From e5f78323e58882a4f882f6ca94d79fd854d7491b Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 2 Nov 2022 12:16:13 -0700 Subject: [PATCH 01/19] Added article on WDAC script enforcement --- .../TOC.yml | 2 + .../design/script-enforcement.md | 73 +++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 0eee8eff2c..2c063bad24 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -30,6 +30,8 @@ href: allow-com-object-registration-in-windows-defender-application-control-policy.md - name: Use WDAC with .NET hardening href: use-windows-defender-application-control-with-dynamic-code-security.md + - name: Script enforcement with Windows Defender Application Control + href: design/script-enforcement.md - name: Manage packaged apps with WDAC href: manage-packaged-apps-with-windows-defender-application-control.md - name: Use WDAC to control specific plug-ins, add-ins, and modules diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md new file mode 100644 index 0000000000..4f2a6ad7ec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -0,0 +1,73 @@ +--- +title: Understand WDAC script enforcement +description: WDAC script enforcement +keywords: security, malware +ms.prod: windows-client +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: jogeurte +ms.author: jogeurte +ms.manager: jsuther +manager: aaroncz +ms.date: 11/02/2022 +ms.technology: itpro-security +ms.topic: article +ms.localizationpriority: medium +--- + +# Script enforcement with Windows Defender Application Control (WDAC) + +**Applies to:** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + +## Script enforcement overview + +By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device. + +WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log). + +> [!IMPORTANT] +> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running. +> +> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly. + +## Enlightened script hosts that are part of Windows + +### PowerShell + +All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights. + +Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name. Modules that are exported by default (no export name list) or have wildcards (\*) in their name will fail to load. + +Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode. + +PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. If a script file that is allowed by WDAC does try to run dot-sourced script files, those script files must also be allowed by the policy. + +**Interactive PowerShell** will run in Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies. + +For more information on PowerShell language modes, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes). + +### VBscript, cscript, and jscript + +All scripts run using the Windows Based Script Host (wscript.exe) or the Microsoft Console Based Script Host (cscript.exe) must be allowed by the WDAC policy. If not, the script will be blocked. + +### Microsoft HTML Application Host (MSHTA) and MSXML + +If any WDAC policy is active that enables script enforcement, even if that policy is in audit mode, all code execution using MSHTA or MSXML will be blocked. + +### COM objects + +WDAC additionally enforces a restricted allowlist for COM objects that can be expanded or further restricted by your WDAC policy. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy). + +## Scripts that aren't directly controlled by WDAC + +WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run will be subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) + +WDAC doesn't control scripts run through an unenlightened script host, such as many 3rd-party Java or Python engines. If your WDAC policy allows an unenlightened script host to run, then you implicitly allow all scripts run through that host. For non-Microsoft script hosts, you should check with the software vendor whether their script hosts are enlightened to WDAC policy. From bbbabae951ecdd8a2fe76238d7d0ed8ee828d137 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 2 Nov 2022 12:52:59 -0700 Subject: [PATCH 02/19] Updated disabled script enforcement rule option to refer to new topic. --- .../design/script-enforcement.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index 4f2a6ad7ec..f3d0be7276 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -68,6 +68,6 @@ WDAC additionally enforces a restricted allowlist for COM objects that can be ex ## Scripts that aren't directly controlled by WDAC -WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run will be subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) +WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run will be subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules). WDAC doesn't control scripts run through an unenlightened script host, such as many 3rd-party Java or Python engines. If your WDAC policy allows an unenlightened script host to run, then you implicitly allow all scripts run through that host. For non-Microsoft script hosts, you should check with the software vendor whether their script hosts are enlightened to WDAC policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index d955ebfc22..17b9386444 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **8 Required:EV Signers** | This option isn't currently supported. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No | -| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No | +| **11 Disabled:Script Enforcement** | This option disables script enforcement options, covering PowerShell, Windows Based Script Host (wscript.exe), Windows Console Based Script Host (cscript.exe), HTA files run in Microsoft HTML Application Host (mshta.exe), and MSXML. For more information on script enforcement, see [Script enforcement with WDAC](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement).
NOTE: This option isn't supported on Windows Server 2016 and shouldn't be used on that operating system. | No | | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No | | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes | From 3b311cfdcdbf7271b25546c170ebbee851ec87c2 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 2 Nov 2022 13:02:40 -0700 Subject: [PATCH 03/19] Update script-enforcement.md --- .../design/script-enforcement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index f3d0be7276..a33a5ba8e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -64,7 +64,7 @@ If any WDAC policy is active that enables script enforcement, even if that polic ### COM objects -WDAC additionally enforces a restricted allowlist for COM objects that can be expanded or further restricted by your WDAC policy. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy). +WDAC additionally enforces a restricted allowlist for COM objects that can be expanded or further restricted by your WDAC policy. COM object enforcement **isn't** affected by option **11 Disabled:Script Enforcement**. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy). ## Scripts that aren't directly controlled by WDAC From d74869f00295b1a3674acdce450a8cfd01bd937f Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 2 Nov 2022 16:11:40 -0400 Subject: [PATCH 04/19] endpoint manager rebrand --- windows/deployment/TOC.yml | 8 ++--- .../update/create-deployment-plan.md | 34 +++++++++---------- .../update/deploy-updates-configmgr.md | 2 +- .../update/deployment-service-overview.md | 22 ++++++------ windows/deployment/update/index.md | 8 ++--- .../deployment/update/plan-define-strategy.md | 8 ++--- .../update-compliance-configuration-mem.md | 22 ++++++------ .../update/update-compliance-get-started.md | 28 +++++++-------- .../update-compliance-v2-configuration-mem.md | 22 ++++++------ .../update/update-compliance-v2-enable.md | 4 +-- windows/deployment/update/waas-branchcache.md | 2 +- .../update/waas-manage-updates-wsus.md | 2 +- ...s-servicing-strategy-windows-10-updates.md | 8 ++--- .../windows-10-deployment-posters.md | 6 ++-- .../windows-10-deployment-scenarios.md | 33 ++++++++++-------- 15 files changed, 106 insertions(+), 103 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 6891986bec..f765d75537 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -198,7 +198,7 @@ href: update/update-compliance-v2-configuration-script.md - name: Configure clients manually href: update/update-compliance-v2-configuration-manual.md - - name: Configure clients with Microsoft Endpoint Manager + - name: Configure clients with Microsoft Intune href: update/update-compliance-v2-configuration-mem.md - name: Use Update Compliance (preview) items: @@ -237,7 +237,7 @@ href: update/update-compliance-configuration-script.md - name: Manually configuring devices for Update Compliance href: update/update-compliance-configuration-manual.md - - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager + - name: Configuring devices for Update Compliance in Microsoft Intune href: update/update-compliance-configuration-mem.md - name: Update Compliance monitoring items: @@ -436,7 +436,7 @@ - name: User State Migration Tool (USMT) technical reference items: - - name: USMT overview topics + - name: USMT overview articles items: - name: USMT overview href: usmt/usmt-overview.md @@ -444,7 +444,7 @@ href: usmt/getting-started-with-the-user-state-migration-tool.md - name: Windows upgrade and migration considerations href: upgrade/windows-upgrade-and-migration-considerations.md - - name: USMT How-to topics + - name: USMT How-to articles items: - name: Exclude Files and Settings href: usmt/usmt-exclude-files-and-settings.md diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md index 17dc7028a8..5263372cb3 100644 --- a/windows/deployment/update/create-deployment-plan.md +++ b/windows/deployment/update/create-deployment-plan.md @@ -20,7 +20,7 @@ ms.technology: itpro-updates A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. -When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline. +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline. At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. @@ -39,7 +39,7 @@ A common ring structure uses three deployment groups: ## How many rings should I have? -There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. +There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location. Or assign based on the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. ## Advancing between rings @@ -60,17 +60,17 @@ The purpose of the Preview ring is to evaluate the new features of the update. I ### Who goes in the Preview ring? -The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization. +The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization. During your plan and prepare phases, you should focus on the following activities: - Work with Windows Insider Preview builds. - Identify the features and functionality your organization can or wants to use. -- Establish who will use the features and how they will benefit. -- Understand why you are putting out the update. +- Establish who will use the features and how they'll benefit. +- Understand why you're putting out the update. - Plan for usage feedback. -Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release. +Remember, you're working with pre-release software in the Preview ring and you'll be evaluating features and testing the update for a targeted release. > [!IMPORTANT] > If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: @@ -80,11 +80,11 @@ Remember, you are working with pre-release software in the Preview ring and you ## Limited ring The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback are generated to enable the decision to move forward to broader deployment. Desktop -Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment. +Analytics can help with defining a good Limited ring of representative devices and help monitor the deployment. ### Who goes in the Limited ring? -The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. +The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. During your pilot and validate phases, you should focus on the following activities: @@ -93,7 +93,7 @@ During your pilot and validate phases, you should focus on the following activit - Assess and act if issues are encountered. - Move forward unless blocked. -When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. +When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring. Your Limited ring represents your organization across the board. When you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. ## Broad deployment @@ -101,7 +101,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period, ### Who goes in the Broad deployment ring? -In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. +In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly. > [!NOTE] > In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices. @@ -109,19 +109,19 @@ In most businesses, the Broad ring includes the rest of your organization. Becau During the broad deployment phase, you should focus on the following activities: - Deploy to all devices in the organization. -- Work through any final unusual issues that were not detected in your Limited ring. +- Work through any final unusual issues that weren't detected in your Limited ring. ## Ring deployment planning -Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics. +Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We've combined many of these tasks, and more, into a single interface with Desktop Analytics. -[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to +[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Configuration Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to make informed decisions about the readiness of your Windows devices. -In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest -feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. +In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Configuration Manager can help you assess app compatibility with the latest +feature update. You can create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. > [!IMPORTANT] > Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. @@ -130,8 +130,8 @@ feature update and create groups that represent the broadest number of hardware There are two ways to implement a ring deployment plan, depending on how you manage your devices: -- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans). -- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide). +- If you're using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans). +- If you're using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide). For more about Desktop Analytics, see these articles: diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 9fcf8d8e67..a7aa23afba 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -18,4 +18,4 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. +See the [Microsoft Configuration Manager documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index fbb54dd2d2..5ae667d595 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -44,16 +44,16 @@ Windows Update for Business comprises three elements: - Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell) - Update Compliance to monitor update deployment – available through the Azure Marketplace -Unlike existing client policy, the deployment service does not interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. +Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro. :::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text."::: Using the deployment service typically follows a common pattern: -1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Endpoint Manager. +1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune. 2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. -The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager. +The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune. ## Prerequisites @@ -78,9 +78,9 @@ Additionally, your organization must have one of the following subscriptions: To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. -### Using Microsoft Endpoint Manager +### Using Microsoft Intune -Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Intune integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell @@ -92,7 +92,7 @@ Microsoft Graph makes deployment service APIs available through. Get started wit - Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) - Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) -Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. +Once you're familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. ## Deployment protections @@ -107,9 +107,9 @@ The deployment service allows any update to be deployed over a period of days or 3. Start deploying to earlier waves to build coverage of device attributes present in the population. 