From 5f13583ff5b73766b3cf8ae44a172f4cf1b48936 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 14 May 2019 10:44:54 -0500 Subject: [PATCH 01/10] Update user-roles-windows-defender-advanced-threat-protection.md --- ...-roles-windows-defender-advanced-threat-protection.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index ab60042a21..c68c954776 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -59,6 +59,10 @@ The following steps guide you on how to create roles in Windows Defender Securit After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. +>[!NOTE] +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned >to any other role. On>groups assigned the Windows Defender ATP administrator role have access to all machine groups. + + ## Edit roles 1. Select the role you'd like to edit. 
@@ -76,6 +80,7 @@ After creating roles, you'll need to create a machine group and provide access t 2. Click the drop-down button and select **Delete role**. -##Related topic + +## Related topic - [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) -- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 9d4c6f334383da0079c3ca9ac277acbb521a3600 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 14 May 2019 10:49:36 -0500 Subject: [PATCH 02/10] Update user-roles-windows-defender-advanced-threat-protection.md --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index c68c954776..70a52291c3 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
@@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned >to any other role. On>groups assigned the Windows Defender ATP administrator role have access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned the Windows Defender ATP administrator role have access to all machine groups. ## Edit roles From 0ab4221d704838e08108f0fdc2fb6a8e41128842 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 27 May 2019 12:05:21 -0500 Subject: [PATCH 03/10] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 70a52291c3..58b35c2ec2 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
@@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned the Windows Defender ATP administrator role have access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned, the Windows Defender ATP administrator role has access to all machine groups. ## Edit roles From ffcc924230dc23cedf5dc50a941d1368838ef701 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 27 May 2019 12:05:34 -0500 Subject: [PATCH 04/10] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 58b35c2ec2..27c96c095f 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
@@ -81,6 +81,6 @@ After creating roles, you'll need to create a machine group and provide access t -## Related topic +## Related topics - [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) - [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 1497bf3aab2e94b45bfb6b795701c7739c120e2f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 28 May 2019 08:29:04 -0500 Subject: [PATCH 05/10] Update user-roles-windows-defender-advanced-threat-protection.md --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 27c96c095f..d20e9fe3e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. The administrator permissions cannot be assigned to any other role. On groups assigned, the Windows Defender ATP administrator role has access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions. Administrator permissions cannot be assigned to any other role. Only those who are assigned the Windows Defender ATP administrator role, has access to all machine groups. ## Edit roles From fceb77a74a11a6dcda2076de1cc00a01263cbdf2 Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:20:47 -0500 Subject: [PATCH 06/10] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index d20e9fe3e2..e9e4a5a090 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -60,7 +60,7 @@ After creating roles, you'll need to create a machine group and provide access t >[!NOTE] ->The Windows Defender ATP administrator (default) role has administrator permissions. Administrator permissions cannot be assigned to any other role. Only those who are assigned the Windows Defender ATP administrator role, has access to all machine groups. +>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role. ## Edit roles From ac3bc9460a48140b99f82dbbd5df8b579f89a98e Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:28:12 -0500 Subject: [PATCH 07/10] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index e9e4a5a090..62d5742ecc 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -82,5 +82,5 @@ After creating roles, you'll need to create a machine group and provide access t ## Related topics -- [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [User basic permissions to access the portal](basic-permissions.md) - [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) From 4367b6fdb1785ad0b7a03c99eaa8eb3f3159d884 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:28:27 -0500 Subject: [PATCH 08/10] Update windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../user-roles-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 62d5742ecc..17cd72f54c 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -83,4 +83,4 @@ After creating roles, you'll need to create a machine group and provide access t ## Related topics - [User basic permissions to access the portal](basic-permissions.md) -- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) +- [Create and manage machine groups](machine-groups.md) From c30ca570df2f5f1b25497466f9d5777b64145e47 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 29 May 2019 18:40:18 -0500 Subject: [PATCH 09/10] Rename user-roles-windows-defender-advanced-threat-protection.md to user-roles.md --- ...ndows-defender-advanced-threat-protection.md => user-roles.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/windows-defender-atp/{user-roles-windows-defender-advanced-threat-protection.md => user-roles.md} (100%) diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/user-roles.md From a9e5ac5ee637b31b23d5e7a3a7eaf78b63f283b9 Mon Sep 17 00:00:00 2001 
From: Michael Niehaus Date: Wed, 29 May 2019 19:00:29 -0700 Subject: [PATCH 10/10] Update white-glove.md Updated doc to reflect that flighted features are no longer required, feature is now in public preview. Fixed some formatting issues. --- .../windows-autopilot/white-glove.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 88ac95d477..5e871a2c28 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -15,13 +15,13 @@ ms.topic: article # Windows Autopilot for white glove deployment -**Applies to: Windows 10, version 1903** +**Applies to: Windows 10, version 1903** (preview) Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready. ![OEM](images/wg01.png) -Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready​. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. +Windows Autopilot can also provide a white glove service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster. With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device. 
@@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following: - Windows 10, version 1903 or later is required. -- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error. +- An Intune subscription. - Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements. - Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device. 
@@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy To enable white glove deployment, an additional Autopilot profile setting must be configured: ->[!TIP] ->To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement. - ![allow white glove](images/allow-white-glove-oobe.png) -The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. +The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. + +>[!NOTE] +>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users. ## Scenarios 
@@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the ![landing](images/landing.png) - Click **Provision** to begin the provisioning process. + If the pre-provisioning process completes successfully: - A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. + ![white-glove-result](images/white-glove-result.png) - Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user. If the pre-provisioning process fails: - A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps. - Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again. - ![white-glove-result](images/white-glove-result.png) - ### User flow If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
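
Review bot: In PATCH 01/10, hunk @@ -59,6 +59,10, the added NOTE text has blockquote markers in the middle of the sentence ("cannot be assigned >to any other role. On>groups assigned"), which will render as literal ">" characters and leaves the last sentence unreadable. PATCH 02/10 does nothing except remove those markers, so fold that fix into this commit instead of carrying a broken intermediate state in the series.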
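
Review bot: In PATCH 06/10, the new NOTE wording "administrator permissions with exclusive access to all machine groups" can be read as saying that no other role can reach any machine group, which contradicts the context line directly above it ("provide access to the machine group by assigning it to a role that you just created"). State the scope explicitly, for example that only the Windows Defender ATP administrator role has access to every machine group, while other roles get access through the machine groups assigned to them.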
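
Review bot: In PATCH 07/10 and PATCH 08/10, the two "Related topics" links now point at basic-permissions.md and machine-groups.md, but the only rename in this series is PATCH 09/10, and it covers user-roles.md alone. Confirm that both target files already exist under windows-defender-atp/ with the short names; if they are renamed in a different change, land that change first or add it to this series, otherwise both links break.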
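
Review bot: PATCH 09/10 renames the file and touches nothing else (1 file changed, 0 insertions, 0 deletions), so anything that still links to user-roles-windows-defender-advanced-threat-protection.md, such as a table of contents entry or another article, is not updated by this series. Add those link updates, or a redirect from the old path, alongside the rename.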
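
Review bot: In PATCH 10/10, hunk @@ -15,13 +15,13, the last context line still reads "completes a few neceesary settings and polices". Since this commit is already fixing formatting in the same block, correct "neceesary" to "necessary" and "polices" to "policies" here too. Also consider moving "(preview)" inside the bold "Applies to" text so the qualifier is not visually detached from the version it qualifies.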
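
Review bot: In PATCH 10/10, hunk @@ -49,12 +49,12, the sentence "To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users." has been moved into the new NOTE, where "these behaviors" now appears to refer only to user-targeted policies. It actually covers the device-targeted policies and device-context apps described in the paragraph above as well. Keep only the first sentence in the NOTE and leave the verification sentence as a normal paragraph after it.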
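
Review bot: In PATCH 10/10, hunk @@ -82,16 +82,16, white-glove-result.png moves from the "If the pre-provisioning process fails" list to the success list, which leaves the red status screen without any screenshot. Confirm that the image really shows the green result screen, and add a separate image for the failure case if one is available so a technician can tell the two outcomes apart.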