diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 47941cff18..243b2d34c9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -705,6 +705,21 @@ "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set", "redirect_document_id": false }, + { + "source_path": "store-for-business/device-guard-signing-portal.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business", + "redirect_document_id": false + }, + { + "source_path": "store-for-business/add-unsigned-app-to-code-integrity-policy.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control", + "redirect_document_id": false + }, + { + "source_path": "store-for-business/sign-code-integrity-policy-with-device-guard-signing.md", + "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-guide.md", "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide", diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index f7ea182a40..654b8d7eca 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -134,7 +134,6 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | -| Smoothwall monitor | 2.8.0 | Win32 | Smoothwall Ltd | | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | | SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | VitalSourceBookShelf | 10.2.26.0 | Win32 | VitalSource Technologies Inc | diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md deleted file mode 100644 index a8b8b8d0a5..0000000000 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -title: Add unsigned app to code integrity policy (Windows 10) -description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. -ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA -ms.reviewer: -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -ms.author: cmcatee -author: cmcatee-MSFT -manager: scotv -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Add unsigned app to code integrity policy - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. 
These cmdlets are available as a NuGet download at [https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/). -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - -**Applies to** - -- Windows 10 - -When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. - -## Create a code integrity policy based on a reference device - -To add an unsigned app to a code integrity policy, your code integrity policy must be created from golden image machine. For more information, see [Create a Device Guard code integrity policy based on a reference device](/windows/device-security/device-guard/device-guard-deployment-guide). - -## Create catalog files for your unsigned app - -Creating catalog files starts the process for adding an unsigned app to a code integrity policy. 
- -Before you get started, be sure to review these best practices and requirements: - -### Requirements - -- You'll use Package Inspector during this process. -- Only perform this process with a code integrity policy running in audit mode. You should not perform this process on a system running an enforced Device Guard policy. - -### Best practices - -- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). -- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-a-code-integrity-policy-based-on-a-reference-device) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. - -Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. - -### To create catalog files for your unsigned app - -1. Start Package Inspector to scan the C drive. - - `PackageInspector.exe Start C:` - -2. Copy the installation media to the C drive. - - Copying the installation media to the C drive ensures that Package Inspector finds and catalogs the installer. If you skip this step, the code integrity policy may trust the application to run, but not trust it to be installed. - -3. Install and start the app. - - All binaries that are used while Package Inspector is running will be part of the catalog files. After the installation, start the app and make sure that any product updates are installed and any downloadable content was found during the scan. Then, close and restart the app to make sure that the scan found all binaries. - -4. 
Stop the scan and create definition and catalog files. - - After app install is complete, stop the Package Inspector scan and create catalog and definition files on your desktop. - - `$ExamplePath=$env:userprofile+"\Desktop"` - - `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - - `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - - `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` - -The Package Inspector scan catalogs the hash values for each binary file that is finds. If the app that was scanned are updated, do this process again to trust the new binaries hash values. - -After you're done, the files are saved to your desktop. You still need to sign the catalog file so that it will be trusted within the code integrity policy. - -## Catalog signing with Device Guard signing portal - -To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. - -Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. - -### To sign a catalog file with Device Guard signing portal - -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Settings**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files-for-your-unsigned-app). -4. After the files are uploaded, click **Sign** to sign the catalog files. -5. Click Download to download each item: - - signed catalog file - - default policy - - root certificate for your organization - - When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. 
When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md deleted file mode 100644 index b74d000f43..0000000000 --- a/store-for-business/device-guard-signing-portal.md +++ /dev/null 
@@ -1,201 +0,0 @@ ---- -title: Device Guard signing (Windows 10) -description: Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Microsoft Store for Education. -ms.assetid: 8D9CD2B9-5FC6-4C3D-AA96-F135AFEEBB78 -ms.reviewer: -manager: dansimp -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -author: TrudyHa -ms.author: TrudyHa -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Device Guard signing - -**Applies to** - -- Windows 10 - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. 
These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - -Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. - -Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. 
Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -## In this section - -| Topic | Description | -| ----- | ----------- | -| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. | -| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. | - -## Device Guard Signing Service (v2) PowerShell Commands - -> [!NOTE] -> [.. common ..] are parameters common across all commands that are documented below the command definitions. - -**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant. - -- Usage: - - ```powershell - Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Get-RootCertificate** Gets the root certificate for the current tenant. 
All Authenticode and policy signing certificates will eventually chain up to this root certificate. - -- Usage: - - ```powershell - Get-RootCertificate -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent). - -- Usage: - - ```powershell - Get-SigningHistory -OutFile filename [-PassThru] [.. common ..] - ``` - -- Parameters: - - **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first). - - **PassThru** - switch, optional - If present, returns XML objects returning the XML file. - -- Command running time: - - The average running time is under 10 seconds. - -**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly. - -- Usage: - - ```powershell - Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] 
- ``` - -- Parameters: - - **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin). - - **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first) - - **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. - - **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). - - **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy -signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration. - -- Usage: - - ```powershell - Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] 
- ``` - -- Parameters: - - **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin). - - **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. - - > [!NOTE] - > Create the folder first. - - **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. - - **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). - - **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. - -- Command running time: - - The average running time is under 20 seconds but may be up to 3 minutes. - -**Common parameters [.. common ..]** - -In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters. - -- Usage: - - ```powershell - ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose] - ``` - -- Parameters: - - **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless - environment and that all UI should be suppressed. If UI must be displayed (e.g., for - authentication) when the switch is set, the operation will instead fail. 
- - **Credential + AppId** - PSCredential - A login credential (username and password) and AppId. - - -## File and size limits -When you're uploading files for Device Guard signing, there are a few limits for files and file size: - -| Description | Limit | -|-------------------------------------------------------|----------| -| Maximum size for a policy or catalog file | 3.5 MB | -| Maximum size for multiple files (uploaded in a group) | 4 MB | -| Maximum number of files per upload | 15 files | - -## File types -Catalog and policy files have required files types. - -| File | Required file type | -|---------------|--------------------| -| catalog files | .cat | -| policy files | .bin | - -## Store for Business roles and permissions -Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. - -## Device Guard signing certificates -All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md deleted file mode 100644 index f9fdb79f49..0000000000 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: Sign code integrity policy with Device Guard signing (Windows 10) -description: Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. -ms.assetid: 63B56B8B-2A40-44B5-B100-DC50C43D20A9 -ms.reviewer: -manager: dansimp -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, security -author: TrudyHa -ms.author: TrudyHa -ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 07/21/2021 ---- - -# Sign code integrity policy with Device Guard signing - -> [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Endpoint Manager integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). - - -> [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. -> -> Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. 
These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. -> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. -> -> The following functionality will be available via these PowerShell cmdlets: -> - Get a CI policy -> - Sign a CI policy -> - Sign a catalog -> - Download root cert -> - Download history of your signing operations -> -> For any questions, please contact us at DGSSMigration@microsoft.com. - - -**Applies to** - -- Windows 10 - -Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. - -## Sign your code integrity policy -Before you get started, be sure to review these best practices: - -**Best practices** - -- Test your code integrity policies on a group of devices before deploying them to a large group of devices. -- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - -**To sign a code integrity policy** - -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Store settings**, and then click **Device Guard**. -3. Click **Upload** to upload your code integrity policy. -4. 
After the files are uploaded, click **Sign** to sign the code integrity policy. -5. Click **Download** to download the signed code integrity policy. - - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index 8de2e95ad4..49b08e601c 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -34,4 +34,4 @@ This article lists the endpoints that need to be allowed through the firewall to | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Configuration Manager Distribution Point | | *.do.dsp.mp.microsoft.com | HTTP / 80
HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | -| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | +| *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com, github.com | AMQP / 5671
MQTT / 8883
HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md index f97aed1785..cec9cc3df6 100644 --- a/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md +++ b/windows/deployment/do/images/elixir_ux/readme-elixir-ux-files.md @@ -3,7 +3,7 @@ title: Don't Remove images under do/images/elixir_ux - used by Azure portal Diag manager: aaroncz description: Elixir images read me file keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index 83d2df61da..f95dde786a 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -2,7 +2,7 @@ title: Appendix manager: aaroncz description: Appendix on Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.author: amyzhou ms.localizationpriority: medium 
@@ -12,6 +12,24 @@ ms.topic: article # Appendix +## Steps to obtain an Azure Subscription ID + + +[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] + +### Troubleshooting + +If you're not able to sign up for a Microsoft Azure subscription with the **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** error, see the following articles: +- [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). +- [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). + +## Installing on VMWare + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: + +1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. +1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. + ## Diagnostics Script If you're having issues with your MCC, we included a diagnostics script. The script collects all your logs and zips them into a single file. You can then send us these logs via email for the MCC team to debug. 
@@ -33,17 +51,6 @@ To run this script: 1. [Email the MCC team](mailto:mccforenterprise@microsoft.com?subject=Debugging%20Help%20Needed%20for%20MCC%20for%20Enterprise) and attach this file asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. -## Steps to obtain an Azure Subscription ID - - -[!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] - -## Troubleshooting - -If you're not able to sign up for a Microsoft Azure subscription with the error: **Account belongs to a directory that cannot be associated with an Azure subscription. Please sign in with a different account.** See [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - -Also see [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). - ## IoT Edge runtime The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. 
@@ -58,14 +65,6 @@ communication operations. The runtime performs several functions: For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## EFLOW - -- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) -- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) -- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) -- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) -- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) - ## Routing local Windows Clients to an MCC ### Get the IP address of your MCC using ifconfig @@ -115,3 +114,10 @@ To verify that the Delivery Optimization client can download content using MCC, :::image type="content" source="./images/ent-mcc-delivery-optimization-activity.png" alt-text="Screenshot of the Delivery Optimization Activity Monitor."::: +## EFLOW + +- [What is Azure IoT Edge for Linux on Windows](/azure/iot-edge/iot-edge-for-linux-on-windows) +- [Install Azure IoT Edge for Linux on Windows](/azure/iot-edge/how-to-provision-single-device-linux-on-windows-symmetric#install-iot-edge) +- [PowerShell functions for Azure IoT Edge for Linux on Windows](/azure/iot-edge/reference-iot-edge-for-linux-on-windows-functions) +- EFLOW FAQ and Support: [Support · Azure/iotedge-eflow Wiki (github.com)](https://github.com/Azure/iotedge-eflow/wiki/Support#how-can-i-apply-updates-to-eflow) +- [Now ready for Production: Linux IoT Edge Modules on Windows - YouTube](https://www.youtube.com/watch?v=pgqVCg6cxVU&ab_channel=MicrosoftIoTDevelopers) \ No newline at end of file 
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index 74ef198811..cfca05d872 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -2,7 +2,7 @@ title: Deploying your cache node manager: dougeby description: How to deploy Microsoft Connected Cache (MCC) for Enterprise and Education cache node -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index 705448742b..d18c687dae 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -2,7 +2,7 @@ title: Requirements for Microsoft Connected Cache (MCC) for Enterprise and Education manager: dougeby description: Overview of requirements for Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou @@ -26,6 +26,9 @@ ms.topic: article The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. 2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. + + > [!NOTE] + > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. **EFLOW Requires Hyper-V support** - On Windows client, enable the Hyper-V feature diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md index 60d0df68e3..c9e523b662 100644 
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md +++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md @@ -2,7 +2,7 @@ title: Update or uninstall Microsoft Connected Cache for Enterprise and Education manager: dougeby description: Details on updating or uninstalling Microsoft Connected Cache (MCC) for Enterprise and Education. -ms.prod: w10 +ms.prod: windows-client author: amymzhou ms.localizationpriority: medium ms.author: amyzhou diff --git a/windows/deployment/do/mcc-isp-cache-node-configuration.md b/windows/deployment/do/mcc-isp-cache-node-configuration.md index ae5404b2ae..3add251a38 100644 --- a/windows/deployment/do/mcc-isp-cache-node-configuration.md +++ b/windows/deployment/do/mcc-isp-cache-node-configuration.md @@ -3,7 +3,7 @@ title: Cache node configuration manager: aaroncz description: Configuring a cache node on Azure portal keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index e41c225b67..3793fb5ba7 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -3,7 +3,7 @@ title: Create, provision, and deploy the cache node in Azure portal manager: aaroncz description: Instructions for creating, provisioning, and deploying Microsoft Connected Cache for ISP on Azure portal keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos 
@@ -98,9 +98,8 @@ There are five IDs that the device provisioning script takes as input in order t |---|---| | Customer ID | A unique alphanumeric ID that the cache nodes are associated with. | | Cache node ID | The unique alphanumeric ID of the cache node being provisioned. | -| Customer Key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | -| Cache node name | The name of the cache node. | -| Tenant ID | The unique ID associated with the Azure account. | +| Customer key | The unique alphanumeric ID that provides secure authentication of the cache node to Delivery Optimization services. | +| Registration key | Single use device registration key used by Microsoft Delivery Optimization services. | :::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 19f6da7226..a50448410d 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -8,13 +8,12 @@ metadata: author: amymzhou ms.author: amymzhou manager: aaroncz - audience: ITPro ms.collection: - M365-security-compliance - highpri ms.topic: faq ms.date: 09/30/2022 - ms.custom: seo-marvel-apr2020 + ms.prod: windows-client title: Microsoft Connected Cache Frequently Asked Questions summary: | **Applies to** diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 352d4402b4..f771550548 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md 
@@ -3,7 +3,7 @@ title: Operator sign up and service onboarding manager: aaroncz description: Service onboarding for Microsoft Connected Cache for ISP keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: nidos @@ -22,9 +22,17 @@ ms.topic: article This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). +## Prerequisites + +Before you begin sign up, ensure you have the following components: +- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/). +- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. +- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. +- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS. + ## Resource creation and sign up process -1. Navigate to the [Azure portal](https://www.portal.azure.com). In the top search bar, search for **Microsoft Connected Cache**. +1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: diff --git a/windows/deployment/do/mcc-isp-support.md b/windows/deployment/do/mcc-isp-support.md index a321ac671c..98f791e422 100644 --- a/windows/deployment/do/mcc-isp-support.md 
+++ b/windows/deployment/do/mcc-isp-support.md @@ -3,7 +3,7 @@ title: Support and troubleshooting manager: aaroncz description: Troubleshooting issues for Microsoft Connected Cache for ISP keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client audience: itpro author: nidos ms.localizationpriority: medium diff --git a/windows/deployment/do/mcc-isp-update.md b/windows/deployment/do/mcc-isp-update.md index c6bdfe27c8..abe18781c3 100644 --- a/windows/deployment/do/mcc-isp-update.md +++ b/windows/deployment/do/mcc-isp-update.md @@ -3,7 +3,7 @@ title: Update or uninstall your cache node manager: aaroncz description: How to update or uninstall your cache node keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index 22f8b3de86..0769116c88 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -3,7 +3,7 @@ title: Verify cache node functionality and monitor health and performance manager: aaroncz description: How to verify the functionality of a cache node keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 6cb5ab9b45..97ee999b1e 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -3,7 +3,7 @@ title: Enhancing VM performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs keywords: updates, downloads, network, bandwidth -ms.prod: w10 +ms.prod: windows-client ms.mktglfcycl: deploy audience: itpro author: amyzhou 
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 0fe613a87a..89d2d5567f 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -4,7 +4,7 @@ metadata: description: The following is a list of frequently asked questions for Delivery Optimization. ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: aaroncz - ms.prod: m365-security + ms.prod: windows-client ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 5ae667d595..538331acaa 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md 
@@ -35,14 +35,14 @@ The service is privacy focused and backed by leading industry compliance certifi ## How it works -The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md). +The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Businesss reports](wufb-reports-overview.md). :::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text."::: Windows Update for Business comprises three elements: - Client policy to govern update experiences and timing – available through Group Policy and CSPs - Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell) -- Update Compliance to monitor update deployment – available through the Azure Marketplace +- Windows Update for Business reports to monitor update deployment Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index 7a8c702ba0..94e46ac38f 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md 
@@ -5,10 +5,10 @@ manager: aaroncz ms.prod: w10 ms.collection: M365-modern-desktop ms.topic: include -ms.date: 11/04/2022 +ms.date: 12/05/2022 ms.localizationpriority: medium --- > [!Important] -> If you're using Update Compliance, it's highly recommended that you start transitioning to Windows Update for Business reports. For more information, see [Windows Update for Business reports overview](..\wufb-reports-overview.md). +> Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 352013a1ea..20901707ab 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -33,7 +33,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Assign devices to servicing branches for Windows client updates](waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the General Availability Channel for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | +| [Monitor Windows Updates with Windows Update for Business reports](wufb-reports-overview.md) | Explains how to use Windows Update for Business reports to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery](../do/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | | [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index dfe7420469..258308e290 100644 
--- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md 
@@ -31,9 +31,9 @@ IT admins managing updates using the [Windows Update for Business deployment ser ## Am I affected by a safeguard hold? -IT admins can use [Update Compliance](update-compliance-monitor.md) to monitor various update health metrics for devices in their organization. Update Compliance provides a [Safeguard Holds report](/windows/deployment/update/update-compliance-safeguard-holds), as well as [queries in the Feature Update Status report](/windows/deployment/update/update-compliance-feature-update-status), to provide you insight into the safeguard holds that are preventing devices from updating or upgrading. +IT admins can use [Windows Update for Business reports](wufb-reports-overview.md) to monitor various update health metrics for devices in their organization. The reports provide a list of [active Safeguard Holds](wufb-reports-workbook.md#bkmk_update-group-feature) to provide you insight into the safeguard holds that are preventing devices from updating or upgrading. -The Update Compliance reports identify safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release. +Windows Update for Business reports identifies safeguard holds by their 8-digit identifiers. For safeguard holds associated with publicly discussed known issues, you can find additional details about the issue on the [Windows release health](/windows/release-health/) dashboard by searching for the safeguard hold ID on the **Known issues** page for the relevant release. On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. 
Instead of the option to download and install the update, users will see this message: @@ -48,4 +48,4 @@ We recommend that you do not attempt to manually update until issues have been r > [!CAUTION] > Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out. -With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. +With that in mind, IT admins who stay informed with [Windows Update for Business reports](wufb-reports-overview.md) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 7adaefb575..0195b12fc5 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -50,8 +50,11 @@ Before you begin the process to add Update Compliance to your Azure subscription Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution. -Use the following steps: -1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign in to your Azure subscription to access this page. +> [!IMPORTANT] +> Update Compliance is deprecated and no longer accepting any new onboarding requests. The instructions below are listed for verification and troubleshooting purposes only for existing Updates Compliance users. Update Compliance has been replaced by [Windows Update for Business reports](wufb-reports-overview.md) for monitoring compliance of updates. + + +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/). The solution was published by Microsoft and named **WaaSUpdateInsights**. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. diff --git a/windows/deployment/update/wufb-reports-configuration-intune.md b/windows/deployment/update/wufb-reports-configuration-intune.md index dd24c62801..3b785a552a 100644 
--- a/windows/deployment/update/wufb-reports-configuration-intune.md +++ b/windows/deployment/update/wufb-reports-configuration-intune.md @@ -9,7 +9,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article -ms.date: 11/15/2022 +ms.date: 12/05/2022 ms.technology: itpro-updates --- @@ -102,8 +102,12 @@ Create a configuration profile that will set the required policies for Windows U The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) is a useful tool for properly enrolling devices in Windows Update for Business reports, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Windows Update for Business reports](wufb-reports-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +> [!NOTE] +> Using the script is optional when configuring devices through Intune. The script can be leveraged as a troubleshooting tool to ensure that devices are properly configured for Windows Update for Business reports. + When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a subset of devices that you can access. After following this guidance, you can deploy the configuration script in deployment mode as a Win32 app to all Windows Update for Business reports devices. + ## Next steps [Use Windows Update for Business reports](wufb-reports-use.md) diff --git a/windows/deployment/update/wufb-reports-help.md b/windows/deployment/update/wufb-reports-help.md index df48a582a8..2016970ddf 100644 
--- a/windows/deployment/update/wufb-reports-help.md +++ b/windows/deployment/update/wufb-reports-help.md @@ -51,8 +51,8 @@ You can open support requests directly from the Azure portal. If the **Help + S - **Issue type** - ***Technical*** - **Subscription** - Select the subscription used for Windows Update for Business reports - **Service** - ***My services*** - - **Service type** - ***Monitoring and Management*** - - **Problem type** - ***Windows Update for Business reports*** + - **Service type** - Select ***Windows Update for Business reports*** under ***Monitoring and Management*** + 1. Based on the information you provided, you'll be shown some **Recommended solutions** you can use to try to resolve the problem. 1. Complete the **Additional details** tab and then create the request on the **Review + create** tab. diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index b0b1ba2611..518b93c468 100644 --- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -66,7 +66,7 @@ Links to detailed explanations of commands are available in the [Related article LoadState.exe \\server\share\migration\mystore /i:MigDocs.xml /i:MigApp.xml ``` -## To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain +## To migrate two domain accounts (User1 and User2) and move both accounts from the Contoso domain to the Fabrikam domain Links to detailed explanations of commands are available in the [Related articles](#related-articles) section. 
@@ -83,7 +83,7 @@ Links to detailed explanations of commands are available in the [Related article 4. Enter the following `LoadState.exe ` command line in a command prompt window: ```cmd - LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml + LoadState.exe \\server\share\migration\mystore /mu:contoso\user1:fabrikam\user1 /mu:contoso\user2:fabrikam\user2 /i:MigDocs.xml /i:MigApp.xml ``` ## Related articles diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index c0fe80dccc..32807ff581 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md @@ -27,9 +27,9 @@ When you PXE-boot from a WDS server that uses the **boot.wim** file from install ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios (Boot Image Version). +The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. -||Windows 10|Windows Server 2016|Windows Server 2019|Windows Server 2022|Windows 11| +|Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| |--- |--- |--- |--- |--- |--- | |**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| |**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index f2950818eb..5d1978ac7a 100644 --- a/windows/deployment/windows-autopatch/TOC.yml 
+++ b/windows/deployment/windows-autopatch/TOC.yml @@ -50,6 +50,19 @@ href: operate/windows-autopatch-wqu-end-user-exp.md - name: Windows quality update signals href: operate/windows-autopatch-wqu-signals.md + - name: Windows quality update reports + href: operate/windows-autopatch-wqu-reports-overview.md + items: + - name: Summary dashboard + href: operate/windows-autopatch-wqu-summary-dashboard.md + - name: All devices report + href: operate/windows-autopatch-wqu-all-devices-report.md + - name: All devices report—historical + href: operate/windows-autopatch-wqu-all-devices-historical-report.md + - name: Eligible devices report—historical + href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md + - name: Ineligible devices report—historical + href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md - name: Windows feature updates href: operate/windows-autopatch-fu-overview.md items: @@ -86,4 +99,9 @@ - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum - href: references/windows-autopatch-preview-addendum.md \ No newline at end of file + href: references/windows-autopatch-preview-addendum.md + - name: What's new + href: + items: + - name: What's new 2022 + href: whats-new/windows-autopatch-whats-new-2022.md \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml index ee3fd80449..fe94531f9b 100644 --- a/windows/deployment/windows-autopatch/index.yml +++ b/windows/deployment/windows-autopatch/index.yml 
@@ -7,12 +7,12 @@ metadata: title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars. description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: device, app, update, management - ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM. ms.topic: landing-page # Required author: tiaraquan #Required; your GitHub user alias, with correct capitalization. ms.author: tiaraquan #Required; microsoft alias of author; optional team alias. ms.date: 05/30/2022 #Required; mm/dd/yyyy format. ms.custom: intro-hub-or-landing + ms.prod: windows-client ms.collection: - highpri diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png new file mode 100644 index 0000000000..4a7cf97197 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png new file mode 100644 index 0000000000..31350b563f Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-all-devices-report.png differ 
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png new file mode 100644 index 0000000000..cb56852f3d Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-eligible-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png new file mode 100644 index 0000000000..2aeacfd0d5 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-ineligible-devices-historical-report.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png new file mode 100644 index 0000000000..82cb1b1fcd Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-summary-dashboard.png differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 023003d400..fbf827b7a7 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | ## Windows feature update releases diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md new file mode 100644 index 0000000000..3808dd45a7 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md 
@@ -0,0 +1,40 @@ +--- +title: All devices report—historical +description: Provides a visual representation of the update status trend for all devices over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# All devices report—historical + +The historical All devices report provides a visual representation of the update status trend for all devices over the last 90 days. + +**To view the historical All devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **All devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-all-devices-historical-report.png" alt-text="All devices—historical report" lightbox="../media/windows-autopatch-all-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). 
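Review bot: In the `[!NOTE]` block near the end of the procedure, "This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page" reads as if the report, not the time stamp, is what can be seen at the top of the page. Suggest "The time stamp showing when the report trend was last generated appears at the top of the page." Separately, the `alt-text` on the `:::image` line puts "historical" before "report", while the `title:`, the H1 and the label in step 4 put it after; use one word order so the alt text matches the name the reader is told to select. The sibling All devices report states its 24-hour refresh interval in the same position; if the trend data follows the same cadence, say so here rather than leaving the reader to infer it from the time stamp.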
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md new file mode 100644 index 0000000000..5536a42c04 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md 
@@ -0,0 +1,56 @@ +--- +title: All devices report +description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# All devices report + +The All devices report provides a per device view of the current update status for all Windows Autopatch enrolled devices. + +**To view the All devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **All devices report**. + +:::image type="content" source="../media/windows-autopatch-all-devices-report.png" alt-text="All devices report" lightbox="../media/windows-autopatch-all-devices-report.png"::: + +> [!NOTE] +> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page. + +## Report information + +The following information is available in the All devices report: + +| Column name | Description | +| ----- | ----- | +| Device name | The name of the device. | +| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. | +| Serial number | The current Intune recorded serial number for the device. | +| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | +| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). 
| +| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) | +| OS version | The current version of Windows installed on the device. | +| OS revision | The current revision of Windows installed on the device. | +| Intune last check in time | The last time the device checked in to Intune. | + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Search | Use to search by device name, Azure AD device ID or serial number | +| Sort | Select the **column headings** to sort the report data in ascending and descending order. | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate report**. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md new file mode 100644 index 0000000000..4e4e383213 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md 
@@ -0,0 +1,40 @@ +--- +title: Eligible devices report—historical +description: Provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Eligible devices report—historical + +The historical Eligible devices report provides a visual representation of the update status trend for all eligible devices to receive quality updates over the last 90 days. + +**To view the historical Eligible devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Eligible devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-eligible-devices-historical-report.png" alt-text="Eligible devices—historical report" lightbox="../media/windows-autopatch-eligible-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). 
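Review bot: In the `description:` front matter and the first body sentence, "the update status trend for all eligible devices to receive quality updates" is ambiguous because the infinitive can attach to "trend" as easily as to "devices". Suggest "for all devices that are eligible to receive quality updates". The page also never says what makes a device eligible; a link from that sentence to `windows-autopatch-wqu-overview.md#device-eligibility`, the anchor the reports overview added in this same change already points to, would let a reader check why a device is missing from this trend before treating the chart as a full picture of patch compliance.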
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md new file mode 100644 index 0000000000..733ee98e88 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md 
@@ -0,0 +1,43 @@ +--- +title: Ineligible devices report—historical +description: Provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Ineligible devices report—historical + +The historical Ineligible devices report provides a visual representation of why devices have been ineligible to receive quality updates over the last 90 days. + +> [!NOTE] +> Devices must have at least six hours of usage, with at least two hours being continuous. You may see an increase in the number of ineligible devices when the widget refreshes every second Tuesday of each month. + +**To view the historical Ineligible devices report:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Ineligible devices report—historical**. + +:::image type="content" source="../media/windows-autopatch-ineligible-devices-historical-report.png" alt-text="Ineligible devices—historical report" lightbox="../media/windows-autopatch-ineligible-devices-historical-report.png"::: + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. 
| + +For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index d922d4a3cc..f2d4f477af 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -31,7 +31,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut | Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | | Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) | ## Windows quality update releases diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md new file mode 100644 index 0000000000..739953b809 
--- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md 
@@ -0,0 +1,110 @@ +--- +title: Windows quality update reports +description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Windows quality update reports + +The Windows quality update reports provide you information about: + +- Quality update device eligibility +- Device update health +- Device update trends + +Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. + +The report types are organized into the following focus areas: + +| Focus area | Description | +| ----- | ----- | +| Operational detail | | +| Device trends | | + +## Who can access the reports? + +Users with the following permissions can access the reports: + +- Global Administrator +- Intune Service Administrator +- Administrators assigned to an Intune role with read permissions + +## About data latency + +The data source for these reports is the [Windows diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 24 hours. 
+ +## Windows quality update statuses + +The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices: + +- [Healthy devices](#healthy-devices) +- [Not Up to Date (Microsoft Action)](#not-up-to-date-microsoft-action) +- [Ineligible Devices (Customer Action)](#ineligible-devices-customer-action) + +Each status has its own set of sub statuses to further describe the status. + +### Healthy devices + +Healthy devices are devices that meet all of the following prerequisites: + +- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) +- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility) + +> [!NOTE] +> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy. + +| Sub status | Description | +| ----- | ----- | +| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). | +| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). | +| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). 
| + +### Not Up to Date (Microsoft Action) + +Not Up to Date means a device isn’t up to date when the: + +- Quality update is more than a month out of date, or the device is on last month’s quality update +- Device is more than 21 days overdue from the last release. + +> [!NOTE] +> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective). + +| Sub status | Description | +| ----- | ----- | +| No Heartbeat | The Windows Update service hasn’t been able to connect to this device. The service can’t offer the update to that device. | +| Not Offered | The Windows Update service hasn’t offered the update to that device. | +| Policy Blocking Update | This device has a policy that is blocking the update, such as a deferral or pause policy. Devices are only in this state after the 21-day threshold. | +| In Progress—Stuck | This device has downloaded the update but is getting stuck in a loop during the install process. The update isn’t complete. | +| Other | This device isn't up to date and isn’t reporting back data from the client. | + +### Ineligible Devices (Customer Action) + +Customer Action refers to the responsibility of the designated customer IT administrator to carry out the appropriate action to resolve the reported device sub status. + +Within each 24-hour reporting period, devices that are ineligible are updated with one of the following sub statuses. + +| Sub status | Description | +| ----- | ----- | +| Insufficient Usage | Devices must have at least six hours of usage, with at least two hours being continuous. 
| +| Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). | +| Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. | +| Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | +| Not On Supported on Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Intune Sync Older Than 5 Days | Devices must have checked with Intune within the last five days. | + +## Data export + +Select **Export devices** to export data for each report type. + +> [!NOTE] +> You can’t export Windows Autopatch report data using Microsoft Graph RESTful web API. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md new file mode 100644 index 0000000000..735136be22 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md 
@@ -0,0 +1,44 @@ +--- +title: Summary dashboard +description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch. +ms.date: 12/01/2022 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: adnich +--- + +# Summary dashboard + +The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch. + +**To view the current update status for all your enrolled devices:** + +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. + +:::image type="content" source="../media/windows-autopatch-summary-dashboard.png" alt-text="Summary dashboard" lightbox="../media/windows-autopatch-summary-dashboard.png"::: + +> [!NOTE] +> The data in this report is refreshed every 24 hours. The last refreshed on date/time can be seen at the top of the page. + +## Report information + +The following information is available in the Summary dashboard: + +| Column name | Description | +| ----- | ----- | +| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). | +| Devices | The number of devices showing as applicable for the state. | + +## Report options + +The following option is available: + +| Option | Description | +| ----- | ----- | +| Refresh | The option to **Refresh** the Summary dashboard is available at the top of the page. This process will ensure that the Summary dashboard view is updated to the latest available dataset from within the last 24-hour period. | 
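Review bot: In the "Report options" table, the Refresh row says the view is "updated to the latest available dataset from within the last 24-hour period", while the `[!NOTE]` above says the data itself is refreshed every 24 hours; together these leave it unclear whether selecting **Refresh** only reloads the last processed dataset or requests newer device data. State which it is in the Refresh row, since an administrator checking whether a quality update has landed may otherwise read a reloaded day-old count as current. In the "Report information" table, "The number of devices showing as applicable for the state" is hard to parse; "The number of devices currently in that status" says the same thing and matches the "status" wording used in the row above. The table also labels its first column "Column name" although the rows describe dashboard fields, so "Field" may be the better header.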
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md index 667c755524..1c19a4bac4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md @@ -1,7 +1,7 @@ --- title: Windows update policies description: This article explains Windows update policies in Windows Autopatch -ms.date: 07/07/2022 +ms.date: 12/02/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: adnich --- # Windows update policies @@ -109,8 +109,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | -### Group policy +### Group policy and other policy managers -Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: +Group policy as well as other policy managers can take precedence over mobile device management (MDM) policies. For Windows quality updates, if any policies or configurations are detected which modify the following hives in the registry, the device could become ineligible for management: -`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` +- `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 7f5b4cf23e..b9f94b3dc8 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -2,7 +2,7 @@ metadata: title: Windows Autopatch - Frequently Asked Questions (FAQ) description: Answers to frequently asked questions about Windows Autopatch. - ms.prod: w11 + ms.prod: windows-client ms.topic: faq ms.date: 08/26/2022 audience: itpro diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index fa58f8fac2..f7420e1f3e 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md 
@@ -34,7 +34,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | License | ID | GUID number | | ----- | ----- | ------| | [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | +| [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a | +| [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 | | [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 | +| [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 | +| [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 | +| [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 | +| [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c | +| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad | +| [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f | | [Windows 10/11 Enterprise 
E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index f14ae95741..ce916ff862 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 11/02/2022 +ms.date: 12/01/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -60,8 +60,8 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

Assigned to:

| | | -| Windows Autopatch - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop and Telemetry settings for Windows devices.

Assigned to:

||