4. Continue deploying at a uniform rate until all waves are complete and all devices are updated. -This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service does not provide a workflow for creating rings themselves. +This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service doesn't provide a workflow for creating rings themselves. -You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring. +You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and other protections within each ring. ### Safeguard holds against likely and known issues @@ -139,9 +139,9 @@ To enroll devices in Windows Update for Business cloud processing, set the **All | GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` | -Following is an example of setting the policy using Microsoft Endpoint Manager: +Following is an example of setting the policy using Intune: -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Configuration profiles** > **Create profile**. @@ -175,7 +175,7 @@ Follow these suggestions for the best results with the service. ### General -Avoid using different channels to manage the same resources. If you use Microsoft Endpoint Manager along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. +Avoid using different channels to manage the same resources. If you use Microsoft Intune along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. ## Next steps diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index c2470f7d69..9a3ff8f9c3 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -20,14 +20,14 @@ ms.technology: itpro-updates > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly, and spreads the required effort out into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. +Windows as a service provides a new way to think about building, deploying, and servicing the Windows operating system. The Windows as a service model is focused on continually providing new capabilities and updates while maintaining a high level of hardware and software compatibility. Deploying new versions of Windows is simpler than ever before: Microsoft releases new features two to three times per year rather than the traditional upgrade cycle where new features are only made available every few years. Ultimately, this model replaces the need for traditional Windows deployment projects, which can be disruptive and costly. It spreads out the required effort into a continuous updating process, reducing the overall effort required to maintain Windows client devices in your environment. In addition, with the Windows client operating system, organizations have the chance to try out “flighted” builds of Windows as Microsoft develops them, gaining insight into new features and the ability to provide continual feedback about them. ## In this section -| Topic | Description| +| Article | Description| | --- | --- | | [Quick guide to Windows as a service](waas-quick-start.md) | Provides a brief summary of the key points for the servicing model for Windows client. | | [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows client; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. | @@ -39,8 +39,8 @@ Windows as a service provides a new way to think about building, deploying, and | [Deploy Windows client updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows client updates. | | [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows client updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. | -| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | +| [Manage more Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update | | [Windows Insider Program for Business](/windows-insider/business/register) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. +>For disaster recovery scenarios and bare-metal deployments of Windows client, you still can use traditional imaging software such as Microsoft Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows client images is similar to deploying previous versions of Windows. diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index 1b47a96842..cacb1535bc 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -22,13 +22,13 @@ Traditionally, organizations treated the deployment of operating system updates Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an extra 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. -Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. +We encourage you to deploy every available release and maintain a fast cadence for some portion of your environment. We also recognize that you might have a large number of devices, and a need for little or no disruption. So, you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly. ## Calendar approaches -You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. +You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they'll stop receiving the monthly security updates. ### Annual -Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Configuration Manager and Microsoft 365 Apps release cycles: [ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox) @@ -36,7 +36,7 @@ This approach provides approximately 12 months of use from each feature update b This cadence might be most suitable for you if any of these conditions apply: -- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost. +- You're just starting your journey with the Windows 10 servicing process. If you're unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost. - You want to wait and see how successful other companies are at adopting a Windows 10 feature update. diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 7bc1ee3016..14cdbb3299 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,8 +1,8 @@ --- -title: Configuring Microsoft Endpoint Manager devices for Update Compliance +title: Configuring Microsoft Intune devices for Update Compliance ms.reviewer: manager: aczechowski -description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance +description: Configuring devices that are enrolled in Intune for Update Compliance ms.prod: windows-client author: mestew ms.author: mstewart @@ -12,17 +12,17 @@ ms.topic: article ms.technology: itpro-updates --- -# Configuring Microsoft Endpoint Manager devices for Update Compliance +# Configuring Microsoft Intune devices for Update Compliance **Applies to** - Windows 10 - Windows 11 -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Update Compliance, within Microsoft Intune itself. Configuring devices for Update Compliance in Microsoft Intune breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. -1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). +1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). > [!TIP] > If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured. @@ -31,26 +31,26 @@ This article is specifically targeted at configuring devices enrolled to [Micros Take the following steps to create a configuration profile that will set required policies for Update Compliance: -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices/Windows/Configuration profiles**. 1. On the **Configuration profiles** view, select **Create a profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". 1. For **Template name**, select **Custom**, and then press **Create**. -1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. -1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). 1. Add a setting for **Commercial ID** with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - - **Value**: *Set this to your Commercial ID* + - **Value**: *Set this value to your Commercial ID* 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this setting isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` @@ -82,4 +82,4 @@ Take the following steps to create a configuration profile that will set require The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). -When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices that will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index c8bd25539d..6879689613 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -21,13 +21,13 @@ ms.technology: itpro-updates - Windows 10 - Windows 11 -This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow. +This article introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow. 1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance. 2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription. 3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance. -After adding the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. +After you add the solution to Azure and configuring devices, it can take some time before all devices appear. For more information, see the [enrollment section](#enroll-devices-in-update-compliance). Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization. ## Update Compliance prerequisites @@ -36,30 +36,30 @@ After adding the solution to Azure and configuring devices, it can take some tim Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: -- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and is not currently compatible with Windows Server, Surface Hub, IoT, or other versions. -- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but does not currently provide detailed deployment insights for them. +- **Compatible operating systems and editions**: Update Compliance works only with Windows 10 or Windows 11 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 or Windows 11 Enterprise edition, and [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. +- **Compatible Windows client servicing channels**: Update Compliance supports Windows client devices on the General Availability Channel and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. - **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). -- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). -- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). +- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These endpoints are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md). +- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names won't appear in Update Compliance unless you individually opt-in devices by using policy. The steps are outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md). - **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022. ## Add Update Compliance to your Azure subscription -Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. Note that, for the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution. +Update Compliance is offered as an Azure Marketplace application that is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. For the following steps, you must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the solution. -To configure this, follow these steps: -1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to login to your Azure subscription to access this. +Use the following steps: +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign in to your Azure subscription to access this page. 2. Select **Get it now**. 3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance. - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance. 4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created. -Once the solution is in place, you can leverage one of the following Azure roles with Update Compliance: +Once the solution is in place, you can use one of the following Azure roles with Update Compliance: -- To edit and write queries we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role. +- To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role. -- To read and only view data we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role. +- To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role. |Compatible Log Analytics regions | | ------------------------------- | @@ -115,8 +115,8 @@ A `CommercialID` is a globally unique identifier assigned to a specific Log Anal Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are a few steps to follow when enrolling devices to Update Compliance: 1. Check the policies, services, and other device enrollment requirements in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). -2. If you use [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Endpoint Manager](update-compliance-configuration-mem.md). -3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they are appropriately configured and troubleshoot any enrollment issues. +2. If you use [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you can follow the enrollment process documented at [Configuring devices for Update Compliance in Microsoft Intune](update-compliance-configuration-mem.md). +3. Finally, you should run the [Update Compliance Configuration Script](update-compliance-configuration-script.md) on all devices to ensure they're appropriately configured and troubleshoot any enrollment issues. After you configure devices, diagnostic data they send will begin to be associated with your Azure AD organization ("tenant"). However, enrolling to Update Compliance doesn't influence the rate at which required data is uploaded from devices. Device connectivity to the internet and generally how active the device is highly influences how long it will take before the device appears in Update Compliance. Devices that are active and connected to the internet daily can expect to be fully uploaded within one week (usually less than 72 hours). Devices that are less active can take up to two weeks before data is fully available. diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index a5285184bd..919105c1de 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -1,8 +1,8 @@ --- -title: Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) +title: Configuring Microsoft Intune devices for Update Compliance (preview) ms.reviewer: manager: dougeby -description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance (preview) +description: Configuring devices that are enrolled in Intune for Update Compliance (preview) ms.prod: windows-client author: mestew ms.author: mstewart @@ -13,16 +13,16 @@ ms.date: 08/24/2022 ms.technology: itpro-updates --- -# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) +# Configuring Microsoft Intune devices for Update Compliance (preview) -***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))*** +***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Intune](/mem/intune/fundamentals/what-is-intune)*** > [!Important] > - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. -This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: +This article is specifically targeted at configuring devices enrolled to [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) for Update Compliance. Configuring devices for Update Compliance in Microsoft Intune breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured. 1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md). @@ -38,7 +38,7 @@ Create a configuration profile that will set the required policies for Update Co ### Settings catalog -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. 1. On the **Configuration profiles** view, select **Create profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. @@ -50,12 +50,12 @@ Create a configuration profile that will set the required policies for Update Co - **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*) - **Setting**: Allow Update Compliance Processing - **Value**: Enabled - 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these settings aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - **Setting**: Configure Telemetry Opt In Change Notification - **Value**: Disable telemetry change notifications - **Setting**: Configure Telemetry Opt In Settings Ux - **Value**: Disable Telemetry opt-in Settings - 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance: + 1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, then the device name won't be sent and won't be visible in Update Compliance: - **Setting**: Allow device name to be sent in Windows diagnostic data - **Value**: Allowed @@ -64,7 +64,7 @@ Create a configuration profile that will set the required policies for Update Co ### Custom OMA URI based profile -1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Windows** > **Configuration profiles**. 