From e4e46f2a2d92129a15392a4a4056f78ad2c9ca3d Mon Sep 17 00:00:00 2001
From: illfated
Date: Sun, 8 Mar 2020 22:32:47 +0100
Subject: [PATCH 1/5] Update wufb-compliancedeadlines.md: pencil edits

**Description:**

Based on the newly merged PR #6165, it seems useful to make a couple of minor edits to improve readability slightly and to avoid unintended capitalization other than brand names and start of a sentence.

**Changes proposed:**

- Remove "For" where the lines already contain sentence starting caps and apply consistency to copying section headings to the link text.
- Whitespace adjustments:
  - "Trim Trailing Space" (remove blanks at end-of-line)
  - Remove 10 redundant blank lines
  - Add MD indent marker compatibility spacing in the Note blob
  - Add MD indent marker compatibility spacing to "Applies to:"

Use either the Rich diff view or the Hide whitespace changes feature.

**Ticket closure or reference:**

Ref. PR #6165
---
 .../update/wufb-compliancedeadlines.md | 62 ++++++++-----------
 1 file changed, 26 insertions(+), 36 deletions(-)

diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 41edd21e70..67b6e07ec0 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -6,30 +6,29 @@ ms.mktglfcycl: manage author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.reviewer: +ms.reviewer: manager: laurawi ms.topic: article --- -# Enforcing compliance deadlines for updates +# Enforcing compliance deadlines for updates ->Applies to: Windows 10 +> Applies to: Windows 10 -Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. +Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. The compliance options have changed for devices on Windows 10, version 1709 and above: - [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above) -- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) - +- [Prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) ## For Windows 10, version 1709 and above With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. 
In MDM, this policy is available as four separate settings: -- Update/ConfigureDeadlineForFeatureUpdates -- Update/ConfigureDeadlineForQualityUpdates -- Update/ConfigureDeadlineGracePeriod -- Update/ConfigureDeadlineNoAutoReboot +- Update/ConfigureDeadlineForFeatureUpdates +- Update/ConfigureDeadlineForQualityUpdates +- Update/ConfigureDeadlineGracePeriod +- Update/ConfigureDeadlineNoAutoReboot This policy starts the countdown for the update installation deadline from when the update is published, instead of starting with the "restart pending" state as the older policies did. 
@@ -37,23 +36,19 @@ The policy also includes a configurable grace period to allow, for example, user Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours. - - ### Policy setting overview |Policy|Description | |-|-| -| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | +| (Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. 
| - - -### Suggested configurations +### Suggested configurations |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | +|(Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | -When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above): +When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and above): - **While restart is pending, before the deadline occurs:** @@ -68,7 +63,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) - **If the restart is still pending after the deadline passes:** - + - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) 
@@ -80,22 +75,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window ## Prior to Windows 10, version 1709 - -Two compliance flows are available: +Two compliance flows are available: - [Deadline only](#deadline-only) - [Deadline with user engagement](#deadline-with-user-engagement) -### Deadline only +### Deadline only -This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. +This flow only enforces the deadline where the device will attempt to silently restart outside of active hours before the deadline is reached. Once the deadline is reached the user is prompted with either a confirmation button or a restart now option. #### End-user experience -Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. +Once the device is in the pending restart state, it will attempt to restart the device during non-active hours. This is known as the auto-restart period, and by default it does not require user interaction to restart the device. ->[!NOTE] ->Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). +> [!NOTE] +> Deadlines are enforced from pending restart state (for example, when the device has completed the installation and download from Windows Update). #### Policy overview 
@@ -104,9 +98,6 @@ Once the device is in the pending restart state, it will attempt to restart the |Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).| |Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.| - - - #### Suggested configuration |Policy|Location|3-day compliance|5-day compliance|7-day compliance| 
@@ -129,13 +120,13 @@ Notification users get for a feature update deadline: ![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) -### Deadline with user engagement +### Deadline with user engagement -This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. +This flow provides the end user with prompts to select a time to restart the device before the deadline is reached. If the device is unable to restart at the time specified by the user or the time selected is outside the deadline, the device will restart the next time it is active. #### End-user experience -Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. +Before the deadline the device will be in two states: auto-restart period and engaged-restart period. During the auto-restart period the device will silently try to restart outside of active hours. If the device can't find an idle moment to restart, then the device will go into engaged-restart. The end user, at this point, can select a time that they would like the device to try to restart. Both phases happen before the deadline; once that deadline has passed then the device will restart at the next available time. #### Policy overview 
@@ -144,15 +135,15 @@ Before the deadline the device will be in two states: auto-restart period and en |Specify engaged restart transition and notification schedule for updates|Governs how the user will be impacted by the pending restart. Transition days, first starts out in Auto-Restart where the device will find an idle moment to restart the device. After 2 days engaged restart will commence and the user will be able to choose a time| |Configure Auto-restart required notification for updates|Governs the notifications during the Auto-Restart period. During Active hours, the user will be notified that the device is trying to restart. They will have the option to confirm or dismiss the notification| -#### Suggested configuration +#### Suggested configuration |Policy| Location| 3-day compliance| 5-day compliance| 7-day compliance | |-|-|-|-|-| |Specify engaged restart transition and notification schedule for updates|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Engaged restart transition and notification schedule for updates|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 3|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 4|State: Enabled
**Transition** (Days): 2
**Snooze** (Days): 2
**Deadline** (Days): 5| -#### Controlling notification experience for engaged deadline +#### Controlling notification experience for engaged deadline -|Policy| Location |Suggested Configuration +|Policy| Location |Suggested Configuration |-|-|-| |Configure Auto-restart required notification for updates |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Auto-restart required notification for updates|State: Enabled
**Method**: 2- User| @@ -174,4 +165,3 @@ Notification users get for a feature update deadline: ![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) - From a214733faa111e1898c853da2cedd39856b6a745 Mon Sep 17 00:00:00 2001 From: alons8 <61512160+alons8@users.noreply.github.com> Date: Sun, 3 May 2020 17:09:22 +0300 Subject: [PATCH 2/5] Update configure-microsoft-threat-experts.md --- .../configure-microsoft-threat-experts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 9698e75980..b38735478f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md 
@@ -71,7 +71,8 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. >[!NOTE] ->Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +>- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +>- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. From 7d7f715b5df0f67ba03eb61651abe38827e0c29f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 May 2020 09:12:10 -0700 Subject: [PATCH 3/5] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index b38735478f..a399a88f76 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -70,7 +70,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. ->[!NOTE] +> [!NOTE] >- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. >- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. @@ -131,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving. ## Related topic - [Microsoft Threat Experts overview](microsoft-threat-experts.md) - From 8ae85e7b6d4d4ffb4caed8dd2221e9432eb762e9 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 May 2020 09:12:22 -0700 Subject: [PATCH 4/5] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index a399a88f76..e58b459840 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -71,7 +71,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. > [!NOTE] ->- Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. +> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. >- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. From 302336f55eeeb84fd8c95262d2190f35e1640256 Mon Sep 17 00:00:00 2001 
From: jcaparas Date: Mon, 4 May 2020 09:12:31 -0700 Subject: [PATCH 5/5] Update windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-microsoft-threat-experts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index e58b459840..1ae1fc060d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -72,7 +72,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w > [!NOTE] > - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. ->- You will need to have the “Manage security settings” permission in the Security Center portal to be able to submit a “Consult a threat expert” inquiry. +> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
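
Review bot: In PATCH 1/5, the first hunk (`@@ -6,30 +6,29 @@`) buries its one wording change, the link text `[For prior to Windows 10, version 1709]` becoming `[Prior to Windows 10, version 1709]`, among removed/added pairs that read identically apart from whitespace (`ms.reviewer:`, the `# Enforcing compliance deadlines for updates` heading, the four `Update/ConfigureDeadline...` items). Consider moving the whitespace cleanup into its own commit so the text changes can be reviewed without depending on a whitespace-hiding diff view.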
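
Review bot: In PATCH 1/5, hunk `@@ -144,15 +135,15 @@`, the header row of the "Controlling notification experience for engaged deadline" table is rewritten but still reads `|Policy| Location |Suggested Configuration`, with no closing `|` and a capitalized "Configuration", unlike the `#### Suggested configuration` heading touched in the same hunk. Since the commit sets out to remove unintended capitalization, change the row to `|Policy|Location|Suggested configuration|` while the line is already being modified.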
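
Review bot: In PATCH 2/5, hunk `@@ -71,7 +71,8 @@`, the added permission bullet uses typographic quotes around "Manage security settings" and "Consult a threat expert", and both bullets start with `>-` with no space after the quote marker; patches 3/5 to 5/5 exist only to correct this. Use straight quotes and `> - ` in this commit directly. The bullet also names the required permission without linking to where that permission is assigned, so a link to the relevant permissions topic would let readers act on it, and "You need the ... permission ... to submit" reads tighter than "You will need to have ... to be able to submit".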
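
Review bot: In PATCH 3/5, hunk `@@ -70,7 +70,7 @@`, only the `[!NOTE]` marker gets its space, so the two bullets below it still begin with `>-` and the note block stays inconsistently formatted until 4/5 and 5/5 fix one bullet each. The three commits share a subject that only names the file, carry nothing but a Co-authored-by trailer, and 5/5 also swaps the typographic quotes for straight quotes without saying so. Squash 3/5 to 5/5 into 2/5, or give each a subject that states the change, including the end-of-file blank line that the second hunk of 3/5 (`@@ -131,4 +131,3 @@`) removes.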