diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000000..deb2888417 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,39 @@ + + + +## Why + + + +- Closes #[Issue Number] + +## Changes + + + + \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index d4333d8625..a64a7590e3 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -92,7 +92,7 @@ While Intune for Education offers simple options for Autopilot configurations, m An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. -:::image type="content" source="./images/win11-oobe-esp.png" alt-text="Windows OOBE - enrollment status page" border="false"::: +:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false"::: > [!NOTE] > Some Windows Autopilot deployment profiles **require** the ESP to be configured. diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md index acfb5e06ff..35f640ae75 100644 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ b/education/windows/tutorial-school-deployment/enroll-package.md @@ -57,10 +57,9 @@ For more information, see [Install Windows Configuration Designer][WIN-1], which ## Enroll devices with the provisioning package To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Azure AD and automatically enroll in Intune. +All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use. -:::image type="content" source="./images/win11-oobe-ppkg.png" alt-text="Windows 11 OOBE - enrollment with provisioning package." border="false"::: - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: +:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: ________________________________________________________ ## Next steps diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png index 5b6599de3e..ca344cf5cf 100644 Binary files a/education/windows/tutorial-school-deployment/images/intune-education-apps.png and b/education/windows/tutorial-school-deployment/images/intune-education-apps.png differ diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png index 5a3f95bc51..cfbd12f2da 100644 Binary files a/education/windows/tutorial-school-deployment/images/remote-actions.png and b/education/windows/tutorial-school-deployment/images/remote-actions.png differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif new file mode 100644 index 0000000000..fa2e4c3aeb Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png deleted file mode 100644 index 73efb59230..0000000000 Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.png and /dev/null differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif new file mode 100644 index 0000000000..2defd5c1ce Binary files /dev/null and b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif differ diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png deleted file mode 100644 index 7de484934b..0000000000 Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.png and /dev/null differ diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-azure-ad.md index c134a1a846..efe5fa2545 100644 --- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md +++ b/education/windows/tutorial-school-deployment/set-up-azure-ad.md @@ -133,7 +133,7 @@ To configure your school's branding: :::image type="content" source="images/entra-branding.png" alt-text="Configure Azure AD branding from Microsoft Entra admin center." lightbox="images/entra-branding.png"::: 1. To adjust the school tenant's name displayed during OOBE, select **Azure Active Directory** > **Overview** > **Properties** 1. In the **Name** field, enter the school district or organization's name > **Save** - :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png"::: + :::image type="content" alt-text="Configure Azure AD tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png"::: For more information, see [Add branding to your directory][AAD-5]. diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md index ebd9cc6e9a..a75509b502 100644 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md @@ -78,7 +78,7 @@ To disable Windows Hello for Business at the tenant level: 1. Ensure that **Configure Windows Hello for Business** is set to **disabled** 1. Select **Save** -:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center" border="true"::: +:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="./images/whfb-disable.png"::: For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 32691a8669..b740384ed0 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -38,6 +38,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run | Application | Supported version | App Type | Vendor | | --- | --- | --- | --- | |AirSecure |8.0.0 |Win32 |AIR| +|Alertus Desktop |5.4.44.0 |Win32 | Alertus technologies| |Brave Browser |1.34.80|Win32 |Brave| |Bulb Digital Portfolio |0.0.7.0|Store|Bulb| |Cisco Umbrella |3.0.110.0 |Win32 |Cisco| @@ -56,27 +57,30 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |Google Chrome |102.0.5005.115|Win32 |Google| |Illuminate Lockdown Browser |2.0.5 |Win32 |Illuminate Education| |Immunet |7.5.0.20795 |Win32 |Immunet| +|Impero Backdrop Client |4.4.86 |Win32 |Impero Software| |JAWS for Windows |2022.2112.24 |Win32 |Freedom Scientific| |Kite Student Portal |8.0.3.0 |Win32 |Dynamic Learning Maps| |Kortext |2.3.433.0 |Store |Kortext| |Kurzweil 3000 Assistive Learning |20.13.0000 |Win32 |Kurzweil Educational Systems| |LanSchool |9.1.0.46 |Win32 |Stoneware| |Lightspeed Smart Agent |2.6.2 |Win32 |Lightspeed Systems| +|MetaMoJi ClassRoom |3.12.4.0 |Store |MetaMoJi Corporation| |Microsoft Connect |10.0.22000.1 |Store |Microsoft| |Mozilla Firefox |99.0.1 |Win32 |Mozilla| |NAPLAN |2.5.0 |Win32 |NAP| +|Netref Student |22.2.0 |Win32 |NetRef| |NetSupport Manager |12.01.0011 |Win32 |NetSupport| |NetSupport Notify |5.10.1.215 |Win32 |NetSupport| |NetSupport School |14.00.0011 |Win32 |NetSupport| |NextUp Talker |1.0.49 |Win32 |NextUp Technologies| |NonVisual Desktop Access |2021.3.1 |Win32 |NV Access| -|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA| +|NWEA Secure Testing Browser |5.4.356.0 |Win32 |NWEA| |Pearson TestNav |1.10.2.0 |Store |Pearson| |Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc| |ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.| |Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft| |Remote Help |3.8.0.12 |Win32 |Microsoft| -|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus| +|Respondus Lockdown Browser |2.0.9.00 |Win32 |Respondus| |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| |Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 7c8c46580d..a78fb7d156 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -18,8 +18,8 @@ ms.topic: article - Windows 11 - Windows Server 2022 - ## Summary + By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. ## Introduction @@ -60,7 +60,6 @@ It's more difficult for users to make unauthorized copies of company data if use You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion. - ## Scenario Overview The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. @@ -90,7 +89,6 @@ This scenario, although similar to scenario #2, brings another layer of complexi In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. - ## Technology Review The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios. @@ -126,14 +124,14 @@ Hardware IDs are the identifiers that provide the exact match between a device a Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. -When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library. +When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device). > [!NOTE] > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging. Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. -When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. +When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings). #### Device setup classes @@ -143,7 +141,7 @@ When you use device Classes to allow or prevent users from installing drivers, y For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions. -For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs. +For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes). This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. @@ -154,14 +152,13 @@ The following two links provide the complete list of Device Setup Classes. ‘Sy #### ‘Removable Device’ Device type -Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. - +Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. ### Group Policy Settings for Device Installation Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. -Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference. +Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor). The following passages are brief descriptions of the Device Installation policies that are used in this guide. @@ -210,12 +207,9 @@ This policy setting will change the evaluation order in which Allow and Prevent > If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. - + ![Device Installation policies flow chart.](images/device-installation-flowchart.png)
