deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #7249 from tiaraquan/ap-updates-10-12-22

Browse Source 
New Tenant management blade + service accounts replaced
This commit is contained in:
Tiara Quan 2022-10-12 12:31:15 -07:00 committed by GitHub
commit c98dca6651
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
View File

@ -31,3 +31,18 @@ After you've completed enrollment in Windows Autopatch, some management settings
## Windows Autopatch configurations
Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
## Windows Autopatch tenant actions
The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**.
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.
The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed.
### Tenant action severity types
| Severity | Description |
| ----- | ----- |
| Critical | You must take action as soon as possible. If no action is taken, the Windows Autopatch service may be affected. |

4
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
View File

@ -1,5 +1,5 @@
---
title: Windows quality update communications
title: Windows quality and feature update communications
description: This article explains Windows quality update communications
ms.date: 05/30/2022
ms.prod: w11
@ -14,7 +14,7 @@ msreviewer: hathind
# Windows quality update communications
There are three categories of communication that are sent out during a Windows quality update:
There are three categories of communication that are sent out during a Windows quality and feature update:
- [Standard communications](#standard-communications)
- [Communications during release](#communications-during-release)

2
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -52,7 +52,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| Enterprise application name | Usage | Permissions |
| ----- | ------ | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
> [!NOTE]
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.

23
windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
View File

@ -52,7 +52,7 @@ Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
@ -60,13 +60,24 @@ For more information about the diagnostic data collection of Microsoft Windows 1
## Tenant access
Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
| Enterprise application name | Usage | Permissions |
| ----- | ----- | ----- |
| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
### Service accounts
> [!IMPORTANT]
> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal.
Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
| Account name | Usage | Mitigating controls |
| ----- | ----- | -----|
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive login permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
| MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
## Microsoft Windows Update for Business
@ -90,7 +101,7 @@ Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatc
Windows Autopatch follows a change control process as outlined in our service communication framework.
We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service.
We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service.
Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.