1. On the **Configuration profiles** view, select **Create profile**. 1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". 1. For **Template name**, select **Custom**, and then select **Create**. @@ -89,7 +89,7 @@ Create a configuration profile that will set the required policies for Update Co - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + 1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these settings aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` @@ -110,7 +110,7 @@ Create a configuration profile that will set the required policies for Update Co The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). -When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices. +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices that will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices. ## Next steps diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md index 5cfd3e874b..f28d271083 100644 --- a/windows/deployment/update/update-compliance-v2-enable.md +++ b/windows/deployment/update/update-compliance-v2-enable.md @@ -29,7 +29,7 @@ After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are m 1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways: - Use a [script](update-compliance-v2-configuration-script.md) - - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) + - Use [Microsoft Intune](update-compliance-v2-configuration-mem.md) - Configure [manually](update-compliance-v2-configuration-manual.md) > [!IMPORTANT] @@ -85,4 +85,4 @@ Once you've added Update Compliance to a workspace in your Azure subscription an - [Configure clients with a script](update-compliance-v2-configuration-script.md) - [Configure clients manually](update-compliance-v2-configuration-manual.md) -- [Configure clients with Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) +- [Configure clients with Microsoft Intune](update-compliance-v2-configuration-mem.md) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index 4440295877..235adb34ea 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -22,7 +22,7 @@ ms.technology: itpro-updates > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](../do/waas-delivery-optimization.md) feature in Windows client: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 5ae4fcf47b..57b7d86ab1 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -22,7 +22,7 @@ ms.technology: itpro-updates > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Configuration Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11. diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 043aeee54a..b5be3068c1 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -1,5 +1,5 @@ --- -title: Prepare servicing strategy for Windows client updates +title: Prepare a servicing strategy for Windows client updates description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. ms.prod: windows-client author: aczechowski @@ -12,7 +12,7 @@ ms.collection: m365initiative-coredeploy ms.technology: itpro-updates --- -# Prepare servicing strategy for Windows client updates +# Prepare a servicing strategy for Windows client updates **Applies to** @@ -26,10 +26,10 @@ ms.technology: itpro-updates Here’s an example of what this process might look like: - **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business. -- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview). diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 773a95767f..d7d8c65cc3 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -1,6 +1,6 @@ --- title: Windows 10 deployment process posters -description: View and download Windows 10 deployment process flows for Microsoft Endpoint Manager and Windows Autopilot. +description: View and download Windows 10 deployment process flows for Microsoft Configuration Manager and Windows Autopilot. ms.reviewer: manager: aaroncz author: frankroj @@ -17,7 +17,7 @@ ms.date: 10/31/2022 **Applies to** - Windows 10 -The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. +The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Configuration Manager. ## Deploy Windows 10 with Autopilot @@ -25,7 +25,7 @@ The Windows Autopilot poster is two pages in portrait mode (11x17). Select the i [![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf) -## Deploy Windows 10 with Microsoft Endpoint Configuration Manager +## Deploy Windows 10 with Microsoft Configuration Manager The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version. diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 688b1b94b5..fdf36b188b 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -16,7 +16,7 @@ ms.date: 10/31/2022 - Windows 10 -To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. +To successfully deploy the Windows 10 operating system in your organization, it's important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Key tasks include choosing among these scenarios and understanding the capabilities and limitations of each. ## Deployment categories @@ -60,7 +60,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen ## Modern deployment methods -Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, cost effective deployment experience. +Modern deployment methods embrace both traditional on-premises and cloud services to deliver a simple, streamlined, and cost effective deployment experience. ### Windows Autopilot @@ -70,15 +70,18 @@ For more information about Windows Autopilot, see [Overview of Windows Autopilot ### In-place upgrade -For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. An in-place upgrade requires the least IT effort, because there's no need for any complex deployment infrastructure. +For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 uses the Windows installation program (Setup.exe) is to perform an in-place upgrade. An in-place upgrade: -Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. +- Automatically preserves all data, settings, applications, and drivers from the existing operating system version +- Requires the least IT effort, because there's no need for any complex deployment infrastructure + +Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. Control is accomplished by using tools like Microsoft Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences. The in-place upgrade process is designed to be reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by using the automatically created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications don't need to be reinstalled as part of the process. -Because existing applications are preserved through the process, the upgrade process uses the standard Windows installation media image (Install.wim); custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) +Existing applications are preserved through the process. So, the upgrade process uses the standard Windows installation media image (Install.wim). Custom images aren't needed and can't be used because the upgrade process is unable to deal with conflicts between apps in the old and new operating system. (For example, Contoso Timecard 1.0 in Windows 7 and Contoso Timecard 3.0 in the Windows 10 image.) -Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. +Scenarios that support in-place upgrade with some other procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. - **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 doesn't require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. @@ -92,9 +95,9 @@ There are some situations where you can't use in-place upgrade; in these situati - Windows To Go and Boot from VHD installations. The upgrade process is unable to upgrade these installations. Instead, new installations would need to be performed. -- Updating existing images. While it might be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image, doing so isn't supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. +- Updating existing images. It can be tempting to try to upgrade existing Windows 7, Windows 8, or Windows 8.1 images to Windows 10 by installing the old image, upgrading it, and then recapturing the new Windows 10 image. But, it's not supported. Preparing an upgraded OS via `Sysprep.exe` before capturing an image isn't supported and won't work. When `Sysprep.exe` detects the upgraded OS, it will fail. -- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS; if using dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), additional care should be taken. +- Dual-boot and multi-boot systems. The upgrade process is designed for devices running a single OS. If you use dual-boot or multi-boot systems with multiple operating systems (not using virtual machines for the second and subsequent operating systems), then extra care should be taken. ## Dynamic provisioning @@ -106,17 +109,17 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on, Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation). -### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment +### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). +In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). ### Provisioning package configuration -Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). +When you use the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through various means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm). -These scenarios can be used to enable "choose your own device" (CYOD) programs where the organization's users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). +These scenarios can be used to enable "choose your own device" (CYOD) programs. With these programs, organization users can pick their own PC and aren't restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios). -While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for additional features through the Windows Feedback app or through their Microsoft Support contacts. +While the initial Windows 10 release includes various provisioning settings and deployment mechanisms, provisioning settings and deployment mechanisms will continue to be enhanced and extended based on feedback from organizations. As with all Windows features, organizations can submit suggestions for more features through the Windows Feedback app or through their Microsoft Support contacts. ## Traditional deployment: @@ -144,7 +147,7 @@ The deployment process for the new machine scenario is as follows: 4. Install other applications (as part of the task sequence). -After taking these steps, the computer is ready for use. +After you follow these steps, the computer is ready for use. ### Computer refresh @@ -164,7 +167,7 @@ The deployment process for the wipe-and-load scenario is as follows: 6. Restore the user state. -After taking these steps, the machine is ready for use. +After you follow these steps, the machine is ready for use. ### Computer replace From 663f8d18c3d433dd5784d97306f2513d8323a677 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 2 Nov 2022 14:38:31 -0700 Subject: [PATCH 05/19] Update script-enforcement.md --- .../design/script-enforcement.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index a33a5ba8e1..083cc7b560 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -44,13 +44,13 @@ WDAC shares the *AppLocker - MSI and Script* event log for all script enforcemen All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights. -Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name. Modules that are exported by default (no export name list) or have wildcards (\*) in their name will fail to load. +Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that do not specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load. Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode. PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. If a script file that is allowed by WDAC does try to run dot-sourced script files, those script files must also be allowed by the policy. -**Interactive PowerShell** will run in Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies. +WDAC will put **Interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies. For more information on PowerShell language modes, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes). From e2e6b68ed5df9e9392b98ba7554d3c09f66fa6d0 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 2 Nov 2022 14:43:59 -0700 Subject: [PATCH 06/19] Update script-enforcement.md --- .../design/script-enforcement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md index 083cc7b560..5a4f9be3f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md @@ -50,7 +50,7 @@ Any PowerShell script that isn't allowed by WDAC policy will still run, but only PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. If a script file that is allowed by WDAC does try to run dot-sourced script files, those script files must also be allowed by the policy. -WDAC will put **Interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies. +WDAC will put **interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies. For more information on PowerShell language modes, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes). From 417d44cf12a9199ad1305ec5a1b33a96de7e94c8 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 2 Nov 2022 18:31:47 -0400 Subject: [PATCH 07/19] endpoint manager rebrand --- .../deploy/windows-autopatch-admin-contacts.md | 2 +- ...ndows-autopatch-device-registration-overview.md | 2 +- .../windows-autopatch-post-reg-readiness-checks.md | 8 ++++---- .../deploy/windows-autopatch-register-devices.md | 14 +++++++------- .../windows-autopatch-deregister-devices.md | 4 ++-- .../operate/windows-autopatch-fu-overview.md | 4 ++-- ...dows-autopatch-microsoft-365-apps-enterprise.md | 2 +- .../operate/windows-autopatch-support-request.md | 6 +++--- .../operate/windows-autopatch-unenroll-tenant.md | 2 +- .../operate/windows-autopatch-update-management.md | 6 +++--- .../windows-autopatch-wqu-communications.md | 2 +- .../operate/windows-autopatch-wqu-overview.md | 2 +- .../prepare/windows-autopatch-enroll-tenant.md | 4 ++-- .../prepare/windows-autopatch-fix-issues.md | 2 +- .../references/windows-autopatch-privacy.md | 2 +- .../demonstrate-deployment-on-vm.md | 8 ++++---- 16 files changed, 35 insertions(+), 35 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md index 4e13034d35..d3cf70f023 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md @@ -35,7 +35,7 @@ Your admin contacts will receive notifications about support request updates and **To add admin contacts:** -1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**. 1. Select **+Add**. 1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 10d9c81172..d1e52e4ced 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -44,7 +44,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | ----- | ----- | | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | -| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
  1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
| +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
  1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
| | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
  2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
| | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
  1. **Modern Workplace Devices-Windows Autopatch-First**
    1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. **Modern Workplace Devices-Windows Autopatch-Fast**
  3. **Modern Workplace Devices-Windows Autopatch-Broad**
| diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index e5c4617772..985c852e6f 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -49,7 +49,7 @@ Windows Autopatch has three tabs within its Devices blade. Each tab is designed | Tab | Description | | ----- | ----- | | Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:
  • Passed the prerequisite checks.