_Device Installation policies flow chart_ - - - ## Requirements for completing the scenarios ### General @@ -259,7 +253,7 @@ To find device identification strings using Device Manager 3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. 4. Find the “Printers” section and find the target printer - + ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. @@ -273,7 +267,7 @@ To find device identification strings using Device Manager ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)
_HWID and Compatible ID_ > [!TIP] - > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. + > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil). ### Getting device identifiers using PnPUtil @@ -316,7 +310,7 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. 3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters @@ -333,7 +327,7 @@ Getting the right device identifier to prevent it from being installed: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ @@ -347,7 +341,7 @@ Creating the policy to prevent all printers from being installed: 1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. -2. Navigate to the Device Installation Restriction page: +2. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions @@ -625,12 +619,12 @@ These devices are internal devices on the machine that define the USB port conne > [!IMPORTANT] > Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: -> -> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ +> +> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\USB20_HUB (for Generic USB Hubs)/ -> -> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. +> +> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 97ff6341d2..1334adc13d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -754,7 +754,7 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. @@ -843,7 +843,7 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
InternetExplorer/EnableExtendedIEModeHotkeys
+
+ InternetExplorer/EnableGlobalWindowListInIEMode +
+
+ InternetExplorer/HideInternetExplorer11RetirementNotification +
InternetExplorer/IncludeAllLocalSites
@@ -612,6 +618,9 @@ manager: aaroncz
InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
+
+ InternetExplorer/ResetZoomForDialogInIEMode +
InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
@@ -4423,6 +4432,115 @@ ADMX Info: +
+ + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
**InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
+ +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 3e4b126512..933279aeb0 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -160,12 +160,12 @@ Here is a list of CSPs supported on Windows 10 Enterprise: - [Maps CSP](/windows/client-management/mdm/maps-csp) - [NAP CSP](/windows/client-management/mdm/filesystem-csp) - [NAPDEF CSP](/windows/client-management/mdm/napdef-csp) -- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265) +- [NodeCache CSP](https://go.microsoft.com/fwlink/p/?LinkId=723265) - [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) - [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) -- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418) +- [PolicyManager CSP](https://go.microsoft.com/fwlink/p/?LinkId=723418) - [Provisioning CSP](/windows/client-management/mdm/provisioning-csp) -- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372) +- [Proxy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723372) - [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp) - [Registry CSP](/windows/client-management/mdm/registry-csp) - [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp) diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index 871ce3464e..e1fccf14ec 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md @@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil - [Product questions (using Microsoft Q&A)](/answers/products/) - [Support requests](#open-a-microsoft-support-case) for Update Compliance -To share feedback on the fundamental docs.microsoft.com platform, see [Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. +To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. ## Troubleshooting tips diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 1d55fce3d7..ede51bee83 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides and overview on how to register devices in Autopatch -ms.date: 07/28/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
  1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
| -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
      1. **If yes**, it means this device is enrolled into Intune.
      2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
| +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
      1. **If yes**, it means this device is enrolled into Intune.
      2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
  2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
| | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
  1. **Modern Workplace Devices-Windows Autopatch-First**
    1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. **Modern Workplace Devices-Windows Autopatch-Fast**
  3. **Modern Workplace Devices-Windows Autopatch-Broad**
| | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
  1. **Modern Workplace Devices - All**
    1. This group has all devices managed by Windows Autopatch.
  2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
    1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
  3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
    1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
  4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
    1. This group has all virtual devices managed by Windows Autopatch.
    | | **Step 8: Post-device registration** | In post-device registration, three actions occur:
    1. Windows Autopatch adds devices to its managed database.
    2. Flags devices as **Active** in the **Ready** tab.
    3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
      1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
      | -| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.
      1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
      2. If **not**, the device shows up in the **Not ready** tab.
      | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
      1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
      2. If **not**, the device shows up in the **Not registered** tab.
      | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fb3df8f46b..ddd32f7d97 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/08/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: + +- Direct membership +- Nesting other Azure AD dynamic/assigned groups +- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members) + +Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. @@ -78,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready and Not ready tabs +## About the Ready, Not ready and Not registered tabs -Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices. +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues. -| Tab | Purpose | -| ----- | ----- | -| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. | -| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. | +| Device blade tab | Purpose | Expected device readiness status | +| ----- | ----- | ----- | +| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. | Readiness failed and/or Inactive | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | + +## Device readiness statuses + +See all possible device readiness statuses in Windows Autopatch: + +| Readiness status | Description | Device blade tab | +| ----- | ----- | ----- | +| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | +| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready | +| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -119,16 +137,16 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. +> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..3169d13cff 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. +> [!WARNING] +> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. @@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
      Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
      Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

