] > When you remove the provisioned app, it will not remove it from the users that already installed the app. -Here's an example of app installation. +- Here's an example of app installation: -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: -The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: + - Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. + - Dependencies can be specified if required to be installed with the package. This is optional. -- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. -- Dependencies can be specified if required to be installed with the package. This is optional. + The DeploymentOptions parameter is only available in the user context. -The DeploymentOptions parameter is only available in the user context. +- Here's an example of app installation with dependencies. -Here's an example of app installation with dependencies. - -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. 
- -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` ### Get status of app installations When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query: -- Status - indicates the status of app installation. - - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. - - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. -- LastError - The last error reported by the app deployment server. -- LastErrorDescription - Describes the last error reported by the app deployment server. -- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. +- Status - indicates the status of app installation. + - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. + - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. + - FAILED (2) - Installation failed. 
The details of the error can be found under LastError and LastErrorDescription. + - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. +- LastError - The last error reported by the app deployment server. +- LastErrorDescription - Describes the last error reported by the app deployment server. +- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. - Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. +When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the [AppManagement node](mdm/enterprisemodernappmanagement-csp.md#deviceappmanagement). -When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node. +- Here's an example of a query for a specific app installation. -Here's an example of a query for a specific app installation. + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData + + + + ``` -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData - - - -``` +- Here's an example of a query for all app installations. -Here's an example of a query for all app installations. - -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData - - - -``` + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData + + + + ``` ### Alert for installation completion 
@@ -670,51 +536,50 @@ Here's an example of an alert. ``` -For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path. +For user-based installation, use the `./User` path and for provisioning of apps, use the `./Device` path. The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node. > [!NOTE] -> At this time, the alert for Store app installation isn't yet available. - +> At this time, the alert for Store app installation isn't available. ## Uninstall your apps -You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: +You can uninstall apps from users from Windows devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: -- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. -- nonStore - These apps that weren't acquired from the Microsoft Store. -- System - These apps are part of the OS. You can't uninstall these apps. +- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. +- nonStore - These apps that weren't acquired from the Microsoft Store. +- System - These apps are part of the OS. You can't uninstall these apps. To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name. -Here's an example for uninstalling all versions of an app for a user. 
+ Here's an example for uninstalling all versions of an app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for uninstalling a specific version of the app for a user. +-Here's an example for uninstalling a specific version of the app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Removed provisioned apps from a device 
@@ -723,70 +588,69 @@ You can remove provisioned apps from a device for a specific version, or for all > [!NOTE] > You can only remove an app that has an inventory value IsProvisioned = 1. - Removing provisioned app occurs in the device context. -Here's an example for removing a provisioned app from a device. +- Here's an example for removing a provisioned app from a device. -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for removing a specific version of a provisioned app from a device: +- Here's an example for removing a specific version of a provisioned app from a device: -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Remove a store app license You can remove app licenses from a device per app based on the content ID. -Here's an example for removing an app license for a user. +- Here's an example for removing an app license for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -Here's an example for removing an app license for a provisioned package (device context). +- Here's an example for removing an app license for a provisioned package (device context). 
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -### Alert for app uninstallation +### Alert for app uninstall Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. @@ -818,33 +682,33 @@ Apps installed on a device can be updated using the management server. Apps can To update an app from Microsoft Store, the device requires contact with the store services. -Here's an example of an update scan. +- Here's an example of an update scan. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan + + + + ``` -Here's an example of a status check. +- Here's an example of a status check. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError + + + + ``` ### Update apps from a hosted location @@ -863,7 +727,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi Here's an example. ```xml - + 1 
@@ -889,9 +753,9 @@ The Universal Windows app can share application data between the users of the de > [!NOTE] > This is only applicable to multi-user devices. -The AllowSharedUserAppData policy in [Policy CSP](mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. +The [ApplicationManagement/AllowSharedUserAppData](mdm/policy-csp-applicationmanagement.md) policy enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. -If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it). +If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it). The valid values are 0 (off, default value) and 1 (on). diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 5acabf7ab8..48902df441 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
@@ -8,20 +8,36 @@ ms.author: vinpa ms.topic: conceptual ms.technology: itpro-manage ms.date: 12/31/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. + +The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management. 
+ +If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. 
Potential orchestrator providers you could contact include: - - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. + + As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. + + Potential orchestrator providers you could contact include: + + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) + - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. 
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution -- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. + +> [!NOTE] +> End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index a50c18383c..7ae977249a 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -1,14 +1,17 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 07/28/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Federated authentication device enrollment 
@@ -17,28 +20,23 @@ This section provides an example of the mobile device enrollment protocol using The `` element the discovery response message specifies web authentication broker page start URL. -For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). -## In this topic - -[Discovery service](#discovery-service) -[Enrollment policy web service](#enrollment-policy-web-service) -[Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. 
The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. -The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. +The following example shows a request via HTTP GET to the discovery server given `user@contoso.com` as the email address. ```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc 
@@ -70,16 +68,16 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it's redirected: - - If the device isn't redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. -The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address +The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address ```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc 
@@ -90,64 +88,68 @@ The following example shows the discovery service request. ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - - user@contoso.com - 3 - 3.0 - WindowsPhone - 10.0.0.0 - - OnPremise - Federated - - - - + xmlns:s="http://www.w3.org/2003/05/soap-envelope"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 3 + + 3.0 + + WindowsPhone + + 10.0.0.0 + + OnPremise + Federated + + + + ``` The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. 
For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. -> [!Note] +> [!NOTE] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: -> - Parse the OS version from the data sent up during the discovery request. -> - Append the OS version as a parameter in the AuthenticationServiceURL. -> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. +> +> - Parse the OS version from the data sent up during the discovery request. +> - Append the OS version as a parameter in the AuthenticationServiceURL. +> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. 
-A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. +A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. -> [!Note] +> [!NOTE] > The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. The following are the explicit requirements for the server. -- The ```` element must support HTTPS. -- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. -- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. +- The ```` element must support HTTPS. +- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. +- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. The enrollment client issues an HTTPS request as follows: 
@@ -164,7 +166,7 @@ After authentication is complete, the auth server should return an HTML form doc > To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. ```html -HTTP/1.1 200 OK +HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 556 @@ -196,35 +198,34 @@ The following example shows a response received from the discovery web service t ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse - - - d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - - - - Federated - 3.0 - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://portal.manage.contoso.com/LoginRedirect.aspx - - - - + xmlns:a="http://www.w3.org/2005/08/addressing"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + Federated + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://portal.manage.contoso.com/LoginRedirect.aspx + + + + ``` 
@@ -236,12 +237,12 @@ This web service implements the X.509 Certificate Enrollment Policy Protocol (MS For Federated authentication policy, the security token credential is provided in a request message using the `` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows: -- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. -- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. +- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. +- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. -The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. +The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. - wsse:BinarySecurityToken/attributes/ValueType: The `` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`. 
@@ -251,42 +252,39 @@ The following example is an enrollment policy request with a received security t ```xml - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - B64EncodedSampleBinarySecurityToken - - - - - - - - - - - - + xmlns:a="http://www.w3.org/2005/08/addressing" + xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" + xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" + xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization"> + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + + + + + + ``` @@ -386,7 +384,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft. The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> [!Note] +> [!NOTE] > The policy service and the enrollment service must be on the same server; that is, they must have the same host name. The following example shows the enrollment web service request for federated authentication. 
@@ -474,15 +472,15 @@ The following example shows the enrollment web service request for federated aut After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. The provisioning XML contains: -- The requested certificates (required) -- The DM client configuration (required) +- The requested certificates (required) +- The DM client configuration (required) The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. @@ -495,8 +493,8 @@ Here's a sample RSTR message and a sample of OMA client provisioning XML within The following example shows the enrollment web service response. ```xml - @@ -512,7 +510,7 @@ The following example shows the enrollment web service response. - @@ -520,7 +518,7 @@ The following example shows the enrollment web service response. - @@ -548,7 +546,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
- + @@ -558,7 +556,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -602,7 +600,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + 
@@ -614,15 +612,15 @@ The following code shows sample provisioning XML (presented in the preceding pac ``` > [!NOTE] -> -> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. -> -> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. -> -> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. -> -> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. -> -> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. -> -> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. +> +> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. +> +> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. +> +> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. +> +> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. 
Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. +> +> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. +> +> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md deleted file mode 100644 index 3f1e0ef47a..0000000000 --- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md +++ /dev/null 
@@ -1,40 +0,0 @@
----
-title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
-description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/14/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: troubleshooting
-ms.technology: itpro-manage
----
-
-# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
-
-**Applies to**
-- Windows 10
-- Windows 11
-
-
-In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
-
-| Policy name | Policy path | Comments |
-| --- | --- | --- |
-| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
-| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
-| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
-| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
-| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
-| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
-
-
-
-
diff --git a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png
index 5f7fb2c44b..f35f11cc5d 100644
Binary files a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png and b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png differ
diff --git a/windows/client-management/images/azure-ad-device-list.png b/windows/client-management/images/azure-ad-device-list.png
deleted file mode 100644
index 607c36c307..0000000000
Binary files a/windows/client-management/images/azure-ad-device-list.png and /dev/null differ
diff --git a/windows/client-management/images/implement-server-side-mobile-application-management.png b/windows/client-management/images/implement-server-side-mobile-application-management.png
index 88555f2d3b..822b7f7ea0 100644
Binary files a/windows/client-management/images/implement-server-side-mobile-application-management.png and b/windows/client-management/images/implement-server-side-mobile-application-management.png differ
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 91645ea1af..01cff16e92 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -6,15 +6,19 @@ ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 08/03/2022
+ms.date: 04/05/2023
 ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-
 # Support for mobile application management on Windows
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+
+[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
 ## Integration with Azure AD
@@ -22,7 +26,7 @@ MAM on Windows is integrated with Azure Active Directory (Azure AD) identity ser
 MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
 Regular non-admin users can enroll to MAM.
@@ -34,15 +38,15 @@ To make applications WIP-aware, app developers need to include the following dat
 ``` syntax
 // Mark this binary as Allowed for WIP (EDP) purpose
- MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
- BEGIN
- 0x0001
- END
+MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID
+ BEGIN
+ 0x0001
+ END
 ```
 ## Configuring an Azure AD tenant for MAM enrollment
-MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
+MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
 :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png":::
@@ -83,12 +87,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al
 - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
 - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
-- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support.
 - [DevInfo CSP](mdm/devinfo-csp.md).
 - [DMAcc CSP](mdm/dmacc-csp.md).
 - [DMClient CSP](mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
 - [EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies.
-- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support.
 - [PassportForWork CSP](mdm/passportforwork-csp.md) for Windows Hello for Business PIN management.
 - [Policy CSP](mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
 - [Reporting CSP](mdm/reporting-csp.md) for retrieving Windows Information Protection logs.
@@ -127,13 +131,3 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f
 - EDP CSP RevokeOnMDMHandoff is set to false.
 If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected.
-
-## Skype for Business compliance with MAM
-
-We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
-
-|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
-|--- |--- |--- |--- |
-|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
-|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
-|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||
diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
deleted file mode 100644
index 57b5523dd9..0000000000
--- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
diff --git a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md b/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
deleted file mode 100644
index 031d179b36..0000000000
--- a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
diff --git a/windows/client-management/includes/allow-adobe-flash-shortdesc.md b/windows/client-management/includes/allow-adobe-flash-shortdesc.md
deleted file mode 100644
index 45365c58bd..0000000000
--- a/windows/client-management/includes/allow-adobe-flash-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
diff --git a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md b/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
deleted file mode 100644
index 82ccb5f2ed..0000000000
--- a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
diff --git a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md b/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
deleted file mode 100644
index f8b89a8e2e..0000000000
--- a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
diff --git a/windows/client-management/includes/allow-developer-tools-shortdesc.md b/windows/client-management/includes/allow-developer-tools-shortdesc.md
deleted file mode 100644
index 41176ffb3b..0000000000
--- a/windows/client-management/includes/allow-developer-tools-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
deleted file mode 100644
index 3c9d3f6b42..0000000000
--- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data.
diff --git a/windows/client-management/includes/allow-extensions-shortdesc.md b/windows/client-management/includes/allow-extensions-shortdesc.md
deleted file mode 100644
index 8276b06760..0000000000
--- a/windows/client-management/includes/allow-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
deleted file mode 100644
index 8c616dedff..0000000000
--- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
diff --git a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md b/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
deleted file mode 100644
index 1340e13406..0000000000
--- a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
diff --git a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md b/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
deleted file mode 100644
index 35a86bfd85..0000000000
--- a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
diff --git a/windows/client-management/includes/allow-prelaunch-shortdesc.md b/windows/client-management/includes/allow-prelaunch-shortdesc.md
deleted file mode 100644
index a8437f2035..0000000000
--- a/windows/client-management/includes/allow-prelaunch-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
diff --git a/windows/client-management/includes/allow-printing-shortdesc.md b/windows/client-management/includes/allow-printing-shortdesc.md
deleted file mode 100644
index 288599efdd..0000000000
--- a/windows/client-management/includes/allow-printing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.
diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md
deleted file mode 100644
index 8f5084cda1..0000000000
--- a/windows/client-management/includes/allow-saving-history-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices.
diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md
deleted file mode 100644
index d7acad8b8d..0000000000
--- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can execute the following tasks in Settings:
-- Add new search engines
-- Change the default search engine
-
-With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser.
diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
deleted file mode 100644
index 5774f8089e..0000000000
--- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
diff --git a/windows/client-management/includes/allow-tab-preloading-shortdesc.md b/windows/client-management/includes/allow-tab-preloading-shortdesc.md
deleted file mode 100644
index 5008070f5b..0000000000
--- a/windows/client-management/includes/allow-tab-preloading-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
diff --git a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md b/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
deleted file mode 100644
index 5d9a75ed5a..0000000000
--- a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 11/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.
diff --git a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md b/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
deleted file mode 100644
index 2c63762356..0000000000
--- a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
diff --git a/windows/client-management/includes/always-show-books-library-shortdesc.md b/windows/client-management/includes/always-show-books-library-shortdesc.md
deleted file mode 100644
index a9e0bdb003..0000000000
--- a/windows/client-management/includes/always-show-books-library-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
deleted file mode 100644
index 2560751600..0000000000
--- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-The Set default search engine policy enables the users to:
-
-- Set a default search engine
-- Configure up to five more search engines, and set any one of them as the default
-
-If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines
-
diff --git a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md b/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
deleted file mode 100644
index d409c6374c..0000000000
--- a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
diff --git a/windows/client-management/includes/configure-autofill-shortdesc.md b/windows/client-management/includes/configure-autofill-shortdesc.md
deleted file mode 100644
index 74af7970c6..0000000000
--- a/windows/client-management/includes/configure-autofill-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
deleted file mode 100644
index 935810a840..0000000000
--- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
diff --git a/windows/client-management/includes/configure-cookies-shortdesc.md b/windows/client-management/includes/configure-cookies-shortdesc.md
deleted file mode 100644
index eeb223000b..0000000000
--- a/windows/client-management/includes/configure-cookies-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md
deleted file mode 100644
index d69135a7e9..0000000000
--- a/windows/client-management/includes/configure-do-not-track-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
diff --git a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md b/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
deleted file mode 100644
index f98aa94435..0000000000
--- a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
diff --git a/windows/client-management/includes/configure-favorites-bar-shortdesc.md b/windows/client-management/includes/configure-favorites-bar-shortdesc.md
deleted file mode 100644
index 661818a582..0000000000
--- a/windows/client-management/includes/configure-favorites-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.
diff --git a/windows/client-management/includes/configure-home-button-shortdesc.md b/windows/client-management/includes/configure-home-button-shortdesc.md
deleted file mode 100644
index 17d1b68784..0000000000
--- a/windows/client-management/includes/configure-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
deleted file mode 100644
index b16c3d18e4..0000000000
--- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device.
-
-> [!NOTE]
-> You can define the browser's behavior only if you have the assigned access privileges.
-
-You can also define a behavior when Microsoft Edge serves as a single application.
-
-You can facilitate the following functionalities in the Microsoft Edge browser:
-- Execution of InPrivate full screen
-- Execution of InPrivate multi-tab with a tailored experience for kiosks
-- Provision for normal browsing
diff --git a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
deleted file mode 100644
index 767c933e7c..0000000000
--- a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
deleted file mode 100644
index 26dc5e0d88..0000000000
--- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
diff --git a/windows/client-management/includes/configure-password-manager-shortdesc.md b/windows/client-management/includes/configure-password-manager-shortdesc.md
deleted file mode 100644
index f0b41c5b0f..0000000000
--- a/windows/client-management/includes/configure-password-manager-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
diff --git a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md b/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
deleted file mode 100644
index a34c788e1e..0000000000
--- a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy.
-
diff --git a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md b/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
deleted file mode 100644
index 71b3e06d0d..0000000000
--- a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md
deleted file mode 100644
index 76e4a07003..0000000000
--- a/windows/client-management/includes/configure-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes.
diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
deleted file mode 100644
index 1682bc2ca2..0000000000
--- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
deleted file mode 100644
index 12bcdd34b8..0000000000
--- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy.
diff --git a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md b/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
deleted file mode 100644
index b269a7f3e3..0000000000
--- a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
diff --git a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
deleted file mode 100644
index 0b377e56b6..0000000000
--- a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
diff --git a/windows/client-management/includes/mdm-enrollment-error-codes.md b/windows/client-management/includes/mdm-enrollment-error-codes.md
new file mode 100644
index 0000000000..017a48153f
--- /dev/null
+++ b/windows/client-management/includes/mdm-enrollment-error-codes.md
@@ -0,0 +1,46 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 04/06/2023
+---
+
+|Code|ID|Error message|
+|--- |--- |--- |
+|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server.
You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
+|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
+|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported.
Contact your system administrator with the error code {0}.|
+|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
+|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
+|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
+|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server.
You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
+|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
+|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
+|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
deleted file mode 100644
index d5f609cfa6..0000000000
--- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
deleted file mode 100644
index f6b222fde2..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
deleted file mode 100644
index d04429bef8..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
diff --git a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md b/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
deleted file mode 100644
index c73e676517..0000000000
--- a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
diff --git a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md b/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
deleted file mode 100644
index b635ee64e8..0000000000
--- a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
diff --git a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
deleted file mode 100644
index bba9ec1ad5..0000000000
--- a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.
diff --git a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md b/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
deleted file mode 100644
index c156c94126..0000000000
--- a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md deleted file mode 100644 index 4209d79579..0000000000 --- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored. diff --git a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md deleted file mode 100644 index 037c535aa8..0000000000 --- a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
deleted file mode 100644
index fe0bc3c307..0000000000
--- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md
deleted file mode 100644
index 6f47ca66c4..0000000000
--- a/windows/client-management/includes/provision-favorites-shortdesc.md
+++ /dev/null
@@ -1,20 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes: - -- Creating a standard list - - This standard list includes: - - Folders (which you can add) - - the list of favorites that you manually add, after creating the standard list - -This customized favorite is the final version. - - diff --git a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md b/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md deleted file mode 100644 index 3b17cd7e5f..0000000000 --- a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. diff --git a/windows/client-management/includes/set-default-search-engine-shortdesc.md b/windows/client-management/includes/set-default-search-engine-shortdesc.md deleted file mode 100644 index 958dd67138..0000000000 --- a/windows/client-management/includes/set-default-search-engine-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.
diff --git a/windows/client-management/includes/set-home-button-url-shortdesc.md b/windows/client-management/includes/set-home-button-url-shortdesc.md
deleted file mode 100644
index 67e62738a6..0000000000
--- a/windows/client-management/includes/set-home-button-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
diff --git a/windows/client-management/includes/set-new-tab-url-shortdesc.md b/windows/client-management/includes/set-new-tab-url-shortdesc.md
deleted file mode 100644
index a909cbbdc7..0000000000
--- a/windows/client-management/includes/set-new-tab-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
diff --git a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md b/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
deleted file mode 100644
index 5fda91f3db..0000000000
--- a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
diff --git a/windows/client-management/includes/unlock-home-button-shortdesc.md b/windows/client-management/includes/unlock-home-button-shortdesc.md
deleted file mode 100644
index 722998c5bf..0000000000
--- a/windows/client-management/includes/unlock-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index d782edc5b3..8b288e7905 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -15,7 +15,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: dougeby
- ms.date: 03/28/2022 #Required; mm/dd/yyyy format.
+ ms.date: 04/13/2023
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -37,9 +37,9 @@ landingContent:
- text: Enterprise settings, policies, and app management
url: windows-mdm-enterprise-settings.md
- text: Windows Tools/Administrative Tools
- url: administrative-tools-in-windows-10.md
+ url: client-tools/administrative-tools-in-windows.md
- text: Create mandatory user profiles
- url: mandatory-user-profile.md
+ url: client-tools/mandatory-user-profile.md
- title: Device enrollment
linkLists:
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
deleted file mode 100644
index 1ed28e0f9b..0000000000
--- a/windows/client-management/manage-corporate-devices.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage corporate devices
-description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-keywords: [MDM, device management]
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/14/2021
-ms.topic: article
-ms.technology: itpro-manage
----
-
-# Manage corporate devices
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11.
-
-## In this section
-
-| Topic | Description |
-| --- | --- |
-| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment |
-| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC |
-| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees |
-| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 |
-| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 
Education |
-| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations |
-
-
-
-## Learn more
-
-[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
-
-[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
-
-[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
-
-[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768)
-
-Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/)
-
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
deleted file mode 100644
index 0bb88c2d24..0000000000
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Manage the Settings app with Group Policy (Windows 10 and Windows 11)
-description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.date: 09/14/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.technology: itpro-manage
----
-
-# Manage the Settings app with Group Policy
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2016
-
-You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
-To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
-
->[!Note]
->Each server that you want to manage access to the Settings App must be patched.
-
-If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
-
-This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.
-
-Policy paths:
-
-**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
-
-**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. 
-
-![Settings page visibility policy.](images/settings-page-visibility-gp.png)
-
-## Configuring the Group Policy
-
-The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
-
->[!NOTE]
-> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
-
-Here are some examples:
-
-- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
-- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
\ No newline at end of file
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 37aae00014..3595276771 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -1,24 +1,25 @@
---
-title: Manage Windows 10 in your organization - transitioning to modern management
-description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment.
+title: Manage Windows devices in your organization - transitioning to modern management
+description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment.
ms.prod: windows-client
ms.localizationpriority: medium
-ms.date: 06/03/2022
+ms.date: 04/05/2023
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.topic: overview
ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
-# Manage Windows 10 in your organization - transitioning to modern management
+# Manage Windows devices in your organization - transitioning to modern management
-Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization.
+Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. 
You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization.
-Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist.
-
-Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster.
+Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster.
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. 
It also demonstrates how IT can apply policies and configurations to ensure device compliance. 
@@ -27,64 +28,58 @@ This six-minute video demonstrates how users can bring in a new retail device an
> [!NOTE]
> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
-This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
+This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle:
- [Deployment and Provisioning](#deployment-and-provisioning)
- [Identity and Authentication](#identity-and-authentication)
- [Configuration](#settings-and-configuration)
- [Updating and Servicing](#updating-and-servicing)
-## Reviewing the management options with Windows 10
+## Reviewing the management options for Windows
-Windows 10 offers a range of management options, as shown in the following diagram:
+Windows offers a range of management options, as shown in the following diagram:
:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png":::
-As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. 
It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business.
+As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365.
## Deployment and provisioning
-With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can:
+With Windows, you can continue to use traditional OS deployment, but you can also "manage out of the box". To transform new devices into fully configured, fully managed devices, you can:
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
+- Avoid re-imaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the Windows Configuration Designer. 
For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages).
- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction).
-You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
+You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 10, you can use the robust in-place upgrade process for a fast, reliable move to Windows 11 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today.
## Identity and authentication
-You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. 
At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
-- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
+- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices:
- - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
+ - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. 
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
+ - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises.
- With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides:
+ With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. 
This registration provides:
- - Single sign-on to cloud and on-premises resources from everywhere
+ - Single sign-on to cloud and on-premises resources from everywhere
+ - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
+ - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
+ - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
+ - Windows Hello
- - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable)
-
- - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
-
- - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
-
- - Windows Hello
-
- Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
-
-For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
+ Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy.
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. 
@@ -92,19 +87,19 @@ As you review the roles in your organization, you can use the following generali
## Settings and configuration
-Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
+Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.
-**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
+- **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) 
One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go.
-**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
+- **Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level using group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices:
-- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
+ - **Group policy** is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows.
-- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
+ - **Configuration Manager** remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment.
## Updating and servicing
-With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. 
Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on General Availability Channel or Long-Term Servicing Channel, devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. 
@@ -116,11 +111,11 @@ There are various steps you can take to begin the process of modernizing device
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
-**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
+**Review the decision trees in this article.** With the different options in Windows, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
-**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md).
+**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on modern Windows devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policies-in-policy-csp-supported-by-group-policy.md).
-**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles:
+**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. 
For more information, see the following articles:
- [Co-management for Windows devices](/mem/configmgr/comanage/overview)
- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
@@ -130,5 +125,5 @@ There are various steps you can take to begin the process of modernizing device
## Related articles
- [What is Intune?](/mem/intune/fundamentals/what-is-intune)
-- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
-- [Windows 10 configuration service providers](./mdm/index.yml)
+- [Policy CSP](./mdm/policy-configuration-service-provider.md)
+- [Configuration service providers reference](./mdm/index.yml)
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm-collect-logs.md
similarity index 81%
rename from windows/client-management/diagnose-mdm-failures-in-windows-10.md
rename to windows/client-management/mdm-collect-logs.md
index 246e8babc9..d544eab6d4 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,6 +1,6 @@
---
-title: Diagnose MDM failures in Windows 10
-description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
+title: Collect MDM logs
+description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -8,31 +8,36 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/25/2018 +ms.date: 04/13/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Diagnose MDM failures in Windows 10 +# Collect MDM logs -To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. +To help diagnose enrollment or device management issues in Windows devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. -## Download the MDM Diagnostic Information log from Windows 10 PCs +## Download the MDM Diagnostic Information log from Windows devices 1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**. -1. Click your work or school account, then click **Info.** +1. Click your work or school account, then click **Info**. + ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. + ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. ![Access work or school log files.](images/diagnose-mdm-failures17.png) -1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. +1. In File Explorer, navigate to `C:\Users\Public\Documents\MDMDiagnostics` to see the report. -## Use command to collect logs directly from Windows 10 PCs +## Use command to collect logs directly from Windows devices You can also collect the MDM Diagnostic Information logs using the following command: 
@@ -55,9 +60,9 @@ The zip file will have logs according to the areas that were used in the command - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. -## Collect logs directly from Windows 10 PCs +## Collect logs directly from Windows devices -Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: +MDM logs are captured in the Event Viewer in the following location: - Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider 
@@ -70,26 +75,26 @@ In this location, the **Admin** channel logs events by default. However, if you ### Collect admin logs 1. Right click on the **Admin** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Select **Save all events as**. +1. Choose a location and enter a filename. +1. Click **Save**. +1. Choose **Display information for these languages** and then select **English**. +1. Click **Ok**. For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. ### Collect debug logs 1. Right click on the **Debug** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Select **Save all events as**. +1. Choose a location and enter a filename. +1. Click **Save**. +1. Choose **Display information for these languages** and then select **English**. +1. Click **Ok**. -You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. +You can open the log files (.evtx files) in the Event Viewer on a Windows device. -## Collect logs remotely from Windows 10 PCs +## Collect logs remotely from Windows devices When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: 
@@ -137,7 +142,7 @@ Example: Export the Debug logs ``` -## Collect logs remotely from Windows 10 Holographic +## Collect logs remotely from Windows Holographic For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). 
@@ -240,32 +245,32 @@ After the logs are collected on the device, you can retrieve the files through t For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. 1. Open eventvwr.msc. -2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. +1. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. ![event viewer screenshot.](images/diagnose-mdm-failures9.png) -3. Navigate to the etl file that you got from the device and then open the file. -4. Click **Yes** when prompted to save it to the new log format. +1. Navigate to the etl file that you got from the device and then open the file. +1. Click **Yes** when prompted to save it to the new log format. ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) -5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. +1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. ![event viewer actions.](images/diagnose-mdm-failures12.png) -6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. +1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you're ready to start reviewing the logs. +1. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) ## Collect device state data -Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. 
+Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. ```xml diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md new file mode 100644 index 0000000000..5022ba4bf1 --- /dev/null +++ b/windows/client-management/mdm-diagnose-enrollment.md 
@@ -0,0 +1,121 @@ +--- +title: Diagnose MDM enrollment failures +description: Learn how to diagnose enrollment failures for Windows devices +ms.reviewer: +manager: aaroncz +ms.author: vinpa +ms.topic: article +ms.prod: windows-client +ms.technology: itpro-manage +author: vinaypamnani-msft +ms.date: 04/12/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +--- + +# Diagnose MDM enrollment + +This article provides suggestions for troubleshooting device enrollment issues for MDM. + +## Verify auto-enrollment requirements and settings + +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: + +1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). + + :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: + +1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). + + ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) + + > [!IMPORTANT] + > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. 
+ > + > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. + +1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). + +1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. + + You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. + + ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) + + Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. + + ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) + + This information can also be found on the Azure AD device list. + +1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`. + + ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) + +1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. + + :::image type="content" alt-text="Screenshot of Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: + +1. 
When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. + +1. Verify that Microsoft Intune allows enrollment of Windows devices. + + :::image type="content" alt-text="Screenshot of Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: + +## Troubleshoot group policy enrollment + +Investigate the logs if you have issues even after performing all the verification steps. The first log file to investigate is the event log on the target Windows device. To collect Event Viewer logs: + +1. Open Event Viewer. + +1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. + + > [!TIP] + > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). + +1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: + + :::image type="content" alt-text="Screenshot of Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: + +If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: + +- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. 
Here's an example screenshot that shows that the auto-enrollment failed: + + :::image type="content" alt-text="Screenshot of Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: + + To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). + +- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described below: + + The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: + + :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png"::: + + > [!NOTE] + > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task. + + This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107. + + :::image type="content" alt-text="Screenshot of Event ID 107." 
source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png"::: + + When the task is completed, a new event ID 102 is logged. + + :::image type="content" alt-text="Screenshot of Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png"::: + + The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment. + + If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required. + One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: + + :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png"::: + + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016. 
+ + A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: + + :::image type="content" alt-text="Screenshot showing manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png"::: + +## Error codes + +[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)] diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index 7023a7b517..7974866d71 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,9 +1,6 @@ --- -title: MDM enrollment of Windows 10-based devices -description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: - - 'p\_phdevicemgmt.enrollment\_ui' - - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' +title: MDM enrollment of Windows devices +description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources. ms.reviewer: manager: aaroncz ms.author: vinpa 
@@ -12,280 +9,208 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 +- highpri +- tier2 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# MDM enrollment of Windows 10-based devices +# MDM enrollment of Windows devices -In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email. +In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email. > [!NOTE] > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. -## Connect corporate-owned Windows 10-based devices +## Connect corporate-owned Windows devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. 
![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) -### Connect your device to an Active Directory domain (join a domain) - -Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. - > [!NOTE] -> Mobile devices can't be connected to an Active Directory domain. - -### Out-of-box-experience - -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: - -1. On the **Who Owns this PC?** page, select **My work or school owns it**. - - ![oobe creation of a local account](images/unifiedenrollment-rs1-2.png) - -2. Next, select **Join a domain**. - - ![select domain or azure-ad](images/unifiedenrollment-rs1-3.png) - -3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - - ![create pc account.](images/unifiedenrollment-rs1-4.png) - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![windows settings screen](images/unifiedenrollment-rs1-5.png) - -2. Next, select **Accounts**. - - ![windows settings accounts chosen](images/unifiedenrollment-rs1-6.png) - -3. Navigate to **Access work or school**. - - ![choose access work or school](images/unifiedenrollment-rs1-7.png) - -4. Select **Connect**. - - ![connect to work or to school](images/unifiedenrollment-rs1-8.png) - -5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - - ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) - -6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. 
- - ![type in domain name.](images/unifiedenrollment-rs1-10.png) - -### Help with connecting to an Active Directory domain - -There are a few instances where your device can't be connected to an Active Directory domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - +> For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md). ### Connect your device to an Azure AD domain (join Azure AD) All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. -### Out-of-box-experience +#### Out-of-box-experience To join a domain: -1. Select **My work or school owns it**, then select **Next.** +1. 
Select **My work or school owns it**, then select **Next.** ![oobe - local account creation](images/unifiedenrollment-rs1-11.png) -2. Select **Join Azure AD**, and then select **Next.** +1. Select **Join Azure AD**, and then select **Next.** ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. +1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 
If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) - -2. Next, navigate to **Accounts**. - - ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) - -3. Navigate to **Access work or school**. - - ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) - -4. Select **Connect**. - - ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) - -5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - - ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) - -6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. - - ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) - -### Help with connecting to an Azure AD domain - -There are a few instances where your device can't be connected to an Azure AD domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. 
Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - - -## Connect personally owned devices - - -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. - -### Connect to a work or school account - -All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - - ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) - -2. Navigate to **Access work or school**. - - ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) - -3. Select **Connect**. - - ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) - -4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) - -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. - - ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) - -6. After you complete the flow, your Microsoft account will be connected to your work or school account. - - ![account successfully added.](images/unifiedenrollment-rs1-27.png) - -### Connect to MDM on a desktop (enrolling in device management) - -All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. - -### Use the Settings app +#### Use the Settings app To create a local account and connect the device: 1. Launch the Settings app. - ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) + ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) -2. Next, navigate to **Accounts**. +1. Next, navigate to **Accounts**. - ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) -3. Navigate to **Access work or school**. +1. Navigate to **Access work or school**. 
- ![access work or school.](images/unifiedenrollment-rs1-30.png) + ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) -4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). +1. Select **Connect**. - ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Type in your work email address. +1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. + ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - After you complete the flow, your device will be connected to your organization’s MDM. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. + + After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. + + ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) + +#### Help with connecting to an Azure AD domain + +There are a few instances where your device can't be connected to an Azure AD domain. + +| Connection issue | Description | +|--|--| +| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. 
| +| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | +| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Pro, Enterprise, or Education edition to continue. | + +## Connect personally owned devices + +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows devices don't require a personal Microsoft account on devices to connect to work or school. + +All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. + +### Register device in AAD and enroll in MDM + +To create a local account and connect the device: + +1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. + + ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) + +1. Navigate to **Access work or school**. + + ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) + +1. Select **Connect**. + + ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) + +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. + + ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) + +1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). + + You'll see the status page that shows the progress of your device being set up. + + ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) + +1. After you complete the flow, your Microsoft account will be connected to your work or school account. + + ![account successfully added.](images/unifiedenrollment-rs1-27.png) ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. -| Error Message | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | -| Your device is already being managed by an organization. 
| Your device is either already managed by MDM or Microsoft Configuration Manager. | -| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| Error Message | Description | +|--|--| +| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | +| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | +| You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +## Enroll in device management only -## Connect your Windows 10-based device to work using a deep link +All Windows devices can be connected to MDM. You can connect to an MDM through the Settings app. To create a local account and connect the device: +1. Launch the Settings app. -Windows 10-based devices may be connected to work using a deep link. 
Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience. + ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) -In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory. +1. Next, navigate to **Accounts**. + + ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + +1. Navigate to **Access work or school**. + + ![access work or school.](images/unifiedenrollment-rs1-30.png) + +1. Select the **Enroll only in device management** link. + + ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + +1. Type in your work email address. + + ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + +1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You'll see the enrollment progress on screen. + + ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + + After you complete the flow, your device will be connected to your organization's MDM. + +## Connect your Windows device to work using a deep link + +Windows devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows, and be directed to the new enrollment experience. The deep link used for connecting your device to work will always use the following format. 
-**ms-device-enrollment:?mode={mode\_name}** +**ms-device-enrollment:?mode={mode\_name}**: -| Parameter | Description | Supported Value for Windows 10| -|-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | -|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | -| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | - -> [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. 
+| Parameter | Description | Supported Value for Windows | +|--|--|--| +| mode | Describes which mode will be executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | +| username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string | +| servername | Specifies the MDM server URL that will be used to enroll the device. | string | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. | GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | ### Connect to MDM using a deep link 
@@ -297,9 +222,9 @@ The deep link used for connecting your device to work will always use the follow To connect your devices to MDM using deep links: -1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: +1. Create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**: - (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.) + (This link will launch the flow equivalent to the Enroll into the device management option.) - IT admins can add this link to a welcome email that users can select to enroll into MDM. 
@@ -310,13 +235,13 @@ To connect your devices to MDM using deep links: - IT admins can also add this link to an internal web page that users refer to enrollment instructions. -2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511). +1. After you select the link or run it, Windows launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option). Type in your work email address. ![set up a work or school account screen](images/deeplinkenrollment3.png) -3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. +1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. After you complete the flow, your device will be connected to your organization's MDM. @@ -324,7 +249,6 @@ To connect your devices to MDM using deep links: ## Manage connections - To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection. ![managing work or school account.](images/unifiedenrollment-rs1-34-b.png) 
@@ -333,41 +257,30 @@ To manage your work or school connections, select **Settings** > **Accounts** >
 The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios:
-- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured.
-- Connecting your device to a work or school account that has auto-enroll into MDM configured.
-- Connecting your device to MDM.
+- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured.
+- Connecting your device to a work or school account that has auto-enroll into MDM configured.
+- Connecting your device to MDM.
-Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed.
+Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed.
-Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot.
+Selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot.
 ![work or school info.](images/unifiedenrollment-rs1-35-b.png)
-> [!NOTE]
-> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
-
 ### Disconnect
 The **Disconnect** button can be found on all work connections.
Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality:
-- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
-- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
+- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
+- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
 > [!WARNING]
 > Disconnecting might result in the loss of data on the device.
 ## Collecting diagnostic logs
-
 You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
-Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here.
-
-![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)
-
-
-
-
-
-
+You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report.
+For more information, see [Collect MDM logs](mdm-collect-logs.md).
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
new file mode 100644
index 0000000000..8c3dc27e89
--- /dev/null
+++ b/windows/client-management/mdm-known-issues.md
@@ -0,0 +1,244 @@
+---
+title: Known issues in MDM
+description: Learn about known issues for Windows devices in MDM
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-manage
+author: vinaypamnani-msft
+ms.date: 04/12/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Known issues
+
+## Get command inside an atomic command isn't supported
+
+A Get command inside an atomic command isn't supported.
+
+## Apps installed using WMI classes are not removed
+
+Applications installed using WMI classes aren't removed when the MDM account is removed from device.
+
+## Passing CDATA in SyncML does not work
+
+Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
+
+## SSL settings in IIS server for SCEP must be set to "Ignore"
+
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore".
+
+:::image type="content" source="images/ssl-settings.png" alt-text="Screenshot of SSL settings in IIS.":::
+
+## MDM enrollment fails on the Windows device when traffic is going through proxy
+
+When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
+
+## Server-initiated unenrollment failure
+
+Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
+
+Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
+
+## Certificates causing issues with Wi-Fi and VPN
+
+When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
+
+## Version information for Windows 11
+
+The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
+
+## Multiple certificates might cause Wi-Fi connection instabilities
+
+In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
+
+Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
+
+- The user may be prompted to select the certificate.
+- The wrong certificate may get auto selected and cause an authentication failure.
+
+A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
+
+EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide.
After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
+
+- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
+- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
+
+For information about EAP Settings, see .
+
+For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md).
+
+For more information about extended key usage, see .
+
+For information about adding extended key usage (EKU) to a certificate, see .
+
+The following list describes the prerequisites for a certificate to be used with EAP:
+
+- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
+ - Client Authentication.
+ - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
+ - Any Purpose.
+ - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
+ - All Purpose.
+ - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
+- The user or the computer certificate on the client chains to a trusted root CA.
+- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
+- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
+- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
+
+The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
+
+> [!NOTE]
+> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
+
+```xml + + + 13 + + + 0 + 0 + 0 + + + + + + + 13 + + + + + true + + + + + + + false + + + false + false + false + + + + + + ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + + + + + + + + + + + ContostoITEKU + + 1.3.6.1.4.1.311.42.1.15 + + + + + + + + + ContostoITEKU + + + + + Example1 + + + true + + + + + + + + + + + +```
+
+> [!NOTE]
+> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
+
+Alternatively you can use the following procedure to create an EAP Configuration XML.
+
+1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md).
+
+1. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
+
+ :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png":::
+
+ > [!NOTE]
+ > For PEAP or TTLS, select the appropriate method and continue following this procedure.
+
+1. Click the **Properties** button underneath the drop-down menu.
+
+1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
+
+ :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
+
+1. In the **Configure Certificate Selection** menu, adjust the filters as needed.
+
+ :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
+
+1. Click **OK** to close the windows to get back to the main `rasphone.exe` dialog box.
+
+1. Close the rasphone dialog box.
+
+1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
+
+> [!NOTE]
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
+
+## MDM client will immediately check in with the MDM server after client renews WNS channel URI
+
+After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
+
+## User provisioning failure in Azure Active Directory-joined devices
+
+For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+
+## Requirements to note for VPN certificates also used for Kerberos Authentication
+
+If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
+
+## Device management agent for the push-button reset is not working
+
+The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index fd9f4c2321..ecc058a048 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Mobile Device Management overview
-description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
-ms.date: 08/04/2022
+description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
+ms.date: 04/05/2023
 ms.technology: itpro-manage
 ms.topic: article
 ms.prod: windows-client
@@ -9,29 +9,37 @@ ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
 ---
 # Mobile Device Management overview
-Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
+Windows provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server.
 There are two parts to the Windows management component:
-- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
+- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. For more information, see [Enrollment overview](mobile-device-enrollment.md).
 - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10.
For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
+Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows.
+
+For details about the MDM protocols, see
+
+- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)
+- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f)
 ## MDM security baseline
-With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices.
+Microsoft provides MDM security baselines that function like the Microsoft group policy security baseline. You can easily integrate this baseline into any MDM solution to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices.
The MDM security baseline includes policies that cover the following areas:
-- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Device Guard (virtual-based security), Exploit Guard, Microsoft Defender Antivirus, and Firewall
+- Microsoft inbox security technologies (not deprecated) such as BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus, and Firewall
 - Restricting remote access to devices
 - Setting credential requirements for passwords and PINs
 - Restricting use of legacy technology
@@ -48,26 +56,22 @@ For more information about the MDM policies defined in the MDM security baseline
 For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
-## Learn about device enrollment
+## Frequently Asked Questions
-- [Mobile device enrollment](mobile-device-enrollment.md)
-- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
-- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+### Can there be more than one MDM server to enroll and manage devices in Windows?
-## Learn about device management
+No. Only one MDM is allowed.
-- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
-- [Enterprise app management](enterprise-app-management.md)
-- [Mobile device management (MDM) for device updates](device-update-management.md)
-- [OMA DM protocol support](oma-dm-protocol-support.md)
-- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
-- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
-- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
+### How do I set the maximum number of Azure Active Directory-joined devices per user?
-## Learn about configuration service providers
+1. Sign in to the portal as tenant admin: .
+1. Navigate to **Azure AD**, then **Devices**, and then click **Device Settings**.
+1. Change the number under **Maximum number of devices per user**.
-- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
-- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
-- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
-- [Configuration service provider reference](mdm/index.yml)
+### What is dmwappushsvc?
+
+| Entry | Description |
+| --------------- | -------------------- |
+| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
+| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. |
+| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail. |
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 5042ee9974..59a54a27da 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -95,49 +95,41 @@ In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. Th
 For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
-
-
- Get Configuration +- Get Configuration -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` -
+- Delete Configuration -
-
- Delete Configuration - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` @@ -201,101 +193,85 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu **Examples**: -
-
- Add KioskModeApp +- Add KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} + + + + + + ``` -
+- Delete KioskModeApp -
-
- Delete KioskModeApp + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` +- Get KioskModeApp -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -
-
- Get KioskModeApp +- Replace KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` - -
- -
-
- Replace KioskModeApp - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} + + + + + + ``` @@ -351,412 +327,387 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau > [!NOTE] > Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. -
-
- Shell Launcher V1 XSD +- Shell Launcher V1 XSD -```xml - - + ```xml + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - + + + + + - - -``` -
+ + + + + -
-
- Shell Launcher V2 XSD + + + + + + + + -```xml - - + + + + + + + + + + + + + + - - - - - - - - + + + - + + + + + + + + - -``` + + + + + + + -

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Shell Launcher V2 XSD + + ```xml + + + + + + + + + + + + + + + + ``` **Examples**: -
-
- Add +- Add -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
+- Add AutoLogon -
-
- Add AutoLogon + This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. -This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. + > [!NOTE] + > The auto-logon function is designed to be used after OOBE with provisioning packages. -> [!NOTE] -> The auto-logon function is designed to be used after OOBE with provisioning packages. + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` +- V2 Add -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
-
- V2 Add +- Get -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - -``` - -
- -
-
- Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + + ``` @@ -814,10 +765,6 @@ Additionally, the Status payload includes the following fields: **AssignedAccessAlert XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Example**: ```xml @@ -954,10 +899,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat **StatusConfiguration XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Examples**: -
-
- Add StatusConfiguration with StatusEnabled set to OnWithAlerts +- Add StatusConfiguration with StatusEnabled set to OnWithAlerts - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - - ``` - -
- -
-
- Delete StatusConfiguration - - ```xml - + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + - - ``` + + ``` -
+- Delete StatusConfiguration -
-
- Get StatusConfiguration + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` - ```xml - +- Get StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +- Replace StatusEnabled value with On + + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + - - ``` - -
- -
-
- Replace StatusEnabled value with On - - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - - ``` - -
+ + ``` @@ -1108,322 +1031,306 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat ## AssignedAccessConfiguration XSD -
-
- Schema for AssignedAccessConfiguration. +- Schema for AssignedAccessConfiguration. -```xml - - + ```xml + + - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -); -``` -
+ + + + -
-
- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + + + -```xml - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - -``` - -
- -
-
- Schema for new features introduced in Windows 10 1809 release. - -```xml - - - - - - - - - - + + + + + + + + + + + + - - - + - - - + + + + + + + + + + - - - - - + + + + + - + + + + - + + + - + + + - + + + + + - -``` + + + + + + -
+ + + + + + + + + + + -
-
- Schema for Windows 10 prerelease. + + + + -```xml - - + + + + - - - - - + + + - - - + + + + + + + - - - + + + + + + - -``` + + + + + -
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ); + ``` + +- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + ```xml + + + + + + + + + + + + + + ``` + +- Schema for new features introduced in Windows 10 1809 release. + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema for Windows 10 prerelease. + + ```xml + + + + + + + + + + + + + + + + + + + ``` ## AssignedAccessConfiguration examples @@ -1444,118 +1351,108 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat > > ``` -
-
- Example XML configuration for a multi-app kiosk for Windows 10. +- Example XML configuration for a multi-app kiosk for Windows 10. -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - -``` + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + + + ``` -
+- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. -
-
- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. + ```xml + + + + + + + + + + EdgeKioskUser + + + + + ``` -```xml - - - - - - - - - - EdgeKioskUser - - - - -``` +- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. -
+ > [!NOTE] + > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. -
-
- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. - -> [!NOTE] -> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. - -```xml - - - - - - - - - - - EdgeKioskUser - - - - -``` + ```xml + + + + + + + + + + + EdgeKioskUser + + + + + ```
@@ -1563,10 +1460,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning). -
-
- Expand this section to see the example. - ```xml diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 34dbe6281b..19f240cd0e 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -498,7 +498,7 @@ For each channel node, the user can: - Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel. - Specify an XPath query to filter events while exporting the channel event data. -For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](../diagnose-mdm-failures-in-windows-10.md). +For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Collect MDM logs](../mdm-collect-logs.md). diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 28b396eb2f..8bf785ab2e 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -2143,9 +2143,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
 | Value | Description |
 |:--|:--|
-| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
-| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. |
-| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. |
+| 0 | Notify the user before downloading the update. 
This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
+| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. |
+| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. |
 | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. 
If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
 | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. |
 | 5 | Turn off automatic updates. |
@@ -3069,6 +3069,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3167,6 +3176,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3265,6 +3283,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3363,6 +3390,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3515,7 +3551,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
-This setting allows to remove access to "Pause updates" feature.
+This setting allows removal access to "Pause updates" feature.
 Once enabled user access to pause updates is removed.
@@ -3657,7 +3693,7 @@ The following rules are followed regarding battery power:
 - Above 40% - allowed to reboot;
 - Above 20% - allowed to continue work.
-This setting overrides the install deferral behaviour of [AllowAutoUpdate](#allowautoupdate).
+This setting overrides the install deferral behavior of [AllowAutoUpdate](#allowautoupdate).
 These settings are designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices.
@@ -4062,7 +4098,7 @@ If you disable or do not configure this policy, the default method will be used.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
 Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates.
@@ -4154,7 +4190,7 @@ Allows IT Admins to specify additional upgrade delays for up to 8 months. Suppor
 - If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
@@ -4275,7 +4311,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
 You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
 If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4345,7 +4381,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
 You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
 If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4415,7 +4451,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
 You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
 If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4485,7 +4521,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
 You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
 If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4813,7 +4849,7 @@ To validate this policy:
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
@@ -4915,7 +4951,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
@@ -5218,6 +5254,27 @@ If you disable or do not configure this policy, the default notification behavio
+## Changes in Windows 10, version 1607
+
+Here are the new policies added in Windows 10, version 1607. Use these policies for Windows 10, version 1607 devices instead of the older policies
+
+- ActiveHoursEnd
+- ActiveHoursStart
+- AllowMUUpdateService
+- BranchReadinessLevel
+- DeferFeatureUpdatePeriodInDays
+- DeferQualityUpdatePeriodInDays
+- ExcludeWUDriversInQualityUpdate
+- PauseFeatureUpdates
+- PauseQualityUpdates
+
+Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
+
+- RequireDeferUpgrade
+- DeferUpgradePeriod
+- DeferUpdatePeriod
+- PauseDeferrals
+
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md
index 361556d8dd..1b1fb7c688 100644
--- a/windows/client-management/mobile-device-enrollment.md
+++ b/windows/client-management/mobile-device-enrollment.md
@@ -1,6 +1,6 @@
 ---
 title: Mobile device enrollment
-description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
+description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -8,10 +8,13 @@ ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 08/11/2017
+ms.date: 04/05/2023
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Mobile device enrollment
@@ -20,63 +23,53 @@ Mobile device enrollment is the first phase of enterprise management. The device The enrollment process includes the following steps: -1. Discovery of the enrollment endpoint - - This step provides the enrollment endpoint configuration settings. - -2. Certificate installation - - This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. - -3. DM Client provisioning - - This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). +1. **Discovery of the enrollment endpoint**: This step provides the enrollment endpoint configuration settings. +1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. +1. **DM Client provisioning**: This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). ## Enrollment protocol -There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. 
For detailed information about the mobile device enrollment protocol, see: + +- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f). +- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: ### Discovery request - The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. + +The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. ### Certificate enrollment policy -The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) + +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). 
+ +For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) ### Certificate enrollment + The certificate enrollment is an implementation of the MS-WSTEP protocol. ### Management configuration + The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The following topics describe the end-to-end enrollment process using various authentication methods: -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) -> [!Note] +> [!NOTE] > As a best practice, don't use hardcoded server-side checks on values such as: -> - User agent string -> - Any fixed URIs that are passed during enrollment -> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. +> +> - User agent string +> - Any fixed URIs that are passed during enrollment +> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. ## Enrollment support for domain-joined devices -Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. 
However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. - -## Disable MDM enrollments - -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. - -![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) - -Here's the corresponding registry key: - -HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM - -Value: DisableRegistration +Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. ## Enrollment scenarios not supported @@ -85,6 +78,15 @@ The following scenarios don't allow MDM enrollments: - Built-in administrator accounts on Windows desktop can't enroll into MDM. - Standard users can't enroll in MDM. Only admin users can enroll. +## Disable MDM enrollments + +IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy. + +Group Policy Path: **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +Corresponding registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` + +![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) + ## Enrollment error messages The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows: 
@@ -112,51 +114,19 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma ``` -**Sample error messages** +**Sample error messages**: -- **Namespace**: `s:` - - **Subcode**: MessageFormat - - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR - - **Description**: Invalid message from the Mobile Device Management (MDM) server. - - **HRESULT**: 80180001 +| Namespace | Subcode | Error | Description | HRESULT | +|-----------|----------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Invalid message from the Mobile Device Management (MDM) server. | 80180001 | +| s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. | 80180002 | +| s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. | 80180003 | +| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR | The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. | 80180004 | +| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | 80180005 | +| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. 
| 80180006 | +| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. | 80180007 | -- **Namespace**: `s:` - - **Subcode**: Authentication - - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR - - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. - - **HRESULT**: 80180002 - -- **Namespace**: `s:` - - **Subcode**: Authorization - - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - - **HRESULT**: 80180003 - -- **Namespace**: `s:` - - **Subcode**: CertificateRequest - - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR - - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. - - **HRESULT**: 80180004 - -- **Namespace**: `s:` - - **Subcode**: EnrollmentServer - - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR - - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. - - **HRESULT**: 80180005 - -- **Namespace**: `a:` - - **Subcode**: InternalServiceFault - - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR - - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. - - **HRESULT**: 80180006 - -- **Namespace**: `a:` - - **Subcode**: InvalidSecurity - - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR - - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. 
- - **HRESULT**: 80180007 - -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: +SOAP format also includes `deviceenrollmentserviceerror` element. Here's an example: ```xml 
@@ -188,48 +158,23 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
```
-**Sample error messages**
+**Sample error messages**:
-- **Subcode**: DeviceCapReached
- - **Error**: MENROLL_E_DEVICECAPREACHED
- - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error.
- - **HRESULT**: 80180013
-
-- **Subcode**: DeviceNotSupported
- - **Error**: MENROLL_E_DEVICENOTSUPPORTED
- - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device.
- - **HRESULT**: 80180014
-
-- **Subcode**: NotSupported
- - **Error**: MENROLL_E_NOT_SUPPORTED
- - **Description**: Mobile Device Management (MDM) is generally not supported for this device.
- - **HRESULT**: 80180015
-
-- **Subcode**: NotEligibleToRenew
- - **Error**: MENROLL_E_NOTELIGIBLETORENEW
- - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device.
- - **HRESULT**: 80180016
-
-- **Subcode**: InMaintenance
- - **Error**: MENROLL_E_INMAINTENANCE
- - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later.
- - **HRESULT**: 80180017
-
-- **Subcode**: UserLicense
- - **Error**: MENROLL_E_USER_LICENSE
- - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator.
- - **HRESULT**: 80180018
-
-- **Subcode**: InvalidEnrollmentData
- - **Error**: MENROLL_E_ENROLLMENTDATAINVALID
- - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly.
- - **HRESULT**: 80180019
+| Subcode | Error | Description | HRESULT |
+|-----------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| DeviceCapReached | MENROLL_E_DEVICECAPREACHED | The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. | 80180013 |
+| DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. | 80180014 |
+| NotSupported | MENROLL_E_NOT_SUPPORTED | Mobile Device Management (MDM) is generally not supported for this device. | 80180015 |
+| NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. | 80180016 |
+| InMaintenance | MENROLL_E_INMAINTENANCE | The Mobile Device Management (MDM) server states your account is in maintenance, try again later. | 80180017 |
+| UserLicense | MENROLL_E_USER_LICENSE | There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. | 80180018 |
+| InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. | 80180019 |
TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
## Related topics
-- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
-- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
-- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
+- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
+- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
+- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index aa0fa503b7..b1f316d46d 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -1,9 +1,6 @@
---
title: What's new in MDM enrollment and management
-description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-MS-HAID:
- - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
+description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
@@ -12,14 +9,17 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 09/16/2022
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# What's new in mobile device enrollment and management
-This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
+This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
-For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about Microsoft mobile device management protocols for Windows, see [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## What's new in MDM for Windows 11, version 22H2
@@ -28,7 +28,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [DeviceStatus](mdm/devicestatus-csp.md) | Added the following node:
  • MDMClientCertAttestation | | [eUUICs](mdm/euiccs-csp.md) | Added the following node:
  • IsDiscoveryServer | | [PersonalDataEncryption](mdm/personaldataencryption-csp.md) | New CSP | -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnabledSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnableSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | | [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:
  • Assessments | | [WindowsAutopilot](mdm/windowsautopilot-csp.md) | Added the following node:
  • HardwareMismatchRemediationData | @@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy in Windows 10, version 2004:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies in Windows 10, version 2004:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | | [DevDetail CSP](mdm/devdetail-csp.md) | Added the following new node:
  • Ext/Microsoft/DNSComputerName | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added the following node:
  • IsStub | | [SUPL CSP](mdm/supl-csp.md) | Added the following node:
  • FullVersion | @@ -71,7 +71,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [Policy CSP - Audit](mdm/policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](mdm/applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](mdm/defender-csp.md) | Added the following new nodes:
  • Health/TamperProtectionEnabled
  • Health/IsVirtualMachine
  • Configuration
  • Configuration/TamperProtection
  • Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | +| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | | [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:
  • SecurityKey
  • SecurityKey/UseSecurityKeyForSignin | @@ -80,7 +80,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| |[Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only
  • Authentication/EnableWebSignIn (Preview mode only
  • Authentication/PreferredAadTenantDomainName
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/DisableWUfBSafeguards
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Windows 10 Pro. | +| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Pro edition. | | [Defender CSP](mdm/defender-csp.md) | Added a new node Health/ProductStatus. | | [DevDetail CSP](mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | 
@@ -94,255 +94,3 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [WindowsLicensing CSP](mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
| [Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md) | New CSP. |
-## Breaking changes and known issues
-
-### Get command inside an atomic command isn't supported
-
-In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
-
-### Apps installed using WMI classes are not removed
-
-Applications installed using WMI classes aren't removed when the MDM account is removed from device.
-
-### Passing CDATA in SyncML does not work
-
-Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
-
-### SSL settings in IIS server for SCEP must be set to "Ignore"
-
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
-
-![ssl settings.](images/ssl-settings.png)
-
-### MDM enrollment fails on the Windows device when traffic is going through proxy
-
-When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
-
-### Server-initiated unenrollment failure
-
-Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
-
-Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
-
-### Certificates causing issues with Wi-Fi and VPN
-
-In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
-
-### Version information for Windows 11
-
-The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
-
-### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11
-
-In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
-
-Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
-
-- The user may be prompted to select the certificate.
-- The wrong certificate may get auto selected and cause an authentication failure.
-
-A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
-
-EAP XML must be updated with relevant information for your environment.
This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
-
-- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
-- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
-
-For information about EAP Settings, see .
-
-For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md).
-
-For more information about extended key usage, see .
-
-For information about adding extended key usage (EKU) to a certificate, see .
-
-The following list describes the prerequisites for a certificate to be used with EAP:
-
-- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
- - Client Authentication.
- - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
- - Any Purpose.
- - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- - All Purpose.
- - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
-- The user or the computer certificate on the client chains to a trusted root CA. -- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. -- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. -- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. - -The following XML sample explains the properties for the EAP TLS XML including certificate filtering. - -> [!NOTE] -> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. - -```xml - - - 13 - - - 0 - 0 - 0 - - - - - - - 13 - - - - - true - - - - - - - false - - - false - false - false - - - - - - ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - - - - - - - - - - - ContostoITEKU - - 1.3.6.1.4.1.311.42.1.15 - - - - - - - - - ContostoITEKU - - - - - Example1 - - - true - - - - - - - - - - - -``` - -> [!NOTE] -> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** - -Alternatively you can use the following procedure to create an EAP Configuration XML. - -1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). - -2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). - - :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: - - > [!NOTE] - > For PEAP or TTLS, select the appropriate method and continue following this procedure. - -3. Click the **Properties** button underneath the drop-down menu. - -4. 
In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
-
- :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
-
-5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
-
- :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
-
-6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
-
-7. Close the rasphone dialog box.
-
-8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
-
-> [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
-
-### MDM client will immediately check in with the MDM server after client renews WNS channel URI
-
-After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
-
-### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices
-
-In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
-
-### Requirements to note for VPN certificates also used for Kerberos Authentication
-
-If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
-
-### Device management agent for the push-button reset is not working
-
-The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
-
-## Frequently Asked Questions
-
-### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11?
-
-No. Only one MDM is allowed.
-
-### How do I set the maximum number of Azure Active Directory-joined devices per user?
-
-1. Sign in to the portal as tenant admin: https://portal.azure.com.
-2. Select Active Directory on the left pane.
-3. Choose your tenant.
-4. Select **Configure**.
-5. Set quota to unlimited.
-
- :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png":::
-
-### What is dmwappushsvc?
-
-Entry | Description
---------------- | --------------------
-What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform.
It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
-How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
deleted file mode 100644
index 0adc1b4483..0000000000
--- a/windows/client-management/new-policies-for-windows-10.md
+++ /dev/null
@@ -1,517 +0,0 @@
----
-title: New policies for Windows 10 (Windows 10)
-description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/15/2021
-ms.topic: reference
-ms.technology: itpro-manage
----
-
-# New policies for Windows 10
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
-
-For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
-
-The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451). 
-
-## New Group Policy settings in Windows 10, version 1903
-
-The following Group Policy settings were added in Windows 10, version 1903:
-
-**System**
-
-- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
-- System\Storage Sense\Allow Storage Sense
-- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
-- System\Storage Sense\Configure Storage Sense
-- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
-- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
-- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
-- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
-
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps activate with voice
-- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
-- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
-- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
-- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
-- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
-- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
-- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
-
-## New Group Policy settings in Windows 10, version 1809
-
-The following Group Policy settings were added in Windows 10, version 
1809:
-
-**Start Menu and Taskbar**
-
-- Start Menu and Taskbar\Force Start to be either full screen size or menu size
-- Start Menu and Taskbar\Remove "Recently added" list from Start Menu
-- Start Menu and Taskbar\Remove All Programs list from the Start menu
-- Start Menu and Taskbar\Remove frequent programs list from the Start Menu
-
-**System**
-
-- System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
-- System\Group Policy\Configure Applications preference extension policy processing
-- System\Group Policy\Configure Data Sources preference extension policy processing
-- System\Group Policy\Configure Devices preference extension policy processing
-- System\Group Policy\Configure Drive Maps preference extension policy processing
-- System\Group Policy\Configure Environment preference extension policy processing
-- System\Group Policy\Configure Files preference extension policy processing
-- System\Group Policy\Configure Folder Options preference extension policy processing
-- System\Group Policy\Configure Folders preference extension policy processing
-- System\Group Policy\Configure Ini Files preference extension policy processing
-- System\Group Policy\Configure Internet Settings preference extension policy processing
-- System\Group Policy\Configure Local Users and Groups preference extension policy processing
-- System\Group Policy\Configure Network Options preference extension policy processing
-- System\Group Policy\Configure Network Shares preference extension policy processing
-- System\Group Policy\Configure Power Options preference extension policy processing
-- System\Group Policy\Configure Printers preference extension policy processing
-- System\Group Policy\Configure Regional Options preference extension policy processing
-- System\Group Policy\Configure Registry preference extension policy processing
-- System\Group Policy\Configure Scheduled Tasks preference extension policy 
processing
-- System\Group Policy\Configure Services preference extension policy processing
-- System\Group Policy\Configure Shortcuts preference extension policy processing
-- System\Group Policy\Configure Start Menu preference extension policy processing
-- System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Files preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure INI Files preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and 
tracing
-- System\Group Policy\Logging and tracing\Configure Services preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing
-- System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing
-- System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
-- System\OS Policies\Allow Clipboard History
-- System\OS Policies\Allow Clipboard synchronization across devices
-
-**Windows Components**
-
-- Windows Components\Data Collection and Preview Builds\Configure Microsoft 365 Update Readiness upload endpoint
-- Windows Components\Data Collection and Preview Builds\Disable deleting diagnostic data
-- Windows Components\Data Collection and Preview Builds\Disable diagnostic data viewer
-- Windows Components\Delivery Optimization\[Reserved for future use] Cache Server Hostname
-- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\DFS Management
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\File Server Resource Manager
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Share and Storage Management
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Storage Manager for SANs
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\DFS Management Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Disk Management Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\File Server Resource Manager Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Share and Storage Management Extension
-- Windows 
Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Storage Manager for SANS Extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Management Editor
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Starter GPO Editor
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Application snap-ins
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Applications preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Computers)
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Users)
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Data Sources preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Devices preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Drive Maps preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Environment preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Files preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference 
snap-in extensions\Permit use of Folder Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folders preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Ini Files preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Internet Settings preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Local Users and Groups preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Shares preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Power Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Preferences tab
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Printers preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Regional Options preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Registry preference extension
-- Windows Components\Microsoft Management 
Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Scheduled Tasks preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Services preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Shortcuts preference extension
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Start Menu preference extension
-- Windows Components\OOBE\Don't launch privacy settings experience on user logon
-- Windows Components\OOBE\Don't launch privacy settings experience on user logon
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off Fair Share CPU Scheduling
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection
-- Windows 
Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions
-- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications
-- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans
-- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device
-- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application 
Guard
-- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates
-- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
-- Windows Components\Windows Media Player\Prevent Automatic Updates
-- Windows Components\Windows Media Player\Prevent CD and DVD Media Information Retrieval
-- Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
-- Windows Components\Windows Media Player\Prevent Media Sharing
-- Windows Components\Windows Media Player\Prevent Music File Media Information Retrieval
-- Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation
-- Windows Components\Windows Media Player\Prevent Radio Station Preset Retrieval
-- Windows Components\Windows Media Player\Prevent Video Smoothing
-- Windows Components\Windows Media Player\Networking\Configure HTTP Proxy
-- Windows Components\Windows Media Player\Networking\Configure MMS Proxy
-- Windows Components\Windows Media Player\Networking\Configure Network Buffering
-- Windows Components\Windows Media Player\Networking\Configure RTSP Proxy
-- Windows Components\Windows Media Player\Networking\Hide Network Tab
-- Windows Components\Windows Media Player\Networking\Streaming Media Protocols
-- Windows Components\Windows Media Player\Playback\Allow Screen Saver
-- Windows Components\Windows Media Player\Playback\Prevent Codec Download
-- Windows Components\Windows Media Player\User Interface\Do Not Show Anchor
-- Windows Components\Windows Media Player\User Interface\Hide Privacy Tab
-- Windows Components\Windows Media Player\User Interface\Hide Security Tab
-- Windows Components\Windows Media Player\User Interface\Set and Lock Skin
-- Windows Components\Windows Security\Account protection\Hide the Account protection area
-- Windows Components\Windows Security\App and browser protection\Hide the App and browser protection area
-- Windows Components\Windows Security\App and browser 
protection\Prevent users from modifying settings
-- Windows Components\Windows Security\Device performance and health\Hide the Device performance and health area
-- Windows Components\Windows Security\Device security\Disable the Clear TPM button
-- Windows Components\Windows Security\Device security\Hide the Device security area
-- Windows Components\Windows Security\Device security\Hide the Secure boot area
-- Windows Components\Windows Security\Device security\Hide the Security processor (TPM) troubleshooter page
-- Windows Components\Windows Security\Device security\Hide the TPM Firmware Update recommendation
-- Windows Components\Windows Security\Enterprise Customization\Configure customized contact information
-- Windows Components\Windows Security\Enterprise Customization\Configure customized notifications
-- Windows Components\Windows Security\Enterprise Customization\Specify contact company name
-- Windows Components\Windows Security\Enterprise Customization\Specify contact email address or Email ID
-- Windows Components\Windows Security\Enterprise Customization\Specify contact phone number or Skype ID
-- Windows Components\Windows Security\Enterprise Customization\Specify contact website
-- Windows Components\Windows Security\Family options\Hide the Family options area
-- Windows Components\Windows Security\Firewall and network protection\Hide the Firewall and network protection area
-- Windows Components\Windows Security\Notifications\Hide all notifications
-- Windows Components\Windows Security\Notifications\Hide non-critical notifications
-- Windows Components\Windows Security\Systray\Hide Windows Security Systray
-- Windows Components\Windows Security\Virus and threat protection\Hide the Ransomware data recovery area
-- Windows Components\Windows Security\Virus and threat protection\Hide the Virus and threat protection area
-- Windows Components\Windows Update\Display options for update notifications
-- Windows Components\Windows Update\Remove access 
to "Pause updates" feature
-
-**Control Panel**
-
-- Control Panel\Settings Page Visibility
-- Control Panel\Regional and Language Options\Allow users to enable online speech recognition services
-
-**Network**
-
-- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network
-
-
-## New Group Policy settings in Windows 10, version 1803
-
-The following Group Policy settings were added in Windows 10, version 1803:
-
-**System**
-
-- System\Credentials Delegation\Encryption Oracle Remediation
-- System\Group Policy\Phone-PC linking on this device
-- System\OS Policies\Allow upload of User Activities
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps access an eye tracker device
-- Windows Components\Cloud Content\Turn off Windows Spotlight on Settings
-- Windows Components\Data Collection and Preview Builds\Allow device name to be sent in Windows diagnostic data
-- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface
-- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications
-- Windows Components\Delivery Optimization\Maximum Background Download Bandwidth (percentage)
-- Windows Components\Delivery Optimization\Maximum Foreground Download Bandwidth (percentage)
-- Windows Components\Delivery Optimization\Select the source of Group IDs
-- Windows Components\Delivery Optimization\Delay background download from http (in secs)
-- Windows Components\Delivery Optimization\Delay Foreground download from http (in secs)
-- Windows Components\Delivery Optimization\Select a method to restrict Peer Selection
-- Windows Components\Delivery Optimization\Set Business Hours to Limit Background Download Bandwidth
-- Windows Components\Delivery Optimization\Set Business Hours to Limit Foreground Download Bandwidth
-- Windows Components\IME\Turn on Live Sticker
-- Windows Components\Remote Desktop Services\Remote Desktop Session 
Host\Device and Resource Redirection\Do not allow video capture redirection
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions
-- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account
-- Windows Components\Store\Disable all apps from Microsoft Store
-- Windows Components\Text Input\Allow Uninstallation of Language Features
-- Windows Components\Text Input\Improve inking and typing recognition
-- Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard
-- Windows Components\Windows Defender Security Center\Account protection\Hide the Account protection area
-- Windows Components\Windows Defender Security Center\Device security\Hide the Device security area
-- Windows Components\Windows Defender Security Center\Device security\Hide the Security processor (TPM) troubleshooter page
-- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area
-- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area
-
-
-## New Group Policy settings in Windows 10, version 1709
-
-The following Group Policy settings were added in Windows 10, version 1709:
-
-**Control Panel**
-
-- Control Panel\Allow Online Tips
-
-**Network**
-
-- Network\Network Connectivity Status Indicator\Specify global DNS
-- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility
-- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data
-
-**System**
-
-- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting
-- System\OS Policies\Enables Activity Feed
-- System\OS Policies\Allow publishing of User Activities
-- System\Power Management\Power Throttling Settings\Turn off Power Throttling
-- 
System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model
-- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state.
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices
-- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics
-- Windows Components\Handwriting\Handwriting Panel Default Mode Docked
-- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge
-- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token
-- Windows Components\Messaging\Allow Message Service Cloud Sync
-- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge
-- Windows Components\Microsoft Edge\Provision Favorites
-- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge
-- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on
-- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive
-- Windows Components\Push To Install\Turn off Push To Install service
-- Windows Components\Search\Allow Cloud Search
-- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard
-- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack 
Surface Reduction\Configure Attack Surface Reduction rules
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications
-- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders
-- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings
-- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area
-- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area
-- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area
-- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings
-- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area
-- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area
-- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications
-- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or 
Skype ID
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website
-- Windows Components\Windows Hello for Business\Configure device unlock factors
-- Windows Components\Windows Hello for Business\Configure dynamic lock factors
-- Windows Components\Windows Hello for Business\Turn off smart card emulation
-- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users
-- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
-- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
-
-
-## New Group Policy settings in Windows 10, version 1703
-
-The following Group Policy settings were added in Windows 10, version 1703:
-
-**Control Panel**
-
-- Control Panel\Add or Remove Programs\Specify default category for Add New Programs
-- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option
-- Control Panel\Personalization\Prevent changing lock screen and logon image
-
-**Network**
-
-- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers
-- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
-- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache
-- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size
-- Network\DNS Client\Allow NetBT queries for fully qualified domain names
-- Network\Network Connections\Prohibit access to properties of components of a LAN connection
-- Network\Network Connections\Ability to Enable/Disable a LAN connection
-- Network\Offline Files\Turn on economical application of administratively assigned Offline Files
-- 
Network\Offline Files\Configure slow-link mode
-- Network\Offline Files\Enable Transparent Caching
-- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server
-- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping
-
-**System**
-
-- System\App-V\Streaming\Location Provider
-- System\App-V\Streaming\Certificate Filter For Client SSL
-- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication
-- System\Ctrl+Alt+Del Options\Remove Change Password
-- System\Ctrl+Alt+Del Options\Remove Lock Computer
-- System\Ctrl+Alt+Del Options\Remove Task Manager
-- System\Ctrl+Alt+Del Options\Remove Logoff
-- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device
-- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation
-- System\Locale Services\Disallow user override of locale settings
-- System\Logon\Do not process the legacy run list
-- System\Logon\Always use custom logon background
-- System\Logon\Do not display network selection UI
-- System\Logon\Block user from showing account details on sign-in
-- System\Logon\Turn off app notifications on the lock screen
-- System\User Profiles\Establish timeout value for dialog boxes
-- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client
-
-**Windows Components**
-
-- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
-- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones
-- Windows Components\Application Compatibility\Turn off Application Compatibility Engine
-- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
-- Windows Components\Application Compatibility\Turn off Steps 
Recorder -- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments -- Windows Components\Biometrics\Allow the use of biometrics -- Windows Components\NetMeeting\Disable Whiteboard -- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID -- Windows Components\File Explorer\Display the menu bar in File Explorer -- Windows Components\File History\Turn off File History -- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security 
Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting -- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy -- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode -- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider -- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication -- Windows Components\Microsoft Edge\Configure Autofill -- Windows Components\Microsoft Edge\Allow Developer Tools -- Windows Components\Microsoft Edge\Configure Do Not Track -- Windows 
Components\Microsoft Edge\Allow InPrivate browsing -- Windows Components\Microsoft Edge\Configure Password Manager -- Windows Components\Microsoft Edge\Configure Pop-up Blocker -- Windows Components\Microsoft Edge\Allow search engine customization -- Windows Components\Microsoft Edge\Configure search suggestions in Address bar -- Windows Components\Microsoft Edge\Set default search engine -- Windows Components\Microsoft Edge\Configure additional search engines -- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List -- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC -- Windows Components\Microsoft Edge\Configure Start pages -- Windows Components\Microsoft Edge\Disable lockdown of Start pages -- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites -- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration -- Windows Components\Windows Installer\Prohibit use of Restart Manager -- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed. 
-- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets -- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage -- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1 -- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections -- Windows Components\OneDrive\Save documents to OneDrive by default -- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute -- Windows Components\Smart Card\Turn on certificate propagation from smart card -- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks -- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) -- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring -- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates -- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update -- Windows Components\File Explorer\Display confirmation dialog when deleting files -- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer -- Windows Components\Windows Update\Remove access to use all Windows Update features -- Windows Components\Windows Update\Configure Automatic Updates -- Windows Components\Windows Update\Specify intranet Microsoft update service location -- Windows Components\Windows Update\Automatic Updates detection frequency -- Windows Components\Windows Update\Allow non-administrators to receive update notifications -- Windows Components\Windows Update\Allow Automatic Updates immediate installation -- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates -- 
Windows Components\Shutdown Options\Turn off legacy remote shutdown interface - - -For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627). - -## New MDM policies - -Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as: - -- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only) - -- Enhanced Bluetooth policies - -- Passport and Hello - -- Device update - -- Hardware-based device health attestation - -- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout - -- Security - -- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management - -- Certificate management - -- Windows Tips - -- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu - -Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md). - -If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). - -No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference. 
- -## Related topics - -[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946) - -[Manage corporate devices](manage-corporate-devices.md) - -[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index d87cd9db0c..521d15c082 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,7 +1,7 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,9 +9,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- - # OMA DM protocol support The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). @@ -30,10 +32,8 @@ The following table shows the OMA DM standards that Windows uses. |Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "." can be part of the node name.
  • The node name can't be empty.
  • The node name can't be only the asterisk (`*`) character.| |Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| -|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| +|Handling of large objects|In Windows 10, client support for uploading large objects to the server was added.| - - ## OMA DM protocol common elements Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). @@ -51,7 +51,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes.
    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| @@ -68,26 +68,27 @@ A short DM session can be summarized as: A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A DM session can be divided into two phases: -1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. + +1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. +1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. The following information shows the sequence of events during a typical DM session. -1. DM client is invoked to call back to the management server

    Enterprise scenario – The device task schedule invokes the DM client. +1. DM client is invoked to call back to the management server

    Enterprise scenario - The device task schedule invokes the DM client. The MO server sends a server trigger message to invoke the DM client. The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -2. The device sends a message, over an IP connection, to initiate the session. +1. The device sends a message, over an IP connection, to initiate the session. This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. -3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. +1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. -4. The device responds to server management commands. This message includes the results of performing the specified device management operations. +1. The device responds to server management commands. This message includes the results of performing the specified device management operations. -5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. +1. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). 
@@ -97,7 +98,6 @@ If a request includes credentials and the response code to the request is 200, t For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/). - ## User targeted vs. Device targeted configuration For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. @@ -130,8 +130,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` - - ## SyncML response status codes When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index daf5a628d7..8e72627af0 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md 
@@ -1,65 +1,61 @@ --- title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # On-premises authentication device enrollment -This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). -## In this topic - -- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) - - [In this topic](#in-this-topic) - - [Discovery service](#discovery-service) - - [Enrollment policy web service](#enrollment-policy-web-service) - - [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. 
The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. 
-``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: unknown Header Byte Count: 153 Body Byte Count: 0 ``` -``` +```http GET /EnrollmentServer/Discovery.svc HTTP/1.1 User-Agent: Windows Phone 8 Enrollment Client Host: EnterpriseEnrollment.contoso.com Pragma: no-cache ``` -``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: text/html Header Byte Count: 248 Body Byte Count: 0 ``` -``` +```http HTTP/1.1 200 OK Connection: Keep-Alive Pragma: no-cache 
@@ -68,18 +64,18 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it is redirected: + - If the device is not redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address: -``` +```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc ``` 
@@ -124,9 +120,9 @@ If a domain and user name are provided by the user instead of an email address, The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. 
@@ -171,42 +167,42 @@ For the OnPremise authentication policy, the UsernameToken in GetPolicies contai The following example shows the policy web service request. ```xml - - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - user@contoso.com - mypassword - - - - - - - - - - - - - + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + user@contoso.com + mypassword + + + + + + + + + + + + + ``` After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. 
@@ -301,7 +297,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. -The RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. +The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. @@ -311,11 +307,11 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType The following example shows the enrollment web service request for OnPremise authentication. ```xml - 
@@ -344,8 +340,8 @@ The following example shows the enrollment web service request for OnPremise aut http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -383,7 +379,6 @@ The following example shows the enrollment web service request for OnPremise aut 7BA748C8-703E-4DF2-A74A-92984117346A - True @@ -396,8 +391,8 @@ The following example shows the enrollment web service request for OnPremise aut The following example shows the enrollment web service response. ```xml - @@ -413,14 +408,15 @@ The following example shows the enrollment web service response. - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + + B64EncodedSampleBinarySecurityToken - + 0 @@ -440,7 +436,7 @@ The following example shows the enrollment web service response. The following example shows the encoded provisioning XML. -``` +```xml @@ -452,17 +448,17 @@ The following example shows the encoded provisioning XML. - + - - + + - + @@ -505,7 +501,7 @@ The following example shows the encoded provisioning XML. - + @@ -513,7 +509,7 @@ The following example shows the encoded provisioning XML. - ``` diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index 712795c303..b1094d670f 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md 
@@ -1,84 +1,58 @@
 ---
 title: Push notification support for device management
 description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
- - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 09/22/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-
 # Push notification support for device management
-The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification).
-Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)).
+Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview](/windows/apps/design/shell/tiles-and-notifications/raw-notification-overview).
 The following restrictions are related to push notifications and WNS:
-- Push for device management uses raw push notifications.
This restriction means that these raw push notifications don't support or utilize push notification payloads.
-- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated.
-- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired.
-- Push isn't a replacement for having a polling schedule.
-- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support.
-- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel.
+- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads.
+- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated.
Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated.
+- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired.
+- Push isn't a replacement for having a polling schedule.
+- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support.
- To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue.
+- In Windows 10, version 1511, we use the following retry logic for the DMClient:
-- On Windows 10, version 1511, we use the following retry logic for the DMClient:
- - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left.
- - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now.
- - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now.
-
-
-- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity.
If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again.
+ - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left.
+ - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now.
+ - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now.
+- In Windows 10, version 1607 and later, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again.
 ## Get WNS credentials and PFN for MDM push notification
 To get a PFN and WNS credentials, you must create a Microsoft Store app.
-1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
+1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
+1. Select **Apps and games** under Workspaces. Create a **New product** and select **MSIX or PWA app**.
+1. Reserve an app name.
+1. Select **Product Identity** under Product Management to view the **Package Family Name (PFN)** of your app.
+1. Select **WNS/MPNS** under Product Management.
+ 1. Click the **App Registration portal** link. A new window opens showing your app in the Azure Portal.
+ 1. In the Application Registration Portal page, you'll see the properties for the app that you created, such as:
+ - Application ID
+ - Application Secrets
+ - Redirect URIs
- ![mdm push notification1.](images/push-notification1.png)
-2. Create a new app.
-
- ![mdm push notification2.](images/push-notification2.png)
-3. Reserve an app name.
-
- ![mdm push notification3.](images/push-notification3.png)
-4. Click **Services**.
-
- ![mdm push notification4.](images/push-notification4.png)
-5. Click **Push notifications**.
-
- ![mdm push notification5.](images/push-notification5.png)
-6. Click **Live Services site**.
A new window opens for the **Application Registration Portal** page.
-
- ![mdm push notification6.](images/push-notification6.png)
-7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as:
- - Application ID
- - Application Secrets
- - Microsoft Store Package SID, Application Identity, and Publisher.
-
- ![mdm push notification7.](images/push-notification7.png)
-8. Click **Save**.
-9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard.
-10. Select your app from the list on the left.
-11. From the left nav, expand **App management** and then click **App identity**.
-
- ![mdm push notification10.](images/push-notification10.png)
-12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app.
-
- 
+For more information see, [Tutorial: Send notifications to Universal Windows Platform apps using Azure Notification Hubs](/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification).
diff --git a/windows/client-management/register-your-free-azure-active-directory-subscription.md b/windows/client-management/register-your-free-azure-active-directory-subscription.md
deleted file mode 100644
index 2d326ac269..0000000000
--- a/windows/client-management/register-your-free-azure-active-directory-subscription.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Register your free Azure Active Directory subscription
-description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 06/26/2017
----
-
-# Register your free Azure Active Directory subscription
-
-If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
-
-> **Note**  If you don't have any Microsoft service that comes with a free Azure AD subscription, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
-
- 
-## Register your free Azure Active Directory subscription
-
-1. Sign in to the Microsoft 365 admin center at using your organization's account.
-
- ![screen to register azure-ad](images/azure-ad-add-tenant10.png)
-
-2. On the **Home** page, click on the Admin tools icon.
-
- ![screen for registering azure-ad](images/azure-ad-add-tenant11.png)
-
-3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. You're taken to the Azure Active Directory portal.
-
- ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
-
-
- 
-
-
-
-
-
-
diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md
index c0a307103f..30f628af50 100644
--- a/windows/client-management/server-requirements-windows-mdm.md
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,9 +1,6 @@
 ---
 title: Server requirements for using OMA DM to manage Windows devices
 description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-MS-HAID:
- - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -12,29 +9,25 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Server requirements for using OMA DM to manage Windows devices
 The following list shows the general server requirements for using OMA DM to manage Windows devices:
-- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
+- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
-- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
+- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
-- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
+- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
-- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
+- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
-- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
+- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
-- The server must support HTTPS.
-
- 
-
-
-
-
-
+- The server must support HTTPS.
diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md
index 5e5008f0eb..b3724368d3 100644
--- a/windows/client-management/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md
@@ -9,6 +9,9 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Structure of OMA DM provisioning files
@@ -65,17 +68,16 @@ The following example shows the general structure of the XML document sent by th
 SyncHdr includes the following information:
-- Document Type Definition (DTD) and protocol version numbers
+- Document Type Definition (DTD) and protocol version numbers
-- Session and message identifiers. Each message in the same DM session must have a different MsgID.
+- Session and message identifiers. Each message in the same DM session must have a different MsgID.
-- Message source and destination Uniform Resource Identifiers (URIs)
+- Message source and destination Uniform Resource Identifiers (URIs)
-- Credentials for authentication
+- Credentials for authentication
 This information is used to by the client device to properly manage the DM session.
- **Code example**
 The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
@@ -83,7 +85,7 @@ The following example shows the header component of a DM message. In this case,
 > [!NOTE]
 > The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md).
- 
+
 ```xml
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 74837fc166..9a48d7372f 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -5,85 +5,70 @@ items:
 - name: Mobile device management (MDM)
 expanded: true
 items:
- - name: Overview
+ - name: MDM overview
+ expanded: true
 items:
- - name: MDM overview
+ - name: What is MDM?
 href: mdm-overview.md
- - name: What's new in MDM enrollment and management
+ - name: What's new in MDM
 href: new-in-windows-mdm-enrollment-management.md
- - name: Azure Active Directory integration with MDM
- href: azure-active-directory-integration-with-mdm.md
+ - name: Azure Active Directory integration
+ href: azure-active-directory-integration-with-mdm.md
+ - name: Transitioning to modern management
+ href: manage-windows-10-in-your-organization-modern-management.md
+ - name: Push notification support
+ href: push-notification-windows-mdm.md
+ - name: MAM support
+ href: implement-server-side-mobile-application-management.md
+ - name: Enroll devices
+ expanded: false
 items:
- - name: Add an Azure AD tenant and Azure AD subscription
- href: add-an-azure-ad-tenant-and-azure-ad-subscription.md
- - name: Register your free Azure Active Directory subscription
- href: register-your-free-azure-active-directory-subscription.md
- - name: Device enrollment
- href: mobile-device-enrollment.md
- items:
- - name: MDM enrollment of Windows devices
+ - name: Enrollment overview
+ href: mobile-device-enrollment.md
+ - name: Manual enrollment
 href: mdm-enrollment-of-windows-devices.md
- - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment"
+ - name: Automatic enrollment
 href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
- - name: Enroll a Windows 10 device automatically using Group Policy
+ - name: Group policy enrollment
 href: enroll-a-windows-10-device-automatically-using-group-policy.md
 - name: Bulk enrollment
 href: bulk-enrollment-using-windows-provisioning-tool.md
- - name: Federated authentication device enrollment
+ - name: Federated authentication enrollment
 href: federated-authentication-device-enrollment.md
- - name: Certificate
authentication device enrollment
+ - name: Certificate authentication enrollment
 href: certificate-authentication-device-enrollment.md
- - name: On-premises authentication device enrollment
+ - name: On-premises authentication enrollment
 href: on-premise-authentication-device-enrollment.md
- - name: Disconnecting a device from MDM (unenrollment)
- href: disconnecting-from-mdm-unenrollment.md
- - name: Enterprise settings, policies, and app management
- href: windows-mdm-enterprise-settings.md
+ - name: Manage devices
+ expanded: false
 items:
- - name: Enterprise app management
+ - name: Manage settings
+ href: windows-mdm-enterprise-settings.md
+ - name: Manage apps
 href: enterprise-app-management.md
- - name: Deploy and configure App-V apps using MDM
- href: appv-deploy-and-config.md
- - name: Mobile device management (MDM) for device updates
+ - name: Manage updates
 href: device-update-management.md
 - name: Secured-Core PC Configuration Lock
 href: config-lock.md
 - name: Certificate renewal
 href: certificate-renewal-windows-mdm.md
- - name: Diagnose MDM failures in Windows 10
- href: diagnose-mdm-failures-in-windows-10.md
- - name: Push notification support for device management
- href: push-notification-windows-mdm.md
- - name: MAM support for device management
- href: implement-server-side-mobile-application-management.md
+ - name: eSIM management
+ href: esim-enterprise-management.md
+ - name: Diagnose MDM failures
+ expanded: false
+ items:
+ - name: Collect MDM logs
+ href: mdm-collect-logs.md
+ - name: Diagnose MDM enrollment
+ href: mdm-diagnose-enrollment.md
+ - name: Known issues
+ href: mdm-known-issues.md
+ - name: Unenroll devices
+ href: disconnecting-from-mdm-unenrollment.md
 - name: Configuration service provider reference
 href: mdm/index.yml
 - name: Client management tools and settings
- items:
- - name: Windows Tools/Administrative Tools
- href: administrative-tools-in-windows-10.md
- - name: Use Quick Assist to help users
- href: quick-assist.md
-
- name: Connect to remote Azure Active Directory-joined PC
- href: connect-to-remote-aadj-pc.md
- - name: Create mandatory user profiles
- href: mandatory-user-profile.md
- - name: New policies for Windows 10
- href: new-policies-for-windows-10.md
- - name: Windows 10 default media removal policy
- href: change-default-removal-policy-external-storage-media.md
- - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education
- href: group-policies-for-enterprise-and-education-editions.md
- - name: Manage Device Installation with Group Policy
- href: manage-device-installation-with-group-policy.md
- - name: Manage the Settings app with Group Policy
- href: manage-settings-app-with-group-policy.md
- - name: What version of Windows am I running
- href: windows-version-search.md
- - name: Transitioning to modern management
- href: manage-windows-10-in-your-organization-modern-management.md
- - name: Windows libraries
- href: windows-libraries.md
+ expanded: true
+ href: client-tools/toc.yml
 - name: Troubleshoot Windows clients
 href: /troubleshoot/windows-client/welcome-windows-client
-
diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md
index 344d0eb5a7..dd0861e26c 100644
--- a/windows/client-management/understanding-admx-backed-policies.md
+++ b/windows/client-management/understanding-admx-backed-policies.md
@@ -1,28 +1,32 @@
 ---
 title: Understanding ADMX policies
-description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
+description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Understanding ADMX policies
 Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
+Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
-## Background
+## Background
 In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies.
In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
+
 - OS settings: Computer Configuration/Administrative Templates
 - Application settings: User Configuration/Administrative Templates
@@ -33,26 +37,27 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy
 Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md).
-
+
-## ADMX files and the Group Policy Editor
+## ADMX files and the Group Policy Editor
 To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy.
For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting:
+
 - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition.
+ - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
+ - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition.
 - If **Disabled** is selected and you click **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
- - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition.
+ - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
+ - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition.
 - If **Not Configured** is selected and you click **Apply**, the following events occur:
- - MDM ISV server sets up a Delete SyncML command.
- - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition.
+ - MDM ISV server sets up a Delete SyncML command.
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition.
 The following diagram shows the main display for the Group Policy Editor.
@@ -72,25 +77,26 @@ For more information about the Group Policy description format, see [Administrat
 For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences:
 Enabling a policy example:
+
 ```XML
 ``
 ```
 Appv.admx file:
+
 ```XML
 ```
-
-## ADMX policy examples
+## ADMX policy examples
 The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+### Enabling a policy
-### Enabling a policy
+**Payload**:
-**Payload**
 ```XML
@@ -104,7 +110,9 @@ The following SyncML examples describe how to set an MDM policy that is defined
 ```
-**Request SyncML**
+
+**Request SyncML**:
+
 ```XML
@@ -138,7 +146,8 @@ The following SyncML examples describe how to set an MDM policy that is defined
 ```
-**Response SyncML**
+**Response SyncML**:
+
 ```XML
 2
@@ -149,14 +158,16 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Disabling a policy +### Disabling a policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -177,9 +188,10 @@ The following SyncML examples describe how to set an MDM policy that is defined -'''' +``` + +**Response SyncML**: -**Response SyncML** ```XML 2 @@ -190,13 +202,13 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Setting a policy to not configured +### Setting a policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: ```XML @@ -215,7 +227,7 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: ```XML 
@@ -227,35 +239,31 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -## Sample SyncML for various ADMX elements +## Sample SyncML for various ADMX elements This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. -### How a Group Policy policy category path and name are mapped to an MDM area and policy name +### How a Group Policy policy category path and name are mapped to an MDM area and policy name -Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. +Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). -**Snippet of manifest for AppVirtualization area:** +**Snippet of manifest for AppVirtualization area**: ```XML -. -. -. + ... -. -. -. + ... ``` The **LocURI** for the above GP policy is: @@ -264,11 +272,11 @@ The **LocURI** for the above GP policy is: To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. -### Text Element +### Text Element The `text` element simply corresponds to a string and correspondingly to an edit box in a policy panel display by gpedit.msc. The string is stored in the registry of type REG_SZ. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML @@ -280,7 +288,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML 
@@ -304,9 +312,9 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -### MultiText Element +### MultiText Element -The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc.  It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) +The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -345,7 +353,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ``` -### List Element (and its variations) +### List Element (and its variations) The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. @@ -354,7 +362,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML 
@@ -366,7 +374,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -389,7 +397,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### No Elements +### No Elements ```XML @@ -398,7 +406,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -421,7 +429,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Enum +### Enum ```XML @@ -455,7 +463,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -477,7 +485,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Decimal Element +### Decimal Element ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -514,7 +522,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Boolean Element +### Boolean Element ```XML @@ -540,7 +548,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index 5c5b946138..d3ea09a030 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md 
@@ -1,7 +1,7 @@
 ---
 title: Using PowerShell scripting with the WMI Bridge Provider
 description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider.
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -9,13 +9,15 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Using PowerShell scripting with the WMI Bridge Provider
 This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
-
 ## Configuring per-device policy settings
 This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system").
@@ -42,7 +44,7 @@ The following script describes how to create, enumerate, query, modify, and dele
 $namespaceName = "root\cimv2\mdm\dmmap"
 $className = "MDM_Policy_Config01_WiFi02"
-# Create a new instance for MDM_Policy_Config01_WiFi02 
+# Create a new instance for MDM_Policy_Config01_WiFi02
 New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100}
 # Enumerate all instances available for MDM_Policy_Config01_WiFi02
@@ -84,15 +86,13 @@ class MDM_Policy_User_Config01_Authentication02 }; ``` -> **Note**  If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. - -  +> [!NOTE] +> If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. -> **Note**   All commands must executed under local system. - -  +> [!NOTE] +> All commands must executed under local system. A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. @@ -220,5 +220,3 @@ catch [Exception] ## Related topics [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) - -  \ No newline at end of file diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index 830640d4c2..b6502accac 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md 
@@ -1,33 +1,27 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion -description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. +description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/23/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Win32 and Desktop Bridge app ADMX policy Ingestion -## In this section +## Overview -- [Overview](#overview) -- [Ingesting an app ADMX file](#ingesting-an-app-admx-file) -- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX app policy examples](#admx-backed-app-policy-examples) - - [Enabling an app policy](#enabling-an-app-policy) - - [Disabling an app policy](#disabling-an-app-policy) - - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) +You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. -## Overview +Starting from the following Windows versions `Replace` command is supported: -Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. 
- -NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed - Windows 10, version 1809 with KB4512534 and KB installed - Windows 10, version 1803 with KB4512509 and KB installed @@ -57,17 +51,18 @@ When the ADMX policies are ingested, the registry keys to which each policy is w - software\Microsoft\Edge - Software\Microsoft\EdgeUpdate\ -> [!Warning] +> [!WARNING] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). -## Ingesting an app ADMX file +## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. -**Payload** +**Payload**: + ```XML @@ -201,7 +196,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap ``` -**Request Syncml** +**Request Syncml**: The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. 
@@ -360,12 +355,13 @@ The following example shows an ADMX file in SyncML format: ``` -**Response Syncml** +**Response Syncml**: + ```XML 21102Add200 ``` -### URI format for configuring an app policy +### URI format for configuring an app policy The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: @@ -394,10 +390,9 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n ``` -As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: -'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'. +As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: `./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}`. -**User or device policy** +**User or device policy**: In the policy class, the attribute is defined as "User" and the URI is prefixed with `./user`. If the attribute value is "Machine", the URI is prefixed with `./device`. 
@@ -409,25 +404,28 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. Therefore, from the example: + - Class: User - Policy name: L_PolicyPreventRun_1 - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` -## ADMX-backed app policy examples +## ADMX-backed app policy examples The following examples describe how to set an ADMX-ingested app policy. -### Enabling an app policy +### Enabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request Syncml** +**Request Syncml**: + ```XML @@ -449,19 +447,22 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21103Replace200 ``` -### Disabling an app policy +### Disabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -483,18 +484,20 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21104Replace200 ``` -### Setting an app policy to not configured +### Setting an app policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: + ```XML @@ -511,7 +514,8 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21105Delete200 ``` diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index c773fbc2ea..82d1bf3135 100644 
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,32 +1,31 @@
 ---
-title: Enterprise settings, policies, and app management
+title: Enterprise settings and policy management
 description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow.
-MS-HAID:
- - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management'
- - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings'
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# Enterprise settings, policies, and app management
+# Enterprise settings and policy management
 The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/).
-Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml).
+Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml).
-The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server.
+Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings.
The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. The following diagram shows the work flow between server and client. ![windows client and server mdm diagram.](images/enterprise-workflow.png) - ## Management workflow This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. 
@@ -37,15 +36,7 @@ The DM client configuration, company policy enforcement, business application ma Here's a summary of the DM tasks supported for enterprise management: -- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. -- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. -- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. -- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. - -  - - - - - - +- **Company policy management**: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. 
+- **Enterprise application management**: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
+- **Certificate management**: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates.
+- **Basic device inventory and asset management**: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
deleted file mode 100644
index 0ca2a86f1e..0000000000
--- a/windows/client-management/windows-version-search.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: What version of Windows am I running?
-description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/30/2018
-ms.reviewer: 
-manager: aaroncz
-ms.topic: troubleshooting
-ms.technology: itpro-manage
----
-
-# What version of Windows am I running?
-
-To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
-
-## System Properties
-Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
-
-You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
-
-![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png)
-
-## Using Keyword Search
-You can type the following in the search bar and press **ENTER** to see version details for your device.
-
-**“winver”**
-
-![screenshot of the About Windows display text.](images/winver.png)
-
-**“msinfo”** or **"msinfo32"** to open **System Information**:
-
-![screenshot of the System Information display text.](images/msinfo32.png)
-
-## Using Command Prompt or PowerShell
-At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
-
-![screenshot of system information display text.](images/refcmd.png)
-
-At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
-
-![screenshot of software licensing manager.](images/slmgr_dlv.png)
-
-## What does it all mean?
-
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices.
-
-In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
\ No newline at end of file
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index 3d701812c0..79a3785540 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,10 +1,7 @@
 ---
-title: WMI providers supported in Windows 10
+title: WMI providers supported in Windows
 description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI).
-MS-HAID:
- - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview'
- - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows'
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
@@ -12,11 +9,14 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# WMI providers supported in Windows 10
+# WMI providers supported in Windows
-Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10.
+Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows.
 > [!NOTE]
 > Applications installed using WMI classes are not removed when the MDM account is removed from device.
@@ -53,137 +53,135 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 ## MDM WMI classes
-|Class|Test completed in Windows 10 for desktop|
-|--- |--- |
-|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.|
-|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.|
-|[**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework)|Currently testing.|
-|[**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting)|Currently testing.|
-|[**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)|Yes|
-|[**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)|Yes|
-|[**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)|Yes|
-|[**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)|Yes|
-|[**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)|Currently testing.|
-|[**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)|Yes|
-|[**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)||
-|[**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)|Yes|
-|[**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)|Yes|
-|**MDM_MsiApplication**||
-|**MDM_MsiInstallJob**||
-|[**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication)|Test not started.|
-|[**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie)|Test not started.|
-|[**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)|Yes|
-|[**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)|Test not started.|
-|[**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)|Yes|
-|[**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)||
-|[**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer)|Currently testing.|
-|[**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)|Yes|
-|[**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)|Yes|
-|**MDM_VpnConnection**||
-|[**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication)|Currently testing.|
-|[**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)|Yes|
-|[**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)|Yes|
-|[**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)|Yes|
-|[**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)|Yes|
-|[**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)|Yes|
-|[**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)|Yes|
-|[**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)||
-|[**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice)||
+| Class | Test completed in Windows 10 |
+|-----------------------------------------------------------------------------------------------------------------|------------------------------|
+| [**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob) | Currently testing. |
+| [**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application) | Currently testing. |
+| [**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework) | Currently testing. |
+| [**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting) | Currently testing. |
+| [**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones) | Yes |
+| [**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings) | Yes |
+| [**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate) | Yes |
+| [**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment) | Yes |
+| [**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client) | Currently testing. |
+| [**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting) | Yes |
+| [**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo) | |
+| [**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy) | Yes |
+| [**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority) | Yes |
+| **MDM_MsiApplication** | |
+| **MDM_MsiInstallJob** | |
+| [**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication) | Test not started. |
+| [**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie) | Test not started. |
+| [**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions) | Yes |
+| [**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser) | Test not started. |
+| [**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus) | Yes |
+| [**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader) | |
+| [**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer) | Currently testing. |
+| [**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates) | Yes |
+| [**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger) | Yes |
+| **MDM_VpnConnection** | |
+| [**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication) | Currently testing. |
+| [**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile) | Yes |
+| [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes |
+| [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes |
+| [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes |
+| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes |
+| [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes |
+| [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | |
+| [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | |
 ### Parental control WMI classes
-| Class | Test completed in Windows 10 for desktop |
-|--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
-
-
+| Class | Test completed in Windows 10 |
+|-----------------------------------------------------------------------------------------|------------------------------|
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes |
 ### Win32 WMI classes
-| Class | Test completed in Windows 10 for desktop |
-|--------------------------------------------------------------------------|------------------------------------------|
-[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
-[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes
-[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes
-[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes
-[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes
-[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
-[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
-[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
-[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) |
-[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) |
-[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) |
-[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
-[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
-[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes
-[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes
-[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes
-[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
-[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
-[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
-[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
-[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes
-[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
-[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
-[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
-[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
-[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes
-[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
-[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
-[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
-[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) |
-[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) |
-[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
-[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
-[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes
-[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
-[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
-[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
-[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
-[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes
-[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
-[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes
-[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes
-[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes
-[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
-[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes
-[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
-**Win32\_WindowsUpdateAgentVersion** |
-
+| Class | Test completed in Windows 10 |
+|---------------------------------------------------------------------------------------------------------|------------------------------|
+| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
+| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
+| [**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes |
+| [**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes |
+| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
+| [**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes |
+| [**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes |
+| [**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes |
+| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
+| [**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) | Yes |
+| [**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes |
+| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
+| [**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes |
+| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
+| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
+| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
+| [**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) |
+| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) |
+| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) |
+| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
+| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
+| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
+| [**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes |
+| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
+| [**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes |
+| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
+| [**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes |
+| [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
+| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
+| [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
+| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
+| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
+| [**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes |
+| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
+| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
+| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
+| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
+| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
+| [**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes |
+| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
+| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
+| [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
+| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) |
+| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) |
+| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
+| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
+| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
+| [**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes |
+| [**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes |
+| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
+| [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
+| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
+| [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
+| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
+| [**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes |
+| [**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes |
+| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
+| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
+| [**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes |
+| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
+| [**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes |
+| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
+| [**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes |
+| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
+| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
+| [**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes |
+| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
+| **Win32\_WindowsUpdateAgentVersion** |
 ## Related topics
 [Configuration service provider reference](mdm/index.yml)
 ## Related Links
+ [CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller)
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index 37887f4c3d..eed909eb0d 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -56,7 +56,7 @@ To add a new item under the browser's **Favorites** list:
 2. In the **Available customizations** pane, select the friendly name that you created, and in the text field, enter the URL for the item.
-For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "" for the URL.
+For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and `http://www.contoso.com` for the URL.
 ## PartnerSearchCode
diff --git a/windows/deployment/do/images/UC_workspace_DO_status.png b/windows/deployment/do/images/UC_workspace_DO_status.png
deleted file mode 100644
index fa7550f0f5..0000000000
Binary files a/windows/deployment/do/images/UC_workspace_DO_status.png and /dev/null differ
diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png
deleted file mode 100644
index ea8db2a08a..0000000000
Binary files a/windows/deployment/do/images/addcachenode.png and /dev/null differ
diff --git a/windows/deployment/do/images/backicon.png b/windows/deployment/do/images/backicon.png
deleted file mode 100644
index 3007e448b1..0000000000
Binary files a/windows/deployment/do/images/backicon.png and /dev/null differ
diff --git a/windows/deployment/do/images/doneicon.png b/windows/deployment/do/images/doneicon.png
deleted file mode 100644
index d80389f35b..0000000000
Binary files a/windows/deployment/do/images/doneicon.png and /dev/null differ
diff --git a/windows/deployment/do/images/ent-mcc-overview.png b/windows/deployment/do/images/ent-mcc-overview.png
deleted file mode 100644
index a4e5a4f0ec..0000000000
Binary files a/windows/deployment/do/images/ent-mcc-overview.png and /dev/null differ
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
index 0d11fcb79e..faf96a6339 100644
--- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
@@ -28,8 +28,8 @@ ms.localizationpriority: medium
 | TotalBytesDownloaded | The number of bytes from any source downloaded so far |
 | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
 | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
-| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer |
-| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
+| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer |
+| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
 | Priority | Priority of the download; values are **foreground** or **background** |
 | BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
 | BytesFromLanPeers | Total number of bytes received from peers found on the LAN |
@@ -98,9 +98,19 @@ Using the `-Verbose` option returns additional information:
 - Bytes from CDN (the number of bytes received over HTTP)
 - Average number of peer connections per download
-**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo`, which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
-Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
+| Key | Value |
+| --- | --- |
+| IP | Peer device IP address |
+| PeerType | The type of peer used (LAN/Group/Internet/LinkLocal), determined by the Delivery Optimization Service, except for the LinkLocal option, which uses the DNS-SD protocol. |
+| ConnectionEstablished | True/False to indicate if peer is connected |
+| BytesSent | Bytes sent to/from the peer on the current connection |
+| BytesReceived | Bytes received to/from the peer on the current connection |
+| UploadRateBytes | Average value of upload rates on the current connection, over the past 20 seconds |
+| DownloadRateBytes | Average value of download rates on the current connection, over the past 20 seconds |
+
+Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to data from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month.
 #### Manage the Delivery Optimization cache
@@ -110,7 +120,7 @@ Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth
 `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache.
-You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3.
+You can now "pin" files to keep them persistent in the cache, only with files that are downloaded in modes 1, 2, or 3.
 `set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation.
@@ -155,6 +165,6 @@ Using the `-ListConnections` option returns these details about peers:
 `Get-DeliveryOptimizationLog [-Path ] [-Flush]`
-If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
+If `Path` isn't specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs.
 Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar.
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 9fa907d90e..04c0b9e893 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -152,7 +152,7 @@ Try these steps: 4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. > [!NOTE] -> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. +> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer. ### Clients aren't able to connect to peers offered by the cloud service
diff --git a/windows/deployment/images/UC-workspace-overview-blade.PNG b/windows/deployment/images/UC-workspace-overview-blade.PNG
deleted file mode 100644
index beb04cdc18..0000000000
Binary files a/windows/deployment/images/UC-workspace-overview-blade.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/images/UC_02_workspace_create - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/images/UC_03_workspace_select - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG
deleted file mode 100644
index 2709763570..0000000000
Binary files a/windows/deployment/images/UC_tile_assessing - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG
deleted file mode 100644
index 2709763570..0000000000
Binary files a/windows/deployment/images/UC_tile_assessing.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG
deleted file mode 100644
index f7e1bab284..0000000000
Binary files a/windows/deployment/images/UC_tile_filled - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG
deleted file mode 100644
index f7e1bab284..0000000000
Binary files a/windows/deployment/images/UC_tile_filled.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG
deleted file mode 100644
index fa7550f0f5..0000000000
Binary files a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG
deleted file mode 100644
index fa7550f0f5..0000000000
Binary files a/windows/deployment/images/UC_workspace_DO_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG
deleted file mode 100644
index 14966b1d8a..0000000000
Binary files a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG
deleted file mode 100644
index 14966b1d8a..0000000000
Binary files a/windows/deployment/images/UC_workspace_FU_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG
deleted file mode 100644
index 3564c9b6e5..0000000000
Binary files a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG
deleted file mode 100644
index 3564c9b6e5..0000000000
Binary files a/windows/deployment/images/UC_workspace_SU_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG
deleted file mode 100644
index 4269eb8c4d..0000000000
Binary files a/windows/deployment/images/UC_workspace_home.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png
deleted file mode 100644
index be8033a9d6..0000000000
Binary files a/windows/deployment/images/UC_workspace_needs_attention - Copy.png and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png
deleted file mode 100644
index be8033a9d6..0000000000
Binary files a/windows/deployment/images/UC_workspace_needs_attention.png and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG
deleted file mode 100644
index beb04cdc18..0000000000
Binary files a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG
deleted file mode 100644
index 2a3f8f1b73..0000000000
Binary files a/windows/deployment/images/UR-Azureportal1.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG
deleted file mode 100644
index e7db8b3787..0000000000
Binary files a/windows/deployment/images/UR-Azureportal2.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG
deleted file mode 100644
index 6645ba95ce..0000000000
Binary files a/windows/deployment/images/UR-Azureportal3.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG
deleted file mode 100644
index 3087797a46..0000000000
Binary files a/windows/deployment/images/UR-Azureportal4.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png
deleted file mode 100644
index 933b2e2346..0000000000
Binary files a/windows/deployment/images/UR-driver-issue-detail.png and /dev/null differ
diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png
deleted file mode 100644
index 5a05bb54e1..0000000000
Binary files a/windows/deployment/images/UR-example-feedback.png and /dev/null differ
diff --git a/windows/deployment/images/UR-lift-report.jpg b/windows/deployment/images/UR-lift-report.jpg
deleted file mode 100644
index f76ce5f481..0000000000
Binary files a/windows/deployment/images/UR-lift-report.jpg and /dev/null differ
diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png
deleted file mode 100644
index 83904d3be2..0000000000
Binary files a/windows/deployment/images/UR-monitor-main.png and /dev/null differ
diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png
deleted file mode 100644
index 4e619ae27c..0000000000
Binary files a/windows/deployment/images/UR-update-progress-failed-detail.png and /dev/null differ
diff --git a/windows/deployment/images/oobe.jpg b/windows/deployment/images/oobe.jpg
deleted file mode 100644
index 53a5dab6bf..0000000000
Binary files a/windows/deployment/images/oobe.jpg and /dev/null differ
diff --git a/windows/deployment/images/prov.jpg b/windows/deployment/images/prov.jpg
deleted file mode 100644
index 1593ccb36b..0000000000
Binary files a/windows/deployment/images/prov.jpg and /dev/null differ
diff --git a/windows/deployment/images/setupmsg.jpg b/windows/deployment/images/setupmsg.jpg
deleted file mode 100644
index 12935483c5..0000000000
Binary files a/windows/deployment/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-01.png b/windows/deployment/images/ua-cg-01.png
deleted file mode 100644
index 4b41bd67ba..0000000000
Binary files a/windows/deployment/images/ua-cg-01.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-02.png b/windows/deployment/images/ua-cg-02.png
deleted file mode 100644
index 4cbfaf26d8..0000000000
Binary files a/windows/deployment/images/ua-cg-02.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-03.png b/windows/deployment/images/ua-cg-03.png
deleted file mode 100644
index cfad7911bb..0000000000
Binary files a/windows/deployment/images/ua-cg-03.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-04.png b/windows/deployment/images/ua-cg-04.png
deleted file mode 100644
index c818d15d02..0000000000
Binary files a/windows/deployment/images/ua-cg-04.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-05.png b/windows/deployment/images/ua-cg-05.png
deleted file mode 100644
index a8788f0eb9..0000000000
Binary files a/windows/deployment/images/ua-cg-05.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-06.png b/windows/deployment/images/ua-cg-06.png
deleted file mode 100644
index ed983c96c8..0000000000
Binary files a/windows/deployment/images/ua-cg-06.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-07.png b/windows/deployment/images/ua-cg-07.png
deleted file mode 100644
index 2aba43be53..0000000000
Binary files a/windows/deployment/images/ua-cg-07.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-08.png b/windows/deployment/images/ua-cg-08.png
deleted file mode 100644
index f256b2f097..0000000000
Binary files a/windows/deployment/images/ua-cg-08.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-09-old.png b/windows/deployment/images/ua-cg-09-old.png
deleted file mode 100644
index b9aa1cea41..0000000000
Binary files a/windows/deployment/images/ua-cg-09-old.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-09.png b/windows/deployment/images/ua-cg-09.png
deleted file mode 100644
index 0150a24ee5..0000000000
Binary files a/windows/deployment/images/ua-cg-09.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-10.png b/windows/deployment/images/ua-cg-10.png
deleted file mode 100644
index 54e222338d..0000000000
Binary files a/windows/deployment/images/ua-cg-10.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-11.png b/windows/deployment/images/ua-cg-11.png
deleted file mode 100644
index 4e930a5905..0000000000
Binary files a/windows/deployment/images/ua-cg-11.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-12.png b/windows/deployment/images/ua-cg-12.png
deleted file mode 100644
index 2fbe11b814..0000000000
Binary files a/windows/deployment/images/ua-cg-12.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-13.png b/windows/deployment/images/ua-cg-13.png
deleted file mode 100644
index f04252796e..0000000000
Binary files a/windows/deployment/images/ua-cg-13.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-14.png b/windows/deployment/images/ua-cg-14.png
deleted file mode 100644
index 6105fdf4d1..0000000000
Binary files a/windows/deployment/images/ua-cg-14.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-15.png b/windows/deployment/images/ua-cg-15.png
deleted file mode 100644
index 009315fc4a..0000000000
Binary files a/windows/deployment/images/ua-cg-15.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-16.png b/windows/deployment/images/ua-cg-16.png
deleted file mode 100644
index 6d5b8a84b6..0000000000
Binary files a/windows/deployment/images/ua-cg-16.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-17.png b/windows/deployment/images/ua-cg-17.png
deleted file mode 100644
index d66c41917b..0000000000
Binary files a/windows/deployment/images/ua-cg-17.png and /dev/null differ
diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png
deleted file mode 100644
index c86f7a4338..0000000000
Binary files a/windows/deployment/images/ua-step2-blades.png and /dev/null differ
diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png
deleted file mode 100644
index 6e9daf0233..0000000000
Binary files a/windows/deployment/images/ua-step2-low-risk.png and /dev/null differ
diff --git a/windows/deployment/images/update.jpg b/windows/deployment/images/update.jpg
deleted file mode 100644
index d5ba862300..0000000000
Binary files a/windows/deployment/images/update.jpg and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-apps-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-known-issues.png
deleted file mode 100644
index ec99ac92cf..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-apps-known-issues.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png
deleted file mode 100644
index 9fb09ffd65..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-architecture.png b/windows/deployment/images/upgrade-analytics-architecture.png
deleted file mode 100644
index 93d3acba0b..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-architecture.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png b/windows/deployment/images/upgrade-analytics-create-iedataoptin.png
deleted file mode 100644
index 60f5ccbc90..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-deploy-eligible.png b/windows/deployment/images/upgrade-analytics-deploy-eligible.png
deleted file mode 100644
index 8da91cebc4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-deploy-eligible.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-drivers-known.png b/windows/deployment/images/upgrade-analytics-drivers-known.png
deleted file mode 100644
index 35d61f87c7..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-drivers-known.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-most-active-sites.png b/windows/deployment/images/upgrade-analytics-most-active-sites.png
deleted file mode 100644
index 180c5ddced..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-most-active-sites.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG b/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG
deleted file mode 100644
index 2041f14fd4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-overview.png b/windows/deployment/images/upgrade-analytics-overview.png
deleted file mode 100644
index ba02ee0a8c..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-overview.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-pilot.png b/windows/deployment/images/upgrade-analytics-pilot.png
deleted file mode 100644
index 1c1de328ea..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-pilot.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-prioritize.png b/windows/deployment/images/upgrade-analytics-prioritize.png
deleted file mode 100644
index d6227694c1..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-prioritize.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-query-activex-name.png b/windows/deployment/images/upgrade-analytics-query-activex-name.png
deleted file mode 100644
index 5068e7d20e..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-query-activex-name.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
deleted file mode 100644
index 4d22cc9353..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG
deleted file mode 100644
index c233db2340..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-settings.png b/windows/deployment/images/upgrade-analytics-settings.png
deleted file mode 100644
index be51cd3418..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-settings.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png
deleted file mode 100644
index d1a46f1791..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-site-domain-detail.png b/windows/deployment/images/upgrade-analytics-site-domain-detail.png
deleted file mode 100644
index 15a7ee20c4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-site-domain-detail.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-telemetry.png b/windows/deployment/images/upgrade-analytics-telemetry.png
deleted file mode 100644
index bf60935616..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-telemetry.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-unsubscribe.png b/windows/deployment/images/upgrade-analytics-unsubscribe.png
deleted file mode 100644
index 402db94d6f..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-unsubscribe.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-process.png b/windows/deployment/images/upgrade-process.png
deleted file mode 100644
index b2b77708fc..0000000000
Binary files a/windows/deployment/images/upgrade-process.png and /dev/null differ
diff --git a/windows/deployment/images/upgradecfg-fig2-upgrading.png b/windows/deployment/images/upgradecfg-fig2-upgrading.png
deleted file mode 100644
index c53de79c29..0000000000
Binary files a/windows/deployment/images/upgradecfg-fig2-upgrading.png and /dev/null differ
diff --git a/windows/deployment/images/upgradecfg-fig3-upgrade.png b/windows/deployment/images/upgradecfg-fig3-upgrade.png
deleted file mode 100644
index d0c1ceaaf9..0000000000
Binary files a/windows/deployment/images/upgradecfg-fig3-upgrade.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig2-importedos.png b/windows/deployment/images/upgrademdt-fig2-importedos.png
deleted file mode 100644
index 93b92efd93..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig2-importedos.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig3-tasksequence.png b/windows/deployment/images/upgrademdt-fig3-tasksequence.png
deleted file mode 100644
index 1ad66c2098..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig3-tasksequence.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig4-selecttask.png b/windows/deployment/images/upgrademdt-fig4-selecttask.png
deleted file mode 100644
index dcbc73871a..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig4-selecttask.png and /dev/null differ
diff --git a/windows/deployment/images/ur-arch-diagram.png b/windows/deployment/images/ur-arch-diagram.png
deleted file mode 100644
index 9c1da1227c..0000000000
Binary files a/windows/deployment/images/ur-arch-diagram.png and /dev/null differ
diff --git a/windows/deployment/images/ur-overview.PNG b/windows/deployment/images/ur-overview.PNG
deleted file mode 100644
index cf9563ece5..0000000000
Binary files a/windows/deployment/images/ur-overview.PNG and /dev/null differ
diff --git a/windows/deployment/images/ur-settings.PNG b/windows/deployment/images/ur-settings.PNG
deleted file mode 100644
index d1724cb821..0000000000
Binary files a/windows/deployment/images/ur-settings.PNG and /dev/null differ
diff --git a/windows/deployment/images/ur-target-version.png b/windows/deployment/images/ur-target-version.png
deleted file mode 100644
index 43f0c9aa0c..0000000000
Binary files a/windows/deployment/images/ur-target-version.png and /dev/null differ
diff --git a/windows/deployment/images/uwp-dependencies.PNG b/windows/deployment/images/uwp-dependencies.PNG
deleted file mode 100644
index 4e2563169f..0000000000
Binary files a/windows/deployment/images/uwp-dependencies.PNG and /dev/null differ
diff --git a/windows/deployment/images/uwp-family.PNG b/windows/deployment/images/uwp-family.PNG
deleted file mode 100644
index bec731eec4..0000000000
Binary files a/windows/deployment/images/uwp-family.PNG and /dev/null differ
diff --git a/windows/deployment/images/uwp-license.PNG b/windows/deployment/images/uwp-license.PNG
deleted file mode 100644
index ccb5cf7cf4..0000000000
Binary files a/windows/deployment/images/uwp-license.PNG and /dev/null differ
diff --git a/windows/deployment/images/who-owns-pc.png b/windows/deployment/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/deployment/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/deployment/images/win-security-update-status-by-computer.png b/windows/deployment/images/win-security-update-status-by-computer.png
deleted file mode 100644
index 720ae898be..0000000000
Binary files a/windows/deployment/images/win-security-update-status-by-computer.png and /dev/null differ
diff --git a/windows/deployment/images/win10-set-up-work-or-school.png b/windows/deployment/images/win10-set-up-work-or-school.png
deleted file mode 100644
index 0ca83fb0e1..0000000000
Binary files a/windows/deployment/images/win10-set-up-work-or-school.png and /dev/null differ
diff --git a/windows/deployment/images/windowsupgradeadditionaloptions.png b/windows/deployment/images/windowsupgradeadditionaloptions.png
deleted file mode 100644
index 4fcdb1dd70..0000000000
Binary files a/windows/deployment/images/windowsupgradeadditionaloptions.png and /dev/null differ
diff --git a/windows/deployment/planning/images/branch.png b/windows/deployment/planning/images/branch.png
deleted file mode 100644
index a7eefed13c..0000000000
Binary files a/windows/deployment/planning/images/branch.png and /dev/null differ
diff --git a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png b/windows/deployment/planning/images/chromebook-fig1-googleadmin.png
deleted file mode 100644
index b3d42e5ff2..0000000000
Binary files a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif b/windows/deployment/planning/images/dep-win8-e-act-addissue.gif
deleted file mode 100644
index dbe6b657bb..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif b/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif
deleted file mode 100644
index 98e6c27ad7..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif b/windows/deployment/planning/images/dep-win8-e-act-categorize.gif
deleted file mode 100644
index 23bae141bc..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif b/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif
deleted file mode 100644
index 111e79a839..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif
deleted file mode 100644
index 7ad0515838..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-delete.gif b/windows/deployment/planning/images/dep-win8-e-act-delete.gif
deleted file mode 100644
index 24d6b6cd8f..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-delete.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif b/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif
deleted file mode 100644
index 5f07b13d22..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif
deleted file mode 100644
index a92e0d9525..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif
deleted file mode 100644
index d07dce9b67..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif
deleted file mode 100644
index 35fb052076..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif b/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif
deleted file mode 100644
index 924efd2a21..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif b/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif
deleted file mode 100644
index ebb4547df3..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif
deleted file mode 100644
index 909cb95436..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif
deleted file mode 100644
index 178095998f..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif
deleted file mode 100644
index 824bcd764a..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif
deleted file mode 100644
index 2621c7e2b5..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif
deleted file mode 100644
index 40b8e61815..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif
deleted file mode 100644
index 74c2687b0b..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif
deleted file mode 100644
index a69b282a37..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif
deleted file mode 100644
index 73626ccdcf..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-help.gif b/windows/deployment/planning/images/dep-win8-e-act-help.gif
deleted file mode 100644
index 6ce522acba..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-help.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-home.gif b/windows/deployment/planning/images/dep-win8-e-act-home.gif deleted file mode 100644 index 0555779689..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-home.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif deleted file mode 100644 index b4593fd6d1..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif b/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif deleted file mode 100644 index 6ef158023c..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif deleted file mode 100644 index 8842896029..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png b/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png deleted file mode 100644 index ea4d0588a6..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif b/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif deleted file mode 100644 index 06a357b04e..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-open.gif b/windows/deployment/planning/images/dep-win8-e-act-open.gif deleted file mode 100644 index 430bc23095..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-open.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif b/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif deleted file mode 100644 index 8327888637..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif b/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif deleted file mode 100644 index 4a647114a4..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif b/windows/deployment/planning/images/dep-win8-e-act-refresh.gif deleted file mode 100644 index 1e9cd7e6aa..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif b/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif deleted file mode 100644 index 74c9e784e2..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-save.gif b/windows/deployment/planning/images/dep-win8-e-act-save.gif deleted file mode 100644 index 50691cc5c8..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-save.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif b/windows/deployment/planning/images/dep-win8-e-act-savereport.gif deleted file mode 100644 index 00395ee6dd..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif deleted file mode 100644 index 9272a99a14..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif deleted file mode 100644 index 7e38cf8108..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg b/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg deleted file mode 100644 index 95f3fdb690..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg b/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg deleted file mode 100644 index fd03081e46..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure1.png b/windows/deployment/planning/images/deploy-win-10-school-figure1.png deleted file mode 100644 index 66113dcce1..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure1.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure2.png b/windows/deployment/planning/images/deploy-win-10-school-figure2.png deleted file mode 100644 index 0227f8dbaa..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure2.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure3.png b/windows/deployment/planning/images/deploy-win-10-school-figure3.png deleted file mode 100644 index 1b39b5cc14..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure3.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure4.png b/windows/deployment/planning/images/deploy-win-10-school-figure4.png deleted file mode 100644 index 09552a448a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure4.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure5.png b/windows/deployment/planning/images/deploy-win-10-school-figure5.png deleted file mode 100644 index 550386f1ce..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure5.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure6.png b/windows/deployment/planning/images/deploy-win-10-school-figure6.png deleted file mode 100644 index 09552a448a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure6.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure7.png b/windows/deployment/planning/images/deploy-win-10-school-figure7.png deleted file mode 100644 index 8e7581007a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure7.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/fig2-locallyconfig.png b/windows/deployment/planning/images/fig2-locallyconfig.png deleted file mode 100644 index d2fe9820da..0000000000 Binary files a/windows/deployment/planning/images/fig2-locallyconfig.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png b/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png deleted file mode 100644 index 2f684c32ff..0000000000 Binary files a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png b/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png deleted file mode 100644 index 5e43f36403..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png b/windows/deployment/planning/images/wuforbusiness-fig11-intune.png deleted file mode 100644 index 8006085bf1..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png b/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png deleted file mode 100644 index 078d60b745..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png b/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png deleted file mode 100644 index 432e0d8711..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png b/windows/deployment/planning/images/wuforbusiness-fig2-gp.png deleted file mode 100644 index d748cd0dc9..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png b/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png deleted file mode 100644 index 90900dee9d..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png b/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png deleted file mode 100644 index 0c6a1a0265..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png b/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png deleted file mode 100644 index 591ba04c8a..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png b/windows/deployment/planning/images/wuforbusiness-fig6-pause.png deleted file mode 100644 index d19ef0e013..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png b/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png deleted file mode 100644 index ebd28fb689..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png b/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png deleted file mode 100644 index ce8a59a910..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg b/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg deleted file mode 100644 index 04c3558d41..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg and /dev/null differ diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index edf0aba102..d20d9c067f 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md 
@@ -1,49 +1,53 @@ --- -title: Windows 10 Pro in S mode -description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +title: Windows Pro in S mode +description: Overview of Windows Pro and Enterprise in S mode. ms.localizationpriority: high ms.prod: windows-client manager: aaroncz author: frankroj ms.author: frankroj -ms.topic: article -ms.date: 11/23/2022 +ms.topic: conceptual +ms.date: 04/26/2023 ms.technology: itpro-deploy --- -# Windows 10 in S mode - What is it? +# Windows Pro in S mode -S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. +S mode is a configuration that's available on all Windows Editions, and it's enabled at the time of manufacturing. Windows can be switched out of S mode at any time, as shown in the picture below. However, the switch is a one-time operation, and can only be undone by a wipe and reload of the operating system. -![Configuration and features of S mode.](images/smodeconfig.png) +:::image type="content" source="images/smodeconfig.png" alt-text="Table listing the capabilities of S mode across the different Windows editions."::: ## S mode key features ### Microsoft-verified security -With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. +With Windows in S mode, you'll find your favorite applications in the Microsoft Store, where they're Microsoft-verified for security. You can also feel secure when you're online. 
Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware. ### Performance that lasts -Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go. +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. You'll enjoy a smooth, responsive experience, whether you're streaming videos, opening apps, or being productive on the go. ### Choice and flexibility -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. -![Switching out of S mode flow chart.](images/s-mode-flow-chart.png) +:::image type="content" source="images/s-mode-flow-chart.png" alt-text="Switching out of S mode flow chart."::: ## Deployment -Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot). 
Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. +Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune. + +Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment. + +For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired. ## Keep line of business apps functioning with Desktop Bridge -Worried about your line of business apps not working in S mode? [Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. 
+[Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating the apps, you can distribute them through an MDM solution like Microsoft Intune. ## Repackage Win32 apps into the MSIX format -The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. The MSIX Packaging Tool is another way to get your apps ready to run on Windows 10 in S mode. +The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively, and obtain an MSIX package that you can deploy through and MDM solution like Microsoft Intune. The MSIX Packaging Tool is another way to get your apps ready to run on Windows in S mode. ## Related links diff --git a/windows/deployment/update/images/ActionCenterXML.jpg b/windows/deployment/update/images/ActionCenterXML.jpg deleted file mode 100644 index b9832b2708..0000000000 Binary files a/windows/deployment/update/images/ActionCenterXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/AppsXML.jpg b/windows/deployment/update/images/AppsXML.jpg deleted file mode 100644 index ecc1869bb5..0000000000 Binary files a/windows/deployment/update/images/AppsXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/AppsXML.png b/windows/deployment/update/images/AppsXML.png deleted file mode 100644 index 3981543264..0000000000 Binary files a/windows/deployment/update/images/AppsXML.png and /dev/null differ 
diff --git a/windows/deployment/update/images/ButtonsXML.jpg b/windows/deployment/update/images/ButtonsXML.jpg deleted file mode 100644 index 238eca7e68..0000000000 Binary files a/windows/deployment/update/images/ButtonsXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/CSPRunnerXML.jpg b/windows/deployment/update/images/CSPRunnerXML.jpg deleted file mode 100644 index 071b316a9e..0000000000 Binary files a/windows/deployment/update/images/CSPRunnerXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png deleted file mode 100644 index 25793516c2..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part2-Create.png b/windows/deployment/update/images/CreateSolution-Part2-Create.png deleted file mode 100644 index ec63f20402..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part2-Create.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png deleted file mode 100644 index 1d74aa39d0..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png deleted file mode 100644 index 7a3129f467..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png and /dev/null differ 
diff --git a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png deleted file mode 100644 index c3cb382097..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png and /dev/null differ diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png deleted file mode 100644 index a13d5393e6..0000000000 Binary files a/windows/deployment/update/images/DO-absolute-bandwidth.png and /dev/null differ diff --git a/windows/deployment/update/images/ICDstart-option.PNG b/windows/deployment/update/images/ICDstart-option.PNG deleted file mode 100644 index 1ba49bb261..0000000000 Binary files a/windows/deployment/update/images/ICDstart-option.PNG and /dev/null differ diff --git a/windows/deployment/update/images/MenuItemsXML.png b/windows/deployment/update/images/MenuItemsXML.png deleted file mode 100644 index cc681250bb..0000000000 Binary files a/windows/deployment/update/images/MenuItemsXML.png and /dev/null differ diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg deleted file mode 100644 index f3a5d855ff..0000000000 Binary files a/windows/deployment/update/images/OMS-after-adding-solution.jpg and /dev/null differ diff --git a/windows/deployment/update/images/SAC_vid_crop.jpg b/windows/deployment/update/images/SAC_vid_crop.jpg deleted file mode 100644 index 9d08215fc9..0000000000 Binary files a/windows/deployment/update/images/SAC_vid_crop.jpg and /dev/null differ diff --git a/windows/deployment/update/images/SettingsXML.png b/windows/deployment/update/images/SettingsXML.png deleted file mode 100644 index 98a324bdea..0000000000 Binary files a/windows/deployment/update/images/SettingsXML.png and /dev/null differ 
diff --git a/windows/deployment/update/images/StartGrid.jpg b/windows/deployment/update/images/StartGrid.jpg deleted file mode 100644 index 36136f3201..0000000000 Binary files a/windows/deployment/update/images/StartGrid.jpg and /dev/null differ diff --git a/windows/deployment/update/images/StartGridPinnedApps.jpg b/windows/deployment/update/images/StartGridPinnedApps.jpg deleted file mode 100644 index fbade52f53..0000000000 Binary files a/windows/deployment/update/images/StartGridPinnedApps.jpg and /dev/null differ diff --git a/windows/deployment/update/images/TilesXML.png b/windows/deployment/update/images/TilesXML.png deleted file mode 100644 index cec52bbbf7..0000000000 Binary files a/windows/deployment/update/images/TilesXML.png and /dev/null differ diff --git a/windows/deployment/update/images/WA-data-flow-v1.png b/windows/deployment/update/images/WA-data-flow-v1.png deleted file mode 100644 index 072502b2c7..0000000000 Binary files a/windows/deployment/update/images/WA-data-flow-v1.png and /dev/null differ diff --git a/windows/deployment/update/images/WA-device-enrollment.png b/windows/deployment/update/images/WA-device-enrollment.png deleted file mode 100644 index 06408def68..0000000000 Binary files a/windows/deployment/update/images/WA-device-enrollment.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png deleted file mode 100644 index 96b0a90280..0000000000 Binary files a/windows/deployment/update/images/WIP-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png deleted file mode 100644 index ee7f30c014..0000000000 Binary files a/windows/deployment/update/images/WIP.png and /dev/null differ 
diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png deleted file mode 100644 index 7cc35cde75..0000000000 Binary files a/windows/deployment/update/images/WIP2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG deleted file mode 100644 index 87255177e0..0000000000 Binary files a/windows/deployment/update/images/WIP2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png deleted file mode 100644 index 37acadde3a..0000000000 Binary files a/windows/deployment/update/images/WIP4Biz_Prompts.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png deleted file mode 100644 index d093eff951..0000000000 Binary files a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG deleted file mode 100644 index 29e14d5411..0000000000 Binary files a/windows/deployment/update/images/WIPNEW1.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png deleted file mode 100644 index 1ee1148c8f..0000000000 Binary files a/windows/deployment/update/images/WIPNEW2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG deleted file mode 100644 index af7a8c84b7..0000000000 Binary files a/windows/deployment/update/images/WIPNEW2.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png deleted file mode 100644 index a210aa9ed1..0000000000 Binary files a/windows/deployment/update/images/WIPNEWMAIN-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG deleted file mode 100644 index b56da2b409..0000000000 Binary files a/windows/deployment/update/images/WIPNEWMAIN.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png deleted file mode 100644 index e7b5ae5571..0000000000 Binary files a/windows/deployment/update/images/WIPappID-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG deleted file mode 100644 index 49ea2bc99c..0000000000 Binary files a/windows/deployment/update/images/WIPappID.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG deleted file mode 100644 index adb905255d..0000000000 Binary files a/windows/deployment/update/images/WIPmain.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WRH-message-history-example.png b/windows/deployment/update/images/WRH-message-history-example.png deleted file mode 100644 index 1aa35aca9b..0000000000 Binary files a/windows/deployment/update/images/WRH-message-history-example.png and /dev/null differ diff --git a/windows/deployment/update/images/WRH-view-message-history.png b/windows/deployment/update/images/WRH-view-message-history.png deleted file mode 100644 index 20b85e33c0..0000000000 Binary files a/windows/deployment/update/images/WRH-view-message-history.png and /dev/null differ 
diff --git a/windows/deployment/update/images/admin-tools-folder.png b/windows/deployment/update/images/admin-tools-folder.png deleted file mode 100644 index 4831204f73..0000000000 Binary files a/windows/deployment/update/images/admin-tools-folder.png and /dev/null differ diff --git a/windows/deployment/update/images/admin-tools.png b/windows/deployment/update/images/admin-tools.png deleted file mode 100644 index 1470cffdd5..0000000000 Binary files a/windows/deployment/update/images/admin-tools.png and /dev/null differ diff --git a/windows/deployment/update/images/allow-rdp.png b/windows/deployment/update/images/allow-rdp.png deleted file mode 100644 index 55c13b53bc..0000000000 Binary files a/windows/deployment/update/images/allow-rdp.png and /dev/null differ diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png deleted file mode 100644 index 1b537c1c9b..0000000000 Binary files a/windows/deployment/update/images/analytics-architecture.png and /dev/null differ diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png deleted file mode 100644 index c06ced4864..0000000000 Binary files a/windows/deployment/update/images/app-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png deleted file mode 100644 index d8daee44ed..0000000000 Binary files a/windows/deployment/update/images/app-health-dashboard.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-app-OS-version.png b/windows/deployment/update/images/app-reliability-app-OS-version.png deleted file mode 100644 index c281dcc316..0000000000 Binary files a/windows/deployment/update/images/app-reliability-app-OS-version.png and /dev/null differ 
diff --git a/windows/deployment/update/images/app-reliability-app-detail.png b/windows/deployment/update/images/app-reliability-app-detail.png deleted file mode 100644 index 8c402bb91f..0000000000 Binary files a/windows/deployment/update/images/app-reliability-app-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-event-history.png b/windows/deployment/update/images/app-reliability-event-history.png deleted file mode 100644 index f28ab02908..0000000000 Binary files a/windows/deployment/update/images/app-reliability-event-history.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-main.png b/windows/deployment/update/images/app-reliability-main.png deleted file mode 100644 index abbcc72690..0000000000 Binary files a/windows/deployment/update/images/app-reliability-main.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-tab.png b/windows/deployment/update/images/app-reliability-tab.png deleted file mode 100644 index 17eae401f4..0000000000 Binary files a/windows/deployment/update/images/app-reliability-tab.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-trend-view.png b/windows/deployment/update/images/app-reliability-trend-view.png deleted file mode 100644 index 2d26df93d3..0000000000 Binary files a/windows/deployment/update/images/app-reliability-trend-view.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png deleted file mode 100644 index 47ecf49431..0000000000 Binary files a/windows/deployment/update/images/app-reliability.png and /dev/null differ diff --git a/windows/deployment/update/images/app-v-in-adk.png b/windows/deployment/update/images/app-v-in-adk.png deleted file mode 100644 index a36ef9f00f..0000000000 Binary files a/windows/deployment/update/images/app-v-in-adk.png and /dev/null differ 
diff --git a/windows/deployment/update/images/apprule.png b/windows/deployment/update/images/apprule.png
deleted file mode 100644
index ec5417849a..0000000000
Binary files a/windows/deployment/update/images/apprule.png and /dev/null differ
diff --git a/windows/deployment/update/images/appwarning.png b/windows/deployment/update/images/appwarning.png
deleted file mode 100644
index 877d8afebd..0000000000
Binary files a/windows/deployment/update/images/appwarning.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG
deleted file mode 100644
index cd44ab666c..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png
deleted file mode 100644
index 9308673481..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAfav.PNG b/windows/deployment/update/images/azure-portal-LAfav.PNG
deleted file mode 100644
index 8ad9f63fd0..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAfav.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAfav1.png b/windows/deployment/update/images/azure-portal-LAfav1.png
deleted file mode 100644
index 1c01cc7509..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAfav1.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-sterile.png
deleted file mode 100644
index 1cdeffa2b7..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png
deleted file mode 100644
index afdfbb2d21..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain.PNG b/windows/deployment/update/images/azure-portal-LAmain.PNG
deleted file mode 100644
index 1cebfa9b8c..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAsearch.PNG b/windows/deployment/update/images/azure-portal-LAsearch.PNG
deleted file mode 100644
index 1d446241d5..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAsearch.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png
deleted file mode 100644
index 67ace993e8..0000000000
Binary files a/windows/deployment/update/images/azure-portal-UR-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png
deleted file mode 100644
index b15bec2265..0000000000
Binary files a/windows/deployment/update/images/azure-portal-create-resource-boxes.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-create-resource.PNG b/windows/deployment/update/images/azure-portal-create-resource.PNG
deleted file mode 100644
index 0f1b962e07..0000000000
Binary files a/windows/deployment/update/images/azure-portal-create-resource.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal1.PNG b/windows/deployment/update/images/azure-portal1.PNG
deleted file mode 100644
index f4c2aff38a..0000000000
Binary files a/windows/deployment/update/images/azure-portal1.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal1_allserv.png b/windows/deployment/update/images/azure-portal1_allserv.png
deleted file mode 100644
index 63e1bcbad3..0000000000
Binary files a/windows/deployment/update/images/azure-portal1_allserv.png and /dev/null differ
diff --git a/windows/deployment/update/images/backicon.png b/windows/deployment/update/images/backicon.png
deleted file mode 100644
index 3007e448b1..0000000000
Binary files a/windows/deployment/update/images/backicon.png and /dev/null differ
diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png
deleted file mode 100644
index ea719bc251..0000000000
Binary files a/windows/deployment/update/images/champs.png and /dev/null differ
diff --git a/windows/deployment/update/images/checklistbox.gif b/windows/deployment/update/images/checklistbox.gif
deleted file mode 100644
index cbcf4a4f11..0000000000
Binary files a/windows/deployment/update/images/checklistbox.gif and /dev/null differ
diff --git a/windows/deployment/update/images/choose-package.png b/windows/deployment/update/images/choose-package.png
deleted file mode 100644
index 2bf7a18648..0000000000
Binary files a/windows/deployment/update/images/choose-package.png and /dev/null differ
diff --git a/windows/deployment/update/images/config-policy.png b/windows/deployment/update/images/config-policy.png
deleted file mode 100644
index b9cba70af6..0000000000
Binary files a/windows/deployment/update/images/config-policy.png and /dev/null differ
diff --git a/windows/deployment/update/images/config-source.png b/windows/deployment/update/images/config-source.png
deleted file mode 100644
index 58938bacf7..0000000000
Binary files a/windows/deployment/update/images/config-source.png and /dev/null differ
diff --git a/windows/deployment/update/images/configconflict.png b/windows/deployment/update/images/configconflict.png
deleted file mode 100644
index 011a2d76e7..0000000000
Binary files a/windows/deployment/update/images/configconflict.png and /dev/null differ
diff --git a/windows/deployment/update/images/connect-aad.png b/windows/deployment/update/images/connect-aad.png
deleted file mode 100644
index 8583866165..0000000000
Binary files a/windows/deployment/update/images/connect-aad.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to-change.png b/windows/deployment/update/images/copy-to-change.png
deleted file mode 100644
index 21aa250c0c..0000000000
Binary files a/windows/deployment/update/images/copy-to-change.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to-path.png b/windows/deployment/update/images/copy-to-path.png
deleted file mode 100644
index 1ef00fc86b..0000000000
Binary files a/windows/deployment/update/images/copy-to-path.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to.PNG b/windows/deployment/update/images/copy-to.PNG
deleted file mode 100644
index dad84cedc8..0000000000
Binary files a/windows/deployment/update/images/copy-to.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-about-me.png b/windows/deployment/update/images/cortana-about-me.png
deleted file mode 100644
index 32c1ccefab..0000000000
Binary files a/windows/deployment/update/images/cortana-about-me.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-add-reminder.png b/windows/deployment/update/images/cortana-add-reminder.png
deleted file mode 100644
index 3f03528e11..0000000000
Binary files a/windows/deployment/update/images/cortana-add-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-chicago-weather.png b/windows/deployment/update/images/cortana-chicago-weather.png
deleted file mode 100644
index 9273bf201b..0000000000
Binary files a/windows/deployment/update/images/cortana-chicago-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png
deleted file mode 100644
index 3238c8d31d..0000000000
Binary files a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-crm.png b/windows/deployment/update/images/cortana-connect-crm.png
deleted file mode 100644
index c70c42f75e..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-crm.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-o365.png b/windows/deployment/update/images/cortana-connect-o365.png
deleted file mode 100644
index df1ffa449b..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-o365.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-uber.png b/windows/deployment/update/images/cortana-connect-uber.png
deleted file mode 100644
index 724fecb5b5..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-uber.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-crm-screen.png b/windows/deployment/update/images/cortana-crm-screen.png
deleted file mode 100644
index ded5d80a59..0000000000
Binary files a/windows/deployment/update/images/cortana-crm-screen.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-feedback.png b/windows/deployment/update/images/cortana-feedback.png
deleted file mode 100644
index 6e14018c98..0000000000
Binary files a/windows/deployment/update/images/cortana-feedback.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-final-reminder.png b/windows/deployment/update/images/cortana-final-reminder.png
deleted file mode 100644
index f114e058e5..0000000000
Binary files a/windows/deployment/update/images/cortana-final-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-meeting-specific-time.png b/windows/deployment/update/images/cortana-meeting-specific-time.png
deleted file mode 100644
index a108355133..0000000000
Binary files a/windows/deployment/update/images/cortana-meeting-specific-time.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-meeting-tomorrow.png b/windows/deployment/update/images/cortana-meeting-tomorrow.png
deleted file mode 100644
index 13273b6600..0000000000
Binary files a/windows/deployment/update/images/cortana-meeting-tomorrow.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-newyork-weather.png b/windows/deployment/update/images/cortana-newyork-weather.png
deleted file mode 100644
index b3879737be..0000000000
Binary files a/windows/deployment/update/images/cortana-newyork-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-o365-screen.png b/windows/deployment/update/images/cortana-o365-screen.png
deleted file mode 100644
index ba06dd6de5..0000000000
Binary files a/windows/deployment/update/images/cortana-o365-screen.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-place-reminder.png b/windows/deployment/update/images/cortana-place-reminder.png
deleted file mode 100644
index 89ccdab3e3..0000000000
Binary files a/windows/deployment/update/images/cortana-place-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-create-report.png b/windows/deployment/update/images/cortana-powerbi-create-report.png
deleted file mode 100644
index a22789d72a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-create-report.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-expand-nav.png b/windows/deployment/update/images/cortana-powerbi-expand-nav.png
deleted file mode 100644
index c8b47943f9..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-expand-nav.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-field-selection.png b/windows/deployment/update/images/cortana-powerbi-field-selection.png
deleted file mode 100644
index 8aef58c23a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-field-selection.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png b/windows/deployment/update/images/cortana-powerbi-getdata-samples.png
deleted file mode 100644
index 3bfa4792df..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-getdata.png b/windows/deployment/update/images/cortana-powerbi-getdata.png
deleted file mode 100644
index 55b7b61589..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-getdata.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-myreport.png b/windows/deployment/update/images/cortana-powerbi-myreport.png
deleted file mode 100644
index cc04d9c6f0..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-myreport.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-pagesize.png b/windows/deployment/update/images/cortana-powerbi-pagesize.png
deleted file mode 100644
index fd1c1ef917..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-pagesize.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-report-qna.png b/windows/deployment/update/images/cortana-powerbi-report-qna.png
deleted file mode 100644
index d17949aa8a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-report-qna.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png
deleted file mode 100644
index 5b94a2e2fc..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png
deleted file mode 100644
index b2ffec3b70..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png
deleted file mode 100644
index e3b61dcaa2..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-search.png b/windows/deployment/update/images/cortana-powerbi-search.png
deleted file mode 100644
index 88a8b40296..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-search.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-settings.png b/windows/deployment/update/images/cortana-powerbi-settings.png
deleted file mode 100644
index 0f51229895..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-redmond-weather.png b/windows/deployment/update/images/cortana-redmond-weather.png
deleted file mode 100644
index 7e8adc1929..0000000000
Binary files a/windows/deployment/update/images/cortana-redmond-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-edit.png b/windows/deployment/update/images/cortana-reminder-edit.png
deleted file mode 100644
index 79cc280947..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-edit.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-list.png b/windows/deployment/update/images/cortana-reminder-list.png
deleted file mode 100644
index 1f57fc0f05..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-list.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-mic.png b/windows/deployment/update/images/cortana-reminder-mic.png
deleted file mode 100644
index 46a18e8e0b..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-pending-mic.png b/windows/deployment/update/images/cortana-reminder-pending-mic.png
deleted file mode 100644
index 159d408e0a..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-pending-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-pending.png b/windows/deployment/update/images/cortana-reminder-pending.png
deleted file mode 100644
index a6b64b5621..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-pending.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-send-email-coworker-mic.png
deleted file mode 100644
index 0cfa8fb731..0000000000
Binary files a/windows/deployment/update/images/cortana-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-send-email-coworker.png b/windows/deployment/update/images/cortana-send-email-coworker.png
deleted file mode 100644
index 40ce18bdca..0000000000
Binary files a/windows/deployment/update/images/cortana-send-email-coworker.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-weather-multipanel.png b/windows/deployment/update/images/cortana-weather-multipanel.png
deleted file mode 100644
index e8db031744..0000000000
Binary files a/windows/deployment/update/images/cortana-weather-multipanel.png and /dev/null differ
diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png
deleted file mode 100644
index 3a6447329c..0000000000
Binary files a/windows/deployment/update/images/crash-hang-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/csp-placeholder.png b/windows/deployment/update/images/csp-placeholder.png
deleted file mode 100644
index fe6bcf4720..0000000000
Binary files a/windows/deployment/update/images/csp-placeholder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cspinicd.png b/windows/deployment/update/images/cspinicd.png
deleted file mode 100644
index a60ad9e2bf..0000000000
Binary files a/windows/deployment/update/images/cspinicd.png and /dev/null differ
diff --git a/windows/deployment/update/images/csptable.png b/windows/deployment/update/images/csptable.png
deleted file mode 100644
index ee210cad69..0000000000
Binary files a/windows/deployment/update/images/csptable.png and /dev/null differ
diff --git a/windows/deployment/update/images/deploymentworkflow.png b/windows/deployment/update/images/deploymentworkflow.png
deleted file mode 100644
index b665a0bfea..0000000000
Binary files a/windows/deployment/update/images/deploymentworkflow.png and /dev/null differ
diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png
deleted file mode 100644
index afe19b622e..0000000000
Binary files a/windows/deployment/update/images/dev-health-main-tile-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png
deleted file mode 100644
index 850b558512..0000000000
Binary files a/windows/deployment/update/images/dev-health-main-tile.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png
deleted file mode 100644
index 69f98f1d67..0000000000
Binary files a/windows/deployment/update/images/device-crash-history.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png
deleted file mode 100644
index e5a70f2d7d..0000000000
Binary files a/windows/deployment/update/images/device-crash-history2-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG
deleted file mode 100644
index 646afb4091..0000000000
Binary files a/windows/deployment/update/images/device-crash-history2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png
deleted file mode 100644
index 7dd0a2d660..0000000000
Binary files a/windows/deployment/update/images/device-reliability-crash-count.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png
deleted file mode 100644
index ba937d49e9..0000000000
Binary files a/windows/deployment/update/images/device-reliability-device-count.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png
deleted file mode 100644
index 323e0e3878..0000000000
Binary files a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png
deleted file mode 100644
index af8bb1d247..0000000000
Binary files a/windows/deployment/update/images/device-reliability.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png
deleted file mode 100644
index bff4878fa3..0000000000
Binary files a/windows/deployment/update/images/device-reliability2-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG
deleted file mode 100644
index 9af6d971b0..0000000000
Binary files a/windows/deployment/update/images/device-reliability2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/doneicon.png b/windows/deployment/update/images/doneicon.png
deleted file mode 100644
index d80389f35b..0000000000
Binary files a/windows/deployment/update/images/doneicon.png and /dev/null differ
diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png
deleted file mode 100644
index 0437e555a1..0000000000
Binary files a/windows/deployment/update/images/driver-deeper-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png
deleted file mode 100644
index 03551d5783..0000000000
Binary files a/windows/deployment/update/images/driver-detail-1-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG
deleted file mode 100644
index deeb998493..0000000000
Binary files a/windows/deployment/update/images/driver-detail-1.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png
deleted file mode 100644
index 66023722b3..0000000000
Binary files a/windows/deployment/update/images/driver-detail-2-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG
deleted file mode 100644
index 71f16697f5..0000000000
Binary files a/windows/deployment/update/images/driver-detail-2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png
deleted file mode 100644
index ab391f5adb..0000000000
Binary files a/windows/deployment/update/images/driver-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png
deleted file mode 100644
index e4f4604c2b..0000000000
Binary files a/windows/deployment/update/images/event_1001.png and /dev/null differ
diff --git a/windows/deployment/update/images/export-mgt-desktop.png b/windows/deployment/update/images/export-mgt-desktop.png
deleted file mode 100644
index 13349c3b4e..0000000000
Binary files a/windows/deployment/update/images/export-mgt-desktop.png and /dev/null differ
diff --git a/windows/deployment/update/images/export-mgt-mobile.png b/windows/deployment/update/images/export-mgt-mobile.png
deleted file mode 100644
index 6a74c23e59..0000000000
Binary files a/windows/deployment/update/images/export-mgt-mobile.png and /dev/null differ
diff --git a/windows/deployment/update/images/express-settings.png b/windows/deployment/update/images/express-settings.png
deleted file mode 100644
index 99e9c4825a..0000000000
Binary files a/windows/deployment/update/images/express-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/fig1-deferupgrades.png b/windows/deployment/update/images/fig1-deferupgrades.png
deleted file mode 100644
index f8c52b943e..0000000000
Binary files a/windows/deployment/update/images/fig1-deferupgrades.png and /dev/null differ
diff --git a/windows/deployment/update/images/fig2-deploymenttimeline.png b/windows/deployment/update/images/fig2-deploymenttimeline.png
deleted file mode 100644
index a8061d2f15..0000000000
Binary files a/windows/deployment/update/images/fig2-deploymenttimeline.png and /dev/null differ
diff --git a/windows/deployment/update/images/fig3-overlaprelease.png b/windows/deployment/update/images/fig3-overlaprelease.png
deleted file mode 100644
index 58747a35cf..0000000000
Binary files a/windows/deployment/update/images/fig3-overlaprelease.png and /dev/null differ
diff --git a/windows/deployment/update/images/funfacts.png b/windows/deployment/update/images/funfacts.png
deleted file mode 100644
index 71355ec370..0000000000
Binary files a/windows/deployment/update/images/funfacts.png and /dev/null differ
diff --git a/windows/deployment/update/images/genrule.png b/windows/deployment/update/images/genrule.png
deleted file mode 100644
index 1d68f1ad0b..0000000000
Binary files a/windows/deployment/update/images/genrule.png and /dev/null differ
diff --git a/windows/deployment/update/images/gp-branch.png b/windows/deployment/update/images/gp-branch.png
deleted file mode 100644
index 997bcc830a..0000000000
Binary files a/windows/deployment/update/images/gp-branch.png and /dev/null differ
diff --git a/windows/deployment/update/images/gp-exclude-drivers.png b/windows/deployment/update/images/gp-exclude-drivers.png
deleted file mode 100644
index 0010749139..0000000000
Binary files a/windows/deployment/update/images/gp-exclude-drivers.png and /dev/null differ
diff --git a/windows/deployment/update/images/gp-feature.png b/windows/deployment/update/images/gp-feature.png
deleted file mode 100644
index b862d545d4..0000000000
Binary files a/windows/deployment/update/images/gp-feature.png and /dev/null differ
diff --git a/windows/deployment/update/images/gp-quality.png b/windows/deployment/update/images/gp-quality.png
deleted file mode 100644
index d7ff30172d..0000000000
Binary files a/windows/deployment/update/images/gp-quality.png and /dev/null differ
diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png
deleted file mode 100644
index 906b0a2189..0000000000
Binary files a/windows/deployment/update/images/health-summary.png and /dev/null differ
diff --git a/windows/deployment/update/images/icd-adv-shared-pc.PNG b/windows/deployment/update/images/icd-adv-shared-pc.PNG
deleted file mode 100644
index a8da5fa78a..0000000000
Binary files a/windows/deployment/update/images/icd-adv-shared-pc.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/icd-school.PNG b/windows/deployment/update/images/icd-school.PNG
deleted file mode 100644
index e6a944a193..0000000000
Binary files a/windows/deployment/update/images/icd-school.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/icd-simple.PNG b/windows/deployment/update/images/icd-simple.PNG
deleted file mode 100644
index 7ae8a1728b..0000000000
Binary files a/windows/deployment/update/images/icd-simple.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/icdbrowse.png b/windows/deployment/update/images/icdbrowse.png
deleted file mode 100644
index 53c91074c7..0000000000
Binary files a/windows/deployment/update/images/icdbrowse.png and /dev/null differ
diff --git a/windows/deployment/update/images/identitychoices.png b/windows/deployment/update/images/identitychoices.png
deleted file mode 100644
index 9a69c04f20..0000000000
Binary files a/windows/deployment/update/images/identitychoices.png and /dev/null differ
diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg
deleted file mode 100644
index 7d0837af47..0000000000
Binary files a/windows/deployment/update/images/ignite-land.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/launchicon.png b/windows/deployment/update/images/launchicon.png
deleted file mode 100644
index d469c68a2c..0000000000
Binary files a/windows/deployment/update/images/launchicon.png and /dev/null differ
diff --git a/windows/deployment/update/images/license-terms.png b/windows/deployment/update/images/license-terms.png
deleted file mode 100644
index 8dd34b0a18..0000000000
Binary files a/windows/deployment/update/images/license-terms.png and /dev/null differ
diff --git a/windows/deployment/update/images/lockdownapps.png b/windows/deployment/update/images/lockdownapps.png
deleted file mode 100644
index ad928d87bc..0000000000
Binary files a/windows/deployment/update/images/lockdownapps.png and /dev/null differ
diff --git a/windows/deployment/update/images/lockscreen.png b/windows/deployment/update/images/lockscreen.png
deleted file mode 100644
index 68c64e15ec..0000000000
Binary files a/windows/deployment/update/images/lockscreen.png and /dev/null differ
diff --git a/windows/deployment/update/images/lockscreenpolicy.png b/windows/deployment/update/images/lockscreenpolicy.png
deleted file mode 100644
index 30b6a7ae9d..0000000000
Binary files a/windows/deployment/update/images/lockscreenpolicy.png and /dev/null differ
diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png
deleted file mode 100644
index 10b59a01d0..0000000000
Binary files a/windows/deployment/update/images/login-health-detail-faillure.png and /dev/null differ
diff --git a/windows/deployment/update/images/login-health-detail-failure.png b/windows/deployment/update/images/login-health-detail-failure.png
deleted file mode 100644
index 76865225a1..0000000000
Binary files a/windows/deployment/update/images/login-health-detail-failure.png and /dev/null differ
diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png
deleted file mode 100644
index 45867cefc5..0000000000
Binary files a/windows/deployment/update/images/login-health-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png
deleted file mode 100644
index e250351fb5..0000000000
Binary files a/windows/deployment/update/images/login-health.png and /dev/null differ
diff --git a/windows/deployment/update/images/mdm-diag-report-powershell.PNG b/windows/deployment/update/images/mdm-diag-report-powershell.PNG
deleted file mode 100644
index 86f5b49211..0000000000
Binary files a/windows/deployment/update/images/mdm-diag-report-powershell.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/mdm.png b/windows/deployment/update/images/mdm.png
deleted file mode 100644
index 8ebcc00526..0000000000
Binary files a/windows/deployment/update/images/mdm.png and /dev/null differ
diff --git a/windows/deployment/update/images/mobile-start-layout.png b/windows/deployment/update/images/mobile-start-layout.png
deleted file mode 100644
index d1055d6c87..0000000000
Binary files a/windows/deployment/update/images/mobile-start-layout.png and /dev/null differ
diff --git a/windows/deployment/update/images/oma-uri-shared-pc.png b/windows/deployment/update/images/oma-uri-shared-pc.png
deleted file mode 100644
index 68f9fa3b32..0000000000
Binary files a/windows/deployment/update/images/oma-uri-shared-pc.png and /dev/null differ
diff --git a/windows/deployment/update/images/oobe.jpg b/windows/deployment/update/images/oobe.jpg
deleted file mode 100644
index 53a5dab6bf..0000000000
Binary files a/windows/deployment/update/images/oobe.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/outdated_incomplete.png b/windows/deployment/update/images/outdated_incomplete.png
deleted file mode 100644
index 61d9343b05..0000000000
Binary files a/windows/deployment/update/images/outdated_incomplete.png and /dev/null differ
diff --git a/windows/deployment/update/images/outdated_outdated.png b/windows/deployment/update/images/outdated_outdated.png
deleted file mode 100644
index 761d9066c2..0000000000
Binary files a/windows/deployment/update/images/outdated_outdated.png and /dev/null differ
diff --git a/windows/deployment/update/images/package.png b/windows/deployment/update/images/package.png
deleted file mode 100644
index f5e975e3e9..0000000000
Binary files a/windows/deployment/update/images/package.png and /dev/null differ
diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-global.png b/windows/deployment/update/images/packageaddfileandregistrydata-global.png
deleted file mode 100644
index 775e290a36..0000000000
Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-global.png and /dev/null differ
diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png b/windows/deployment/update/images/packageaddfileandregistrydata-stream.png
deleted file mode 100644
index 0e1205c62b..0000000000
Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png and /dev/null differ
diff --git a/windows/deployment/update/images/packageaddfileandregistrydata.png b/windows/deployment/update/images/packageaddfileandregistrydata.png
deleted file mode 100644
index 603420e627..0000000000
Binary files a/windows/deployment/update/images/packageaddfileandregistrydata.png and /dev/null differ
diff --git a/windows/deployment/update/images/phoneprovision.png b/windows/deployment/update/images/phoneprovision.png
deleted file mode 100644
index 01ada29ac9..0000000000
Binary files a/windows/deployment/update/images/phoneprovision.png and /dev/null differ
diff --git a/windows/deployment/update/images/policytocsp.png b/windows/deployment/update/images/policytocsp.png
deleted file mode 100644
index 80ca76cb62..0000000000
Binary files a/windows/deployment/update/images/policytocsp.png and /dev/null differ
diff --git a/windows/deployment/update/images/powericon.png b/windows/deployment/update/images/powericon.png
deleted file mode 100644
index b497ff859d..0000000000
Binary files a/windows/deployment/update/images/powericon.png and /dev/null differ
diff --git a/windows/deployment/update/images/priv-telemetry-levels.png b/windows/deployment/update/images/priv-telemetry-levels.png
deleted file mode 100644
index 9581cee54d..0000000000
Binary files a/windows/deployment/update/images/priv-telemetry-levels.png and /dev/null differ
diff --git a/windows/deployment/update/images/prov.jpg b/windows/deployment/update/images/prov.jpg
deleted file mode 100644
index 1593ccb36b..0000000000
Binary files a/windows/deployment/update/images/prov.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/provisioning-csp-assignedaccess.png b/windows/deployment/update/images/provisioning-csp-assignedaccess.png
deleted file mode 100644
index 14d49cdd89..0000000000
Binary files a/windows/deployment/update/images/provisioning-csp-assignedaccess.png and /dev/null differ
diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png
deleted file mode 100644
index b088cbbf5b..0000000000
Binary files a/windows/deployment/update/images/rapid-calendar.png and /dev/null differ
diff --git a/windows/deployment/update/images/rdp.png b/windows/deployment/update/images/rdp.png
deleted file mode 100644
index ac088d0b06..0000000000
Binary files a/windows/deployment/update/images/rdp.png and /dev/null differ
diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png
deleted file mode 100644
index 58e812dafa..0000000000
Binary files a/windows/deployment/update/images/reliability-perspective.png and /dev/null differ
diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG
deleted file mode 100644
index 978cacc4f5..0000000000
Binary files a/windows/deployment/update/images/reliability-perspective2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/resetdevice.png b/windows/deployment/update/images/resetdevice.png
deleted file mode 100644
index 4e265c3f8d..0000000000
Binary files a/windows/deployment/update/images/resetdevice.png and /dev/null differ
diff --git a/windows/deployment/update/images/security-only-update.png b/windows/deployment/update/images/security-only-update.png
deleted file mode 100644
index 9ed3d0f791..0000000000
Binary files a/windows/deployment/update/images/security-only-update.png and /dev/null differ
diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png
deleted file mode 100644
index cb79ff70be..0000000000
Binary files a/windows/deployment/update/images/servicing-cadence.png and /dev/null differ
diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png
deleted file mode 100644
index 0914b555ba..0000000000
Binary files a/windows/deployment/update/images/servicing-previews.png and /dev/null differ
diff --git a/windows/deployment/update/images/settings-table.png b/windows/deployment/update/images/settings-table.png
deleted file mode 100644
index ada56513fc..0000000000
Binary files a/windows/deployment/update/images/settings-table.png and /dev/null differ
diff --git a/windows/deployment/update/images/settingsicon.png b/windows/deployment/update/images/settingsicon.png
deleted file mode 100644
index 0ad27fc558..0000000000
Binary files a/windows/deployment/update/images/settingsicon.png and /dev/null differ
diff --git a/windows/deployment/update/images/setupmsg.jpg b/windows/deployment/update/images/setupmsg.jpg
deleted file mode 100644
index 12935483c5..0000000000
Binary files a/windows/deployment/update/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/sign-in-prov.png b/windows/deployment/update/images/sign-in-prov.png
deleted file mode 100644
index 55c9276203..0000000000
Binary files a/windows/deployment/update/images/sign-in-prov.png and /dev/null differ
diff --git a/windows/deployment/update/images/solution-bundle.png b/windows/deployment/update/images/solution-bundle.png
deleted file mode 100644
index 70cec8d8f4..0000000000
Binary files a/windows/deployment/update/images/solution-bundle.png and /dev/null differ
diff --git a/windows/deployment/update/images/spotlight.png b/windows/deployment/update/images/spotlight.png
deleted file mode 100644
index 515269740b..0000000000
Binary files a/windows/deployment/update/images/spotlight.png and /dev/null differ
diff --git a/windows/deployment/update/images/spotlight2.png b/windows/deployment/update/images/spotlight2.png
deleted file mode 100644
index 27401c1a2b..0000000000
Binary files a/windows/deployment/update/images/spotlight2.png and /dev/null differ
diff --git a/windows/deployment/update/images/start-pinned-app.png b/windows/deployment/update/images/start-pinned-app.png
deleted file mode 100644
index e1e4a24a00..0000000000
Binary files a/windows/deployment/update/images/start-pinned-app.png and /dev/null differ
diff --git a/windows/deployment/update/images/startannotated.png b/windows/deployment/update/images/startannotated.png
deleted file mode 100644
index d46f3a70c2..0000000000
Binary files a/windows/deployment/update/images/startannotated.png and /dev/null differ
diff --git a/windows/deployment/update/images/starticon.png b/windows/deployment/update/images/starticon.png
deleted file mode 100644
index fa8cbdff10..0000000000
Binary files a/windows/deployment/update/images/starticon.png and /dev/null differ
diff --git a/windows/deployment/update/images/startlayoutpolicy.jpg b/windows/deployment/update/images/startlayoutpolicy.jpg
deleted file mode 100644
index d3c8d054fe..0000000000
Binary files a/windows/deployment/update/images/startlayoutpolicy.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/starttemplate.jpg b/windows/deployment/update/images/starttemplate.jpg
deleted file mode 100644
index 900eed08c5..0000000000
Binary files a/windows/deployment/update/images/starttemplate.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/sysprep-error.png b/windows/deployment/update/images/sysprep-error.png
deleted file mode 100644
index aa004efbb6..0000000000
Binary files a/windows/deployment/update/images/sysprep-error.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-blank.png b/windows/deployment/update/images/taskbar-blank.png
deleted file mode 100644
index 185027f2fd..0000000000
Binary files a/windows/deployment/update/images/taskbar-blank.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-default-plus.png b/windows/deployment/update/images/taskbar-default-plus.png
deleted file mode 100644
index 8afcebac09..0000000000
Binary files a/windows/deployment/update/images/taskbar-default-plus.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-default-removed.png b/windows/deployment/update/images/taskbar-default-removed.png
deleted file mode 100644
index b3ff924e9f..0000000000
Binary files a/windows/deployment/update/images/taskbar-default-removed.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-default.png b/windows/deployment/update/images/taskbar-default.png
deleted file mode 100644
index 41c6c72258..0000000000
Binary files a/windows/deployment/update/images/taskbar-default.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-generic.png b/windows/deployment/update/images/taskbar-generic.png
deleted file mode 100644
index 6d47a6795a..0000000000
Binary files a/windows/deployment/update/images/taskbar-generic.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-region-defr.png b/windows/deployment/update/images/taskbar-region-defr.png
deleted file mode 100644
index 6d707b16f4..0000000000
Binary files a/windows/deployment/update/images/taskbar-region-defr.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-region-other.png b/windows/deployment/update/images/taskbar-region-other.png
deleted file mode 100644
index fab367ef7a..0000000000
Binary files a/windows/deployment/update/images/taskbar-region-other.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbar-region-usuk.png b/windows/deployment/update/images/taskbar-region-usuk.png
deleted file mode 100644
index 6bba65ee81..0000000000
Binary files a/windows/deployment/update/images/taskbar-region-usuk.png and /dev/null differ
diff --git a/windows/deployment/update/images/taskbarSTARTERBLANK.png b/windows/deployment/update/images/taskbarSTARTERBLANK.png
deleted file mode 100644
index e206bdc196..0000000000
Binary files a/windows/deployment/update/images/taskbarSTARTERBLANK.png and /dev/null differ
diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png
deleted file mode 100644
index 33175c7590..0000000000
Binary files a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png and /dev/null differ
diff --git a/windows/deployment/update/images/trust-package.png b/windows/deployment/update/images/trust-package.png
deleted file mode 100644
index 8a293ea4da..0000000000
Binary files a/windows/deployment/update/images/trust-package.png and /dev/null differ
diff --git a/windows/deployment/update/images/twain.png b/windows/deployment/update/images/twain.png
deleted file mode 100644
index 53cd5eadc7..0000000000
Binary files a/windows/deployment/update/images/twain.png and /dev/null differ
diff --git a/windows/deployment/update/images/uev-adk-select-uev-feature.png b/windows/deployment/update/images/uev-adk-select-uev-feature.png
deleted file mode 100644
index 1556f115c0..0000000000
Binary files a/windows/deployment/update/images/uev-adk-select-uev-feature.png and /dev/null differ
diff --git a/windows/deployment/update/images/uev-archdiagram.png b/windows/deployment/update/images/uev-archdiagram.png
deleted file mode 100644
index eae098e666..0000000000
Binary files a/windows/deployment/update/images/uev-archdiagram.png and /dev/null differ
diff --git a/windows/deployment/update/images/uev-checklist-box.gif b/windows/deployment/update/images/uev-checklist-box.gif
deleted file mode 100644
index 8af13c51d1..0000000000
Binary files a/windows/deployment/update/images/uev-checklist-box.gif and /dev/null differ
diff --git a/windows/deployment/update/images/uev-deployment-preparation.png b/windows/deployment/update/images/uev-deployment-preparation.png
deleted file mode 100644
index b665a0bfea..0000000000
Binary files a/windows/deployment/update/images/uev-deployment-preparation.png and /dev/null differ
diff --git a/windows/deployment/update/images/uev-generator-process.png b/windows/deployment/update/images/uev-generator-process.png
deleted file mode 100644
index e16cedd0a7..0000000000
Binary files a/windows/deployment/update/images/uev-generator-process.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png
deleted file mode 100644
index 266c5b7210..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-assessment.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png
deleted file mode 100644
index 977478fb74..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-overview.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png
deleted file mode 100644
index 2c6c355ca4..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-prot-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png
deleted file mode 100644
index 733bfb6ae7..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png
deleted file mode 100644
index d914960a7a..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png
deleted file mode 100644
index 7d8021b02e..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png
deleted file mode 100644
index cd500c2cb3..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png
deleted file mode 100644
index 30e2e2352f..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-log.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png
deleted file mode 100644
index c7d1a436fe..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-query.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png
deleted file mode 100644
index ada9c09bbf..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-threat-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png
deleted file mode 100644
index 402db94d6f..0000000000
Binary files a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png and /dev/null differ
diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG
deleted file mode 100644
index 35317ee027..0000000000
Binary files a/windows/deployment/update/images/video-snip.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/w10servicing-f1-branches.png b/windows/deployment/update/images/w10servicing-f1-branches.png
deleted file mode 100644
index ac4a549aed..0000000000
Binary files a/windows/deployment/update/images/w10servicing-f1-branches.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-auto-update-policy.PNG b/windows/deployment/update/images/waas-auto-update-policy.PNG
deleted file mode 100644
index 52a1629cbf..0000000000
Binary files a/windows/deployment/update/images/waas-auto-update-policy.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig1.png b/windows/deployment/update/images/waas-do-fig1.png
deleted file mode 100644
index 2a2b6872e9..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig2.png b/windows/deployment/update/images/waas-do-fig2.png
deleted file mode 100644
index cc42b328eb..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig3.png b/windows/deployment/update/images/waas-do-fig3.png
deleted file mode 100644
index d9182d3b20..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig4.png b/windows/deployment/update/images/waas-do-fig4.png
deleted file mode 100644
index a66741ed90..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig4.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-mcc-diag-overview.png b/windows/deployment/update/images/waas-mcc-diag-overview.png
deleted file mode 100644
index bd5c4ee8d9..0000000000
Binary files a/windows/deployment/update/images/waas-mcc-diag-overview.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-overview-patch.png b/windows/deployment/update/images/waas-overview-patch.png
deleted file mode 100644
index 6ac0a03227..0000000000
Binary files a/windows/deployment/update/images/waas-overview-patch.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-restart-policy.PNG b/windows/deployment/update/images/waas-restart-policy.PNG
deleted file mode 100644
index 936f9aeb08..0000000000
Binary files a/windows/deployment/update/images/waas-restart-policy.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/waas-rings.png b/windows/deployment/update/images/waas-rings.png
deleted file mode 100644
index 041a59ce87..0000000000
Binary files a/windows/deployment/update/images/waas-rings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig1.png b/windows/deployment/update/images/waas-sccm-fig1.png
deleted file mode 100644
index 6bf2b1c621..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig10.png b/windows/deployment/update/images/waas-sccm-fig10.png
deleted file mode 100644
index ad3b5c922f..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig10.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig11.png b/windows/deployment/update/images/waas-sccm-fig11.png
deleted file mode 100644
index 6c4f905630..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig11.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig12.png b/windows/deployment/update/images/waas-sccm-fig12.png
deleted file mode 100644
index 87464dd5f1..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig12.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig2.png b/windows/deployment/update/images/waas-sccm-fig2.png
deleted file mode 100644
index c83e7bc781..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig3.png b/windows/deployment/update/images/waas-sccm-fig3.png
deleted file mode 100644
index dcbc83b8ff..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig4.png b/windows/deployment/update/images/waas-sccm-fig4.png
deleted file mode 100644
index 782c5ca6ef..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig4.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig5.png b/windows/deployment/update/images/waas-sccm-fig5.png
deleted file mode 100644
index cb399a6c6f..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig5.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig6.png b/windows/deployment/update/images/waas-sccm-fig6.png
deleted file mode 100644
index 77dd02d61e..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig6.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig7.png b/windows/deployment/update/images/waas-sccm-fig7.png
deleted file mode 100644
index a74c7c8133..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig7.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig8.png b/windows/deployment/update/images/waas-sccm-fig8.png
deleted file mode 100644
index 2dfaf75ddf..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig8.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig9.png b/windows/deployment/update/images/waas-sccm-fig9.png
deleted file mode 100644
index 311d79dc94..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig9.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-strategy-fig1a.png b/windows/deployment/update/images/waas-strategy-fig1a.png
deleted file mode 100644
index 7a924c43bc..0000000000
Binary files a/windows/deployment/update/images/waas-strategy-fig1a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png b/windows/deployment/update/images/waas-wipfb-aad-classicaad.png
deleted file mode 100644
index 424f4bca0a..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png b/windows/deployment/update/images/waas-wipfb-aad-classicenable.png
deleted file mode 100644
index 9cc78c2736..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-consent.png b/windows/deployment/update/images/waas-wipfb-aad-consent.png
deleted file mode 100644
index aeb78e5ddf..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-consent.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-error.png b/windows/deployment/update/images/waas-wipfb-aad-error.png
deleted file mode 100644
index 83e6ca9974..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-error.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newaad.png b/windows/deployment/update/images/waas-wipfb-aad-newaad.png
deleted file mode 100644
index 87a6f5e750..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newaad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png
deleted file mode 100644
index 9da18db5d1..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newenable.png b/windows/deployment/update/images/waas-wipfb-aad-newenable.png
deleted file mode 100644
index f9bbe57b26..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newenable.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png b/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png
deleted file mode 100644
index ab28da5cbc..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-accounts.png b/windows/deployment/update/images/waas-wipfb-accounts.png
deleted file mode 100644
index 27387e3e7b..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-accounts.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-change-user.png b/windows/deployment/update/images/waas-wipfb-change-user.png
deleted file mode 100644
index bf6fe39beb..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-change-user.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-policy1.png b/windows/deployment/update/images/waas-wipfb-policy1.png
deleted file mode 100644
index 1fc89ecd2f..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-policy1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-work-account.jpg b/windows/deployment/update/images/waas-wipfb-work-account.jpg
deleted file mode 100644
index 4b34385b18..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-work-account.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wsus-fig1.png b/windows/deployment/update/images/waas-wsus-fig1.png
deleted file mode 100644
index 14bf35958a..0000000000
Binary files a/windows/deployment/update/images/waas-wsus-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wsus-fig2.png b/windows/deployment/update/images/waas-wsus-fig2.png
deleted file mode 100644
index 167774a6c9..0000000000
Binary files a/windows/deployment/update/images/waas-wsus-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-broad.png b/windows/deployment/update/images/waas-wufb-gp-broad.png
deleted file mode 100644
index 92b71c8936..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-broad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png
deleted file mode 100644
index ae6ed4d856..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2.png b/windows/deployment/update/images/waas-wufb-gp-cb2.png
deleted file mode 100644
index 006a8c02d3..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png
deleted file mode 100644
index c9e1029b8b..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png
deleted file mode 100644
index e5aff1cc89..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png
deleted file mode 100644
index 33a02165c6..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-create.png b/windows/deployment/update/images/waas-wufb-gp-create.png
deleted file mode 100644
index d74eec4b2e..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-create.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png b/windows/deployment/update/images/waas-wufb-gp-edit-defer.png
deleted file mode 100644
index c697b42ffd..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-edit.png b/windows/deployment/update/images/waas-wufb-gp-edit.png
deleted file mode 100644
index 1b8d21a175..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-edit.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png b/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png
deleted file mode 100644
index fcacdbea57..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-scope.png b/windows/deployment/update/images/waas-wufb-gp-scope.png
deleted file mode 100644
index a04d8194df..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-scope.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cb2a.png b/windows/deployment/update/images/waas-wufb-intune-cb2a.png
deleted file mode 100644
index 3e8c1ce19e..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cb2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png b/windows/deployment/update/images/waas-wufb-intune-cbb1a.png
deleted file mode 100644
index bc394fe563..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png b/windows/deployment/update/images/waas-wufb-intune-cbb2a.png
deleted file mode 100644
index a980e0e43a..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step11a.png b/windows/deployment/update/images/waas-wufb-intune-step11a.png
deleted file mode 100644
index 7291484c93..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step11a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step19a.png b/windows/deployment/update/images/waas-wufb-intune-step19a.png
deleted file mode 100644
index de132abd28..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step19a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step2a.png b/windows/deployment/update/images/waas-wufb-intune-step2a.png
deleted file mode 100644
index 9a719b8fda..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step7a.png b/windows/deployment/update/images/waas-wufb-intune-step7a.png
deleted file mode 100644
index daa96ba18c..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step7a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-policy-pause.png b/windows/deployment/update/images/waas-wufb-policy-pause.png
deleted file mode 100644
index b8ea2c8df9..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-policy-pause.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-settings-defer.jpg b/windows/deployment/update/images/waas-wufb-settings-defer.jpg
deleted file mode 100644
index 5e6c58a101..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-settings-defer.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-update-compliance.png b/windows/deployment/update/images/waas-wufb-update-compliance.png
deleted file mode 100644
index 0c1bbaea7c..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-update-compliance.png and /dev/null differ
diff --git a/windows/deployment/update/images/who-owns-pc.png b/windows/deployment/update/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/deployment/update/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-grouppolicy.png b/windows/deployment/update/images/wifisense-grouppolicy.png
deleted file mode 100644
index 1142d834bd..0000000000
Binary files a/windows/deployment/update/images/wifisense-grouppolicy.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-registry.png b/windows/deployment/update/images/wifisense-registry.png
deleted file mode 100644
index cbb1fa8347..0000000000
Binary files a/windows/deployment/update/images/wifisense-registry.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-settingscreens.png b/windows/deployment/update/images/wifisense-settingscreens.png
deleted file mode 100644
index cbb6903177..0000000000
Binary files a/windows/deployment/update/images/wifisense-settingscreens.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10-mobile-mdm-fig1.png b/windows/deployment/update/images/win10-mobile-mdm-fig1.png
deleted file mode 100644
index 6ddac1df99..0000000000
Binary files a/windows/deployment/update/images/win10-mobile-mdm-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png b/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png
deleted file mode 100644
index e4dc76b44f..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig3.png b/windows/deployment/update/images/win10servicing-fig3.png
deleted file mode 100644
index 688f92b173..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png b/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png
deleted file mode 100644
index 961c8bebe2..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig5.png b/windows/deployment/update/images/win10servicing-fig5.png
deleted file mode 100644
index dc4b2fc5b2..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig5.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig6.png b/windows/deployment/update/images/win10servicing-fig6.png
deleted file mode 100644
index 4cdc5f9c6f..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig6.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig7.png b/windows/deployment/update/images/win10servicing-fig7.png
deleted file mode 100644
index 0a9a851449..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig7.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png b/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png
deleted file mode 100644
index 6121e93832..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png b/windows/deployment/update/images/windows-10-management-gp-intune-flow.png
deleted file mode 100644
index c9e3f2ea31..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-range-of-options.png b/windows/deployment/update/images/windows-10-management-range-of-options.png
deleted file mode 100644
index e4de546709..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-range-of-options.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png
deleted file mode 100644
index e597eaec2a..0000000000
Binary files a/windows/deployment/update/images/windows-update-workflow.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-distribute.png b/windows/deployment/update/images/wsfb-distribute.png
deleted file mode 100644
index d0482f6ebe..0000000000
Binary files a/windows/deployment/update/images/wsfb-distribute.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-firstrun.png b/windows/deployment/update/images/wsfb-firstrun.png
deleted file mode 100644
index 2673567a1e..0000000000
Binary files a/windows/deployment/update/images/wsfb-firstrun.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventory-viewlicense.png b/windows/deployment/update/images/wsfb-inventory-viewlicense.png
deleted file mode 100644
index 9fafad1aff..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventory-viewlicense.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventory.png b/windows/deployment/update/images/wsfb-inventory.png
deleted file mode 100644
index b060fb30e4..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventory.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png b/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png
deleted file mode 100644
index bb1152e35b..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-landing.png b/windows/deployment/update/images/wsfb-landing.png
deleted file mode 100644
index beae0b52af..0000000000
Binary files a/windows/deployment/update/images/wsfb-landing.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licenseassign.png b/windows/deployment/update/images/wsfb-licenseassign.png
deleted file mode 100644
index 5904abb3b9..0000000000
Binary files a/windows/deployment/update/images/wsfb-licenseassign.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licensedetails.png b/windows/deployment/update/images/wsfb-licensedetails.png
deleted file mode 100644
index 53e0f5c935..0000000000
Binary files a/windows/deployment/update/images/wsfb-licensedetails.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licensereclaim.png b/windows/deployment/update/images/wsfb-licensereclaim.png
deleted file mode 100644
index 9f94cd3600..0000000000
Binary files a/windows/deployment/update/images/wsfb-licensereclaim.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-manageinventory.png b/windows/deployment/update/images/wsfb-manageinventory.png
deleted file mode 100644
index 9a544ddc21..0000000000
Binary files a/windows/deployment/update/images/wsfb-manageinventory.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png b/windows/deployment/update/images/wsfb-offline-distribute-mdm.png
deleted file mode 100644
index ec0e77a9a9..0000000000
Binary files a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-1.png b/windows/deployment/update/images/wsfb-onboard-1.png
deleted file mode 100644
index 012e91a845..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-1.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-2.png b/windows/deployment/update/images/wsfb-onboard-2.png
deleted file mode 100644
index 2ff98fb1f7..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-2.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-3.png b/windows/deployment/update/images/wsfb-onboard-3.png
deleted file mode 100644
index ed9a61d353..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-3.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-4.png b/windows/deployment/update/images/wsfb-onboard-4.png
deleted file mode 100644
index d99185ddc6..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-4.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-5.png b/windows/deployment/update/images/wsfb-onboard-5.png
deleted file mode 100644
index 68049f4425..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-5.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-7.png b/windows/deployment/update/images/wsfb-onboard-7.png
deleted file mode 100644
index 38b7348b21..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-7.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-online-distribute-mdm.png b/windows/deployment/update/images/wsfb-online-distribute-mdm.png
deleted file mode 100644
index 4b0f7cbf3a..0000000000
Binary files a/windows/deployment/update/images/wsfb-online-distribute-mdm.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-paid-app-temp.png b/windows/deployment/update/images/wsfb-paid-app-temp.png
deleted file mode 100644
index 89e3857d07..0000000000
Binary files a/windows/deployment/update/images/wsfb-paid-app-temp.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-permissions-assignrole.png b/windows/deployment/update/images/wsfb-permissions-assignrole.png
deleted file mode 100644
index de2e1785ba..0000000000
Binary files a/windows/deployment/update/images/wsfb-permissions-assignrole.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-private-store-gpo.PNG b/windows/deployment/update/images/wsfb-private-store-gpo.PNG
deleted file mode 100644
index 5e7fe44ec2..0000000000
Binary files a/windows/deployment/update/images/wsfb-private-store-gpo.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-privatestore.png b/windows/deployment/update/images/wsfb-privatestore.png
deleted file mode 100644
index 74c9f1690d..0000000000
Binary files a/windows/deployment/update/images/wsfb-privatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-privatestoreapps.png b/windows/deployment/update/images/wsfb-privatestoreapps.png
deleted file mode 100644
index 1ddb543796..0000000000
Binary files a/windows/deployment/update/images/wsfb-privatestoreapps.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-renameprivatestore.png b/windows/deployment/update/images/wsfb-renameprivatestore.png
deleted file mode 100644
index c6db282581..0000000000
Binary files a/windows/deployment/update/images/wsfb-renameprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-settings-mgmt.png b/windows/deployment/update/images/wsfb-settings-mgmt.png
deleted file mode 100644
index 2a7b590d19..0000000000
Binary files a/windows/deployment/update/images/wsfb-settings-mgmt.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-settings-permissions.png b/windows/deployment/update/images/wsfb-settings-permissions.png
deleted file mode 100644
index 63d04d270b..0000000000
Binary files a/windows/deployment/update/images/wsfb-settings-permissions.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappaddacct.png b/windows/deployment/update/images/wsfb-wsappaddacct.png
deleted file mode 100644
index 5c0bd9a4ce..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappaddacct.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappprivatestore.png b/windows/deployment/update/images/wsfb-wsappprivatestore.png
deleted file mode 100644
index 9c29e7604c..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappsignin.png b/windows/deployment/update/images/wsfb-wsappsignin.png
deleted file mode 100644
index c2c2631a94..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappsignin.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappworkacct.png b/windows/deployment/update/images/wsfb-wsappworkacct.png
deleted file mode 100644
index 5eb9035124..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappworkacct.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-do.png b/windows/deployment/update/images/wufb-do.png
deleted file mode 100644
index 8d6c9d0b8a..0000000000
Binary files a/windows/deployment/update/images/wufb-do.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-engaged-notification.png b/windows/deployment/update/images/wufb-feature-engaged-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-notification.png b/windows/deployment/update/images/wufb-feature-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png b/windows/deployment/update/images/wufb-feature-update-deadline-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png b/windows/deployment/update/images/wufb-feature-update-engaged-notification.png
deleted file mode 100644
index 6173803a90..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-groups.png b/windows/deployment/update/images/wufb-groups.png
deleted file mode 100644
index 13cdea04b0..0000000000
Binary files a/windows/deployment/update/images/wufb-groups.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-pause-feature.png b/windows/deployment/update/images/wufb-pause-feature.png
deleted file mode 100644
index afeac43e29..0000000000
Binary files a/windows/deployment/update/images/wufb-pause-feature.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-qual.png b/windows/deployment/update/images/wufb-qual.png
deleted file mode 100644
index 4a93408522..0000000000
Binary files a/windows/deployment/update/images/wufb-qual.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-quality-engaged-notification.png b/windows/deployment/update/images/wufb-quality-engaged-notification.png
deleted file mode 100644
index 432f9f89b7..0000000000
Binary files a/windows/deployment/update/images/wufb-quality-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-quality-notification.png b/windows/deployment/update/images/wufb-quality-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-quality-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-wave-deployment.png b/windows/deployment/update/images/wufb-wave-deployment.png
deleted file mode 100644
index 34ff0bf6cf..0000000000
Binary files a/windows/deployment/update/images/wufb-wave-deployment.png and /dev/null differ
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b132951a59..342b6d4210 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,25 +5,42 @@ manager: aaroncz ms.technology: itpro-updates ms.prod: windows-client ms.topic: include -ms.date: 03/15/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium --- +Accessing Windows Update for Business reports typcially requires permissions from multiple sources including: -To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles: +- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports +- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace +- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in -- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) -- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) -- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center -- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin 
center +**Roles that can enroll into Windows Update for Business reports** -To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles: -**Log Analytics permissions**: +- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role +- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role +- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role +- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role + - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center + +**Azure roles that allow access to the Log Analytics workspace** + +The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace: -The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. 
To display or query data, users must have one of the following roles, or the equivalent permissions: -- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data +- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed + +Examples of commonly assigned roles for Windows Update for Business reports users: + +| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace | +| --- | --- | --- | --- | --- | --- | +| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes | +| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No | +| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No | +| Log Analytics reader | No | No | Yes | No | No| +| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No | + +> [!NOTE] +> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png deleted file mode 100644 index ee06527529..0000000000 Binary files a/windows/deployment/update/olympia/images/1-1.png and /dev/null differ 
diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png deleted file mode 100644 index 807e895aa5..0000000000 Binary files a/windows/deployment/update/olympia/images/1-3.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png deleted file mode 100644 index 3e63d1c078..0000000000 Binary files a/windows/deployment/update/olympia/images/1-4.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png deleted file mode 100644 index 7006da4179..0000000000 Binary files a/windows/deployment/update/olympia/images/2-3.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png deleted file mode 100644 index 677679a000..0000000000 Binary files a/windows/deployment/update/olympia/images/2-4.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png deleted file mode 100644 index cfec6f7ce0..0000000000 Binary files a/windows/deployment/update/olympia/images/2-5.png and /dev/null differ diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index dd358bb8a2..0c088b2aee 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.technology: itpro-updates -ms.date: 03/09/2023 +ms.date: 04/25/2023 --- # Manage additional Windows Update settings 
@@ -35,6 +35,8 @@ You can use Group Policy settings or mobile device management (MDM) to configure | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | | | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications)

    *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | +| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update | + >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. 
@@ -47,7 +49,7 @@ Admins have a lot of flexibility in configuring how their devices scan and recei [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. -You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). +You can make custom device groups that will work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users. 
@@ -61,10 +63,10 @@ This setting lets you specify a server on your network to function as an interna To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. -If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. -The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. 
This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server. +The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service doesn't provide download Urls in the update metadata for files that are present on the alternate download server. >[!NOTE] >If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. @@ -109,7 +111,7 @@ Use **Computer Configuration\Administrative Templates\Windows Components\Windows Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager. This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**. -If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer. +If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer. If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service. If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. 
@@ -123,8 +125,8 @@ This policy setting allows you to manage whether Automatic Updates accepts updat To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. -If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. +If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +If you disable or don't configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. >[!NOTE] >Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting. 
@@ -136,7 +138,7 @@ To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](/windows/
 To add more flexibility to the update process, settings are available to control update installation.
-[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
+[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers aren't installed with the rest of the received updates.
 ### Do not include drivers with Windows Updates
@@ -144,7 +146,7 @@ Allows admins to exclude Windows Update drivers during updates.
 To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
 Enable this policy to not include drivers with Windows quality updates.
-If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
+If you disable or don't configure this policy, Windows Update will include updates that have a Driver classification.
 ### Configure Automatic Updates
@@ -156,13 +158,13 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo
 **2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
-**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
+**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
 **4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
-**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions.
+**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions.
-**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
+**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they'll be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
 If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
@@ -173,7 +175,7 @@ If this setting is set to **Not Configured**, an administrator can still configu
 > [!NOTE]
 > Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
-In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
+In an environment that doesn't have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
 To do this, follow these steps:
@@ -203,7 +205,7 @@ To do this, follow these steps:
 * **4**: Automatically download and scheduled installation.
- * **5**: Allow local admin to select the configuration mode. This option is not available for Windows 10 or later versions.
+ * **5**: Allow local admin to select the configuration mode. This option isn't available for Windows 10 or later versions.
 * **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
@@ -230,7 +232,7 @@ To do this, follow these steps:
 * NoAutoRebootWithLoggedOnUsers (REG_DWORD):
- **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
+ **0** (false) or **1** (true). If set to **1**, Automatic Updates doesn't automatically restart a computer while users are logged on.
 > [!NOTE]
 > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
@@ -264,7 +266,7 @@ The organization name appears automatically for Windows 11 clients that are asso
 To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
 - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
- - **DWORD value name**: UsoDisableAADJAttribution
+ - **DWORD value name**: UsoDisableAADJAttribution
 - **Value data:** 1
 The following PowerShell script is provided as an example to you:
@@ -280,3 +282,17 @@ if (!(Test-Path $registryPath))
 New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
 ```
+
+## Allow Windows updates to install before initial user sign-in
+*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update)*
+
+On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.
+
+In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
+
+- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
+- **DWORD value name**: ScanBeforeInitialLogonAllowed
+- **Value data**: 1
+
+> [!Warning]
+> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time.
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 0ba338dd97..8d7b1f616c 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -7,7 +7,7 @@ author: mestew
 ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
@@ -25,20 +25,14 @@ The **Software updates** page has following tabs to assist you in monitoring upd
 :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
-## Permissions
-
-
-[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
-
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
-
 ## Limitations
 Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
 ## Get started
+After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed:
+
 [!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md
index 9de81e8e55..580d459ff8 100644
--- a/windows/deployment/update/wufb-reports-do.md
+++ b/windows/deployment/update/wufb-reports-do.md
@@ -40,9 +40,9 @@ Windows Update for Business reports uses the following Delivery Optimization ter
 - If bandwidth savings are <= 60%, a *Warning* icon is displayed
 - When bandwidth savings are <10%, an *Error* icon is displayed.
 - **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface.
-- **P2P Device Count**: The device count is determined by the number of devices configured to use peering.
+- **P2P Device Count**: The device count is the number of devices configured to use peering.
 - **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md).
-- **MCC Device Count**: The device count is determined by the number of devices that have received bytes from the cache server, for supported content types.
+- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types.
 - **Total # of Devices**: The total number of devices with activity in last 28 days.
 - **LAN Bytes**: Bytes delivered from LAN peers.
 - **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'.
@@ -89,7 +89,7 @@ There are several calculated values that appear on the Delivery Optimization rep
 ## Mapping GroupID
-In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of decoded to encoded GroupID using the following PowerShell example:
+In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example:
 ```powershell
 $text = "" ;
@@ -164,3 +164,6 @@ A row in UCDOStatus represents data downloaded by a combination of a single devi
 - **What does the data in UCDOAggregatedStatus table represent?**
 A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType).
+
+- **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?**
+If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache.
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index a02c8ece15..df307acd3d 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 11/15/2022
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index fa6514d687..f9951294d8 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 03/15/2023
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
@@ -25,7 +25,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
 - The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
 - Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
-
 ## Permissions
 [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 12318c9c53..34cab456db 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: reference
-ms.date: 06/06/2022
+ms.date: 04/24/2023
 ms.technology: itpro-updates
 ---
@@ -37,7 +37,7 @@ Update Event that combines the latest client-based data with the latest service-
 | **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
 | **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
+| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
 | **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
@@ -50,3 +50,4 @@ Update Event that combines the latest client-based data with the latest service-
 | **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
+
\ No newline at end of file
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index 53396697ce..9756777253 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
 author: mestew
 ms.author: mstewart
 ms.topic: article
-ms.date: 04/12/2023
+ms.date: 04/26/2023
 ms.technology: itpro-updates
 ---
@@ -97,7 +97,6 @@ The **Update deployment status** table displays the quality updates for each ope
 The **Device status** group for quality updates contains the following items:
 - **OS build number**: Chart containing a count of devices by OS build that are getting security updates.
-- **Target version**: Chart containing how many devices by operating system version that are getting security updates.
 - **Device alerts**: Chart containing the count of active device errors and warnings for quality updates.
 - **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices.
 - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index ec97a45acf..7abdacbadc 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -38,52 +38,112 @@
 href: deploy/windows-autopatch-device-registration-overview.md
 - name: Register your devices
 href: deploy/windows-autopatch-register-devices.md
+ - name: Windows Autopatch groups experience
+ href:
+ items:
+ - name: Windows Autopatch groups overview
+ href: deploy/windows-autopatch-groups-overview.md
+ - name: Manage Windows Autopatch groups
+ href: deploy/windows-autopatch-groups-manage-autopatch-groups.md
 - name: Post-device registration readiness checks
 href: deploy/windows-autopatch-post-reg-readiness-checks.md
 - name: Operate
 href:
 items:
- - name: Software update management
- href: operate/windows-autopatch-update-management.md
+ - name: Windows Autopatch groups experience
+ href:
 items:
- - name: Windows updates
- href:
+ - name: Software update management
+ href: operate/windows-autopatch-groups-update-management.md
 items:
- - name: Customize Windows Update settings
- href: operate/windows-autopatch-windows-update.md
- - name: Windows quality updates
- href: operate/windows-autopatch-windows-quality-update-overview.md
+ - name: Windows updates
+ href:
 items:
- - name: Windows quality update end user experience
- href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
- - name: Windows quality update signals
- href: operate/windows-autopatch-windows-quality-update-signals.md
- - name: Windows quality update communications
- href: operate/windows-autopatch-windows-quality-update-communications.md
- - name: Windows quality update reports
- href: operate/windows-autopatch-windows-quality-update-reports-overview.md
+ - name: Customize Windows Update settings
+ href: operate/windows-autopatch-groups-windows-update.md
+ - name: Windows quality updates
+ href: operate/windows-autopatch-groups-windows-quality-update-overview.md
 items:
- - name: Summary dashboard
- href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md
- - name: All devices report
- href: operate/windows-autopatch-windows-quality-update-all-devices-report.md
- - name: All devices report—historical
- href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
- - name: Eligible devices report—historical
- href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
- - name: Ineligible devices report—historical
- href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
- - name: Windows feature updates
- href: operate/windows-autopatch-windows-feature-update-overview.md
+ - name: Windows quality update end user experience
+ href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
+ - name: Windows quality update signals
+ href: operate/windows-autopatch-groups-windows-quality-update-signals.md
+ - name: Windows quality update communications
+ href: operate/windows-autopatch-groups-windows-quality-update-communications.md
+ - name: Windows feature updates
+ href: operate/windows-autopatch-groups-windows-feature-update-overview.md
+ items:
+ - name: Manage Windows feature updates
+ href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md
+ - name: Windows quality and feature update reports
+ href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
+ items:
+ - name: Windows quality update reports
+ href:
 items:
- - name: Windows feature update end user experience
- href: operate/windows-autopatch-windows-feature-update-end-user-exp.md
- - name: Microsoft 365 Apps for enterprise
- href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- - name: Microsoft Edge
- href: operate/windows-autopatch-edge.md
- - name: Microsoft Teams
- href: operate/windows-autopatch-teams.md
+ - name: Summary dashboard
+ href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
+ - name: Quality update status report
+ href: operate/windows-autopatch-groups-windows-quality-update-status-report.md
+ - name: Quality update trending report
+ href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md
+ - name: Windows feature update reports
+ href:
+ items:
+ - name: Summary dashboard
+ href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
+ - name: Feature update status report
+ href: operate/windows-autopatch-groups-windows-feature-update-status-report.md
+ - name: Feature update trending report
+ href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md
+ - name: Windows quality and feature update device alerts
+ href: operate/windows-autopatch-device-alerts.md
+ - name: Classic experience
+ href:
+ items:
+ - name: Software update management
+ href: operate/windows-autopatch-update-management.md
+ items:
+ - name: Windows updates
+ href:
+ items:
+ - name: Customize Windows Update settings
+ href: operate/windows-autopatch-windows-update.md
+ - name: Windows quality updates
+ href: operate/windows-autopatch-windows-quality-update-overview.md
+ items:
+ - name: Windows quality update end user experience
+ href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
+ - name: Windows quality update signals
+ href: operate/windows-autopatch-windows-quality-update-signals.md
+ - name: Windows quality update communications
+ href: operate/windows-autopatch-windows-quality-update-communications.md
+ - name: Windows quality update reports
+ href: operate/windows-autopatch-windows-quality-update-reports-overview.md
+ items:
+ - name: Summary dashboard
+ href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md
+ - name: All devices report
+ href: operate/windows-autopatch-windows-quality-update-all-devices-report.md
+ - name: All devices report—historical
+ href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
+ - name: Eligible devices report—historical
+ href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
+ - name: Ineligible devices report—historical
+ href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
+ - name: Windows feature updates
+ href: operate/windows-autopatch-windows-feature-update-overview.md
+ items:
+ - name: Windows feature update end user experience
+ href: operate/windows-autopatch-windows-feature-update-end-user-exp.md
+ - name: Microsoft 365 Apps for enterprise
+ href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
+ - name: Microsoft Edge
+ href: operate/windows-autopatch-edge.md
+ - name: Microsoft Teams
+ href: operate/windows-autopatch-teams.md
+ - name: Policy health and remediation
+ href: operate/windows-autopatch-policy-health-and-remediation.md
 - name: Maintain the Windows Autopatch environment
 href: operate/windows-autopatch-maintain-environment.md
 - name: Submit a support request
@@ -104,6 +164,8 @@
 href: references/windows-autopatch-microsoft-365-policies.md
 - name: Changes made at tenant enrollment
 href: references/windows-autopatch-changes-to-tenant.md
+ - name: Windows Autopatch groups public preview addendum
+ href: references/windows-autopatch-groups-public-preview-addendum.md
 - name: What's new
 href:
 items:
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 55898ea671..3dab9cc693 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Device registration overview
 description: This article provides an overview on how to register devices in Autopatch
-ms.date: 10/5/2022
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -18,19 +18,21 @@ Windows Autopatch must [register your existing devices](windows-autopatch-regist
 The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset.
-The overall device registration process is:
+The overall device registration process is as follows:
 :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
-1. IT admin reviews [Windows Autopatch device registration pre-requisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
-2. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group.
-1. Windows Autopatch then:
+1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
+2. IT admin identifies devices to be managed by Windows Autopatch through either adding:
+ 1. The devices into the Windows Autopatch Device Registration (classic) Azure Active Directory (AD) group.
+ 2. Device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
+3. Windows Autopatch then:
 1. Performs device readiness prior registration (prerequisite checks).
- 1. Calculates the deployment ring distribution.
- 1. Assigns devices to one of the deployment rings based on the previous calculation.
- 1. Assigns devices to other Azure AD groups required for management.
- 1. Marks devices as active for management so it can apply its update deployment policies.
-1. IT admin then monitors the device registration trends and the update deployment reports.
+ 2. Calculates the deployment ring distribution.
+ 3. Assigns devices to one of the deployment rings based on the previous calculation.
+ 4. Assigns devices to other Azure AD groups required for management.
+ 5. Marks devices as active for management so it can apply its update deployment policies.
+4. IT admin then monitors the device registration trends and the update deployment reports.
 For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process.
@@ -43,14 +45,14 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 | Step | Description |
 | ----- | ----- |
 | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
-| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    |
+| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using the:
    • [Classic device registration method](../deploy/windows-autopatch-register-devices.md#classic-device-registration-method), or
    • Adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
    |
+| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
|
 | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
        1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
        2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
|
 | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
|
-| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
|
+| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Azure AD groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    4. Then the second deployment ring set, the software updates-based deployment ring set represented by the following Azure AD groups:
      • **Windows Autopatch - Ring1**
        • The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
      • **Windows Autopatch - Ring2**
      • **Windows Autopatch - Ring3**
|
 | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. **Modern Workplace Devices - Virtual Machine**
      1. This group has all **virtual devices** managed by Windows Autopatch.
|
-| **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
|
-| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
|
+| **Step 8: Post-device registration** | In post-device registration, three actions occur:
        1. Windows Autopatch adds devices to its managed database.
        2. Flags devices as **Active** in the **Registered** tab.
        3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
          1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
|
+| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.
          1. If the device was **successfully registered**, the device shows up in the **Registered** tab.
          2. If **not**, the device shows up in the **Not registered** tab.
|
 | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
 ## Detailed prerequisite check workflow diagram
@@ -58,3 +60,118 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed.
 :::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png":::
+
+## Windows Autopatch deployment rings
+
+During the tenant enrollment process, Windows Autopatch creates two different deployment ring sets:
+
+- [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings)
+- [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)
+
+The following four Azure AD assigned groups are used to organize devices for the service-based deployment ring set:
+
+| Service-based deployment ring | Description |
+| ----- | ----- |
+| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout |
+| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters.
|
+| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
+| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
+
+The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+| Software updates-based deployment ring | Description |
+| ----- | ----- |
+| Windows Autopatch - Test | Deployment ring for testing software updates-based deployments prior production rollout. |
+| Windows Autopatch - Ring1 | First production deployment ring for early adopters. |
+| Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. |
+| Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. |
+| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it’s well tested with early and general populations in an organization. |
+
+In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout.
+
+> [!CAUTION]
+> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings).
+
+> [!IMPORTANT]
+> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch – Test and Windows Autopatch – Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
+
+During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization.
+
+The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
+
+> [!NOTE]
+> You can't create additional deployment rings or use your own rings for devices managed by the Windows Autopatch service.
+
+## Default deployment ring calculation logic
+
+The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings):
+
+- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
+- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
+
+> [!NOTE]
+> You can customize the deployment ring calculation logic by editing the Default Autopatch group.
+
+| Deployment ring | Default device balancing percentage | Description |
+| ----- | ----- | ----- |
+| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
          • **0–500** devices: minimum **one** device.
          • **500–5000** devices: minimum **five** devices.
          • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| First | **1%** | The First ring is the first group of production users to receive a change.

          This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
+| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

          The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

|
+| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
+| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. |
+
+## Software update-based to service-based deployment ring mapping
+
+There’s a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don’t yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
+
+| If moving a device to | The device also moves to |
+| ----- | ----- |
+| Windows Autopatch – Test | Modern Workplace Devices-Windows Autopatch-Test |
+| Windows Autopatch – Ring1 | Modern Workplace Devices-Windows Autopatch-First |
+| Windows Autopatch – Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
+| Windows Autopatch – Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch – Last | Modern Workplace Devices-Windows Autopatch-Broad |
+
+If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, ``. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
+
+## Moving devices in between deployment rings
+
+If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab.
+
+**To move devices in between deployment rings:**
+
+> [!NOTE]
+> You can only move devices to other deployment rings when they're in an active state in the **Registered** tab.
+
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
+1. In the **Windows Autopatch** section, select **Devices**.
+1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
+1. Select **Device actions** from the menu.
+1. Select **Assign device group**. A fly-in opens.
+1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending.
+1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
+
+If you don't see the Ring assigned by column change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
+
+> [!WARNING]
+> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+
+## Automated deployment ring remediation functions
+
+Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
+
+- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
+- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process.
+
+There are two automated deployment ring remediation functions:
+
+| Function | Description |
+| ----- | ----- |
+| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test and Windows Autopatch – Last** rings). |
+| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
+
+> [!IMPORTANT]
+> Windows Autopatch automated deployment ring functions don’t assign or remove devices to or from the following deployment rings:
        4. **Modern Workplace Devices-Windows Autopatch-Test**
        5. **Windows Autopatch – Test**
        6. **Windows Autopatch – Last**
7.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
new file mode 100644
index 0000000000..e1c138aaca
--- /dev/null
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -0,0 +1,173 @@
+---
+title: Manage Windows Autopatch groups
+description: This article explains how to manage Autopatch groups
+ms.date: 05/03/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Manage Windows Autopatch groups (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey.
+
+Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+
+## Autopatch groups prerequisites
+
+Before you start managing Autopatch groups, ensure you’ve met the following prerequisites:
+
+- Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization.
+- Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant:
+ - Modern Workplace Update Policy [Test]-[Windows Autopatch]
+ - Modern Workplace Update Policy [First]-[Windows Autopatch]
+ - Modern Workplace Update Policy [Fast]-[Windows Autopatch]
+ - Modern Workplace Update Policy [Broad]-[Windows Autopatch]
+- Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant:
+ - Windows Autopatch – DSS Policy [Test]
+ - Windows Autopatch – DSS Policy [First]
+ - Windows Autopatch – DSS Policy [Fast]
+ - Windows Autopatch – DSS Policy [Broad]
+- Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups.
**Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
+ - Modern Workplace Devices-Windows Autopatch-Test
+ - Modern Workplace Devices-Windows Autopatch-First
+ - Modern Workplace Devices-Windows Autopatch-Fast
+ - Modern Workplace Devices-Windows Autopatch-Broad
+ - Windows Autopatch – Test
+ - Windows Autopatch – Ring1
+ - Windows Autopatch – Ring2
+ - Windows Autopatch – Ring3
+ - Windows Autopatch – Last
+- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups.
+ - For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership.
+- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
+ - Read device attributes to successfully register devices.
+ - Manage all configurations related to the operation of the service.
+- Make sure that all device-based Azure AD groups you intend to use with Autopatch groups are created prior to using the feature.
+ - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups.
**Autopatch groups doesn't support user-based Azure AD groups**.
+- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
+
+> [!TIP]
+> [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies).
+
+> [!NOTE]
+> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available.
+
+## Create a Custom Autopatch group
+
+> [!NOTE]
+> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition.
+
+**To create a Custom Autopatch group:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, select **Autopatch groups (preview)**.
+1. Only during the public preview:
+ 1.
Review the [Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md) and the [Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md). + 1. Select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Autopatch groups. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites). +1. In the **Autopatch groups** blade, select **Create**. +1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**. + 1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created. +1. In **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Custom Autopatch group. +1. Each new deployment ring added must have either an Azure AD device group assigned to it, or an Azure AD group that is dynamically distributed across your deployments rings using defined percentages. + 1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Azure AD groups to be used for Dynamic group distribution. + 1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either: + 1. Enter the percentage of devices that should be added from the Azure AD groups selected in step 9. The percentage calculation for devices must equal to 100%, or + 1. Select **Apply default dynamic group distribution** to use the default values. +1. In the **Assigned group** column, select **Add group to ring** to add an existing Azure AD group to any of the defined deployment rings. 
The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution. +1. Select **Next: Windows Update settings**. +1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../operate/windows-autopatch-windows-update.md). Select **Save**. +1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**. +1. Select **Review + create** to review all changes made. +1. Once the review is done, select **Create** to save your custom Autopatch group. + +> [!CAUTION] +> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom). + +> [!IMPORTANT] +> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. + +## Edit the Default or a Custom Autopatch group + +**To edit either the Default or a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. +1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can’t** modify the name. Once the description is modified, select **Next: Deployment rings**. +1. 
Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. +1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. +1. Select **Review + create** to review all changes made. +1. Once the review is done, select **Save** to finish editing the Autopatch group. + +> [!IMPORTANT] +> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. + +## Delete a Custom Autopatch group + +You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. + +**To delete a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Delete** for the Custom Autopatch group you want to delete. +1. Select **Yes** to confirm you want to delete the Custom Autopatch group. + +> [!CAUTION] +> You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. + +## Manage device conflict scenarios when Autopatch groups + +Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. + +Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. 
+ +> [!CAUTION] +> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom). + +### Device conflict in deployment rings within an Autopatch group + +Autopatch groups uses the following logic to solve device conflicts on your behalf within an Autopatch group: + +| Step | Description | +| ----- | ----- | +| Step 1: Checks for the deployment ring distribution type (**Assigned** or **Dynamic**) that the device belongs to. | For example, if a device is part of one deployment ring with **Dynamic** distribution (Ring3), and one deployment ring with **Assigned** distribution (Test,) within the same Autopatch group, the deployment ring with **Assigned** distribution (Test) takes precedence over the one with the **Dynamic** distribution type (Ring3). | +| Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. | + +> [!IMPORTANT] +> When a device belongs to a deployment ring that has combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. 
If a device belongs to two deployment rings that have combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. + +### Device conflict across different Autopatch groups + +Device conflict across different deployment rings in different Autopatch groups may occur, review the following examples about how the Windows Autopatch services handles the following scenarios: + +#### Default to Custom Autopatch group device conflict + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.

          However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.

          | Autopatch groups automatically resolve this conflict on your behalf.

          In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.

          | + +#### Custom to Custom Autopatch group device conflict + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.

          Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.

          | + +#### Device conflict prior device registration + +When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service. + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.

          Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.

          |
+
+#### Device conflict post device registration
+
+Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](#manage-device-conflict-scenarios-when-autopatch-groups) section even after devices were successfully registered with the service.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
new file mode 100644
index 0000000000..730fc16ec4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -0,0 +1,253 @@
+---
+title: Windows Autopatch groups overview
+description: This article explains what Autopatch groups are
+ms.date: 05/03/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows Autopatch groups overview (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups helps organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions. + +## What are Windows Autopatch groups? + +Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). + +## Key benefits + +Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. Key benefits include: + +| Benefit | Description | +| ----- | ----- | +| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. | +| Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. | +| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. | +| Choosing the deployment cadence | You choose the right software update deployment cadence for your business. 
| + +## High-level architecture diagram overview + +:::image type="content" source="../media/windows-autopatch-groups-high-level-architecture-diagram.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-groups-high-level-architecture-diagram.png"::: + +Autopatch groups is a function app that is part of the device registration micro service within the Windows Autopatch service. The following table explains the high-level workflow: + +| Step | Description | +| ----- | ----- | +| Step 1: Create an Autopatch group | Create an Autopatch group. | +| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:
          • Azure AD groups
          • Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.
          | +| Step 3: Intune assigns software update policies | Once Azure AD groups are created in the Azure AD service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. | +| Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for:
          • Delivering those update policies
          • Retrieving update deployment statuses back from devices
          • Sending back the status information to Microsoft Intune, and then to the Windows Autopatch service
          | + +## Key concepts + +There are a few key concepts to be familiar with before using Autopatch groups. + +### About the Default Autopatch group + +> [!NOTE] +> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +The Default Autopatch group uses Windows Autopatch’s default update management process recommendation. The Default Autopatch group contains: + +- A set of **[five deployment rings](#default-deployment-ring-composition)** +- A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). + +The Default Autopatch group is intended to serve organizations that are looking to: + +- Enroll into the service +- Align to Windows Autopatch’s default update management process without requiring additional customizations. + +The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it. + +#### Default deployment ring composition + +By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Azure AD assigned groups, are used: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +**Windows Autopatch – Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch – Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types. 
+ +> [!TIP] +> For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions. + +> [!CAUTION] +> These and other Azure AD assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly. + +The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses. + +#### Default update deployment cadences + +The Default Autopatch group provides a default update deployment cadence for its deployment rings except for the **Last** (fifth) deployment ring. + +##### Update rings policy for Windows 10 and later + +Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group. 
See the following default policy values: + +| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | +| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | +| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes | + +##### Feature update policy for Windows 10 and later + +Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values: + +| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring2] | Windows Autopatch - Ring2 | Windows 10 20H2 | Make update available as 
soon as possible | December 14, 2022 | December 21, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring3] | Windows Autopatch - Ring3 | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Last] | Windows Autopatch - Last | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | + +### About Custom Autopatch groups + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +Custom Autopatch groups are intended to help organizations that require a more precise representation of their organization's structures along with their own update deployment cadence in the service. + +By default, a Custom Autopatch group has the Test and Last deployment rings automatically present. For more information, see [Test and Last deployment rings](#about-the-test-and-last-deployment-rings). + +### About deployment rings + +Deployment rings make it possible for an Autopatch group to have software update deployments sequentially delivered in a gradual rollout within the Autopatch group. + +Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups: + +| Deployment ring distribution | Description | +| ----- | ----- | +| Dynamic | You can use one or more device-based Azure AD groups, either dynamic query-based or assigned to use in your deployment ring composition.

          Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.

          | +| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. | +| Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.

          The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.

          | + +#### About the Test and Last deployment rings + +Both the **Test** and **Last** deployment rings are default deployment rings that are automatically present in the Default Autopatch group and Custom Autopatch groups. These default deployment rings provide the recommended minimum number of deployment rings that an Autopatch group should have. + +If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. + +> [!IMPORTANT] +> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch. + +> [!TIP] +> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported. + +#### Service-based versus software update-based deployment rings + +Autopatch groups creates two different layers. Each layer contains its own deployment ring set. + +> [!IMPORTANT] +> Both service-based and software update-based deployment ring sets are, by default, assigned to devices that successfully register with Windows Autopatch. 
+ +##### Service-based deployment rings + +The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service. + +The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups cannot be deleted or renamed: + +- Modern Workplace Devices-Windows Autopatch-Test +- Modern Workplace Devices-Windows Autopatch-First +- Modern Workplace Devices-Windows Autopatch-Fast +- Modern Workplace Devices-Windows Autopatch-Broad + +> [!CAUTION] +> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

          Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

          + +##### Software-based deployment rings + +The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. + +The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups cannot be deleted or renamed: + +- Windows Autopatch - Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +> [!IMPORTANT] +> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. + +> [!CAUTION] +> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

          Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

          + +### About device registration + +Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service. + +## Common ways to use Autopatch groups + +The following are three common uses for using Autopatch groups. + +### Use case #1 + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.

          Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s pre-communicated to your end-users.

          | If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.

          The Default Autopatch group is pre-configured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.

          The following is a visual representation of a gradual rollout for the Default Autopatch group pre-configured and fully managed by the Windows Autopatch service.

          | + +:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: + +### Use case #2 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units, for example, the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and subsequently for the business.

          The following is a visual representation of a gradual rollout for Contoso’s Finance department.

          | + +:::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: + +> [!IMPORTANT] +> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. + +### Use case #3 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.

          The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.

          |
+
+:::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png":::
+
+> [!IMPORTANT]
+> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings.
+
+## Supported configurations
+
+The following configurations are supported when using Autopatch groups.
+
+### Software update workloads
+
+Autopatch groups works with the following software update workloads:
+
+- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
+- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
+
+> [!IMPORTANT]
+> [Microsoft Edge](../operate/windows-autopatch-edge.md) and [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) are supported through the (classic) service-based deployment rings. Other software update workloads aren’t currently supported.
+
+### Maximum number of Autopatch groups
+
+Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings.
+
+> [!TIP]
+> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out.
+
+To manage your Autopatch groups, see [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index fcc1e157cf..55ddc49938 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 02/03/2023
+ms.date: 05/01/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -20,14 +20,25 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: -- [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) -- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) -- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) -- [Microsoft Edge updates](../operate/windows-autopatch-edge.md) -- [Microsoft Teams updates](../operate/windows-autopatch-teams.md) +- Windows quality updates + - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md) + - [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) +- Windows feature updates + - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-feature-update-overview.md) + - [Classic experience](../operate/windows-autopatch-windows-feature-update-overview.md) +- The following software update workloads use the Classic experience: + - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) + - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) + - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) ### About the use of an Azure AD group to register devices +Windows Autopatch provides two methods of registering devices with its service, the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method. 
+ +#### Classic device registration method + +This method is intended to help organizations that don’t require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to register devices. + You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: - Direct membership 
@@ -36,17 +47,31 @@ You must choose what devices to manage with Windows Autopatch by adding them to Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. -> [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. +You can also use the **Discover devices** button in either the Registered or Not ready tab to register devices on demand. The **Discover devices** button scans for devices to be registered in the **Windows Autopatch Device Registration** or any other Azure AD group used with either the Default or Custom Autopatch groups. -#### Supported scenarios when nesting other Azure AD groups +#### Windows Autopatch groups device registration method + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +This method is intended to help organizations that require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). + +When you either create/edit a Custom Autopatch group or edit the Default Autopatch group to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. + +If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group. + +For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method. + +##### Supported scenarios when nesting other Azure AD groups Windows Autopatch also supports the following Azure AD nested group scenarios: Azure AD groups synced up from: -- On-premises Active Directory groups (Windows Server AD). -- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). +- On-premises Active Directory groups (Windows Server AD) +- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync) + +The Azure AD groups apply to both the [Classic](#classic-device-registration-method) and the [Autopatch group device registration](#windows-autopatch-groups-device-registration-method) methods. 
> [!WARNING] > It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group. @@ -63,10 +88,13 @@ In the dual state, you end up having two Azure AD device records with different It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices). > [!WARNING] -> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices are not enrolled into the Intune service anymore. +> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore. ## Prerequisites for device registration +> [!IMPORTANT] +> The following prerequisites apply to both the [Classic](#classic-device-registration-method) and the [Autopatch groups device registration](#windows-autopatch-groups-device-registration-method) methods. + To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). 
@@ -83,31 +111,34 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set > [!NOTE] > Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. -> [!NOTE] -> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions). +> [!IMPORTANT] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. 
For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready, Not ready and Not registered tabs +## About the Registered, Not ready and Not registered tabs -Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so IT admin knows where to go to monitor, and fix potential device health issues. +> [!IMPORTANT] +> Devices registered through either the [Classic](#classic-device-registration-method) or the [Autopatch groups device registration method](#windows-autopatch-groups-device-registration-method) can appear in the Registered, Not ready, or Not registered tabs. When devices successfully register with the service, the devices are listed in the Registered tab. However, even if the device(s)is successfully registered, they can be part of Not ready tab. If devices fail to register, the devices are listed in the Not registered tab. + +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so the IT admin knows where to go to monitor, and fix potential device health issues. | Device blade tab | Purpose | Expected device readiness status | | ----- | ----- | ----- | -| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Registered | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | | Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. 
| Readiness failed and/or Inactive | -| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Prerequisites failed | ## Device readiness statuses -See all possible device readiness statuses in Windows Autopatch: +The following are the possible device readiness statuses in Windows Autopatch: | Readiness status | Description | Device blade tab | | ----- | ----- | ----- | -| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Registered | | Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | | Inactive | Devices with this status haven't communicated with Microsoft Intune in the last 28 days. 
| Not ready | -| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | +| Prerequisites failed | Devices with this status haven't passed one or more prerequisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -120,7 +151,7 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: -| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | +| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | | ----- | ----- | ----- | ----- | ----- | ----- | | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | 
@@ -133,30 +164,36 @@ If you want to assign less-privileged user accounts to perform specific tasks in Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. +2. Assign devices to the [two deployment ring sets](../deploy/windows-autopatch-groups-overview.md#about-deployment-rings) and other groups required for software update management. For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). -## Steps to register devices +## Steps to register devices using the classic method + +> [!IMPORTANT] +> For more information, see [Create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [Edit Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) on how to register devices using the Autopatch groups device registration method. + +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. + +For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). 
-Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. -**To register devices with Windows Autopatch:** +**To register devices with Windows Autopatch using the classic method:** 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. -4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Registered** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. 
Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Registered tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Registered** and **Not registered** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. +> You can also use the **Discover Devices** button in either one of the **Registered**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads 
@@ -177,11 +214,14 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). +> [!IMPORTANT] +> Starting in May 2023, Windows 365 Cloud PC devices are assigned to two deployment ring sets, the service-based and the software-based deployment rings. Additionally, once registered with Windows Autopatch, Windows 365 Cloud PC devices are automatically added to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). For more information, see [service-based versus software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings). + ### Windows Autopatch on Azure Virtual Desktop workloads -Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing [device registration process](#steps-to-register-devices). +Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process. -Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. +Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices-using-the-classic-method). 
However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. #### Prerequisites @@ -199,7 +239,7 @@ The following Azure Virtual Desktop features aren’t supported: #### Deploy Autopatch on Azure Virtual Desktop -Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices). For more information, see [Register your devices](#steps-to-register-devices). +Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices-using-the-classic-method). For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the **Name** prefix defined in your session host, but **exclude** any Multi-Session Session Hosts. For example: diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png new file mode 100644 index 0000000000..44580586e9 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png differ diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png new file mode 100644 index 0000000000..73a32e8635 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png differ 
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png
new file mode 100644
index 0000000000..259dcafcdf
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png
new file mode 100644
index 0000000000..fe35744633
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png
new file mode 100644
index 0000000000..bd2b2ec92c
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png
index a2e0785741..f77684b8c4 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index f5a8284a8c..abd0c884b1 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png
new file mode 100644
index 0000000000..1be4b61b37
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png
deleted file mode 100644
index 17b51a71f8..0000000000
Binary files a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png and /dev/null differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
new file mode 100644
index 0000000000..789a3b23e3
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -0,0 +1,103 @@
+---
+title: Device alerts
+description: Provide notifications and information about the necessary steps to keep your devices up to date.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Device alerts (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information will help you understand: + +- The action(s) that have either been performed by Microsoft and/or Windows Autopatch to keep the device properly updated. +- The actions you must perform so the device can properly be updated. + +> [!NOTE] +> At any given point, one or both of these actions can be present in your tenant. + +## Windows Autopatch alerts + +Windows Autopatch alerts are alerts specific to the Windows Autopatch service. These alerts include: + +- [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) +- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) + +## Windows quality and feature update alerts + +These alerts represent data reported to the Windows Update service related to Windows quality and feature updates. These alerts can help identify actions that must be performed if an update doesn't apply as expected. Alerts are only provided by device that actively reports to the Windows Update service. + +## Customer and Microsoft Actions + +Windows Autopatch assigns alerts to either Microsoft Action or Customer Action. These assignments give a clear understanding of who has the responsibility to remediate the alert. + +| Assignment | Description | +| ----- | ----- | +| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. The actions are performed by Windows Autopatch automatically. 
| +| Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. | + +## Alert resolutions + +Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md) + +| Alert message | Description | Windows Autopatch recommendation(s) | +| ----- | ----- | ----- | +| `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.

          It's recommended to work with the end user to allow updates to execute as scheduled.

          |
+| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt.

          It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).

          |
+| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.

          For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

          Check that the MSA Service is running or able to run on device.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

          For more information, see [Free up space for Windows Updates](/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65#:~:text=Here%E2%80%99s%20how%20to%20get%20more%20storage%20space%20on,to%20Windows%20needs%20space%20to%20update.%20More%20items).

          |
+| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

          |
+| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service (BITS) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

          Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/security-updates/WindowsUpdateServices/18127392).

          If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

          Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). |
+| `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

          For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

          |
+| `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

          For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

          |
+| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service has reported the client has hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). |
+| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Windows Update has reported that the update files couldn't be found, download the update again, and then retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service has reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.

          If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service has reported the update architecture doesn't match the destination architecture, make sure the target operating system architecture matches the host operating system architecture.

          This is **not** typical for Windows Update based environments.

          If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service has reported the servicing channel on the client isn't compatible with the targeted payload.

          We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).

          |
+| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations, ensure no other service has a lock or handle on the windows update client folders and retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          |
+| `InstalledCancelled` | The installation was canceled. | The Windows Update service has reported the update was canceled by the user.

          It's recommended to work with the end user to allow updates to execute as scheduled.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer might have tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations.

          Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `InstallIssue` | There was an issue installing the update. | The Windows Update service has reported the update installation has failed.

          If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. |
+| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.

          Restart Windows, then try the installation again.

          If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).

          |
+| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.

          No action is required.

          If the update is still available, retry the installation.

          |
+| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don’t** retry the installation until the impact is understood.

          For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

          |
+| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.

          For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).

          |
+| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.

          No action is necessary the update should retry when windows is available.

          If the alert persists, ensure the device remains on during Windows installation.

          |
+| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.

          Confirm whether the device is on the intended version.

          |
+| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.

          For more information, see [Windows boot issues – troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).

          |
+| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
+| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

          Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          |
+| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

          Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          |
+| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service has reported it couldn't decrypt the update payload.

          This alert could be a network transit error and may be resolved on its own. If the alert persists, validate any network Riverbeds, Application or http proxies and retry.

          |
+| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service has reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.

          For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).

          |
+| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service has reported an issue with the Update payload. This could be a transient alert.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          |
+
+## Additional resources
+
+- [Troubleshoot problems updating Windows](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c)
+- [How to use the PC Health Check app](https://support.microsoft.com/windows/how-to-use-the-pc-health-check-app-9c8abd9b-03ba-4e67-81ef-36f37caa7844)
+- [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
new file mode 100644
index 0000000000..5552fe0c6d
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@@ -0,0 +1,213 @@
+---
+title: Manage Windows feature update releases
+description: This article explains how you can manage Windows feature updates with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Manage Windows feature update releases: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          +
+You can create custom releases for Windows feature update deployments in Windows Autopatch.
+
+## Before you begin
+
+Before you start managing custom Windows feature update releases, consider the following:
+
+- If you’re planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
+ - The Default Autopatch group has all deployment rings and deployment cadences you need.
+ - You have created all your Custom Autopatch groups prior to creating custom releases.
+- Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+- Review the [Windows feature updates policy limitations](/mem/intune/protect/windows-10-feature-updates#limitations-for-feature-updates-for-windows-10-and-later-policy).
+
+## About the auto-populate automation for release phases
+
+By default, the deployment rings of each Autopatch group will be sequentially assigned to a phase. For example, the first deployment ring of each Autopatch group is assigned to Phase 1, and the second deployment ring of each Autopatch group is assigned to Phase 2, etc.
+
+The following table explains the auto-populating assignment of your deployments rights if you have two Autopatch groups. One Autopatch group is named Finance and the other is named Marketing; each Autopatch group has four (Finance) and five (Marketing) deployment rings respectively.
+
+| Phases | Finance | Marketing
+| ----- | ----- | ----- |
+| Phase 1 | Test | Test |
+| Phase 2 | Ring1 | Ring1 |
+| Phase 3 | Ring2 | Ring2 |
+| Phase 4 | Last | Ring3 |
+
+If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release.
+
+If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases. 
+
+### More information about the completion date of a phase
+
+The goal completion date of a phase is calculated using the following formula:
+
+` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
+
+This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+
+> [!IMPORTANT]
+> By default, both the **Deadline for feature updates** and the **Grace period** values are set by Windows Autopatch in every [Update rings for Windows 10 and later policy](/mem/intune/protect/windows-10-update-rings) created by Autopatch groups.
+
+### How to use the Windows feature update blade
+
+Use the Windows feature update blade to check in the overall status of the [default release](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) and the custom ones you create.
+
+**To access the Windows feature update blade:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, under the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, you can see all the information about the releases. The columns are described in the following table:
+
+| Status | Description |
+| ----- | ----- |
+| Release name | Name of the release |
+| Version to deploy | Version to deploy for the applicable release or phase |
+| Status | Status of the applicable release or phase:
          • Scheduled
          • Active
          • Inactive
          • Paused
          • Canceled
          |
+| First deployment |
          • The date the deployment for the applicable release or phase will begin.
          • Feature update policy for Windows 10 and later is created 24 hours prior to the first deployment date. The service automation runs twice a day at 4:00AM and 4:00PM (UTC).
          • Not all devices within a phase will be offered the feature update on the same date when using gradual rollout.
          |
+| Goal completion date | The date the devices within the release or phases are expected to finish updating. The completion date is calculated using the following formula:

          ` + ( - 1) * Days in between groups (7) + Deadline for feature updates (5) + Grace Period (2)`

          |
+
+#### About release and phase statuses
+
+##### Release statuses
+
+A release is made of one or more phases. The release status is based on the calculation and consolidation of each phase status.
+
+The release statuses are described in the following table:
+
+| Release status | Definition | Options |
+| ----- | ----- | ----- |
+| Scheduled | Release is scheduled and not all phases have yet created its Windows feature update policies |
          • Releases with the **Scheduled status** can't be canceled but can have its deployment cadence edited as not all phases have yet created its Windows feature update policies.
          • Autopatch groups and its deployment rings that belong to a **Scheduled** release can't be assigned to another release.
          |
+| Active | All phases in the release are active. This means all phases have reached their first deployment date, which created the Windows feature update policies. |
          • Release can be paused but can't be edited or canceled since the Windows feature update policy was already created for its phases.
          • Autopatch groups and their deployment rings can be assigned to another release.
          |
+| Inactive | All the Autopatch groups within the release have been assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
          • Release can be viewed as a historical record.
          • Releases can't be deleted, edited, or canceled.
          |
+| Paused | All phases in the release are paused. The release will remain paused until you resume it. |
          • Releases with Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.
          • Release can be resumed.
          |
+
+##### Phase statuses
+
+A phase is made of one or more Autopatch group deployment rings. Each phase reports its status to its release.
+
+> [!IMPORTANT]
+> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are re-used as part of a new release.
+
+| Phase status | Definition |
+| ----- | ----- |
+| Scheduled | The phase is scheduled but hasn’t reached its first deployment date yet. The Windows feature update policy hasn’t been created for the respective phase yet. |
+| Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. |
+| Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
+| Paused | Phase is paused. You must resume the phase. |
+
+#### Details about Windows feature update policies
+
+Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
+
+`Windows Autopatch – DSS policy – – Phase `
+
+These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+
+The following table is an example of the Windows feature update policies that were created for phases within a release:
+
+| Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 10, 2024 |
+
+## Create a custom release
+
+**To create a custom release:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, select **Release schedule**, then **Windows feature updates**.
+1. In the **Windows feature updates** blade, select **New release**.
+1. In the **Basics** page:
+ 1. Enter a **Name** for the custom release.
+ 2. Select the **Version** to deploy.
+ 3. Enter a **Description** for the custom release.
+ 4. Select **Next**.
+1. 
In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next.
+1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments.
+1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you’re ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
+1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can’t guarantee that the release will start at the current day given the UTC variance across the globe.
+ 1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow.
+ 2. Additionally, the formula for the goal completion date is ` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
+1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**.
+
+## Edit a release
+
+> [!NOTE]
+> Only custom releases that have the **Scheduled** status can be edited. A release phase can only be edited prior to reaching its first deployment date. Additionally, you can only edit the deployment dates when editing a release.
+
+**To edit a custom release:**
+
+1. 
Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > Edit to customize your gradual rollout of your feature updates release, then select **Save**.
+ 1. Only the release schedule can be customized when using the edit function. You can't add or remove Autopatch groups or modify the phase order when editing a release.
+1. Select **Review + Create**.
+1. Select **Apply** to save your changes.
+
+## Pause and resume a release
+
+> [!CAUTION]
+> You should only pause and resume [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices.
+
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+**To pause or resume a release:**
+
+> [!NOTE]
+> If you've paused an update, the specified release will have the **Paused** status. 
The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. The **Paused by Service Pause** status **only** applies to Windows quality updates. Windows Autopatch doesn't pause Windows feature updates on your behalf.
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Pause** or **Resume** to pause or resume your feature updates release.
+1. Select a reason from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. If you're resuming an update, you can select one or more deployment rings.
+1. Select **Pause deployment** or **Resume deployment** to save your changes.
+
+## Cancel a release
+
+> [!IMPORTANT]
+> You can only cancel a release under the Scheduled status. You cannot cancel a release under the **Active**, **Inactive** or **Paused** statuses.
+
+**To cancel a release:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Cancel** to cancel your feature updates release.
+1. Select a reason for cancellation from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. Select **Cancel deployment** to save your changes.
+
+## Roll back a release
+
+> [!CAUTION]
+> Do **not** use Microsoft Intune’s end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
+
+Windows Autopatch **doesn’t** support the rollback of Windows feature updates through its end-user experience flows.
+
+## Contact support
+
+If you’re experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
new file mode 100644
index 0000000000..e6730c53fb
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -0,0 +1,61 @@
+---
+title: Software update management for Autopatch groups
+description: This article provides an overview of how updates are handled with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Software update management: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          +
+Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf.
+
+## Software update workloads
+
+| Software update workload | Description |
+| ----- | ----- |
+| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see:
          • [Windows Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
          • [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) | +| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see:
            • [Windows Autopatch groups experience](windows-autopatch-groups-windows-feature-update-overview.md)
            • [Classic experience](windows-autopatch-windows-feature-update-overview.md)
            |
+| Anti-virus definition | Updated with each scan. |
+| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). This software update workload uses the classic experience. |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). This software update workload uses the classic experience. |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). This software update workload uses the classic experience. |
+
+## Autopatch groups
+
+Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey.
+
+Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
+
+For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md).
+
+## Windows quality updates
+
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. For more information, see [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md).
+
+## Windows feature updates
+
+You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. 
+
+The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+
+For more information, see [Windows feature updates overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).
+
+## Reports
+
+Using [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md), you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance.
+
+## Policy health and remediation
+
+Windows Autopatch deploys Intune policies for Windows quality and feature update management. Windows Update policies must remain healthy for devices to receive Windows updates and stay up to date. We continuously monitor the health of the policies and raise alerts and provide remediation actions. For more information, see [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) and [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
new file mode 100644
index 0000000000..ef25e4b933
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -0,0 +1,169 @@
+---
+title: Windows feature updates overview with Autopatch groups
+description: This article explains how Windows feature updates are managed with Autopatch groups
+ms.date: 05/03/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows feature updates overview: Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
+
+Windows feature updates consist of:
+
+- Keeping Windows devices protected against behavioral issues.
+- Providing new features to boost end-user productivity.
+
+Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+
+## Service level objective
+
+Windows Autopatch’s service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
+
+## Device eligibility criteria
+
+Windows Autopatch’s device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune’s device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. 
Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+## Key benefits
+
+- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+ - Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization.
+- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed.
+- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for.
+- Allows for scenarios where you can deploy a single release across several Autopatch groups and its deployment rings.
+
+## Key concepts
+
+- A release is made of one or more deployment phases and contains the required OS version to be gradually rolled out throughout its deployment phases.
+- A phase (deployment phase) is made of one or more Autopatch group deployment rings. A phase:
+ - Works as an additional layer of deployment cadence settings that can be defined by IT admins (only for Windows feature updates) on top of Autopatch group deployment rings (Windows update rings policies).
+ - Deploys Windows feature updates across one or more Autopatch groups. 
+- There are three types of releases:
+ - Default
+ - Global
+ - Custom
+
+### Default release
+
+Windows Autopatch’s default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
+
+> [!TIP]
+> Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
+
+When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
+
+The policies:
+
+- Contain the minimum Windows 10 version currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum Windows OS version is **Windows 10 21H2**.
+- Set a bare minimum Windows OS version required by the service once devices are registered with the service.
+
+If the device is registered with Windows Autopatch, and the device is:
+
+- Below the service's currently targeted Windows feature update, that device will be automatically upgraded to the service's target version when the device meets the [device eligibility criteria](#device-eligibility-criteria).
+- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades available to that device. 
+
+#### Policy configuration for the default release
+
+If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
+
+| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch – DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [Ring1] | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [Ring2] | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [Ring3] | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 10, 2024 |
+
+> [!NOTE]
+> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
+
+### Global release
+
+Windows Autopatch’s global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). 
+
+There are two scenarios that the Global release is used:
+
+| Scenario | Description |
+| ----- | ----- |
+| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).

            A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.

            |
+| Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).

            The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.

            |
+
+#### Policy configuration values
+
+See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
+
+| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch – Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 10, 2024 |
+
+> [!NOTE]
+> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
+
+### Differences between the default and global Windows feature update policies
+
+> [!IMPORTANT]
+> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group’s deployment rings behind the scenes.
+
+The differences in between the global and the default Windows feature update policy values are:
+
+| Default Windows feature update policy | Global Windows feature update policy |
+| ----- | ----- |
+|
            • Set by default with the Default Autopatch group and assigned to Test, Ring1, Ring2, Ring3. The default policy isn't automatically assigned to the Last ring in the Default Autopatch group.
            • The Windows Autopatch service keeps its minimum Windows OS version updated following the recommendation of minimum Windows OS version [currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
            |
            • Set by default and assigned to all new deployment rings added as part of the Default Autopatch group customization.
            • Set by default and assigned to all deployment rings created as part of Custom Autopatch groups.
            +
+### Custom release
+
+A custom release is the release that you create to tell Windows Autopatch how you want the service to manage Windows OS upgrades on your behalf.
+
+Custom releases gives you flexibility to do Windows OS upgrades on your pace, but still relying on Windows Autopatch to give you insights of how your OS upgrades are going and additional deployment controls through the Windows feature updates release management experience.
+
+When a custom release is created and assigned to Autopatch groups, either the default or global releases are unassigned to avoid feature update policy for Windows 10 and later conflicts.
+
+For more information on how to create a custom release, see [Manage Windows feature update release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
+
+### About Windows Update rings policies
+
+Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy – `. 
+
+The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
+
+| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
+| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
+| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes |
+| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes |
+| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes |
+
+> [!IMPORTANT]
+> When you create a custom Windows feature update release, new Windows feature update policies are:
            • Created corresponding to the settings you defined while creating the release.
            • Assigned to the Autopatch group’s deployment rings you select to be included in the release.
            +
+## Common ways to manage releases
+
+### Use case #1
+
+| Scenario | Solution |
+| ----- | ----- |
+| You’re working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11’s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.
            Phases:
            • Set your organization’s deployment cadence.
            • Work like deployment rings on top of Autopatch group’s deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.

            See the following visual for a representation of Phases with custom releases. |
+
+:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png":::
+
+### Use case #2
+
+| Scenario | Solution |
+| ----- | ----- |
+| You’re working as the IT admin at Contoso Ltd. and your organization isn’t ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.

            However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.

            | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.

            If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).

            See the following visual for a representation of default releases.

            |
+
+:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png":::
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
new file mode 100644
index 0000000000..fc177682b7
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -0,0 +1,76 @@
+---
+title: Feature update status report
+description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Feature update status report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. 
+
+**To view the Feature update status report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (preview)**.
+1. Select the **Reports** tab.
+1. Select **Feature update status**.
+
+## Report information
+
+### Default columns
+
+The following information is available as default columns in the Feature update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device. For more information, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). |
+| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). |
+| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). |
+| Readiness | The device readiness evaluation status. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). |
+| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). 
| 
+
+### Optional columns
+
+The following information is available as optional columns in the Feature update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Serial number | The current Intune recorded serial number for the device |
+| Intune last check in time | The last time the device checked in to Intune |
+| Service State | The Service State provided from Windows Update |
+| Service Substate | The Service Substate provided from Windows Update |
+| Client State | The Client State provided from Windows Update |
+| Client Substate | The Client Substate provided from Windows Update |
+| Servicing Channel | The Servicing Channel provided from Windows Update |
+| User Last Logged On | The last user who logged on as reported from Intune |
+| Primary User UPN | The Primary User UPN as reported from Intune |
+| Hex Error Code | The hex error provided from Windows Update |
+
+> [!NOTE]
+> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Add filters** or at the top of the report to filter the results. |
+| Columns | Select a column to add or remove the column from the report. | 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
new file mode 100644
index 0000000000..63c6483b4d
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -0,0 +1,52 @@
+---
+title: Windows feature update summary dashboard
+description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows feature update summary dashboard (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+
+The first part of the summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
+
+**To view a generated summary dashboard for your Windows feature update deployments:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Reports** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Windows feature updates (preview)**.
+
+## Report information
+
+The following information is available in the summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Release | The release name and its phases. For more information, see [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). |
+| Version to deploy | The version being deployed to the device based on which Windows feature update release the device is assigned. |
+| Device count | Total device count per Autopatch group or deployment ring. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). 
|
+| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
new file mode 100644
index 0000000000..d6c6955600
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md 
@@ -0,0 +1,42 @@
+---
+title: Feature update trending report
+description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Feature update trending report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
+
+**To view the Feature update trending report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (public preview)**.
+1. Select the **Reports** tab.
+1. Select **Feature update trending**.
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. |
+
+For a description of the displayed device status trends, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
new file mode 100644
index 0000000000..8f10b41042
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md 
@@ -0,0 +1,109 @@
+---
+title: Windows quality and feature update reports overview with Windows Autopatch Groups experience
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+## Windows quality reports
+
+The Windows quality reports provide you with information about:
+
+Quality update device readiness
+Device update health
+Device update alerts
+Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+
+The Windows quality report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.

            The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. |
+| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. |
+
+## Windows feature update reports
+
+The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets.
+
+If update deployments aren’t successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
+
+The Windows feature update report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. |
+| Operational | The [Feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) provides a per device view of the current Windows OS update status for all devices registered with Windows Autopatch. |
+| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. |
+
+## Who can access the reports? 
+
+Users with the following permissions can access the reports:
+
+- Global Administrator
+- Intune Service Administrator
+- Global Reader
+- Services Support Administrator
+
+## About data latency
+
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+
+## Windows quality and feature update statuses
+
+The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:
+
+- [Up to Date devices](#up-to-date-devices)
+- [Not up to Date devices](#not-up-to-date-devices)
+- [Not Ready devices](#not-ready-devices)
+
+Each status has its own set of sub statuses to further describe the status.
+
+### Up to Date devices
+
+Up to date devices are devices that meet all of the following prerequisites:
+
+- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
+- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
+- [Windows quality and feature update device readiness](../deploy/windows-autopatch-post-reg-readiness-checks.md)
+- [Post-device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md)
+- Have applied the current monthly cumulative updates
+
+> [!NOTE]
+> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device’s status will change to [Not up to Date](#not-up-to-date-devices). 
+
+#### Up to Date sub statuses
+
+| Sub status | Description |
+| ----- | ----- |
+| In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. |
+| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release management pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). |
+
+### Not up to Date devices
+
+Not Up to Date means a device isn’t up to date when the:
+
+- Quality or feature update is out of date, or the device is on the previous update.
+- Device is more than 21 days overdue from the last release.
+- Device has an [alert](../operate/windows-autopatch-device-alerts.md) resulting in an error and action must be taken.
+
+### Not Ready devices
+
+Not Ready refers to the responsibility of the designated IT administrator to carry out the appropriate action to resolve the reported device sub status.
+
+Within each 24-hour reporting period, devices that are Not Ready are reevaluated using the [Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
+
+## Data export
+
+Select **Export devices** to export data for each report type. Only selected columns will be exported. 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
new file mode 100644
index 0000000000..cd1653f964
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@@ -0,0 +1,69 @@
+---
+title: Windows quality update communications for Autopatch groups
+description: This article explains Windows quality update communications for Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+---
+
+# Windows quality update communications: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+
+There are three categories of communication that are sent out during a Windows quality and feature update:
+
+- [Standard communications](#standard-communications)
+- [Communications during release](#communications-during-release)
+- [Incident communications](#incident-communications)
+
+Communications are posted to, as appropriate for the type of communication, to the:
+
+- Message center
+- Service health dashboard
+- Windows Autopatch messages section of the Microsoft Intune admin center
+
+:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
+
+## Standard communications
+
+| Communication | Location | Timing | Description |
+| ----- | ----- | ----- | ----- |
+| Release schedule |
            • Messages blade
            • Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
              • | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
+| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
+| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
+
+### Opt out of receiving emails for standard communications
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
+
+**To opt out of receiving emails for standard communications:**
+
+1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
+3. Select the admin contact you want to opt out for.
+4. Select **Edit Contact**.
+5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
+6. Select **Save** to apply the changes.
+
+## Communications during release
+
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+
+There are some circumstances where Autopatch will need to change the release schedule based on new information.
+
+For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. 
If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information.
+
+## Incident communications
+
+Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
new file mode 100644
index 0000000000..25705531f4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@@ -0,0 +1,69 @@
+---
+title: Windows quality update end user experience for Autopatch groups
+description: This article explains the Windows quality update end user experience using the Autopatch groups exp
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality update end user experience: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                +
+## User notifications
+
+In this section we'll review what an end user would see in the following three scenarios:
+
+1. Typical update experience
+2. Quality update deadline forces an update
+3. Quality update grace period
+
+> [!NOTE]
+> The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
+
+### Typical update experience
+
+The Windows quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
+
+Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either:
+
+- Restart immediately to install the updates
+- Schedule the installation, or
+- Snooze the device will attempt to install outside of [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart).
+
+In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
+
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
+
+### Quality update deadline forces an update
+
+In the following example, the user:
+
+- Ignores the notification and selects snooze.
+- Further notifications are received, which the user ignores.
+- The device is unable to install the updates outside of active hours.
+
+The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) and force a restart to complete the update installation. 
The user will receive a 15-minute warning, after which, the device will install the update and restart.
+
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
+
+### Quality update grace period
+
+In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on.
+
+Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
+
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
+
+## Minimize user disruption due to updates
+
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+
+Windows Autopatch understands the importance of not disrupting critical devices but also updating the devices quickly. If you wish to configure a specific installation time or [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart), use the [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md), and select the [**ScheduledInstall**](../operate/windows-autopatch-groups-windows-update.md#scheduled-install) option. 
Using this option removes the deadline enforced for a device restart. Devices with this configuration will also **not** be counted towards the [service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
new file mode 100644
index 0000000000..559e317784
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -0,0 +1,133 @@
+---
+title: Windows quality updates overview with Autopatch groups experience
+description: This article explains how Windows quality updates are managed with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows quality updates: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                +
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
+
+| Policy | Description |
+| ----- | ----- |
+| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. 
|
+
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+
+> [!IMPORTANT]
+> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
+
+## Service level objective
+
+Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Note that devices that have cadence type set to Schedule install won't be eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence). 
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+## Release management
+
+> [!NOTE]
+> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
+
+In the Release management blade, you can:
+
+- Track the [Windows quality update schedule](#release-schedule).
+- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
+- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
+
+### Release schedule
+
+For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
+
+- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
+- The date the update is available. 
+- The target completion date of the update.
+- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release.
+
+### Expedited releases
+
+Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
+
+When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
+
+| Release type | Group | Deferral | Deadline | Grace period |
+| ----- | ----- | ----- | ----- | ----- |
+| Expedited release | All devices | 0 | 1 | 1 |
+
+#### Turn off service-driven expedited quality update releases
+
+Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
+
+By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune.
+
+**To turn off service-driven expedited quality updates:**
+
+1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
+
+> [!NOTE]
+> Windows Autopatch doesn't allow customers to request expedited releases. 
+
+### Out of Band releases
+
+Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
+
+For the deployment rings that have passed quality updates deferral date, the OOB release schedule will be expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs will be released as per the set deferral dates.
+
+**To view deployed Out of Band quality updates:**
+
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab.
+
+> [!NOTE]
+> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
+
+### Pause and resume a release
+
+> [!CAUTION]
+> You should only pause and resume [Windows quality](#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices.
+
+The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+
+If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we may decide to pause that release. 
+
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                +
+**To pause or resume a Windows quality update:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, got to the **Release schedule** tab and select **Windows quality updates**.
+1. Select the Autopatch group that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
+1. Select a reason from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. If you're resuming an update, you can select one or more deployment rings.
+1. Select **Okay**.
+
+The three following statuses are associated with paused quality updates:
+
+| Status | Description |
+| ----- | ------ |
+| Paused by Service | If the Windows Autopatch service has paused an update, the release will have the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
+| Paused by Tenant | If you've paused an update, the release will have the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
+
+## Remediating Not ready and/or Not up to Date devices
+
+To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../operate/windows-autopatch-device-alerts.md). 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
new file mode 100644
index 0000000000..556a292eb3
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@@ -0,0 +1,62 @@
+---
+title: Windows quality update release signals with Autopatch groups
+description: This article explains the Windows quality update release signals with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+---
+
+# Windows quality update signals: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                +
+Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
+
+If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
+
+## Pre-release signals
+
+Before being released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
+
+| Pre-release signal | Description |
+| ----- | ----- |
+| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-groups-windows-quality-update-communications.md#communications-during-release) will be sent out. |
+| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
+| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
+
+## Early signals
+
+The update is released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) on the second Tuesday of the month. 
Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several Microsoft internal signals that are monitored throughout the release.
+
+| Device reliability signal | Description | Microsoft will |
+| ----- | ----- | ----- |
+| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |
                • Consider expediting the release
                • Update customers with a risk profile
                +| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. |
                • Determine if a customer advisory is necessary
                • Pause the release if there's significant user impact
                |
+| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary |
+
+## Device reliability signals
+
+Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
+
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
+
+As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
+
+Autopatch monitors the following reliability signals:
+
+| Device reliability signal | Description |
+| ----- | ----- |
+| Blue screens | These events are highly disruptive to end users. These events are closely monitored. |
+| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
+| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
+| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
+| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
+
+When the update is released to the First ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. 
At this point in the release, we'll decide if we need to expedite the release schedule or pause for all customers.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
new file mode 100644
index 0000000000..4cd9aa18af
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -0,0 +1,79 @@
+---
+title: Quality update status report
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Quality update status report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                +
+The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+
+**To view the Quality update status report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Quality update status**.
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+### Default columns
+
+The following information is available as default columns in the Quality update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device. For more information, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). |
+| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). |
+| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). |
+| Readiness | The device readiness evaluation status. 
For more information, see [Post registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). |
+| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). |
+
+### Optional columns
+
+The following information is available as optional columns in the Quality update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Serial number | The current Intune recorded serial number for the device |
+| Intune last check in time | The last time the device checked in to Intune |
+| Service State | The Service State provided from Windows Update |
+| Service Substate | The Service Substate provided from Windows Update |
+| Client State | The Client State provided from Windows Update |
+| Client Substate | The Client Substate provided from Windows Update |
+| Servicing Channel | The Servicing Channel provided from Windows Update |
+| User Last Logged On | The last user who logged on as reported from Intune |
+| Primary User UPN | The Primary User UPN as reported from Intune |
+| Hex Error Code | The hex error provided from Windows Update |
+
+> [!NOTE]
+> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. 
|
+| Filter | Select either the **Add filters** or at the top of the report to filter the results. |
+| Columns | Select a column to add or remove the column from the report. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
new file mode 100644
index 0000000000..31ca5e6fac
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -0,0 +1,51 @@
+---
+title: Windows quality update summary dashboard
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality update summary dashboard (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+
+**To view the current update status for all your enrolled devices:**
+
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The following information is available in the summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Autopatch group | The Autopatch group and deployment ring. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). |
+| Device count | Total device count per Autopatch group or deployment ring. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
+| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
new file mode 100644
index 0000000000..935bb616af
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -0,0 +1,42 @@
+---
+title: Quality update trending report
+description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Quality update trending report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+**To view the Quality update trending report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Quality update trending**.
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
new file mode 100644
index 0000000000..7d03bd8c1e
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -0,0 +1,125 @@
+---
+title: Customize Windows Update settings Autopatch groups experience
+description: How to customize Windows Updates with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: rekhanr
+---
+
+# Customize Windows Update settings: Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance.
+
+When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
+
+## Deployment cadence
+
+### Cadence types
+
+For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings:
+
+- [Deadline-driven](#deadline-driven)
+- [Scheduled install](#scheduled-install)
+
+> [!NOTE]
+> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
+
+#### Deadline-driven
+
+With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
+
+There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance.
+
+| Boundary | Description |
+| ----- | ----- |
+| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. |
+| Grace period | The permitted customization range is zero to seven days. |
+
+> [!NOTE]
+> The configured grace period will apply to both Windows quality updates and Windows feature updates.
+
+Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied.
+
+It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values.
+
+However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle.
+
+#### Scheduled install
+
+> [!NOTE]
+>If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
+
+While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
+
+If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option.
+
+> [!NOTE]
+> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type.
+
+Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours.
+
+##### Scheduled install types
+
+> [!NOTE]
+> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.

                For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.

+
+The Scheduled install cadence has two options:
+
+| Option | Description |
+| ----- | ----- |
+| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.

                The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.

                +| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:
                • Weekly
                • Bi-weekly
                • Monthly

                Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.

|
+
+> [!NOTE]
+> Changes made in one deployment ring won't impact other rings in your tenant.

                Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.

+
+### User notifications
+
+In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings:
+
+- Not configured
+- Use the default Windows Update notifications
+- Turn off all notifications excluding restart warnings
+- Turn off all notifications including restart warnings
+
+For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings).
+
+## Customize the Windows Update deployment cadence
+
+> [!IMPORTANT]
+> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+
+**To customize the Windows Update deployment cadence:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit.
+3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings.
+4. Select **Next** to navigate to the Windows update settings page. The page lists the existing settings for each of the deployment rings in the Autopatch group.
+5. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings.
+ 1. Select one of the cadence types for the ring:
+ 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default".
+ 1. Select **Scheduled install** to opt-out of deadline-based forced restart.
+ 1. Select either **Active hours** or **Schedule install and restart time**.
+ 2. Select **Save**.
+6. Select **Manage notifications**. A fly-in pane opens.
+ 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications.
+ 1. Not configured
+ 1. Use the default Windows Update notifications
+ 1. Turn off all notifications excluding restart warnings
+ 1. Turn off all notifications included restart warnings
+ 1. Select **Save** once you select the preferred setting.
+7. Repeat the same process to customize each of the rings. Once done, select **Next**.
+8. In **Review + apply**, you’ll be able to review the selected settings for each of the rings.
+9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
new file mode 100644
index 0000000000..803ffa0560
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -0,0 +1,106 @@
+---
+title: policy health and remediation
+description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: rekhanr
+---
+
+# Policy health and remediation (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
+
+> [!IMPORTANT]
+> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
+
+When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch will raise alerts and detailed recommended actions to ensure healthy operation of the service.
+
+IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service.
+
+With this feature, IT admins can:
+
+- View alerts, in line with the features you commonly use:
+ - Windows Update related alerts in the Release management blade.
+ - Device configuration alerts in the **Tenant management** > **Alert actions** tab.
+- Initiate action for the Autopatch service to restore policies without having to raise an incident.
+- Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident.
+
+> [!NOTE]
+> You can rename your policies to meet your organization’s requirements. Do **not** rename the underlying Autopatch deployment groups.
+
+## Check policy health
+
+Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring may continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts.
+
+## Built-in roles required for remediation actions
+
+The minimum role required to restore configurations is **Intune Service Administrator**. You can also perform these actions in the Global administrator role.
+
+## Restore device configuration policy
+
+**To initiate remediation action for device configuration alerts:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Tenant administration** > **Tenant management** > **Alerts**.
+1. Select **Restore missing policy** to launch the workflow.
+1. Review the message and select **Restore policy**.
+1. If the **Change modified policy alert** appears, select this alert to launch the workflow.
+1. Select **Submit changes** to restore to service required values.
+
+There will be an alert for each policy that is missing or has deviated from the service defined values.
+
+## Restore Windows update policies
+
+**To initiate remediation actions for Windows quality update policies:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows quality updates** > **Status**.
+1. Select **Policy Error** to launch the Policy error workflow.
+1. Review the message:
+ 1. If this is a missing policy error, select **Restore policy** to complete the workflow.
+ 2. If this is a modified policy, select **Submit changes** to restore to service required values.
+
+**To initiate remediation actions for Windows feature update policies:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows feature updates** > **Status**.
+1. Select **Policy Error** to launch the Policy error workflow.
+1. Review the message.
+ 1. If this is a missing policy error, select **Restore policy** to complete the workflow.
+ 2. If this is a modified policy, select **Submit changes** to restore to service required values.
+
+## Restore deployment groups
+
+**To initiate remediation action for missing groups:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Tenant administration** > **Tenant management** > **Alerts**.
+1. Select **Restore missing group** to launch the workflow.
+1. Review the message and select **Restore group**.
+
+When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed.
+
+> [!NOTE]
+> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.

                Alerts will remain active until an IT admin completes the action to restore them to a healthy state.

+
+There are no Autopatch reports for policy alerts and actions at this time.
+
+## Use audit logs to track actions in Microsoft Intune
+
+You can review audit logs in Intune to review the activities completed on the tenant.
+
+**To review audit logs in Intune:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Tenant administration** > **Audit logs**.
+
+The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 10b2232d41..95b3391bd5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/17/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -85,7 +85,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

 **To pause or resume a Windows feature update:**
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 974c419ebd..f12b686427 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 02/17/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -33,8 +33,8 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC.
You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 ## Windows quality update releases
@@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
 | Standard release | Test

                First

                Fast

                Broad | 0

                1

                6

                9 | 0

                2

                2

                5 | 0

                2

                2

                2 |
 | Expedited release | All devices | 0 | 1 | 1 |
+> [!IMPORTANT]
+> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates).
+
 #### Turn off service-driven expedited quality update releases
 Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
index 9f3d420192..50453deea1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@@ -1,7 +1,7 @@
 ---
 title: Customize Windows Update settings
 description: This article explains how to customize Windows Updates in Windows Autopatch
-ms.date: 03/08/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co
 - [Deadline-driven](#deadline-driven)
 - [Scheduled install](#scheduled-install)
+> [!NOTE]
+> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
+
 #### Deadline-driven
 With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
@@ -92,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up
 ## Customize the Windows Update deployment cadence
+> [!IMPORTANT]
+> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                +
 **To customize the Windows Update deployment cadence:**
 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
index d185fe21d6..3525a20488 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
@@ -45,8 +45,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
 | [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
 | [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
 | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
-| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: |
-| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
+| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: |
+| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
 | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
 | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: |
 | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: |
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 7e202554d2..4ca771cece 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -52,7 +52,6 @@ The following are the Microsoft Intune settings:
 | Check | Description |
 | ----- | ----- |
 | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
-| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
 ### Azure Active Directory settings
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index a180a874ec..413d997112 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -37,14 +37,6 @@ For each check, the tool will report one of four possible results:
 You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-### Unlicensed admins
-
-This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization.
-
-| Result | Meaning |
-| ----- | ----- |
-| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

                For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-
 ### Update rings for Windows 10 or later
 Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index c2f86d2ca3..1808dd285c 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 02/17/2023
+ms.date: 04/24/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -44,23 +44,26 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
 | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
 | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
-The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
+The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch:
 - Windows 10 (1809+)/11 Pro
 - Windows 10 (1809+)/11 Enterprise
 - Windows 10 (1809+)/11 Pro for Workstations
+> [!IMPORTANT]
+> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version). The devices must be on a [minimum Windows OS currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to keep receiving monthly security updates that are critical to security and the health Windows.
+
 > [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information).
The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 ## Configuration Manager co-management requirements
 Windows Autopatch fully supports co-management. The following co-management requirements apply:
 - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
-- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled:
- - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
- - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
- - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
+- Configuration Manager must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled and set to either **Pilot Intune** or **Intune**:
+ - [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies)
+ - [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration)
+ - [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps)
 For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index bf23950f18..a1fd2c87e2 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -74,10 +74,10 @@ The following groups target Windows Autopatch configurations to devices and mana
 | Policy name | Policy description | OMA | Value |
 | ----- | ----- | ----- | ----- |
-| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

                Assigned to:

                • Modern Workplace Devices-Windows Autopatch-Test
                |
                • QualityUpdatesDeferralPeriodInDays
                • FeatureUpdatesDeferralPeriodInDays
                • FeatureUpdatesRollbackWindowInDays
                • BusinessReadyUpdatesOnly
                • AutomaticUpdateMode
                • InstallTime
                • DeadlineForFeatureUpdatesInDays
                • DeadlineForQualityUpdatesInDays
                • DeadlineGracePeriodInDays
                • PostponeRebootUntilAfterDeadline
                • DriversExcluded
                |
                • 0
                • 0
                • 30
                • All
                • WindowsDefault
                • 3
                • 5
                • 0
                • 0
                • False
                • False
                • |
-| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  |
                  • QualityUpdatesDeferralPeriodInDays
                  • FeatureUpdatesDeferralPeriodInDays
                  • FeatureUpdatesRollbackWindowInDays
                  • BusinessReadyUpdatesOnly
                  • AutomaticUpdateMode
                  • InstallTime
                  • DeadlineForFeatureUpdatesInDays
                  • DeadlineForQualityUpdatesInDays
                  • DeadlineGracePeriodInDays
                  • PostponeRebootUntilAfterDeadline
                  • DriversExcluded
                  |
                  • 1
                  • 0
                  • 30
                  • All
                  • WindowsDefault
                  • 3
                  • 5
                  • 2
                  • 2
                  • False
                  • False
                  • |
-| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Fast
                    |
                    • QualityUpdatesDeferralPeriodInDays
                    • FeatureUpdatesDeferralPeriodInDays
                    • FeatureUpdatesRollbackWindowInDays
                    • BusinessReadyUpdatesOnly
                    • AutomaticUpdateMode
                    • InstallTime
                    • DeadlineForFeatureUpdatesInDays
                    • DeadlineForQualityUpdatesInDays
                    • DeadlineGracePeriodInDays
                    • PostponeRebootUntilAfterDeadline
                    • DriversExcluded
                    |
                    • 6
                    • 0
                    • 30
                    • All
                    • WindowsDefault
                    • 3
                    • 5
                    • 2
                    • 2
                    • False
                    • False
                    • |
-| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Broad
                      |
                      • QualityUpdatesDeferralPeriodInDays
                      • FeatureUpdatesDeferralPeriodInDays
                      • FeatureUpdatesRollbackWindowInDays
                      • BusinessReadyUpdatesOnly
                      • AutomaticUpdateMode
                      • InstallTime
                      • DeadlineForFeatureUpdatesInDays
                      • DeadlineForQualityUpdatesInDays
                      • DeadlineGracePeriodInDays
                      • PostponeRebootUntilAfterDeadline
                      • DriversExcluded
                      |
                      • 9
                      • 0
                      • 30
                      • All
                      • WindowsDefault
                      • 3
                      • 5
                      • 5
                      • 2
                      • False
                      • False
                      • |
+| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        |
                        • MicrosoftProductUpdates
                        • EnablePrereleasebuilds
                        • UpgradetoLatestWin11
                        • QualityUpdatesDeferralPeriodInDays
                        • FeatureUpdatesDeferralPeriodInDays
                        • FeatureUpdatesRollbackWindowInDays
                        • BusinessReadyUpdatesOnly
                        • AutomaticUpdateMode
                        • InstallTime
                        • DeadlineForFeatureUpdatesInDays
                        • DeadlineForQualityUpdatesInDays
                        • DeadlineGracePeriodInDays
                        • PostponeRebootUntilAfterDeadline
                        • DriversExcluded
                        • RestartChecks
                        • SetDisablePauseUXAccess
                        • SetUXtoCheckforUpdates
                        |
                        • Allow
                        • Not Configured
                        • No
                        • 0
                        • 0
                        • 30
                        • All
                        • WindowsDefault
                        • 3
                        • 5
                        • 0
                        • 0
                        • False
                        • False
                        • Allow
                        • Disable
                        • Enable
                        • |
+| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-First
                          |
                          • MicrosoftProductUpdates
                          • EnablePrereleasebuilds
                          • UpgradetoLatestWin11
                          • QualityUpdatesDeferralPeriodInDays
                          • FeatureUpdatesDeferralPeriodInDays
                          • FeatureUpdatesRollbackWindowInDays
                          • BusinessReadyUpdatesOnly
                          • AutomaticUpdateMode
                          • InstallTime
                          • DeadlineForFeatureUpdatesInDays
                          • DeadlineForQualityUpdatesInDays
                          • DeadlineGracePeriodInDays
                          • PostponeRebootUntilAfterDeadline
                          • DriversExcluded
                          • RestartChecks
                          • SetDisablePauseUXAccess
                          • SetUXtoCheckforUpdates
                          |
                          • Allow
                          • Not Configured
                          • No
                          • 1
                          • 0
                          • 30
                          • All
                          • WindowsDefault
                          • 3
                          • 5
                          • 2
                          • 2
                          • False
                          • False
                          • Allow
                          • Disable
                          • Enable
                          • |
+| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Fast
                            |
                            • MicrosoftProductUpdates
                            • EnablePrereleasebuilds
                            • UpgradetoLatestWin11
                            • QualityUpdatesDeferralPeriodInDays
                            • FeatureUpdatesDeferralPeriodInDays
                            • FeatureUpdatesRollbackWindowInDays
                            • BusinessReadyUpdatesOnly
                            • AutomaticUpdateMode
                            • InstallTime
                            • DeadlineForFeatureUpdatesInDays
                            • DeadlineForQualityUpdatesInDays
                            • DeadlineGracePeriodInDays
                            • PostponeRebootUntilAfterDeadline
                            • DriversExcluded
                            • RestartChecks
                            • SetDisablePauseUXAccess
                            • SetUXtoCheckforUpdates
                            |
                            • Allow
                            • Not Configured
                            • No
                            • 6
                            • 0
                            • 30
                            • All
                            • WindowsDefault
                            • 3
                            • 5
                            • 2
                            • 2
                            • False
                            • False
                            • Allow
                            • Disable
                            • Enable
                            • |
+| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                              Assigned to:

                              • Modern Workplace Devices-Windows Autopatch-Broad
                              |
                              • MicrosoftProductUpdates
                              • EnablePrereleasebuilds
                              • UpgradetoLatestWin11
                              • QualityUpdatesDeferralPeriodInDays
                              • FeatureUpdatesDeferralPeriodInDays
                              • FeatureUpdatesRollbackWindowInDays
                              • BusinessReadyUpdatesOnly
                              • AutomaticUpdateMode
                              • InstallTime
                              • DeadlineForFeatureUpdatesInDays
                              • DeadlineForQualityUpdatesInDays
                              • DeadlineGracePeriodInDays
                              • PostponeRebootUntilAfterDeadline
                              • DriversExcluded
                              • RestartChecks
                              • SetDisablePauseUXAccess
                              • SetUXtoCheckforUpdates
                              |
                              • Allow
                              • Not Configured
                              • No
                              • 9
                              • 0
                              • 30
                              • All
                              • WindowsDefault
                              • 3
                              • 5
                              • 5
                              • 2
                              • False
                              • False
                              • Allow
                              • Disable
                              • Enable
                              • |
 ## Windows feature update policies
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
new file mode 100644
index 0000000000..29795eceb9
--- /dev/null
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md
@@ -0,0 +1,29 @@
+---
+title: Autopatch groups Public Preview Addendum
+description: Addendum for Windows Autopatch groups public preview
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows Autopatch groups Public Preview Addendum
+
+**This is the Autopatch groups Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
+
+For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
+
+Microsoft desires to preview the Autopatch groups service it is developing ("**Autopatch groups Preview**”) in order to evaluate it. Customer would like to particulate this Autopatch groups Preview under the Product Terms and this Addendum. Autopatch groups Preview consists of features and services that are in preview, beta, or other pre-release form. Autopatch groups Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
+
+## Definitions
+
+Capitalized terms used but not defined herein have the meanings given in the Product Terms.
+
+## Data Handling
+
+Autopatch groups Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services").
Once Customer Data from Windows Autopatch Input Services is integrated into Autopatch groups Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Autopatch groups Preview apply to that data.
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 22a90e7d70..a279da8f47 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 04/11/2023
+ms.date: 05/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -18,12 +18,48 @@ This article lists new and updated feature releases, and service releases, with
 Minor corrections such as typos, style, or formatting issues aren't listed.
+## May 2023
+
+### May 2023 feature release
+
+| Article | Description |
+| ----- | ----- |
+| [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview |
+| [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Software update management](../operate/windows-autopatch-groups-update-management.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md) | New article for the Windows Autopatch groups experience. 
Windows Autopatch groups is in public preview |
+| [Windows quality update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Manage Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) | New article for the Windows Autopatch groups experience. 
Windows Autopatch groups is in public preview |
+| [Windows feature update summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality and feature update device alerts](../operate/windows-autopatch-device-alerts.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. 
This feature is in public preview |
+| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview |
+
 ## April 2023
+### April feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
+
 ### April 2023 service release
 | Message center post number | Description |
 | ----- | ----- |
+| [MC542842](https://admin.microsoft.com/adminportal/home#/MessageCenter) | April 2023 Windows Autopatch baseline configuration update |
 | [MC538728](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Update: Windows Autopatch quality updates release communication |
 | [MC536881](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Take action: Review Windows Autopatch Tenant management blade for potential action required to prevent inactive status |
diff --git a/windows/deployment/windows-autopilot/images/all-groups.png b/windows/deployment/windows-autopilot/images/all-groups.png
deleted file mode 100644
index 6ae904ed62..0000000000
Binary files a/windows/deployment/windows-autopilot/images/all-groups.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png b/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png
deleted file mode 100644
index 0f458e9306..0000000000
Binary files a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/ap-ts-1.png b/windows/deployment/windows-autopilot/images/ap-ts-1.png
deleted file mode 100644
index 5f4c33fd51..0000000000
Binary files a/windows/deployment/windows-autopilot/images/ap-ts-1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/ap-ts.png b/windows/deployment/windows-autopilot/images/ap-ts.png
deleted file mode 100644
index 7c343176d0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/ap-ts.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg
deleted file mode 100644
index 3a16c0f219..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg
deleted file mode 100644
index 3a8f1578cb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png
deleted file mode 100644
index 1533f68c7c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg
deleted file mode 100644
index 137b6ca431..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg
deleted file mode 100644
index bc4bed8920..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg
deleted file mode 100644
index 7604382113..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg
deleted file mode 100644
index c3c5307ce4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg
deleted file mode 100644
index a2717c68be..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg b/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg
deleted file mode 100644
index bb2d641155..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png
deleted file mode 100644
index d86cb57895..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png
deleted file mode 100644
index f6fa6d3467..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png
deleted file mode 100644
index 96e2d94fb3..0000000000
Binary files a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/choice.png b/windows/deployment/windows-autopilot/images/choice.png
deleted file mode 100644
index 881744eec5..0000000000
Binary files a/windows/deployment/windows-autopilot/images/choice.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png
deleted file mode 100644
index 2d8abb5785..0000000000
Binary files a/windows/deployment/windows-autopilot/images/connector-fail.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp1.png b/windows/deployment/windows-autopilot/images/csp1.png
deleted file mode 100644
index 81e59080c8..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png
deleted file mode 100644
index 06cc80fe95..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3.png b/windows/deployment/windows-autopilot/images/csp3.png
deleted file mode 100644
index 8b0647e4b4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3a.png b/windows/deployment/windows-autopilot/images/csp3a.png
deleted file mode 100644
index 3fb1291370..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3a.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3b.png b/windows/deployment/windows-autopilot/images/csp3b.png
deleted file mode 100644
index c2034c1ebc..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3b.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png
deleted file mode 100644
index ddada725b2..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp5.png b/windows/deployment/windows-autopilot/images/csp5.png
deleted file mode 100644
index f43097c62b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp5.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp6.png b/windows/deployment/windows-autopilot/images/csp6.png
deleted file mode 100644
index 8b0647e4b4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp6.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp7.png b/windows/deployment/windows-autopilot/images/csp7.png
deleted file mode 100644
index 608128e5ab..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp7.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device3.png b/windows/deployment/windows-autopilot/images/delete-device3.png
deleted file mode 100644
index a2daa1c39a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device4.png b/windows/deployment/windows-autopilot/images/delete-device4.png
deleted file mode 100644
index c0119fbc39..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device5.png b/windows/deployment/windows-autopilot/images/delete-device5.png
deleted file mode 100644
index 33b539d33c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device5.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device6.png b/windows/deployment/windows-autopilot/images/delete-device6.png
deleted file mode 100644
index 23cbcb7c44..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device6.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device7.png b/windows/deployment/windows-autopilot/images/delete-device7.png
deleted file mode 100644
index dcdeee5205..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device7.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles.png b/windows/deployment/windows-autopilot/images/deployment-profiles.png
deleted file mode 100644
index 7888da55d1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles2.png b/windows/deployment/windows-autopilot/images/deployment-profiles2.png
deleted file mode 100644
index 6ff9fbb89e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device-import.png b/windows/deployment/windows-autopilot/images/device-import.png
deleted file mode 100644
index 3be4cff996..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device-import.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device2.png b/windows/deployment/windows-autopilot/images/device2.png
deleted file mode 100644
index 6f7d1a5df0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device3.png b/windows/deployment/windows-autopilot/images/device3.png
deleted file mode 100644
index adf9c7a875..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/devices.png b/windows/deployment/windows-autopilot/images/devices.png
deleted file mode 100644
index a5b0dd1899..0000000000
Binary files a/windows/deployment/windows-autopilot/images/devices.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/dfci.png b/windows/deployment/windows-autopilot/images/dfci.png
deleted file mode 100644
index 6c68ed8b80..0000000000
Binary files a/windows/deployment/windows-autopilot/images/dfci.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enabled-device.png b/windows/deployment/windows-autopilot/images/enabled-device.png
deleted file mode 100644
index 96dc935309..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enabled-device.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enrollment-status-page.png b/windows/deployment/windows-autopilot/images/enrollment-status-page.png
deleted file mode 100644
index 9bb550c20b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enrollment-status-page.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/esp-config.png b/windows/deployment/windows-autopilot/images/esp-config.png
deleted file mode 100644
index eb9f94661f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/esp-config.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png
deleted file mode 100644
index df0fe655e9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/esp-settings.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hh.png b/windows/deployment/windows-autopilot/images/hh.png
deleted file mode 100644
index 98fbc3cd7b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hh.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hwid-csv.png b/windows/deployment/windows-autopilot/images/hwid-csv.png
deleted file mode 100644
index ac177e0b5a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hwid-csv.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/image1.png b/windows/deployment/windows-autopilot/images/image1.png
deleted file mode 100644
index e5bd9e3cba..0000000000
Binary files a/windows/deployment/windows-autopilot/images/image1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/image2.png b/windows/deployment/windows-autopilot/images/image2.png
deleted file mode 100644
index 9790d50b35..0000000000
Binary files a/windows/deployment/windows-autopilot/images/image2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/import-vm.png b/windows/deployment/windows-autopilot/images/import-vm.png
deleted file mode 100644
index 5fb97cda5d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/import-vm.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/include-group.png b/windows/deployment/windows-autopilot/images/include-group.png
deleted file mode 100644
index fb7bca7efa..0000000000
Binary files a/windows/deployment/windows-autopilot/images/include-group.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/include-group2.png b/windows/deployment/windows-autopilot/images/include-group2.png
deleted file mode 100644
index 585d006bac..0000000000
Binary files a/windows/deployment/windows-autopilot/images/include-group2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/intune-devices.png b/windows/deployment/windows-autopilot/images/intune-devices.png
deleted file mode 100644
index bc29c76511..0000000000
Binary files a/windows/deployment/windows-autopilot/images/intune-devices.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/landing.png b/windows/deployment/windows-autopilot/images/landing.png
deleted file mode 100644
index 13dea20b07..0000000000
Binary files a/windows/deployment/windows-autopilot/images/landing.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-config.png b/windows/deployment/windows-autopilot/images/mdm-config.png
deleted file mode 100644
index 0b2dd14a53..0000000000
Binary files a/windows/deployment/windows-autopilot/images/mdm-config.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune.png b/windows/deployment/windows-autopilot/images/mdm-intune.png
deleted file mode 100644
index db9b144fad..0000000000
Binary files a/windows/deployment/windows-autopilot/images/mdm-intune.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage2.png b/windows/deployment/windows-autopilot/images/msfb-manage2.png
deleted file mode 100644
index 406aaf5948..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-manage2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage3.png b/windows/deployment/windows-autopilot/images/msfb-manage3.png
deleted file mode 100644
index bf5fb1ccf9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-manage3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/new-group.png b/windows/deployment/windows-autopilot/images/new-group.png
deleted file mode 100644
index c18c1865f6..0000000000
Binary files a/windows/deployment/windows-autopilot/images/new-group.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/notepad.png b/windows/deployment/windows-autopilot/images/notepad.png
deleted file mode 100644
index 0f243f95d6..0000000000
Binary files a/windows/deployment/windows-autopilot/images/notepad.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pc-01a.png b/windows/deployment/windows-autopilot/images/pc-01a.png
deleted file mode 100644
index a3d0f4cdea..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pc-01a.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pc-01b.png b/windows/deployment/windows-autopilot/images/pc-01b.png
deleted file mode 100644
index 07eda6e4bb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pc-01b.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pwd.png b/windows/deployment/windows-autopilot/images/pwd.png
deleted file mode 100644
index c9b0e7837c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pwd.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/reset.png b/windows/deployment/windows-autopilot/images/reset.png
deleted file mode 100644
index 0619b7fa03..0000000000
Binary files a/windows/deployment/windows-autopilot/images/reset.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/sc.png b/windows/deployment/windows-autopilot/images/sc.png
deleted file mode 100644
index bb326e6406..0000000000
Binary files a/windows/deployment/windows-autopilot/images/sc.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/sc1.png b/windows/deployment/windows-autopilot/images/sc1.png
deleted file mode 100644
index 380887a45c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/sc1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png
deleted file mode 100644
index 3ab1e4b304..0000000000
Binary files a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-1.PNG b/windows/deployment/windows-autopilot/images/up-1.PNG
deleted file mode 100644
index c1284c53d2..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-1.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-2.PNG b/windows/deployment/windows-autopilot/images/up-2.PNG
deleted file mode 100644
index 4891a3873a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-2.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-3.PNG b/windows/deployment/windows-autopilot/images/up-3.PNG
deleted file mode 100644
index 8b1e356f92..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-3.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update-flow.png b/windows/deployment/windows-autopilot/images/update-flow.png
deleted file mode 100644
index c90f54e96c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update-flow.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update1.png b/windows/deployment/windows-autopilot/images/update1.png
deleted file mode 100644
index 83d98a29b5..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update2.png b/windows/deployment/windows-autopilot/images/update2.png
deleted file mode 100644
index 04dbcaddc1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update3.png b/windows/deployment/windows-autopilot/images/update3.png
deleted file mode 100644
index 851adb58ec..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg01.png b/windows/deployment/windows-autopilot/images/wg01.png
deleted file mode 100644
index fa08be3f48..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg01.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg02.png b/windows/deployment/windows-autopilot/images/wg02.png
deleted file mode 100644
index 5de01d6803..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg02.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg03.png b/windows/deployment/windows-autopilot/images/wg03.png
deleted file mode 100644
index 89ac12747c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg03.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg04.png b/windows/deployment/windows-autopilot/images/wg04.png
deleted file mode 100644
index a59ea766b7..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg04.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg05.png b/windows/deployment/windows-autopilot/images/wg05.png
deleted file mode 100644
index cea36fb6bd..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg05.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg06.png b/windows/deployment/windows-autopilot/images/wg06.png
deleted file mode 100644
index 68cd29c24d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg06.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg07.png b/windows/deployment/windows-autopilot/images/wg07.png
deleted file mode 100644
index bc5a81bb3f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg07.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/white-glove-result.png b/windows/deployment/windows-autopilot/images/white-glove-result.png
deleted file mode 100644
index de3701e76d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/white-glove-result.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/windows_glyph.png b/windows/deployment/windows-autopilot/images/windows_glyph.png
deleted file mode 100644
index 3a41d4dfb1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/windows_glyph.png and /dev/null differ
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 976780994e..82b280bbf7 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -40,7 +40,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate
 ### Install the Diagnostic Data Viewer for PowerShell
 >[!IMPORTANT]
- >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
+ >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module.
 To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session:
 ```powershell
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 4984e4e28e..63adeb04ea 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -23,6 +23,12 @@
 href: information-protection/tpm/tpm-fundamentals.md
 - name: How Windows uses the TPM
 href: information-protection/tpm/how-windows-uses-the-tpm.md
+ - name: Manage TPM commands
+ href: information-protection/tpm/manage-tpm-commands.md
+ - name: Manager TPM Lockout
+ href: information-protection/tpm/manage-tpm-lockout.md
+ - name: Change the TPM password
+ href: information-protection/tpm/change-the-tpm-owner-password.md
 - name: TPM Group Policy settings
 href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
 - name: Back up the TPM recovery information to AD DS
@@ -33,6 +39,7 @@
 href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
 - name: TPM recommendations
 href: information-protection/tpm/tpm-recommendations.md
+
 - name: Hardware-based root of trust
 href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
 - name: System Guard Secure Launch and SMM protection
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 23537daa14..e63b129275 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
 title: Windows Hello errors during PIN creation
 description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
 ms.topic: troubleshooting
-ms.date: 03/31/2023
+ms.date: 04/24/2023
 ---
 # Windows Hello errors during PIN creation
@@ -22,7 +22,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
 1. Try to create the PIN again. Some errors are transient and resolve themselves.
 2. Sign out, sign in, and try to create the PIN again.
 3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**.
+4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
 If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
@@ -31,21 +31,21 @@ If the error occurs again, check the error code against the following table to s | 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. | | 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. | | 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. | -| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | +| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | | 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. | | 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | | 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. | | 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. | | 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation​. | -| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). | +| 0x801C000E | Registration quota reached. 
| Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). | | 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. | | 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. | | 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. | | 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. | -| 0x801C0015 | The device is required to be joined to an Active Directory domain. | ​Join the device to an Active Directory domain. | -| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. | -| 0x801C0017 | ​The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. | -| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. | +| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. | +| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. | +| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. | +| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. 
| | 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. | | 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. | | 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. | @@ -53,10 +53,11 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.
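Review bot: The rewritten rows for 0x801C0016, 0x801C0017 and 0x801C0018 still send the administrator to `http://clientconfig.microsoftonline-p.net/FPURL.xml` over plain HTTP, so the file they are asked to inspect can be silently altered on a hostile network and the check proves little. If the endpoint is served over TLS (it appears to be a Microsoft Online endpoint, but confirm), change the three links to `https://clientconfig.microsoftonline-p.net/FPURL.xml`. A short clause that the admin is only verifying the service-side file, not editing it, would also stop readers from treating an empty file as something to fix locally.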

                                -or-

                                Token was not found in the Authorization header.

                                -or-

                                Failed to read one or more objects.

                                -or-

                                The request sent to the server was invalid.

                                -or-

                                User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
                                Allow user(s) to join to Azure AD under Azure AD Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address. +| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| | 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. 
Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -72,7 +73,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x801C0001 | ​ADRS server response is not in a valid format. | +| 0x801C0001 | ADRS server response is not in a valid format. | | 0x801C0002 | Server failed to authenticate the user. | | 0x801C0006 | Unhandled exception from server. | | 0x801C000B | Redirection is needed and redirected location is not a well known server. | @@ -88,13 +89,3 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | | 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) 
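Review bot: The new 0x801C0451 row tells the admin to delete everything under `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` without saying what that removes, and the trailing `\*.*\` is an odd glob that readers may paste verbatim. Presumably these are the Web Account Manager's cached broker tokens for every account in the profile, so users should expect to sign in again to apps that relied on them — confirm and say so, e.g. `Delete the Web Account Manager token broker cache under ...\TokenBroker\Accounts and reboot; the user must sign in again to apps that used those tokens.` Stating that this clears cached credentials also lets a security team decide whether the step needs to be logged or approved rather than handed to end users.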
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md new file mode 100644 index 0000000000..facc36e2eb --- /dev/null +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md 
@@ -0,0 +1,66 @@ +--- +title: Change the TPM owner password (Windows) +description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- + +# Change the TPM owner password + +This article for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. + +## About the TPM owner password + +Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded. + +> [!IMPORTANT] +> +> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key of +> +> `HKLM\Software\Policies\Microsoft\TPM` +> +> create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`. +> +> For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means: +> +> - **TPM 2.0**: Keep the lockout authorization. +> - **TPM 1.2**: Discard the Full TPM owner authorization and retain only the Delegated authorization. +> +> Unless the registry key value is changed from 5 to 4 before the TPM is provisioned, the owner password isn't saved. + +Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. 
The TPM owner password also allows manipulation of the TPM dictionary attack logic. Windows takes ownership of the TPM as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + +Without the owner password, you can still perform all the preceding actions with a physical presence confirmation from UEFI. + +### Other TPM management options + +Instead of changing your owner password, you can also use the following options to manage your TPM: + +- **Clear the TPM** - If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). + +- **Turn off the TPM** - With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Turn off the TPM if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). + +## Changing the TPM owner password + +With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. + +To change to a new TPM owner password, in `TPM.msc`, select **Change Owner Password**, and follow the instructions. It prompts to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. + +## Use the TPM cmdlets + +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). 
+ +## Related articles + +- [Trusted Platform Module](trusted-platform-module-top-node.md) diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md new file mode 100644 index 0000000000..24f72081df --- /dev/null +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md 
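Review bot: The version boundary in the new article is inconsistent: "About the TPM owner password" says the password stops being retained starting with Windows 10 version 1607, while the important note says the default `OSManagedAuthLevel` of 5 applies to "versions newer than Windows 10 1703"; pick one boundary or explain what changed between them. The frontmatter marks the page as applying to Windows 11 and Windows Server 2016–2022, yet "Changing the TPM owner password" only works on Windows 10 1507/1511 with a preserved password, so a lead-in such as `> On current Windows versions the owner password is not retained; this procedure applies only if OSManagedAuthLevel was set to 4 before the TPM was provisioned.` would stop readers hunting for a missing option. The recommendation against setting the value to 4 would also be stronger with a reason: by the article's own text, a retained owner authorization lets anyone holding it enable, disable or clear the TPM remotely without the UEFI physical-presence confirmation — confirm that phrasing before adding it.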
@@ -0,0 +1,83 @@ +--- +title: Manage TPM commands (Windows) +description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- + +# Manage TPM commands + +This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. + +After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. + +The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. + +## Block TPM commands by using the Local Group Policy Editor + +1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + + > [!NOTE] + > + > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). + +1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. + +1. Under **System**, select **Trusted Platform Module Services**. + +1. 
In the details pane, double-click **Configure the list of blocked TPM commands**. + +1. Select **Enabled**, and then select **Show**. + +1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**. + + > [!NOTE] + > + > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). + +1. After you have added numbers for each command that you want to block, select **OK** twice. + +1. Close the Local Group Policy Editor. + +## Block or allow TPM commands by using the TPM MMC + +1. Open the TPM MMC (tpm.msc) + +1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + +1. In the console tree, select **Command Management**. A list of TPM commands is displayed. + +1. In the list, select a command that you want to block or allow. + +1. Under **Actions**, select **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. + +## Block new commands + +1. Open the TPM MMC (tpm.msc). + + If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + +1. In the console tree, select **Command Management**. A list of TPM commands is displayed. + +1. In the **Action** pane, select **Block New Command**. The **Block New Command** dialog box is displayed. + +1. In the **Command Number** text box, type the number of the new command that you want to block, and then select **OK**. The command number you entered is added to the blocked list. + +## Use the TPM cmdlets + +You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). 
+ +## Related articles + +- [Trusted Platform Module](trusted-platform-module-top-node.md) diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md new file mode 100644 index 0000000000..d89f660756 --- /dev/null +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md 
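Review bot: The procedures say to "enter the command number" but never say which numbering is meant, and the only pointer is the generic TCG specification link; a TPM 1.2 ordinal and a TPM 2.0 command code for the same operation differ, so an admin can block the wrong thing. Add a sentence under the first NOTE such as `Use the command ordinal (TPM 1.2) or command code (TPM 2.0) defined in the specification for your TPM version; the Command Management view in tpm.msc lists the numbers Windows recognizes.` — confirm the MMC shows the numbers before citing it. It would also help to state, if accurate, that the block list is enforced by Windows for commands issued through the operating system rather than by the TPM itself, so readers don't assume it restricts pre-boot or firmware callers. If the TPM Group Policy settings page linked from this TOC change documents the settings that ignore the default and local block lists, a cross-reference here would make precedence between Group Policy and the local list clear.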
@@ -0,0 +1,90 @@ +--- +title: Manage TPM lockout (Windows) +description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- +# Manage TPM lockout + +This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows. + +## About TPM lockout + +The TPM locks itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode. + +Windows takes ownership of the TPM ownership upon first boot. By default, Windows doesn't retain the TPM owner password. + +In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values. 
+ +### TPM 1.2 + +The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time. + +### TPM 2.0 + +TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1. + +If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher. + +## Reset the TPM lockout by using the TPM MMC + +> [!NOTE] +> +> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher. + +The following procedure explains the steps to reset the TPM lockout by using the TPM MMC. + +### Reset the TPM lockout + +1. Open the TPM MMC (tpm.msc). + +1 In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. + +1. 
Choose one of the following methods to enter the TPM owner password: + + - If you saved your TPM owner password to a `.tpm` file, select **I have the owner password file**, and then type the path to the file, or select **Browse** to navigate to the file location. + + - If you want to manually enter your TPM owner password, select **I want to enter the owner password**, and then type the password in the text box provided. + + > [!NOTE] + > + > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + +## Use Group Policy to manage TPM lockout settings + +The TPM Group Policy settings in the following list are located at: + +**Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services** + +- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration) + + This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization. + +- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold) + + This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. 
This value is the maximum number of authorization failures that each user can have before the user isn't allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization. + +- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold) + + This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization. + +For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering). + +## Use the TPM cmdlets + +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/). + +## Related articles + +- [Trusted Platform Module](trusted-platform-module-top-node.md) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 98746150c6..ea8fbab15b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
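Review bot: The second step of "Reset the TPM lockout" is written as `1 In the **Action** pane, ...` with no period after the number, so it will not render as a list item; make it `1. In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.` The two threshold bullets under "Use Group Policy" say "If the number of authorization failures equals the duration that is set", but a threshold is a count, not a duration; use `equals the threshold that is set` in both places. "Windows takes ownership of the TPM ownership upon first boot" doubles the word. The companion article added in this same change says the default `OSManagedAuthLevel` keeps the lockout authorization on TPM 2.0, which suggests Windows can reset a TPM 2.0 lockout without the owner password; if so, the NOTE stating the MMC procedure requires the retained owner password should say whether that applies only to TPM 1.2 — confirm before stating it.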
@@ -179,8 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | -| ## Table 4. Kerberos encryption types | | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. 
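Review bot: The hunk deletes the malformed row `| ## Table 4. Kerberos encryption types | | |` outright instead of moving the heading out of the table, so the "Ticket Encryption Type" section that follows loses its caption; if anything else on the page refers to "Table 4", that reference now dangles — only this hunk is visible, so confirm. Reinstating it as a proper heading before the encryption-type table, e.g. `#### Table 4. Kerberos encryption types`, fixes the rendering without losing the label.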
@@ -252,7 +251,7 @@ The table below contains the list of the most common error codes for this event: | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | -| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                                Multiple recent password changes hanven't propagated.
                                Crypto subsystem error caused by running out of memory.
                                SPN too long.
                                SPN has too many parts. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                                Multiple recent password changes haven't propagated.
                                Crypto subsystem error caused by running out of memory.
                                SPN too long.
                                SPN has too many parts. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index d40726923d..f0fd6be3e9 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -159,6 +159,16 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` +**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** +```console +reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f +``` + +**To let memory integrity UI behave normally (Not grayed out)** +```console +reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f +``` + #### For Windows 10 version 1511 and earlier Recommended settings (to enable memory integrity, without UEFI Lock): diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 4f3fd11f90..85a59f77d7 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -628,7 +628,7 @@ For more details, expand each product section.
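Review bot: The new `reg delete ... /v "WasEnabledBy"` instruction changes a value whose meaning the page never explains, and the "grayed out" UI state it produces is cosmetic: nothing here stops a local administrator from re-adding the value or toggling `Enabled`, whereas the preceding `Locked` value and the UEFI lock the page describes are what actually enforce memory integrity. Add a sentence before the two commands such as `These commands only change what the Windows Security app displays; to prevent memory integrity from being turned off, use the Locked value or the UEFI lock described above.` Also state what `WasEnabledBy` values mean — presumably which component enabled HVCI, with `2` denoting the user via the UI — or readers will copy `/d 2` blindly; confirm the semantics before documenting them. Quoting the key path as the existing `reg add` lines do (`"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"`) keeps the console blocks consistent.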
  • -## Cryprtographic algorithms +## Cryptographic algorithms The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.\ For more details, expand each algorithm section. @@ -1779,4 +1779,4 @@ SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 [sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf [sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf [sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf -[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf \ No newline at end of file +[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 1e4b1fa586..df9030461f 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml 
@@ -1,22 +1,22 @@ - name: Security policy settings href: security-policy-settings.md - items: + items: - name: Administer security policy settings href: administer-security-policy-settings.md - items: + items: - name: Network List Manager policies href: network-list-manager-policies.md - name: Configure security policy settings href: how-to-configure-security-policy-settings.md - name: Security policy settings reference href: security-policy-settings-reference.md - items: + items: - name: Account Policies href: account-policies.md - items: + items: - name: Password Policy href: password-policy.md - items: + items: - name: Enforce password history href: enforce-password-history.md - name: Maximum password age @@ -31,7 +31,7 @@ href: store-passwords-using-reversible-encryption.md - name: Account Lockout Policy href: account-lockout-policy.md - items: + items: - name: Account lockout duration href: account-lockout-duration.md - name: Account lockout threshold @@ -40,7 +40,7 @@ href: reset-account-lockout-counter-after.md - name: Kerberos Policy href: kerberos-policy.md - items: + items: - name: Enforce user logon restrictions href: enforce-user-logon-restrictions.md - name: Maximum lifetime for service ticket @@ -55,7 +55,7 @@ href: audit-policy.md - name: Security Options href: security-options.md - items: + items: - name: "Accounts: Administrator account status" href: accounts-administrator-account-status.md - name: "Accounts: Block Microsoft accounts" 
@@ -92,6 +92,8 @@ href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md - name: "Domain controller: Allow server operators to schedule tasks" href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server channel binding token requirements" + href: domain-controller-ldap-server-channel-binding-token-requirements.md - name: "Domain controller: LDAP server signing requirements" href: domain-controller-ldap-server-signing-requirements.md - name: "Domain controller: Refuse machine account password changes" @@ -250,7 +252,7 @@ href: secpol-advanced-security-audit-policy-settings.md - name: User Rights Assignment href: user-rights-assignment.md - items: + items: - name: Access Credential Manager as a trusted caller href: access-credential-manager-as-a-trusted-caller.md - name: Access this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md new file mode 100644 index 0000000000..24614ad5c4 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md 
@@ -0,0 +1,90 @@
+---
+title: Domain controller LDAP server channel binding token requirements
+description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting.
+ms.reviewer: waynmc
+ms.author: waynmc
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: vinaypamnani-msft
+manager: aaroncz
+ms.topic: conceptual
+ms.date: 04/26/2023
+ms.technology: itpro-security
+---
+
+# Domain controller: LDAP server channel binding token requirements
+
+**Applies to**:
+
+- Windows Server
+
+This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server channel binding token requirements** security policy setting.
+
+## Reference
+
+This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate channel bindings (EPA).
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
+
+- If channel binding is set to Always, LDAP clients who don't support channel bindings will be rejected.
+- If channel binding is set to when supported, only incorrect channel bindings will be blocked, and clients who don't support channel binding can continue to connect via LDAP over TLS.
+
+CBT or EPA is used with TLS sessions when a SASL authentication method is used to authenticate the user. SASL means you use NTLM or Kerberos for user authentication. LDAP Simple Bind over TLS doesn't offer channel binding token protection and is therefore not recommended.
+
+### Possible values
+
+- **Never**: No channel binding validation is performed. This is the behavior of all servers that haven't been updated.
+- **When Supported**: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that don't advertise such support and/or don't use TLS/SSL connections aren't impacted. This is an intermediate option that allows for application compatibility.
+- **Always**: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that don't do so.
+
+### Best practices
+
+We recommend that you set **Domain controller: LDAP server channel binding token requirements** to **Always**. Clients that don't support LDAP channel binding will be unable to execute LDAP queries against the domain controllers.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
+
+| Server type or GPO | Default value |
+|--------------------------------------------|---------------|
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | None |
+| Member Server Effective Default Settings | None |
+| Client Computer Effective Default Settings | None |
+
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
+
+### Countermeasure
+
+Configure the **Domain controller: LDAP server channel binding token requirements** setting to **Always**.
+
+### Potential impact
+
+Client devices that don't support LDAP channel binding can't run LDAP queries against the domain controllers.
+
+## Related articles
+
+- [Security Options](security-options.md)
+- [LDAP session security settings and requirements after ADV190023 is installed](/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023)
+- [2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
+- [KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure](https://support.microsoft.com/topic/kb4034879-use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e)
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 644f65163a..abd3fc56ae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
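Review bot: The **Default values** table gives `None` as the effective default for DCs, member servers and clients, but `None` is not one of the three documented values (**Never**, **When Supported**, **Always**), so a reader cannot tell which behaviour an unconfigured domain controller actually has; the table or a sentence under it should map "not configured" to one of the listed values (the **Never** bullet's "behavior of all servers that haven't been updated" hints at the answer without stating it). The second bullet under Reference writes `when supported` in lowercase while the Possible values section uses **When Supported**; use one form. Since **Best practices** recommends **Always** and warns that non-supporting clients lose LDAP access, it would help to state that **When Supported** is the staged setting to run while identifying such clients — the Possible values text already describes it as the intermediate option for application compatibility, e.g. `Deploy **When Supported** first and move to **Always** once no client relies on unbound connections.`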
@@ -40,7 +40,7 @@ There may come a time when you want to remove one or more WDAC policies, or remo > > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. > -> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. +> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. > > You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** @@ -107,58 +107,53 @@ For **single policy format WDAC policies**, in addition to the two locations abo Then restart the computer. -#### Sample script - -
    - Expand this section to see a sample script to delete a single WDAC policy +#### Sample script to delete a single WDAC policy ```powershell - # Set PolicyId GUID to the PolicyId from your WDAC policy XML - $PolicyId = "{PolicyId GUID}" +# Set PolicyId GUID to the PolicyId from your WDAC policy XML +$PolicyId = "{PolicyId GUID}" - # Initialize variables - $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" - $SinglePolicyFormatFileName = "\SiPolicy.p7b" - $MountPoint = $env:SystemDrive+"\EFIMount" - $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" - $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" - $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" +# Initialize variables +$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" +$SinglePolicyFormatFileName = "\SiPolicy.p7b" +$MountPoint = $env:SystemDrive+"\EFIMount" +$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" +$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" +$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" - # Mount the EFI partition - $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] - if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } - mountvol $MountPoint $EFIPartition +# Mount the EFI partition +$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] +if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } +mountvol $MountPoint $EFIPartition - # Check if the PolicyId to be removed is the system reserved GUID for single policy format. 
- # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as - # {GUID}.cip in the CiPolicies\Active subdirectory - if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} - - $Count = 1 - while ($Count -le $NumFilesToDelete) +# Check if the PolicyId to be removed is the system reserved GUID for single policy format. +# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as +# {GUID}.cip in the CiPolicies\Active subdirectory +if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} + +$Count = 1 +while ($Count -le $NumFilesToDelete) +{ + + # Set the $PolicyPath to the file to be deleted, if exists + Switch ($Count) { - - # Set the $PolicyPath to the file to be deleted, if exists - Switch ($Count) - { - 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - } - - # Delete the policy file from the current $PolicyPath - Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan - if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} - - $Count = $Count + 1 + 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} } - # Dismount the EFI partition - mountvol $MountPoint /D -``` + # Delete the policy file from the current $PolicyPath + Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan + if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} -
    + $Count = $Count + 1 +} + +# Dismount the EFI partition +mountvol $MountPoint /D +``` > [!NOTE] > You must run the script as administrator to remove WDAC policies on your computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 68be5afd9a..e8331a7fcf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -113,9 +113,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below. -
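Review bot: The sample script mounts the EFI system partition with `mountvol $MountPoint $EFIPartition` and only dismounts it on its last line, so any terminating error between those two points leaves the ESP mounted at `$env:SystemDrive\EFIMount`; wrapping the deletion loop in `try { ... } finally { mountvol $MountPoint /D }` makes the dismount unconditional. This hunk only re-indents the script, so the issue is pre-existing, but this is now the copy readers will paste. Since the NOTE below says the script must run as administrator, a `#Requires -RunAsAdministrator` line at the top turns that prose into an enforced check. It would also be safer to reject the unedited placeholder before any path is built, e.g. `if ($PolicyId -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Set PolicyId to the GUID from your WDAC policy XML" }`.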
    -
    - Expand this section to see the WDAC policy XML +**WDAC policy XML**: ```xml @@ -183,7 +181,7 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - + @@ -893,8 +891,8 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - - + + @@ -1512,8 +1510,6 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m ``` -
    - ## More information - [Merge WDAC policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 54c82d24ae..161e563a19 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -ms.collection: +ms.collection: - highpri - tier3 author: jgeurten 
@@ -61,14 +61,39 @@ Customers who always want the most up-to-date driver blocklist can also use Wind ## Blocking vulnerable drivers using WDAC -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. > [!IMPORTANT] > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. 
The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading. -
    -
    - Expand this section to see the blocklist WDAC policy XML +## Steps to download and apply the vulnerable driver blocklist binary + +If you prefer to apply the [vulnerable driver blocklist](#vulnerable-driver-blocklist-xml) exactly as shown, follow these steps: + +1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) +2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) +3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b +4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity +5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer + +To check that the policy was successfully applied on your computer: + +1. Open Event Viewer +2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** +3. Select **Filter Current Log...** +4. Replace "<All Event IDs>" with "3099" and select OK. +5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. + +> [!NOTE] +> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. + +## Vulnerable driver blocklist XML + +> [!IMPORTANT] +> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. 
For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). + +> [!NOTE] +> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. ```xml @@ -642,11 +667,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - + @@ -1079,7 +1104,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1213,7 +1238,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1228,7 +1253,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1238,7 +1263,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1402,7 +1427,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1811,8 +1836,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + @@ -1837,7 +1862,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1849,7 +1874,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1894,7 +1919,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -2879,35 +2904,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ``` -
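Review bot: Step 4 copies the downloaded policy to `%windir%\system32\CodeIntegrity` under the name `SiPolicy.p7b`, which is the single-policy-format location (the removal script in `disable-windows-defender-application-control-policies.md` in this same commit names it as such), so on a device that already has a single-format WDAC policy the copy silently replaces it. The steps should tell the reader to check for an existing `SiPolicy.p7b` there first, or to use the side-by-side deployment the IMPORTANT note in this section recommends on Windows versions that support multiple policies. A one-line addition after step 4 would cover it: `If a SiPolicy.p7b already exists in that folder, it's an existing single-format policy; back it up and merge the policies rather than overwriting it.`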
    - -> [!NOTE] -> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). - -> [!NOTE] -> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. - -## Steps to download and apply the vulnerable driver blocklist binary - -If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps: - -1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) -2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) -3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b -4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity -5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer - -To check that the policy was successfully applied on your computer: - -1. Open Event Viewer -2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** -3. Select **Filter Current Log...** -4. Replace "<All Event IDs>" with "3099" and select OK. -5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. 
- -> [!NOTE] -> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. - ## More information - [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index e9790d83e9..e9dc1bb0cc 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: +ms.collection: - highpri - tier2 ms.topic: article @@ -53,7 +53,7 @@ To create a configuration file: To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: ```batch -C:\Temp> MyConfigFile.wsb +C:\Temp> MyConfigFile.wsb ``` ## Keywords, values, and limits @@ -80,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to `value` Supported values: + - *Enable*: Enables networking in the sandbox. - *Disable*: Disables networking in the sandbox. - *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. 
@@ -93,12 +94,12 @@ An array of folders, each representing a location on the host machine that will ```xml - - absolute path to the host folder - absolute path to the sandbox folder - value + + absolute path to the host folder + absolute path to the sandbox folder + value - + ... @@ -110,8 +111,7 @@ An array of folders, each representing a location on the host machine that will *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. - -> [!NOTE] +> [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. ### Logon command @@ -136,13 +136,14 @@ Enables or disables audio input to the sandbox. `value` Supported values: + - *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability. - *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. - *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. > [!NOTE] > There may be security implications of exposing host audio input to the container. - + ### Video input Enables or disables video input to the sandbox. 
@@ -150,7 +151,8 @@ Enables or disables video input to the sandbox. `value` Supported values: -- *Enable*: Enables video input in the sandbox. + +- *Enable*: Enables video input in the sandbox. - *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. - *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. @@ -164,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing `value` Supported values: + - *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled. - *Disable*: Runs the sandbox in standard mode without extra security mitigations. - *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode. @@ -178,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox. `value` Supported values: + - *Enable*: Enables sharing of host printers into the sandbox. - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled. 
@@ -189,8 +193,9 @@ Enables or disables sharing of the host clipboard with the sandbox. `value` Supported values: + - *Enable*: Enables sharing of the host clipboard with the sandbox. -- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. +- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. ### Memory in MB @@ -202,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. ## Example 1 + The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. ### Downloads.wsb @@ -233,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd -Download vscode to `downloads` folder and run from `downloads` folder +Download vscode to `downloads` folder and run from `downloads` folder. ```batch REM Download Visual Studio Code 
@@ -264,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` + +## Example 3 + +The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. + +`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. + +### SwapMouse.ps1 + +Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. + +```powershell +[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null + +$SwapButtons = Add-Type -MemberDefinition @' +[DllImport("user32.dll")] +public static extern bool SwapMouseButton(bool swap); +'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru + +$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped)) +``` + +### SwapMouse.wsb + +```xml + + + + C:\sandbox + C:\sandbox + True + + + + powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1 + + +``` diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 6e2f83d198..74e81b1a05 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: +ms.collection: - highpri - tier2 ms.topic: article 
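Review bot: The `SwapMouse.wsb` example runs `powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1` from a folder mapped in from the host, and the only thing keeping software inside the sandbox from altering the host-side script is the mapping's `True` (presumably the ReadOnly element; the element names were lost in this rendering) — the prose should say so, since the NOTE earlier in this file already warns that mapped folders can be compromised by apps in the sandbox or affect the host. Suggested sentence after the mapping description: `The folder is mapped read-only so that nothing running in the sandbox can modify SwapMouse.ps1 on the host.` In `SwapMouse.ps1`, `[Reflection.Assembly]::LoadWithPartialName(...)` is the obsolete way to load an assembly; `Add-Type -AssemblyName System.Windows.Forms` is the supported form and reads consistently next to the `Add-Type` P/Invoke that follows. Also, `Create a powershell script` should read `Create a PowerShell script`.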
@@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment. Windows Sandbox has the following properties: + - **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD. - **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application. @@ -32,13 +33,17 @@ Windows Sandbox has the following properties: > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). ## Prerequisites - -- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*) -- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture + +- Windows 10, version 1903 and later, or Windows 11 +- Windows Pro, Enterprise or Education edition +- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) - At least 1 GB of free disk space (SSD recommended) -- At least two CPU cores (four cores with hyperthreading recommended) +- At least two CPU cores (four cores with hyper-threading recommended) + +> [!NOTE] +> Windows Sandbox is currently not supported on Windows Home edition ## Installation 
@@ -59,7 +64,7 @@ Windows Sandbox has the following properties: > [!NOTE] > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command: - > + > > ```powershell > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online > ``` @@ -67,9 +72,10 @@ Windows Sandbox has the following properties: 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. > [!NOTE] - > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually. + > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). + +## Usage -## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. 2. Run the executable file or installer inside the sandbox.