  • Registered with Windows Autopatch.
This tab also lists devices that have passed all postdevice registration readiness checks. | -| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
  • **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
  • **Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.
| +| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.
  • **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
  • **Inactive**: Devices that haven’t communicated with the Microsoft Intune service in the last 28 days.
| | Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn’t pass one or more prerequisite checks during the device registration process. | ## Details about the post-device registration readiness checks @@ -67,9 +67,9 @@ The following list of post-device registration readiness checks is performed in | Check | Description | | ----- | ----- | | **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. | -| **Windows update policies managed via Microsoft Endpoint Manager-Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Endpoint Manager-Intune (MDM). | -| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Endpoint Manager-Intune. | -| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Endpoint Manager-Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). | +| **Windows update policies managed via Microsoft Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). | +| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn’t support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. | +| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn’t support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). | | **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. | | **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. | | **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. | diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 4d7fb522a0..1b10c3bc96 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -71,9 +71,9 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). -- Managed by Microsoft Endpoint Manager. +- Managed by Microsoft Intune. - [Already enrolled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). - - Must switch the following Microsoft Endpoint Manager-Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune): + - Must switch the following Microsoft Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Intune (either set to Pilot Intune or Intune): - Windows updates policies - Device configuration - Office Click-to-run @@ -102,7 +102,7 @@ See all possible device readiness statuses in Windows Autopatch: | ----- | ----- | ----- | | Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | | Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | -| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready | +| Inactive | Devices with this status haven't communicated with Microsoft Intune in the last 28 days. | Not ready | | Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -116,7 +116,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). > [!NOTE] -> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. +> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles. ## Details about the device registration process @@ -134,7 +134,7 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID **To register devices with Windows Autopatch:** -1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +1. Go to the [Microsoft Intune admin center](https://endpoint.microsoft.com/). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. @@ -154,7 +154,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W **To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** -1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. In the left pane, select **Devices**. 1. Navigate to Provisioning > **Windows 365**. 1. Select Provisioning policies > **Create policy**. @@ -211,7 +211,7 @@ There's a few more device management lifecycle scenarios to consider when planni ### Device refresh -If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Endpoint Manager to reimage the device. +If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device. The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md index 52448ca4c5..15b45c91d4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md @@ -18,7 +18,7 @@ To avoid end-user disruption, device deregistration in Windows Autopatch only de **To deregister a device:** -1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Windows Autopatch** in the left navigation menu. 1. Select **Devices**. 1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister. @@ -42,7 +42,7 @@ You can hide unregistered devices you don't expect to be remediated anytime soon **To hide unregistered devices:** -1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Windows Autopatch** in the left navigation menu. 1. Select **Devices**. 1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 244d0ad114..023003d400 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -73,7 +73,7 @@ When releasing a feature update, there are two policies that are configured by t During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline. -To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices. +To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices. | Policy | Description | | ----- | ----- | @@ -93,7 +93,7 @@ To allow customers to test Windows 11 in their environment, there's a separate D ## Pausing and resuming a release -You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager. +You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). ## Rollback diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 4386ab7205..3089035470 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -85,7 +85,7 @@ Since quality updates are bundled together into a single release in the [Monthly [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. -A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. +A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index a6b6ffc78b..ab63a52ddf 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -25,7 +25,7 @@ Support requests are triaged and responded to as they're received. **To submit a new support request:** -1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu. +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu. 1. In the **Windows Autopatch** section, select **Support requests**. 1. In the **Support requests** section, select **+ New support request**. 1. Enter your question(s) and/or a description of the problem. @@ -42,7 +42,7 @@ You can see the summary status of all your support requests. At any time, you ca **To view all your active support requests:** -1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. 1. In the **Windows Autopatch** section, select **Support request**. 1. From this view, you can export the summary view or select any case to view the details. @@ -52,7 +52,7 @@ You can edit support request details, for example, updating the primary case con **To edit support request details:** -1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. +1. Sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. 1. In the **Windows Autopatch** section, select **Support request**. 1. In the **Support requests** section, use the search bar or filters to find the case you want to edit. 1. Select the case to open the request's details. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index a92c0fbdef..ec414612c4 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -41,7 +41,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | ----- | ----- | | Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. | | Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). | -| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | +| Microsoft Intune roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. | ## Unenroll from Windows Autopatch diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index c3548183a3..549d7d5bba 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -64,7 +64,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| ## Moving devices in between deployment rings @@ -72,7 +72,7 @@ If you want to move separate devices to different deployment rings, after Window **To move devices in between deployment rings:** -1. In Microsoft Endpoint Manager, select **Devices** in the left pane. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. 3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. @@ -82,7 +82,7 @@ If you want to move separate devices to different deployment rings, after Window When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). > [!WARNING] > Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md index 5633916a46..ffb70992db 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -34,7 +34,7 @@ Communications are posted to Message center, Service health dashboard, and the W ## Communications during release -The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the Microsoft Endpoint Manager portal shortly after Autopatch becomes aware of the new information. +The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information. There are some circumstances where Autopatch will need to change the release schedule based on new information. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index b4fc0d3673..d922d4a3cc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -72,7 +72,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. -You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. +You can pause or resume a Windows quality update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). ## Incidents and outages diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 140d728afa..2616f22559 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -30,14 +30,14 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** > [!IMPORTANT] > You must be a Global Administrator to run the Readiness assessment tool. -1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. > [!IMPORTANT] diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 77a8ae20a5..4b87f046dd 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -32,7 +32,7 @@ For each check, the tool will report one of four possible results: ## Microsoft Intune settings -You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +You can access Intune settings at the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). ### Unlicensed admins diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 49f08db4a3..c5163c949a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -26,7 +26,7 @@ The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Mic | ------ | ------ | | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. | | [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. | -| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager:

  • [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
  • [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
+| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:
  • [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
  • [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. | | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. | diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index a5a019d47b..14d1e1698a 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -86,7 +86,7 @@ If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [C - [Create app in Intune](#create-app-in-intune) - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) - [Add Microsoft 365 Apps](#add-microsoft-365-apps) - - [Create app in Microsoft Endpoint Manager](#create-app-in-microsoft-endpoint-manager) + - [Create app in Microsoft Intune](#create-app-in-microsoft-intune) - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile-1) - [Glossary](#glossary) @@ -398,7 +398,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B ### Autopilot registration using Intune -1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. +1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**. ![Intune device import.](images/enroll1.png) @@ -603,7 +603,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the Microsoft Endpoint Manager admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) @@ -805,7 +805,7 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap ### Add Microsoft 365 Apps -#### Create app in Microsoft Endpoint Manager +#### Create app in Microsoft Intune Sign in to the Azure portal and select **Intune**. From c609a38969b9fe297c867b7cf27483fb52f9ba33 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 2 Nov 2022 18:47:05 -0400 Subject: [PATCH 08/19] Typo --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 1b10c3bc96..eff03275a8 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -134,7 +134,7 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID **To register devices with Windows Autopatch:** -1. Go to the [Microsoft Intune admin center](https://endpoint.microsoft.com/). +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. 4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. From aa7229435ecbc1e8ef0031494a8ce737d89eafbf Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Wed, 2 Nov 2022 19:48:34 -0400 Subject: [PATCH 09/19] endpoint manager rebrand --- windows/hub/index.yml | 12 ++++----- ...s-to-windows-diagnostic-data-collection.md | 14 +++++----- .../ltsc/whats-new-windows-10-2015.md | 2 +- .../ltsc/whats-new-windows-10-2021.md | 4 +-- ...ts-new-windows-10-version-1507-and-1511.md | 2 +- .../whats-new-windows-10-version-1903.md | 2 +- .../whats-new-windows-10-version-1909.md | 6 ++--- .../whats-new-windows-10-version-2004.md | 6 ++--- .../whats-new-windows-10-version-20H2.md | 2 +- .../whats-new-windows-10-version-21H2.md | 2 +- windows/whats-new/windows-11-overview.md | 26 +++++++++---------- windows/whats-new/windows-11-plan.md | 4 +-- windows/whats-new/windows-11-prepare.md | 8 +++--- 13 files changed, 44 insertions(+), 46 deletions(-) diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 0794c284fd..7e8837ad3c 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -230,19 +230,17 @@ additionalContent: - title: Other resources items: - - title: Microsoft Endpoint Manager + - title: Microsoft endpoint management with Intune links: - - text: Microsoft Endpoint Manager documentation - url: /mem - - text: Overview of Microsoft Endpoint Manager + - text: Intune is a family of products url: /mem/endpoint-manager-overview - - text: Getting started with Microsoft Endpoint Manager - url: /mem/endpoint-manager-getting-started + - text: What is Microsoft Intune? + url: /mem/what-is-intune - text: Microsoft Endpoint Manager simplifies upgrades to Windows 11 url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886 - text: Understanding readiness for Windows 11 with Microsoft Endpoint Manager url: https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866 - - text: Microsoft Endpoint Manager blog + - text: Microsoft endpoint management blog url: https://aka.ms/memblog - title: Windows 365 links: diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 13b8872c26..48eab123cc 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -17,7 +17,7 @@ ms.topic: conceptual - Windows 10, version 1903 and later - Windows Server 2022 -Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we have moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. +Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. As part of this effort, we've moved our major products and services to a model where data sent back to Microsoft from customer devices will be classified as either **Required** or **Optional**. We believe this change will provide our customers with a simpler experience – information should be easier to find, easier to understand, and easier to act upon through the tools we provide. This article is meant for IT administrators and explains the changes Windows is making to align to the new data collection taxonomy. These changes are focused in two areas: @@ -26,7 +26,7 @@ This article is meant for IT administrators and explains the changes Windows is ## Summary of changes -In Windows 10, version 1903 and later, you will see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. +In Windows 10, version 1903 and later, you'll see taxonomy updates in both the **Out-of-box-experience** (OOBE) and the **Diagnostics & feedback** privacy settings page. These changes are explained in the section named **Taxonomy** changes. Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. @@ -42,9 +42,9 @@ Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience ## Behavioral changes -Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. +Starting in Windows 11 and Windows Server 2022, we’re simplifying the Windows diagnostic data controls by moving from four diagnostic data settings to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they're upgraded to a supported version of the operating system, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that use enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. -Additionally, you will see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2): +Additionally, you'll see the following policy changes in Windows Server 2022, Windows 11, and Windows Holographic, version 21H1 (HoloLens 2): | Policy type | Current policy | Renamed policy | | --- | --- | --- | @@ -65,9 +65,9 @@ For more info, see [Configure Windows diagnostic data in your organization](conf ## Services that rely on Enhanced diagnostic data -Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they are released. These services will be updated to address these changes and guidance will be published on how to configure them properly. +Customers who use services that depend on Windows diagnostic data, such as Microsoft Managed Desktop or Desktop Analytics, may be impacted by the behavioral changes when they're released. These services will be updated to address these changes and guidance will be published on how to configure them properly. -The following provides information on the current configurations: +The following articles provide information on the current configurations: - [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data) - [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) @@ -95,7 +95,7 @@ For Windows devices with diagnostic data turned on and that are joined to an [Az - [Update Compliance](/windows/deployment/update/update-compliance-monitor) - [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview) - [Microsoft Managed Desktop](/managed-desktop/intro/) -- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview) +- [Endpoint analytics (in Microsoft Intune)](/mem/analytics/overview) *(Additional licensing requirements may apply to use these services.)* diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index cddd5c8950..b9156bc86a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -273,7 +273,7 @@ By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient. -- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security). +- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index a6bb2fa385..c04c33fd31 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -161,9 +161,9 @@ Windows Hello enhancements include: ## Cloud Services -### Microsoft Endpoint Manager +### Microsoft Intune family of products -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). +Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). ### Configuration Manager diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index f96c6387bf..2f0d7cfea7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -324,7 +324,7 @@ By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows - **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient. -- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security). +- **Use with existing tools** such as Microsoft Intune and the [Enterprise Mobility Suite](/enterprise-mobility-security). Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr). diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 048526a784..49112ccb86 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -42,7 +42,7 @@ This article lists new and updated features and content that are of interest to ## Servicing -- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! +- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates and Intune content. - [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally. diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 6c1efb18d1..b3350031c0 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -29,7 +29,7 @@ If you're updating from an older version of Windows 10 (version 1809 or earlier) ### Windows Server Update Services (WSUS) -Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). +Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054). The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. @@ -69,9 +69,9 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic ## Deployment -#### Microsoft Endpoint Manager +### Microsoft Intune family of products -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). +Configuration Manager, Intune, Desktop Analytics, Co-Management, and the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) are now part of the [Microsoft endpoint management services](/mem/endpoint-manager-overview). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). ### Windows 10 Pro and Enterprise in S mode diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index ce5cb2cd4b..9baa6d915f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -76,7 +76,7 @@ With this release, you can configure [Windows Autopilot user-driven](/windows/de If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles. -### Microsoft Endpoint Manager +### Microsoft Configuration Manager An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). @@ -100,7 +100,7 @@ For the latest information about MDT, see the [MDT release notes](/mem/configmgr Windows PowerShell cmdlets have been improved: -- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). +- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). - **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting. @@ -243,7 +243,7 @@ Examples include: - Monitor panel testing and validation - Independent Hardware Vendor (IHV) driver testing and validation -To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. +To prevent Windows from using a display, choose Settings > Display and select Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. ## Desktop Analytics diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 3a35dafa98..431769b672 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -69,7 +69,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep Enhancements to Windows Autopilot since the last release of Windows 10 include: - [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode. - [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience. -- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**. +- Enhancements to Windows Autopilot deployment reporting are in preview. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Select **Autopilot deployment (preview)**. ### Windows Assessment and Deployment Toolkit (ADK) diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index 3e965fd0a1..64749cbbee 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -51,7 +51,7 @@ For more information, and what GPU compute support means for you, see the [GPU a The [KB5005101 September 1, 2021 update](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1) includes about 1400 CSPs that were made available to MDM providers. -These CSPs are built in to Windows 10, version 21H2. These settings are available in Endpoint Manager in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis. +These CSPs are built in to Windows 10, version 21H2. These settings are available in Microsoft Intune in the [Settings Catalog](/mem/intune/configuration/settings-catalog). [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) also includes these GPOs in its analysis. For more information on the CSPs, see the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md index 19c319c011..6576712f31 100644 --- a/windows/whats-new/windows-11-overview.md +++ b/windows/whats-new/windows-11-overview.md @@ -24,7 +24,7 @@ Windows 11 is the next client operating system, and includes features that organ It offers innovations focused on enhancing end-user productivity, and is designed to support today's hybrid work environment. -Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Endpoint Manager. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices. +Your investments in update and device management are carried forward. For example, many of the same apps and tools can be used in Windows 11. Many of the same security settings and policies can be applied to Windows 11 devices, including PCs. You can use Windows Autopilot with a zero touch deployment to enroll your Windows devices in Microsoft Intune. You can also use newer features, such as Azure Virtual Desktop and Windows 365 on your Windows 11 devices. This article lists what's new, and some of the features & improvements. For more information on what's new for OEMs, see [What's new in manufacturing, customization, and design](/windows-hardware/get-started/what-s-new-in-windows). @@ -40,7 +40,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). -- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Endpoint Manager to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. +- **Microsoft Defender Antivirus** is built into Windows, and helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: @@ -54,15 +54,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur - **Windows Hello for Business** helps protect users and identities. It replaces passwords, and uses a PIN or biometric that stays locally on the device. Device manufacturers are including more secure hardware features, such as IR cameras and TPM chips. These features are used with Windows Hello for Business to help protect user identities on your organization devices. - As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Endpoint Manager work together to remove passwords, create more secure policies, and help enforce compliance. + As an admin, going passwordless help secures user identities. The Windows OS, Azure AD, and Intune work together to remove passwords, create more secure policies, and help enforce compliance. For more information, see: - [Windows Hello for Business Overview](/windows/security/identity-protection/hello-for-business/hello-overview) - [Trusted Platform Module Technology Overview](/windows/security/information-protection/tpm/trusted-platform-module-overview) - - [Integrate Windows Hello for Business with Endpoint Manager](/mem/intune/protect/windows-hello) + - [Integrate Windows Hello for Business with Intune](/mem/intune/protect/windows-hello) -For more information on the security features you can configure, manage, and enforce using Endpoint Manager, see [Protect data and devices with Microsoft Endpoint Manager](/mem/intune/protect/device-protect). +For more information on the security features you can configure, manage, and enforce using Intune, see [Protect data and devices with Microsoft Intune](/mem/intune/protect/device-protect). ## Easier access to new services, and services you already use @@ -74,9 +74,9 @@ For more information on the security features you can configure, manage, and enf :::image type="content" source="./images/windows-11-whats-new/windows-11-taskbar-microsoft-teams.png" alt-text="On the Windows 11 taskbar, select the camera chat icon to start a Microsoft Teams call."::: - This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Endpoint Manager. For more information, see: + This version of Microsoft Teams is for personal accounts. For organization accounts, such as `user@contoso.com`, you can deploy the Microsoft Teams app using MDM policy, such as Intune. For more information, see: - - [Get started with Microsoft Endpoint Manager](/mem/endpoint-manager-getting-started) + - [What is Intune?](/mem/intune/fundamentals/what-is-intune) - [Add Microsoft 365 apps to Windows 10 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365) - [Install Microsoft Teams using Microsoft Endpoint Configuration Manager](/microsoftteams/msi-deployment) @@ -158,9 +158,9 @@ For more information on the security features you can configure, manage, and enf In the **Settings** app > **Apps**, users can manage some of the app settings. For example, they can get apps anywhere, but let the user know if there's a comparable app in the Microsoft Store. They can also choose which apps start when they sign in. - Using an MDM provider, like Endpoint Manager, you can create policies that also manage some app settings. For a list of settings, see [App Store in Endpoint Manager](/mem/intune/configuration/device-restrictions-windows-10#app-store). + Using an MDM provider, like Intune, you can create policies that also manage some app settings. For a list of settings, see [App Store in Intune](/mem/intune/configuration/device-restrictions-windows-10#app-store). -- If you manage devices using Endpoint Manager, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11). +- If you manage devices using Intune, then you might be familiar with the **Company Portal app**. Starting with Windows 11, the Company Portal is your private app repository for your organization apps. For more information, see [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11). For public and retail apps, continue using the Microsoft Store. @@ -183,7 +183,7 @@ For more information on the security features you can configure, manage, and enf To save system resources, Microsoft Edge uses sleeping tabs. Users can configure these settings, and more, in `edge://settings/system`. - Using Group Policy or an MDM provider, such as Endpoint Manager, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge). + Using Group Policy or an MDM provider, such as Intune, you can configure some Microsoft Edge settings. For more information, see [Microsoft Edge - Policies](/deployedge/microsoft-edge-policies) and [Configure Microsoft Edge policy settings](/mem/intune/configuration/administrative-templates-configure-edge). ## Deployment and servicing @@ -197,15 +197,15 @@ For more information on the security features you can configure, manage, and enf If you have a global or remote workforce, then Autopilot might be the right option to install the OS, and get it ready for use. For more information, see [Overview of Windows Autopilot](/mem/autopilot/windows-autopilot). -- **Microsoft Endpoint Manager** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more. +- **Microsoft Intune** is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more. - If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Endpoint Manager, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects. + If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Intune, there are [administrative templates](/mem/intune/configuration/administrative-templates-windows) and the [settings catalog](/mem/intune/configuration/settings-catalog) that include many of the same policies. [Group Policy analytics](/mem/intune/configuration/group-policy-analytics) analyze your on-premises group policy objects. - **Windows Updates and Delivery optimization** helps manage updates, and manage features on your devices. Starting with Windows 11, the OS feature updates are installed annually. For more information on servicing channels, and what they are, see [Servicing channels](/windows/deployment/update/waas-overview#servicing-channels). Like Windows 10, Windows 11 will receive monthly quality updates. - You have options to install updates on your Windows devices, including Endpoint Manager, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates). + You have options to install updates on your Windows devices, including Intune, Group Policy, Windows Server Update Services (WSUS), and more. For more information, see [Assign devices to servicing channels](/windows/deployment/update/waas-servicing-channels-windows-10-updates). Some updates are large, and use bandwidth. Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 8184fe2b9e..7262d639de 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -71,7 +71,7 @@ The recommended method to determine if your infrastructure, deployment processes As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows: - Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet. -- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center. +- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview). For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664). @@ -104,7 +104,7 @@ If you run into compatibility issues or want to ensure that your organization's **App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. -**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. +**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form. You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11. diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 7cf00b9522..1d156a6983 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -56,13 +56,13 @@ The tools that you use for core workloads during Windows 10 deployments can stil ## Cloud-based management -If you aren’t already taking advantage of cloud-based management capabilities, like those available in [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Endpoint Manager can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. +If you aren’t already taking advantage of cloud-based management capabilities, like those available in the [Microsoft Intune family of products](/mem/endpoint-manager-overview), it's worth considering. In addition to consolidating device management and endpoint security into a single platform, Microsoft Intune can better support the diverse bring-your-own-device (BYOD) ecosystem that is increasingly the norm with hybrid work scenarios. It can also enable you to track your progress against compliance and business objectives, while protecting user privacy. -The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them: +The following are some common use cases and the corresponding Microsoft Intune capabilities that support them: - **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11. - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps. -- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager. +- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Intune. If you're exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date. @@ -97,7 +97,7 @@ Regardless of the method you choose, you have the benefit of free Microsoft supp #### Analytics and assessment tools -If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. +If you use Microsoft Intune and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade. [Desktop Analytics](/mem/configmgr/desktop-analytics/overview) doesn't support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview). From 33a8f1e471743b8824ef5a72f20fbf6866588c69 Mon Sep 17 00:00:00 2001 From: MandiOhlinger Date: Thu, 3 Nov 2022 11:29:17 -0400 Subject: [PATCH 10/19] Endpoint manager rebrand --- windows/security/cloud.md | 4 +- .../credential-guard-manage.md | 36 +-- .../hello-aad-join-cloud-only-deploy.md | 8 +- .../hello-for-business/hello-faq.yml | 14 +- .../hello-feature-pin-reset.md | 32 +-- .../hello-hybrid-aadj-sso-base.md | 160 ++++++------ .../hello-hybrid-aadj-sso-cert.md | 234 +++++++++--------- .../hello-hybrid-cloud-kerberos-trust.md | 22 +- ...ccount-control-security-policy-settings.md | 18 +- ...r-device-encryption-overview-windows-10.md | 8 +- ...e-vpn-and-wip-policy-using-intune-azure.md | 8 +- .../create-wip-policy-using-intune-azure.md | 2 +- .../how-to-disable-wip.md | 2 +- .../overview-create-wip-policy-configmgr.md | 12 +- .../overview-create-wip-policy.md | 10 +- .../protect-enterprise-data-using-wip.md | 30 +-- 16 files changed, 302 insertions(+), 298 deletions(-) diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 213647487d..0c96ff69db 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -23,9 +23,9 @@ Windows 11 includes the cloud services that are listed in the following table:
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | +| Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | | Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| -| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | ## Next steps diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 9d8bb4a982..3ef2c7372f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -25,7 +25,7 @@ appliesto: ## Default Enablement -Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. +Starting in **Windows 11 Enterprise, version 22H2** and **Windows 11 Education, version 22H2**, compatible systems have Windows Defender Credential Guard turned on by default. This feature changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. ### Requirements for automatic enablement @@ -34,7 +34,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the |Component|Requirement| |---|---| |Operating System|**Windows 11 Enterprise, version 22H2** or **Windows 11 Education, version 22H2**| -|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| +|Existing Windows Defender Credential Guard Requirements|Only devices that meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| |Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2 and Windows 11 Education 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. > [!NOTE] @@ -55,7 +55,7 @@ The same set of procedures used to enable Windows Defender Credential Guard on p ### Enable Windows Defender Credential Guard by using Group Policy -You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. +You can use Group Policy to enable Windows Defender Credential Guard. When enabled, it will add and enable the virtualization-based security features for you if needed. 1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. @@ -73,32 +73,32 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will To enforce processing of the group policy, you can run `gpupdate /force`. -### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager +### Enable Windows Defender Credential Guard by using Microsoft Intune -1. From **Microsoft Endpoint Manager admin center**, select **Devices**. +1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices**. 1. Select **Configuration Profiles**. 1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**. - 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings. + 1. Configuration settings: In the settings picker, select **Device Guard** as category and add the needed settings. > [!NOTE] > Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry -If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. +If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features that have to be enabled first on some operating systems. #### Add the virtualization-based security features -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. +Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security isn't necessary and this step can be skipped. -If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. -You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +If you're using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. +To enable, use the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. @@ -201,9 +201,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard won't help to secure a device or identity that has already been compromised. So, we recommend turning on Credential Guard as early as possible. -- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: +- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. You can use security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. @@ -213,13 +213,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. - - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. + - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel isn't running; continuing without Windows Defender Credential Guard. - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] -- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. +- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you're running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: @@ -238,9 +238,9 @@ DG_Readiness_Tool_v3.6.ps1 -Ready ## Disable Windows Defender Credential Guard -Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and did not have it enabled prior to the update, it is sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). +Windows Defender Credential Guard can be disabled via several methods explained below, depending on how the feature was enabled. For devices that had Windows Defender Credential Guard automatically enabled in the 22H2 update and didn't have it enabled prior to the update, it's sufficient to [disable via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). -If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. Note that the default enablement change in eligible 22H2 devices does **not** use a UEFI Lock. +If Windows Defender Credential Guard was enabled with UEFI Lock, the procedure described in [Disabling Windows Defender Credential Guard with UEFI Lock](#disabling-windows-defender-credential-guard-with-uefi-lock) must be followed. The default enablement change in eligible 22H2 devices does **not** use a UEFI Lock. If Windows Defender Credential Guard was enabled via Group Policy without UEFI Lock, Windows Defender Credential Guard should be [disabled via Group Policy](#disabling-windows-defender-credential-guard-using-group-policy). @@ -262,7 +262,7 @@ If Windows Defender Credential Guard was enabled via Group Policy and without UE ### Disabling Windows Defender Credential Guard using Registry Keys -If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it is sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. +If Windows Defender Credential Guard was enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Windows Defender Credential Guard. 1. Change the following registry settings to 0: diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index b488757dd8..738c5d164a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -27,7 +27,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom ## Prerequisites -Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. +Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you'll be guided through the MFA registration as part of the Windows Hello for Business enrollment process. The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). @@ -37,7 +37,7 @@ Check and view this setting with the following MSOnline PowerShell command: `Get-MsolDomainFederationSettings –DomainName ` -To disable this setting, run the following command. Note that this change impacts ALL Azure AD MFA scenarios for this federated domain. +To disable this setting, run the following command. This change impacts ALL Azure AD MFA scenarios for this federated domain. `Set-MsolDomainFederationSettings -DomainName -SupportsMfa $false` @@ -55,11 +55,11 @@ We recommend that you disable or manage Windows Hello for Business provisioning The following method explains how to disable Windows Hello for Business enrollment without Intune. -1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. +1. Sign into the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 3. If you don't want to enable Windows Hello for Business during device enrollment, select **Disabled** for **Configure Windows Hello for Business**. - When disabled, users cannot provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. + When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business. > [!NOTE] > This policy is only applied during new device enrollments. For currently enrolled devices, you can [set the same settings in a device configuration policy](hello-manage-in-organization.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 88115dc1cb..91cd2ed308 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -47,11 +47,11 @@ sections: Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. - - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager? + - question: Can I deploy Windows Hello for Business by using Microsoft Configuration Manager? answer: | Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings). - - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Manager Intune? + - question: Can I deploy Windows Hello for Business by using Microsoft Intune? answer: | Windows Hello for Business deployments using Intune allow for a great deal of flexibility in deployment. For more information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). @@ -155,11 +155,11 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | - Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (e.g., face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. + Windows Hello biometrics data is stored on the device as an encrypted template database. The data from the biometrics sensor (like face camera or fingerprint reader) creates a data representation—or graph—that is then encrypted before it’s stored on the device. Each biometrics sensor on the device which is used by Windows Hello (face or fingerprint) will have its own biometric database file where template data is stored. Each biometrics database file is encrypted with unique, randomly generated key that is encrypted to the system using AES encryption producing an SHA256 hash. - question: Who has access on Windows Hello biometrics data? answer: | @@ -167,11 +167,11 @@ sections: - question: When is Windows Hello biometrics database file created? How is a user enrolled into Windows Hello face or fingerprint authentication? answer: | - Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method (e.g. pin). Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just click on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. + Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a pin. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start** > **Settings** > **Accounts** > **Sign-in** options. Or just select on **Go to Sign-in options**. To enroll into Windows Hello, user can go to **Start** > **Settings** > **Accounts** > **Sign-in** options, select the Windows Hello method that they want to set up, and then select **Set up**. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can by policy request users to enroll into Windows Hello during autopilot or during initial setup of the device. Admins can disallow users to enroll into biometrics via Windows hello for business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start** > **Settings** > **Accounts** > **Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will unenroll the user from Windows Hello biometrics auth and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - question: What about any diagnostic data coming out when WHFB is enabled? answer: | @@ -187,7 +187,7 @@ sections: - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication? answer: | - Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint. + Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this article further. Remove a mask if you're wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, consider unenrolling from face authentication and only using PIN or fingerprint. - question: What's the difference between Windows Hello and Windows Hello for Business? answer: | diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index af6c28cb74..d44b2c01e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -35,7 +35,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc - Reset from settings - Windows 10, version 1703 or later, Windows 11 - Reset above Lock - Windows 10, version 1709 or later, Windows 11 -Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users do not have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. +Destructive and non-destructive PIN reset use the same steps for initiating a PIN reset. If users have forgotten their PINs, but have an alternate sign-in method, they can navigate to Sign-in options in *Settings* and initiate a PIN reset from the PIN options. If users don't have an alternate way to sign into their devices, PIN reset can also be initiated from the Windows lock screen in the PIN credential provider. >[!IMPORTANT] @@ -52,16 +52,16 @@ Destructive and non-destructive PIN reset use the same steps for initiating a PI For Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. 1. Select **I forgot my PIN** from the PIN credential provider. -1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (e.g., Password, PIN, Security key). +1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (like Password, PIN, Security key). 1. Follow the instructions provided by the provisioning process. 1. When finished, unlock your desktop using your newly created PIN. For Hybrid Azure AD-joined devices: -1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon. +1. If the PIN credential provider isn't selected, expand the **Sign-in options** link, and select the PIN pad icon. 1. Select **I forgot my PIN** from the PIN credential provider. 1. Enter your password and press enter. 1. Follow the instructions provided by the provisioning process. @@ -70,19 +70,19 @@ For Hybrid Azure AD-joined devices: > [!NOTE] > Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work. -You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +You may find that PIN reset from settings only works post login. Also, the "lock screen" PIN reset function won't work if you have any matching limitation of self-service password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations). ## Non-Destructive PIN reset **Requirements:** - Azure Active Directory -- Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. +- Windows 10, version 1709 to 1809, Enterprise Edition. There's no licensing requirement for this feature since version 1903. - Hybrid Windows Hello for Business deployment - Azure AD registered, Azure AD joined, and Hybrid Azure AD joined -When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. +When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory. Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment. @@ -95,10 +95,10 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |Category|Destructive PIN Reset|Non-Destructive PIN Reset| |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| -|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| +|**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There isn't any licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| |**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| |**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| -|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| +|**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it's only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| @@ -117,13 +117,13 @@ Before you can remotely reset PINs, you must register two applications in your A #### Connect Azure Active Directory with the PIN Reset Service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. -1. After you have logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. +1. After you've logged in, select **Accept** to give consent to the **PIN Reset Service** to access your organization. ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png) #### Connect Azure Active Directory with the PIN Reset Client 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using a Global Administrator account you use to manage your Azure Active Directory tenant. -1. After you have logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. +1. After you've logged in, select **Accept** to give consent for the **PIN Reset Client** to access your organization. ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png) #### Confirm that the two PIN Reset service principals are registered in your tenant @@ -141,7 +141,7 @@ Before you can remotely reset PINs, your devices must be configured to enable PI You can configure Windows devices to use the **Microsoft PIN Reset Service** using Microsoft Intune. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Configuration profiles** > **Create profile**. 1. Enter the following properties: - **Platform**: Select **Windows 10 and later**. @@ -163,7 +163,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi >[!NOTE] > You can also configure PIN recovery from the **Endpoint security** blade: -> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +> 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). > 1. Select **Endpoint security** > **Account protection** > **Create Policy**. #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) @@ -236,11 +236,11 @@ The _PIN reset_ configuration can be viewed by running [**dsregcmd /status**](/a - Azure AD joined devices -The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. +The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that can be reached during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, then this policy should be set. When set, it ensures that authentication pages from that identity provider can be used during Azure AD joined PIN reset. ### Configure Web Sign-in Allowed URLs using Microsoft Intune -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) 1. Select **Devices** > **Configuration profiles** > **Create profile** 1. Enter the following properties: - **Platform**: Select **Windows 10 and later** @@ -266,7 +266,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au > [!NOTE] > For Azure Government, there is a known issue with PIN reset on Azure AD Joined devices failing. When the user attempts to launch PIN reset, the PIN reset UI shows an error page that says, "We can't open that page right now." The ConfigureWebSignInAllowedUrls policy can be used to work around this issue. If you are experiencing this problem and you are using Azure US Government cloud, set **login.microsoftonline.us** as the value for the ConfigureWebSignInAllowedUrls policy. -## Related topics +## Related articles - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index a4c55e0fdd..37f7b13e82 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -21,23 +21,23 @@ appliesto: # Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business ## Prerequisites -Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. +Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices don't have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices. - Azure Active Directory Connect synchronization - Device Registration - Certificate Revocation List (CRL) Distribution Point (CDP) - 2016 Domain Controllers - Domain Controller certificate -- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution. +- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, you can use any VPN solution. ### Azure Active Directory Connect synchronization -Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). +Azure AD join, and hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you're using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect). If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. ![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png) ### Azure Active Directory Device Registration -A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). +A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user can't provision Windows Hello for Business unless the device from which they're trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. ![dsregcmd output.](images/aadj/dsregcmd.png) @@ -48,24 +48,24 @@ Certificates issued by a certificate authority can be revoked. When a certifica ![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png) -The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated. +The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. The value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices can't read data from Active Directory, and certificate validation doesn't provide an opportunity to authenticate prior to reading the certificate revocation list. The authentication becomes a circular problem. The user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user can't read Active Directory because they haven't authenticated. -To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). +To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that doesn't require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS). -If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. +If your CRL distribution point doesn't list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. > [!NOTE] > If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. ### Windows Server 2016 Domain Controllers -If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +If you're interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We're glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. -If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement. +If you're interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you're the right place. The same certificate configuration on the domain controllers is needed, whether you're using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can ignore the Windows Server 2016 domain controller requirement. ### Domain Controller Certificates -Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory +Certificate authorities write CRL distribution points in certificates as they're issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory #### Why does Windows need to validate the domain controller certificate? @@ -79,7 +79,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w - The domain controller's certificate's signature hash algorithm is **sha256**. - The domain controller's certificate's public key is **RSA (2048 Bits)**. -Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) +Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business doesn't enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you're adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) > [!Tip] > If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. @@ -88,7 +88,7 @@ Authenticating from a Hybrid Azure AD joined device to a domain using Windows He Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. -Steps you will perform include: +Steps you'll perform include: - [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) - [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list) @@ -99,40 +99,40 @@ Steps you will perform include: ### Configure Internet Information Services to host CRL distribution point -You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point. +You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps are just one and may be useful for admins unfamiliar with adding a new CRL distribution point. > [!IMPORTANT] > Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http. #### Installing the Web Server -1. Sign-in to your server as a local administrator and start **Server Manager** if it did not start during your sign in. -2. Click the **Local Server** node in the navigation pane. Click **Manage** and click **Add Roles and Features**. -3. In the **Add Role and Features Wizard**, click **Server Selection**. Verify the selected server is the local server. Click **Server Roles**. Select the check box next to **Web Server (IIS)**. -4. Click **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role. +1. Sign-in to your server as a local administrator and start **Server Manager** if it didn't start during your sign in. +2. Select the **Local Server** node in the navigation pane. Select **Manage** and select **Add Roles and Features**. +3. In the **Add Role and Features Wizard**, select **Server Selection**. Verify the selected server is the local server. Select **Server Roles**. Select the check box next to **Web Server (IIS)**. +4. Select **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role. #### Configure the Web Server 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. -2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**. -3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**. +2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and select **Add Virtual Directory...