diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index d62b5b232d..1b75bd9a6b 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -542,7 +542,7 @@ Value type is integer. Supported values: > [!Warning] > This policy is in preview mode only and therefore not meant or recommended for production purposes. -"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass. > [!Note] > Web Sign-in is only supported on Azure AD Joined PCs. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 61558a2ca2..c23eade407 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -740,19 +740,13 @@ In Windows 10, you can configure this policy setting to decide what level of dia The following list shows the supported values for Windows 10 version 1809 and older: -- 0 – (**Security**) Sends information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Microsoft Defender. - **Note:** This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), Hololens 2, and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – (**Basic**) Sends the same data as a value of 0, plus additional basic device info, including quality-related data, app compatibility, and app usage data. -- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows, Windows Server, System Center, and apps are used, how they perform, and advanced reliability data. -- 3 – (**Full**) Sends the same data as a value of 2, plus all data necessary to identify and fix problems with devices. +- 0 – (**Security**) This turns Windows diagnostic data off. + **Note**: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 IoT Core (IoT Core), HoloLens 2, and Windows Server 2016 (and later versions). Using this setting on other devices editions of Windows is equivalent to setting the value of 1. +- 1 – (**Required**) Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. +- 2 – (**Enhanced**) Sends the same data as a value of 1, plus additional insights, including how Windows apps are used, how they perform, and advanced reliability data, such as limited crash dumps. 
+- 3 – (**Optional**) Sends the same data as a value of 2, plus additional data necessary to identify and fix problems with devices such as enhanced error logs. -Most restricted value is 0. - -The following list shows the supported values for Windows 10 version 19H1 and later: - -- **Diagnostic data off** - No Windows diagnostic data sent. -- **Required (Basic)** - Minimum data required to keep the device secure, up to date, and performing as expected. -- **Optional (Full)** - Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users. +Most restrictive value is 0. \ No newline at end of file + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index e3accdee77..771a7648f8 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md @@ -53,7 +53,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini +**%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini** ``` [SetupConfig] 
@@ -62,7 +62,7 @@ Priority=Normal You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. -``` +```powershell #Parameters Param( [string] $PriorityValue = "Normal" @@ -91,6 +91,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without 
@@ -100,162 +101,164 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` ->[!NOTE] ->If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. +> [!NOTE] +> If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. ## Manually deploy feature updates The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. +There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. -1. 
In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. 3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. + - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. -4. Save the search for future use. +4. Save the search for future use. -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. +### Step 2: Download the content for the feature updates +Before you deploy the feature updates, you can download the content as a separate step. 
Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the **feature update(s)** to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + The **Download Software Updates Wizard** opens. +3. 
On the **Deployment Package** page, configure the following settings: + **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. + > [!NOTE] + > The deployment package source location that you specify cannot be used by another software deployment package. - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + > [!IMPORTANT] + > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. 
- >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + > [!IMPORTANT] + > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). + Click **Next**. +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - >[!NOTE] - >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: + > [!NOTE] + > The Distribution Points page is available only when you create a new software update deployment package. +5. On the **Distribution Settings** page, specify the following settings: - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. 
Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. + - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. 
When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + + For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + Click **Next**. +6. 
On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. + > [!NOTE] + > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. 
+ + Click **Next**. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. #### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. +1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. +2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. +3. Select the feature update package that you previously identified to download the feature updates. 4. On the **Home** tab, in the Content group, click **View Status**. -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). +### Step 3: Deploy the feature update(s) +After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. 
In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. 
On the Deployment Settings page, configure the following settings: + The **Deploy Software Updates Wizard** opens. +4. On the General page, configure the following settings: + - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** + - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. + - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. + - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. + - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. +5. On the Deployment Settings page, configure the following settings: - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. 
- - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. + > [!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + > [!NOTE] + > A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. + - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. 
By default, this setting is not enabled and is available only when Type of deployment is set to Required. + + > [!WARNING] + > Before you can use this option, computers and networks must be configured for Wake On LAN. + + - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. 6. On the Scheduling page, configure the following settings: - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. 
- - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. + - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. 
Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. + > [!NOTE] + > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. 
- >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. 
On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + > [!NOTE] + > The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent). +7. On the User Experience page, configure the following settings: + - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. + - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows). 
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - >[!NOTE] - >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). + > [!IMPORTANT] + > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. 
When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. + + > [!NOTE] + > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. + + > [!NOTE] + > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. +9. On the Download Settings page, configure the following settings: + - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. + - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. + - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. + - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). + > [!NOTE] + > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. 
For more information, see [Content source priority](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority). +10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. +11. Click **Next** to deploy the feature update(s). ### Step 4: Monitor the deployment status + After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status: -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. \ No newline at end of file +1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. +2. Click the software update group or software update for which you want to monitor the deployment status. +3. On the **Home** tab, in the **Deployment** group, click **View Status**. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index aefc6bdaaf..01de3567bf 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,5 +1,5 @@ --- -title: Configuring for Update Compliance in Microsoft Endpoint Manager +title: Configuring Microsoft Endpoint Manager devices for Update Compliance ms.reviewer: manager: laurawi description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance 
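Review bot: The link bases on the added lines of the Configuration Manager procedure hunk that ends just above (steps 6 to 11 and Step 4) are inconsistent. The note under step 9 now points to `/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#content-source-priority`, while the re-indented Computer Agent, maintenance windows and BranchCache links on the other `+` lines still use `/sccm/core/...`. Every one of those lines is already rewritten here for indentation, so either move them all to the same base in this change or leave the content-source link as it was and do the path migration in a separate commit. Separately, "E.g., slow or unreliable network links." under **Specific time** is carried over as a sentence fragment and could be folded into the preceding sentence while the line is being touched.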
@@ -36,10 +36,11 @@ Take the following steps to create a configuration profile that will set require 4. For **Template name**, select **Custom**, and then press **Create**. 5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). - 1. Add a setting for **Commercial ID**, with the following values: + 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). + 2. Add a setting for **Commercial ID** ) with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID` + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 7f1681e846..23b3637f84 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
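Review bot: In the `@@ -36,10 +36,11 @@` hunk of update-compliance-configuration-mem.md, the new OMA-URI `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` swaps the literal `MS DM Server` segment for what reads as a placeholder, but nothing on the added lines marks it as one or says what to substitute. An admin following the steps may paste the string as written, so either mark the segment as a placeholder and state where the value comes from, or explain why the literal was dropped. The same hunk has three smaller problems on its `+` lines: the link text "Get your CommmercialID" has an extra "m", "Add a setting for **Commercial ID** ) with the following values:" has a stray closing parenthesis, and after inserting the new step 1 and renumbering the Commercial ID step to 2, the unchanged "2. Add a setting configuring the **Windows Diagnostic Data level**" line is left as a second step 2.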
@@ -276,11 +276,6 @@ The following fields are available: - **DatasourceApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_21H1Setup** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_21H2** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_21H2Setup** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_CO21H2** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. -- **DatasourceApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS1** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS2** The total number of objects of this type present on this device. - **DatasourceApplicationFile_RS3** The total number of objects of this type present on this device. 
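Review bot: The five `DatasourceApplicationFile_*` entries removed in this hunk (`_21H2`, `_21H2Setup`, `_CO21H2`, `_CO21H2Setup`, `_CU22H2Setup`) are dropped with no replacement text, and the same five-suffix removal repeats for every other field family in the following hunks of this file. Because this page is the reference administrators and privacy reviewers use to see which diagnostic fields a device reports, the removal needs a stated reason: confirm that the fields are no longer sent by the release this page documents (rather than being an accidental revert of an earlier addition), and record that in the commit message. If the fields are still collected, the entries should stay.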
@@ -294,11 +289,6 @@ The following fields are available: - **DatasourceDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_21H1Setup** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_21H2** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_21H2Setup** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_CO21H2** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. -- **DatasourceDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS1** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS2** The total number of objects of this type present on this device. - **DatasourceDevicePnp_RS3** The total number of objects of this type present on this device. 
@@ -315,11 +305,6 @@ The following fields are available: - **DatasourceDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_21H1Setup** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_21H2** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_21H2Setup** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_CO21H2** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. -- **DatasourceDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS1** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS2** The total number of objects of this type present on this device. - **DatasourceDriverPackage_RS3** The total number of objects of this type present on this device. 
@@ -336,11 +321,6 @@ The following fields are available: - **DataSourceMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -354,11 +334,6 @@ The following fields are available: - **DataSourceMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -372,11 +347,6 @@ The following fields are available: - **DataSourceMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. -- **DataSourceMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -391,11 +361,6 @@ The following fields are available: - **DatasourceSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1** The total number of objects of this type present on this device. - **DatasourceSystemBios_21H1Setup** The total number of objects of this type present on this device. -- **DatasourceSystemBios_21H2** The total number of objects of this type present on this device. -- **DatasourceSystemBios_21H2Setup** The total number of objects of this type present on this device. -- **DatasourceSystemBios_CO21H2** The total number of objects of this type present on this device. -- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device. -- **DatasourceSystemBios_CU22H2Setup** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS1** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS2** The total number of objects of this type present on this device. - **DatasourceSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -412,11 +377,6 @@ The following fields are available: - **DecisionApplicationFile_20H1Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1** The total number of objects of this type present on this device. - **DecisionApplicationFile_21H1Setup** The total number of objects of this type present on this device. -- **DecisionApplicationFile_21H2** The total number of objects of this type present on this device. -- **DecisionApplicationFile_21H2Setup** The total number of objects of this type present on this device. -- **DecisionApplicationFile_CO21H2** The total number of objects of this type present on this device. -- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionApplicationFile_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS1** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS2** The total number of objects of this type present on this device. - **DecisionApplicationFile_RS3** The total number of objects of this type present on this device. 
@@ -430,11 +390,6 @@ The following fields are available: - **DecisionDevicePnp_20H1Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1** The total number of objects of this type present on this device. - **DecisionDevicePnp_21H1Setup** The total number of objects of this type present on this device. -- **DecisionDevicePnp_21H2** The total number of objects of this type present on this device. -- **DecisionDevicePnp_21H2Setup** The total number of objects of this type present on this device. -- **DecisionDevicePnp_CO21H2** The total number of objects of this type present on this device. -- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionDevicePnp_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS1** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS2** The total number of objects of this type present on this device. - **DecisionDevicePnp_RS3** The total number of objects of this type present on this device. 
@@ -451,11 +406,6 @@ The following fields are available: - **DecisionDriverPackage_20H1Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1** The total number of objects of this type present on this device. - **DecisionDriverPackage_21H1Setup** The total number of objects of this type present on this device. -- **DecisionDriverPackage_21H2** The total number of objects of this type present on this device. -- **DecisionDriverPackage_21H2Setup** The total number of objects of this type present on this device. -- **DecisionDriverPackage_CO21H2** The total number of objects of this type present on this device. -- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionDriverPackage_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS1** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS2** The total number of objects of this type present on this device. - **DecisionDriverPackage_RS3** The total number of objects of this type present on this device. 
@@ -472,11 +422,6 @@ The following fields are available: - **DecisionMatchingInfoBlock_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_21H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_CO21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoBlock_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoBlock_RS3** The total number of objects of this type present on this device. 
@@ -490,11 +435,6 @@ The following fields are available: - **DecisionMatchingInfoPassive_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_21H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_CO21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPassive_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPassive_RS3** The total number of objects of this type present on this device. 
@@ -508,11 +448,6 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_20H1Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_21H1Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_CO21H2** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionMatchingInfoPostUpgrade_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS2** The total number of objects of this type present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total number of objects of this type present on this device. 
@@ -526,11 +461,6 @@ The following fields are available: - **DecisionMediaCenter_20H1Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1** The total number of objects of this type present on this device. - **DecisionMediaCenter_21H1Setup** The total number of objects of this type present on this device. -- **DecisionMediaCenter_21H2** The total number of objects of this type present on this device. -- **DecisionMediaCenter_21H2Setup** The total number of objects of this type present on this device. -- **DecisionMediaCenter_CO21H2** The total number of objects of this type present on this device. -- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionMediaCenter_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS1** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS2** The total number of objects of this type present on this device. - **DecisionMediaCenter_RS3** The total number of objects of this type present on this device. 
@@ -540,11 +470,6 @@ The following fields are available: - **DecisionMediaCenter_TH2** The total number of objects of this type present on this device. - **DecisionSModeState_20H1** The total number of objects of this type present on this device. - **DecisionSModeState_21H1** The total number of objects of this type present on this device. -- **DecisionSModeState_21H2** The total number of objects of this type present on this device. -- **DecisionSModeState_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSModeState_CO21H2** The total number of objects of this type present on this device. -- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSModeState_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_19ASetup** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1** The total number of objects of this type present on this device. - **DecisionSystemBios_19H1Setup** The total number of objects of this type present on this device. 
@@ -552,11 +477,6 @@ The following fields are available: - **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1** The total number of objects of this type present on this device. - **DecisionSystemBios_21H1Setup** The total number of objects of this type present on this device. -- **DecisionSystemBios_21H2** The total number of objects of this type present on this device. -- **DecisionSystemBios_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemBios_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemBios_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemBios_RS1** The total number of objects of this type present on this device. - **DecisionSystemBios_RS2** The total number of objects of this type present on this device. - **DecisionSystemBios_RS3** The total number of objects of this type present on this device. 
@@ -569,49 +489,20 @@ The following fields are available: - **DecisionSystemBios_TH2** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_20H1** The total number of objects of this type present on this device. - **DecisionSystemDiskSize_21H1** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_21H2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemDiskSize_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemMemory_20H1** The total number of objects of this type present on this device. - **DecisionSystemMemory_21H1** The total number of objects of this type present on this device. -- **DecisionSystemMemory_21H2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemMemory_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemMemory_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessor_RS2** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuCores_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_21H2** The total number of objects of this type present on this device. 
-- **DecisionSystemProcessorCpuCores_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuCores_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuModel_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_21H2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuModel_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_20H1** The total number of objects of this type present on this device. - **DecisionSystemProcessorCpuSpeed_21H1** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_21H2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_CO21H2** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionSystemProcessorCpuSpeed_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionTest_19H1** The total number of objects of this type present on this device. 
- **DecisionTest_20H1** The total number of objects of this type present on this device. - **DecisionTest_20H1Setup** The total number of objects of this type present on this device. - **DecisionTest_21H1** The total number of objects of this type present on this device. - **DecisionTest_21H1Setup** The total number of objects of this type present on this device. -- **DecisionTest_21H2** The total number of objects of this type present on this device. -- **DecisionTest_21H2Setup** The total number of objects of this type present on this device. -- **DecisionTest_CO21H2** The total number of objects of this type present on this device. -- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionTest_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionTest_RS1** The total number of objects of this type present on this device. - **DecisionTest_RS2** The total number of objects of this type present on this device. - **DecisionTest_RS3** The total number of objects of this type present on this device. 
@@ -621,18 +512,8 @@ The following fields are available: - **DecisionTest_TH2** The total number of objects of this type present on this device. - **DecisionTpmVersion_20H1** The total number of objects of this type present on this device. - **DecisionTpmVersion_21H1** The total number of objects of this type present on this device. -- **DecisionTpmVersion_21H2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_21H2Setup** The total number of objects of this type present on this device. -- **DecisionTpmVersion_CO21H2** The total number of objects of this type present on this device. -- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionTpmVersion_CU22H2Setup** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_20H1** The total number of objects of this type present on this device. - **DecisionUefiSecureBoot_21H1** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_21H2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_21H2Setup** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_CO21H2** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device. -- **DecisionUefiSecureBoot_CU22H2Setup** The total number of objects of this type present on this device. - **InventoryApplicationFile** The total number of objects of this type present on this device. - **InventoryDeviceContainer** The total number of objects of this type present on this device. - **InventoryDevicePnp** The total number of objects of this type present on this device. 
@@ -662,11 +543,6 @@ The following fields are available: - **Wmdrm_20H1Setup** The total number of objects of this type present on this device. - **Wmdrm_21H1** The total number of objects of this type present on this device. - **Wmdrm_21H1Setup** The total number of objects of this type present on this device. -- **Wmdrm_21H2** The total number of objects of this type present on this device. -- **Wmdrm_21H2Setup** The total number of objects of this type present on this device. -- **Wmdrm_CO21H2** The total number of objects of this type present on this device. -- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device. -- **Wmdrm_CU22H2Setup** The total number of objects of this type present on this device. - **Wmdrm_RS1** The total number of objects of this type present on this device. - **Wmdrm_RS2** The total number of objects of this type present on this device. - **Wmdrm_RS3** The total number of objects of this type present on this device. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 692cfa0a09..9514d43951 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
@@ -50,7 +50,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience ## Behaviorial changes -In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be migrated to the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. +In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see the section named, **Services that rely on Enhanced diagnostic data**, later in this topic. Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see the section named **Configure a Windows 10 device to limit crash dumps and logs**. 
For more information on services that rely on Enhanced diagnostic data, see **Services that rely on Enhanced diagnostic data**. Additionally, you will see the following policy changes in an upcoming release of Windows 10: diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 4f7f59f8ff..5a04348f87 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -26,9 +26,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th Most ransomware infections start with: -* Email messages with attachments that try to install ransomware. +- Email messages with attachments that try to install ransomware. -* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. +- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware. Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. 
@@ -38,11 +38,11 @@ Ransomware is one of the most lucrative revenue channels for cybercriminals, so Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits. -* Spora drops ransomware copies in network shares. +- Spora drops ransomware copies in network shares. -* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. +- WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers. -* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. +- A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. 
@@ -52,16 +52,26 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty ## How to protect against ransomware - Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms. +Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets because attackers can demand bigger ransoms. -We recommend: +To provide the best protection against ransomware attacks, Microsoft recommends that you: -* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. +- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite. -* Apply the latest updates to your operating systems and apps. +- Apply the latest updates to your operating systems and apps. -* Educate your employees so they can identify social engineering and spear-phishing attacks. +- Educate your employees so they can identify social engineering and spear-phishing attacks. -* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. +- [Implement controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom. -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). 
+ +## Human-operated ransomware + +Unlike auto-spreading ransomware like WannaCry or NotPetya, human-operated ransomware is the result of active and ongoing attacks that target an organization rather than a single device. Cybercriminals use their knowledge of common system and security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, adapt to the environment, and exploit its weaknesses as they go. + +Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement and can result in deployment of ransomware payloads to high business impact resources that attackers choose. Once deployed, the attackers contact the organization with their ransom demands. + +The same primary prevention techniques described in this article should be implemented to prevent human-operated ransomware. For additional preventative measures against human-operated ransomware, see this [article](/security/compass/human-operated-ransomware). + +See [this blog post](https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/) from the Microsoft 365 Defender Threat Intelligence Team for more information and attack chain analysis of actual human-operated ransomware attacks.
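Review bot: the `@@ -569,49 +489,20 @@` hunk gives no reason for dropping the `_21H2`, `_21H2Setup`, `_CO21H2`, `_CO21H2Setup` and `_CU22H2Setup` variants of the DecisionSystemDiskSize through DecisionTest counters, and the neighbouring hunks do the same for DecisionTpmVersion, DecisionUefiSecureBoot and Wmdrm. This list is what administrators and privacy reviewers use to audit what a device reports, so a field that is still emitted but no longer listed would be an under-disclosure. Please state in the commit description whether the event stops reporting these fields for the Windows version this file documents, or whether they were listed here by mistake.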
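Review bot: in the `@@ -50,7 +50,7 @@` hunk of changes-to-windows-diagnostic-data-collection.md, the new wording "the device settings will be evaluated to be at the more privacy-preserving setting" does not say whether a configured **Enhanced** value is rewritten on upgrade or left in place and treated as **Required**. That is what an administrator needs to know before deciding whether to apply the new policies, so say which one happens. The added line also points to **Services that rely on Enhanced diagnostic data** twice ("For a list of services, see the section named ..." and again "For more information on services that rely on Enhanced diagnostic data, see ..."), so one of the two can go. The context heading reads "Behaviorial changes" where "Behavioral changes" is meant, and it is worth fixing while this paragraph is being touched.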
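Review bot: in the new "Human-operated ransomware" section of the `@@ -52,16 +52,26 @@` hunk in ransomware-malware.md, the text names credential theft and lateral movement as the hallmarks of these attacks and then says "The same primary prevention techniques described in this article should be implemented", but the list above it (backups, updates, employee education, controlled folder access) contains nothing aimed at either. The guidance that does cover them sits behind a link whose text is only "article". Suggest stating that the listed measures are a baseline and giving both links descriptive text in place of "this [article]" and "[this blog post]". Two smaller points: the section says "WannaCry or NotPetya" while the earlier paragraph in this file introduces them as "**WannaCrypt** (also known as WannaCry)" and "**Petya** (also known as NotPetya)", so use one naming throughout, and "high value targets" in the rewritten sentence should be "high-value targets".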