mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-22 13:53:39 +00:00
Merge https://github.com/microsoftdocs/windows-itpro-docs into autopilot
@ -15,13 +15,13 @@ ms.topic: article
|
||||
|
||||
# Windows Autopilot for white glove deployment
|
||||
|
||||
**Applies to: Windows 10, version 1903**
|
||||
**Applies to: Windows 10, version 1903** (preview)
|
||||
|
||||
Windows Autopilot enables organizations to easily provision new devices - leveraging the preinstalled OEM image and drivers with a simple process that can be performed by the end user to help get their device business-ready.
|
||||
|
||||

|
||||
|
||||
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
||||
Windows Autopilot can also provide a <I>white glove</I> service that enables partners or IT staff to pre-provision a Windows 10 PC so that it is fully configured and business-ready. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
|
||||
|
||||
With **Windows Autopilot for white glove deployment**, the provisioning process is split. The time-consuming portions are performed by IT, partners, or OEMs. The end user simply completes a few neceesary settings and polices and then they can begin using their device.
|
||||
|
||||
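Review bot: The last sentence of this hunk has two typos, "neceesary" and "polices", in "The end user simply completes a few neceesary settings and polices"; correct them to "necessary" and "policies" while this section is being edited. The `<I>white glove</I>` markup in the paragraph above it could also use Markdown emphasis to match the `**...**` style used in the same hunk.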
@ -34,7 +34,7 @@ Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove
|
||||
In addition to [Windows Autopilot requirements](windows-autopilot-requirements.md), Windows Autopilot for white glove deployment adds the following:
|
||||
|
||||
- Windows 10, version 1903 or later is required.
|
||||
- An Intune subscription with additional flighted features that are not yet available publicly is currently required. Note: This feature will change soon from flighted to preview. Prior to this feature switching to preview status, attempts to perform white glove deployment without t flighted features will fail with an Intune enrollment error.
|
||||
- An Intune subscription.
|
||||
- Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements.
|
||||
- Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device.
|
||||
|
||||
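Review bot: The short requirement "An Intune subscription." no longer carries the failure symptom that the longer bullet documented (attempts that "will fail with an Intune enrollment error"), while the "Applies to" line earlier in this file now reads "(preview)"; if any tenant-side preview enablement is still needed, say so in this bullet so the requirement and the preview label agree. Separately, "Wi-fi" in the Ethernet bullet should be "Wi-Fi".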
@ -49,12 +49,12 @@ If these scenarios cannot be completed, Windows Autopilot for white glove deploy
|
||||
|
||||
To enable white glove deployment, an additional Autopilot profile setting must be configured:
|
||||
|
||||
>[!TIP]
|
||||
>To see the white glove deployment Autopilot profile setting, use this URL to access the Intune portal: https://portal.azure.com/?microsoft_intune_enrollment_enableWhiteGlove=true. This is a temporary requirement.
|
||||
|
||||

|
||||
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. **Note**: other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||
The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune. That includes certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.
|
||||
|
||||
>[!NOTE]
|
||||
>Other user-targeted policies will not apply until the user signs into the device. To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
|
||||
|
||||
## Scenarios
|
||||
|
||||
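Review bot: In the [!TIP], the sentence-ending period sits directly against the URL ("...enableWhiteGlove=true."), so a copy or an auto-link can carry the period into the query value; wrap the URL in angle brackets or a Markdown link. "This is a temporary requirement" would also be more useful if it stated the condition under which the URL is no longer needed.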
@ -82,16 +82,16 @@ Regardless of the scenario, the process to be performed by the technician is the
|
||||

|
||||
|
||||
- Click **Provision** to begin the provisioning process.
|
||||
|
||||
If the pre-provisioning process completes successfully:
|
||||
- A green status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||

|
||||
- Click **Reseal** to shut the device down. At that point, the device can be shipped to the end user.
|
||||
|
||||
If the pre-provisioning process fails:
|
||||
- A red status screen will be displayed with information about the device, including the same details presented previously (e.g. Autopilot profile, organization name, assigned user, QR code), as well as the elapsed time for the pre-provisioning steps.
|
||||
- Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again.
|
||||
|
||||

|
||||
|
||||
### User flow
|
||||
|
||||
If the pre-provisioning process completed successfully and the device was resealed, it can be delivered to the end user to complete the normal Windows Autopilot user-driven process. They will perform a standard set of steps:
|
||||
|
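Review bot: The failure branch says "Diagnostic logs can be gathered from the device, and then it can be reset to start the process over again" without saying how the logs are collected or how the reset is performed; add the steps or link to the topic that covers them, since this is the point where a technician needs the procedure. The image alt texts (for example "white-glove-result.png") repeat the file name and should describe the screen instead.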
@ -0,0 +1,86 @@
|
||||
---
|
||||
title: Create and manage roles for role-based access control
|
||||
description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation
|
||||
keywords: user roles, roles, access rbac
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Create and manage roles for role-based access control
|
||||
**Applies to:**
|
||||
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink)
|
||||
|
||||
## Create roles and assign the role to an Azure Active Directory group
|
||||
The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
|
||||
|
||||
1. In the navigation pane, select **Settings > Roles**.
|
||||
|
||||
2. Click **Add role**.
|
||||
|
||||
3. Enter the role name, description, and permissions you'd like to assign to the role.
|
||||
|
||||
- **Role name**
|
||||
- **Description**
|
||||
- **Permissions**
|
||||
- **View data** - Users can view information in the portal.
|
||||
- **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline.
|
||||
- **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions.
|
||||
- **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups.
|
||||
|
||||
>[!NOTE]
|
||||
>This setting is only available in the Windows Defender ATP administrator (default) role.
|
||||
|
||||
- **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications.
|
||||
|
||||
4. Click **Next** to assign the role to an Azure AD group.
|
||||
|
||||
5. Use the filter to select the Azure AD group that you'd like to add to this role.
|
||||
|
||||
6. Click **Save and close**.
|
||||
|
||||
7. Apply the configuration settings.
|
||||
|
||||
|
||||
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The Windows Defender ATP administrator (default) role has administrator permissions with exclusive access to all machine groups. Administrator permissions cannot be assigned to any other role.
|
||||
|
||||
|
||||
## Edit roles
|
||||
|
||||
1. Select the role you'd like to edit.
|
||||
|
||||
2. Click **Edit**.
|
||||
|
||||
3. Modify the details or the groups that are assigned to the role.
|
||||
|
||||
4. Click **Save and close**.
|
||||
|
||||
## Delete roles
|
||||
|
||||
1. Select the role you'd like to delete.
|
||||
|
||||
2. Click the drop-down button and select **Delete role**.
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
- [User basic permissions to access the portal](basic-permissions.md)
|
||||
- [Create and manage machine groups](machine-groups.md)
|
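Review bot: "Manage portal system settings" is listed in step 3 among the permissions to assign to a new role, but the [!NOTE] under it says "This setting is only available in the Windows Defender ATP administrator (default) role", and its description includes managing "roles and machine groups"; state plainly whether this permission can be granted to a custom role, because it decides who can change role assignments. Step 7, "Apply the configuration settings.", should name where that is done, "It assumes" in the introduction should agree with "steps", and the front-matter keyword "access rbac" looks like it is missing a comma.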