**. +3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you'll host the certificate revocation list. For this example, the path **c:\cdp** is used. Select **OK**. ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) > [!NOTE] > Make note of this path as you will use it later to configure share and file permissions. -4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane. +4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Select **Enable** in the details pane. 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png) - In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane. + In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Select **Apply** in the actions pane. ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png) 7. Close **Internet Information Services (IIS) Manager**. #### Create a DNS resource record for the CRL distribution point URL 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**. -2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**. -3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**. +2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and select **New Host (A or AAAA)...**. +3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Select **Add Host**. Select **OK** to close the **DNS** dialog box. Select **Done**. ![Create DNS host record.](images/aadj/dns-new-host-dialog.png) 4. Close the **DNS Manager**. @@ -143,37 +143,37 @@ These procedures configure NTFS and share permissions on the web server to allow #### Configure the CDP file share 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. +2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**. +3. Select **Share this folder**. Type **cdp$** in **Share name**. Select **Permissions**. ![cdp sharing.](images/aadj/cdp-sharing.png) -4. In the **Permissions for cdp$** dialog box, click **Add**. -5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. -7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**. -8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. +4. In the **Permissions for cdp$** dialog box, select **Add**. +5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**, and then select **OK**. +7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then select **Check Names**. Select **OK**. +8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**. ![CDP Share Permissions.](images/aadj/cdp-share-permissions.png) -9. In the **Advanced Sharing** dialog box, click **OK**. +9. In the **Advanced Sharing** dialog box, select **OK**. > [!Tip] > Make sure that users can access **\\\Server FQDN\sharename**. #### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Click **Caching**. Select **No files or programs from the shared folder are available offline**. +2. Right-click the **cdp** folder and select **Properties**. Select the **Sharing** tab. Select **Advanced Sharing**. +3. Select **Caching**. Select **No files or programs from the shared folder are available offline**. ![CDP disable caching.](images/aadj/cdp-disable-caching.png) -4. Click **OK**. +4. Select **OK**. #### Configure NTFS permission for the CDP folder 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). -2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab. -3. On the **Security** tab, click Edit. -5. In the **Permissions for cdp** dialog box, click **Add**. +2. Right-click the **cdp** folder and select **Properties**. Select the **Security** tab. +3. On the **Security** tab, select Edit. +5. In the **Permissions for cdp** dialog box, select **Add**. ![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png) -6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**. -7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**. -8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**. -9. Click **Close** in the **cdp Properties** dialog box. +6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, select **Object Types**. In the **Object Types** dialog box, select **Computers**. Select **OK**. +7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then select **Check Names**. Select **OK**. +8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Select **OK**. +9. Select **Close** in the **cdp Properties** dialog box. ### Configure the new CRL distribution point and Publishing location in the issuing certificate authority @@ -183,17 +183,17 @@ The web server is ready to host the CRL distribution point. Now, configure the #### Configure the CRL distribution Point 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click the name of the certificate authority and click **Properties** -3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (do not forget the trailing forward slash). +2. In the navigation pane, right-click the name of the certificate authority and select **Properties** +3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. +4. On the **Extensions** tab, select **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, `` or `` (don't forget the trailing forward slash). ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png) -5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. -6. Type **.crl** at the end of the text in **Location**. Click **OK**. +5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. +6. Type **.crl** at the end of the text in **Location**. Select **OK**. 7. Select the CDP you just created. ![CDP complete http.](images/aadj/cdp-extension-complete-http.png) 8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. 9. Select **Include in the CDP extension of issued certificates**. -10. Click **Apply** save your selections. Click **No** when ask to restart the service. +10. Select **Apply** save your selections. Select **No** when ask to restart the service. > [!NOTE] > Optionally, you can remove unused CRL distribution points and publishing locations. @@ -201,43 +201,43 @@ The web server is ready to host the CRL distribution point. Now, configure the #### Configure the CRL publishing location 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click the name of the certificate authority and click **Properties** -3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). -5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. -6. Type **.crl** at the end of the text in **Location**. Click **OK**. +2. In the navigation pane, right-click the name of the certificate authority and select **Properties** +3. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. +4. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash). +5. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. Select **\** from the **Variable** list and select **Insert**. +6. Type **.crl** at the end of the text in **Location**. Select **OK**. 7. Select the CDP you just created.
![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. -10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. +10. Select **Apply** save your selections. Select **Yes** when ask to restart the service. Select **OK** to close the properties dialog box. ### Publish a new CRL 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. -2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish** +2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish** ![Publish a New CRL.](images/aadj/publish-new-crl.png) -3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**. +3. In the **Publish CRL** dialog box, select **New CRL** and select **OK**. #### Validate CDP Publishing Validate your new CRL distribution point is working. -1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. +1. Open a web browser. Navigate to `http://crl.[yourdomain].com/cdp`. You should see two files created from publishing your new CRL. ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates -With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate does not have the updated CRL distribution point. +With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate doesn't have the updated CRL distribution point. 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. -3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. +3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. ![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png) -4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**. +4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, select **Next**. ![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) -5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**. -6. After the enrollment completes, click **Finish** to close the wizard. +5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Select **Enroll**. +6. After the enrollment completes, select **Finish** to close the wizard. 7. Repeat this procedure on all your domain controllers. > [!NOTE] @@ -250,16 +250,16 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. -3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. -5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
+3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. +4. Select the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**. +5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Select **OK**.
![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png) ## Configure and Assign a Trusted Certificate Device Configuration Profile -Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices do not trust domain controller certificates and authentication fails. +Your domain controllers have new certificates that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. When you deploy the enterprise root certificates to the device, it ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices don't trust domain controller certificates and authentication fails. -Steps you will perform include: +Steps you'll perform include: - [Export Enterprise Root certificate](#export-enterprise-root-certificate) - [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile) @@ -267,30 +267,30 @@ Steps you will perform include: 1. Sign-in a domain controller using administrative credentials. 2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. -3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. -4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**. +3. In the navigation pane, expand **Personal**. Select **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. +4. Select the **Certification Path** tab. In the **Certification path** view, select the topmost node and select **View Certificate**. ![Certificate Path.](images/aadj/certlm-cert-path-tab.png) -5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**. +5. In the new **Certificate** dialog box, select the **Details** tab. Select **Copy to File**. ![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png) -6. In the **Certificate Export Wizard**, click **Next**. -7. On the **Export File Format** page of the wizard, click **Next**. -8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
+6. In the **Certificate Export Wizard**, select **Next**. +7. On the **Export File Format** page of the wizard, select **Next**. +8. On the **File to Export** page in the wizard, type the name and location of the root certificate and select **Next**. Select **Finish** and then select **OK** to close the success dialog box.
![Export root certificate.](images/aadj/certlm-export-root-certificate.png) -9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. +9. Select **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**. ### Create and Assign a Trust Certificate Device Configuration Profile A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices. -1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. -2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. +1. Sign-in to the [Microsoft Azure portal](https://portal.azure.com) and select **Microsoft Intune**. +2. Select **Device configuration**. In the **Device Configuration** blade, select **Create profile**. ![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png) -3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. -4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. +3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Select **Configure**. +4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Select **OK**. Select **Create**. ![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png) -5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, select **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Select **Save**. ![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png) -6. Sign out of the Microsoft Azure Portal. +6. Sign out of the Microsoft Azure portal. > [!NOTE] > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same. @@ -298,14 +298,14 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices**. 3. Choose **Enroll devices**. 4. Select **Windows enrollment**. 5. Under **Windows enrollment**, select **Windows Hello for Business**. ![Create Windows Hello for Business Policy.](images/aadj/MEM.png) 6. Select **Enabled** from the **Configure Windows Hello for Business** list. -7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and doesn't allow fall back to software-based keys. 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2d0fd8eb2a..e174d9b3b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -25,7 +25,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes > [!IMPORTANT] > Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. -Steps you will perform include: +Steps you'll perform include: - [Prepare Azure AD Connect](#prepare-azure-ad-connect) - [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account) @@ -46,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD- The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. -The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). +The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers, and use Microsoft Intune to load balance then (in round-robin fashion). The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options: @@ -74,9 +74,9 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad 1. Open **Synchronization Services** from the **Azure AD Connect** folder. -2. In the **Synchronization Service Manager**, click **Help** and then click **About**. +2. In the **Synchronization Service Manager**, select **Help** and then select **About**. -3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version. +3. If the version number isn't **1.1.819** or later, then upgrade Azure AD Connect to the latest version. ### Verify the onPremisesDistinguishedName attribute is synchronized @@ -89,7 +89,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted. -3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. +3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent. 4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. @@ -106,7 +106,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName ``` -5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**. +5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**. #### Response