From f11a0afcd89331b02aff2c1202a2c1c702cbe45e Mon Sep 17 00:00:00 2001 From: Maurice Daly Date: Tue, 23 Aug 2022 00:31:16 +0100 Subject: [PATCH 1/2] Added Settings Catalog and Device Name optional setting With the recommendation to use the settings catalog as much as possible, instructions on how to configure update compliance settings should be included for both OMA-URI and settings catalog. I have also added the optional setting to include the device name in the UC logs in both. --- .../update-compliance-v2-configuration-mem.md | 41 ++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 1dabf9b1e5..6b5add34d9 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -29,7 +29,40 @@ This article is specifically targeted at configuring devices enrolled to [Micros ## Create a configuration profile -Take the following steps to create a configuration profile that will set required policies for Update Compliance: +Take the following steps to create a configuration profile that will set required policies for Update Compliance. + +**Note:** There are two profile types that can be used to create an Update Compliance configuration profile, these being the settings catalog, or custom (OMA-URL). Below each of these profile types are covered. + +### Settings Catalog + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +1. On the **Configuration profiles** view, select **Create a profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then press **Create**. +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple settings from the System category + + 1. Using the Settings Picker, select the System category, then add the following settings and values: + - **Setting**: Allow Commercial Data Pipeline + - **Value**: Enabled + - **Setting**: Allow device name to be sent in Windows diagnostic data (*optional setting if you wish to view device names in the UC logs) + - **Value**: Allowed + - **Setting**: Allow Telemetry + - **Value**: Basic (*all that is required is basic, but it can be safely set to a higher value*) + - **Setting**: Allow Update Compliance Processing + - **Value**: Enabled + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disable Telemetry opt-in Settings. + - **Setting**: Configure Telemetry Opt In Change Notification + - **Value**: Disable telemetry change notifications. + 1. (*Optional*) Include the device name in the Update Compliance logs data. If this isn't enabled, you will not be able to filter by device name in logs: + - **Setting**: Allow device name to be sent in Windows diagnostic data + - **Value**: Enabled + +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review and select **Create**. + +## Custom OMA URI based profile 1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. 1. On the **Configuration profiles** view, select **Create a profile**. @@ -68,6 +101,12 @@ Take the following steps to create a configuration profile that will set require - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` - **Data type**: Integer - **Value**: 1 + 1. (*Optional*) Include the device name in the Update Compliance logs data. If this isn't enabled, you will not be able to filter by device name in logs: + - **Name**: Allow Device Name In DiagnosticData + - **Description**: This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. 1. Review and select **Create**. From 09dd11b2f33ad3fcf1df40db6d3cf58796b8a98b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 24 Aug 2022 14:30:57 -0700 Subject: [PATCH 2/2] minor style edits, then decided to rearrange some itmes while I was editing --- .../update-compliance-v2-configuration-mem.md | 88 +++++++++---------- 1 file changed, 40 insertions(+), 48 deletions(-) diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 6b5add34d9..765128a9dc 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -9,7 +9,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article -ms.date: 06/06/2022 +ms.date: 08/24/2022 --- # Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) @@ -29,87 +29,79 @@ This article is specifically targeted at configuring devices enrolled to [Micros ## Create a configuration profile -Take the following steps to create a configuration profile that will set required policies for Update Compliance. +Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance: +- The [settings catalog](#settings-catalog) +- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile -**Note:** There are two profile types that can be used to create an Update Compliance configuration profile, these being the settings catalog, or custom (OMA-URL). Below each of these profile types are covered. +### Settings catalog -### Settings Catalog - -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -1. On the **Configuration profiles** view, select **Create a profile**. -1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then press **Create**. +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. -1. On the **Configuration settings** page, you'll be adding multiple settings from the System category - - 1. Using the Settings Picker, select the System category, then add the following settings and values: +1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values: + 1. Required settings for Update Compliance: - **Setting**: Allow Commercial Data Pipeline - - **Value**: Enabled - - **Setting**: Allow device name to be sent in Windows diagnostic data (*optional setting if you wish to view device names in the UC logs) - - **Value**: Allowed + - **Value**: Enabled - **Setting**: Allow Telemetry - - **Value**: Basic (*all that is required is basic, but it can be safely set to a higher value*) + - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - **Setting**: Allow Update Compliance Processing - **Value**: Enabled - 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - - **Setting**: Configure Telemetry Opt In Settings Ux - - **Value**: Disable Telemetry opt-in Settings. + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - **Setting**: Configure Telemetry Opt In Change Notification - - **Value**: Disable telemetry change notifications. - 1. (*Optional*) Include the device name in the Update Compliance logs data. If this isn't enabled, you will not be able to filter by device name in logs: + - **Value**: Disable telemetry change notifications + - **Setting**: Configure Telemetry Opt In Settings Ux + - **Value**: Disable Telemetry opt-in Settings + 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance: - **Setting**: Allow device name to be sent in Windows diagnostic data - - **Value**: Enabled + - **Value**: Allowed 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -1. Review and select **Create**. +1. Review the settings and then select **Create**. -## Custom OMA URI based profile +### Custom OMA URI based profile -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -1. On the **Configuration profiles** view, select **Create a profile**. +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. On the **Configuration profiles** view, select **Create profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -1. For **Template name**, select **Custom**, and then press **Create**. +1. For **Template name**, select **Custom**, and then select **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). - + + 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: + - **Name**: Allow commercial data pipeline + - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + - **Data type**: Integer + - **Value**: 1 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - - **Name**: Disable Telemetry opt-in interface - - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - - **Data type**: Integer - - **Value**: 1 - 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: - - **Name**: Allow device name in Diagnostic Data - - **Description**: Allows device name in Diagnostic Data. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - - **Data type**: Integer - - **Value**: 1 + - **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*). 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: - - **Name**: Allow commercial data pipeline - - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - **Data type**: Integer - **Value**: 1 - 1. (*Optional*) Include the device name in the Update Compliance logs data. If this isn't enabled, you will not be able to filter by device name in logs: - - **Name**: Allow Device Name In DiagnosticData - - **Description**: This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. + 1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 + 1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -1. Review and select **Create**. +1. Review the settings and then select **Create**. ## Deploy the configuration script