      This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

      Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

      The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

      | | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| @@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

      If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. + ## Automated deployment ring remediation functions Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 8b42365ad6..e5fa5a92ef 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -51,7 +51,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? @@ -76,12 +76,13 @@ sections: - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings. - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab4daa7fe2..4ca89f1b2d 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -29,10 +29,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

      Group Rule:


      Exclusions: | | Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

      Group Rule:


      Exclusions: | | Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index e518d55a86..a90c978811 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -45,17 +45,17 @@ productDirectory: # Card - title: Windows 11 required diagnostic data # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_extend.svg + imageSrc: /media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. url: required-windows-11-diagnostic-events-and-fields.md # Card - title: Windows 10 required diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_build.svg + imageSrc: /media/common/i_build.svg summary: See what changes Windows is making to align to the new data collection taxonomy url: required-windows-diagnostic-data-events-and-fields-2004.md # Card - title: Optional diagnostic data - imageSrc: https://docs.microsoft.com/media/common/i_get-started.svg + imageSrc: /media/common/i_get-started.svg summary: Get examples of the types of optional diagnostic data collected from Windows url: windows-diagnostic-data.md @@ -181,4 +181,4 @@ additionalContent: - text: Support for GDPR Accountability on Service Trust Portal url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted # footer (optional) - # footer: "footertext [linktext](/footerfile)" \ No newline at end of file + # footer: "footertext [linktext](/footerfile)" diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 3f1a94a7ad..59695ee06d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,8 +2,8 @@ title: Microsoft Defender SmartScreen overview description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. ms.prod: m365-security -author: mjcaparas -ms.author: macapara +author: dansimp +ms.author: dansimp ms.localizationpriority: high ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index e30b2c517a..b7d7521a48 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -3,13 +3,13 @@ title: Script rules in AppLocker (Windows) description: This article describes the file formats and available default rules for the script rule collection. ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index f99766832e..005c1ddcc2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -3,13 +3,13 @@ title: Understand AppLocker enforcement settings (Windows) description: This topic describes the AppLocker enforcement settings for rule collections. ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: -ms.author: macapara +ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mjcaparas +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance