deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-23 10:47:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update windows-autopatch-changes-to-tenant.md

Browse Source 
Moved the Windows Autopatch enterprise application section to the top, and moved the Service principal to be part of it (H3).
This commit is contained in:
Tiara Quan 2022-11-01 11:41:23 -07:00 committed by GitHub
parent 0139eada2f
commit bf368e4f1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 08/08/2022
ms.date: 11/02/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -19,7 +19,20 @@ The following configuration details are provided as information to help you unde
> [!IMPORTANT]
> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.
## Service principal
## Windows Autopatch enterprise applications
Enterprise applications are applications (software) that a business uses to do its work.
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
> [!NOTE]
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
### Service principal
Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is:
@ -42,19 +55,6 @@ Windows Autopatch will create Azure Active Directory groups that are required to
| Modern Workplace Roles - Service Reader | AllusersgrantedaccesstoModernWorkplaceServiceReaderRole |
| Windows Autopatch Device Registration | Group for automaticdeviceregistrationforWindowsAutopatch |
## Windows Autopatch enterprise applications
Enterprise applications are applications (software) that a business uses to do its work.
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
> [!NOTE]
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
## Device configuration policies
- Windows Autopatch - Set MDM to Win Over GPO