From fe02ec18bda268fc95d5bd8aef619085f31cf197 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 1 Aug 2022 13:27:14 -0700 Subject: [PATCH 01/45] HoloLens Insider policies --- ...es-in-policy-csp-supported-by-hololens2.md | 13 +- .../mdm/policy-csp-mixedreality.md | 125 +++++++++++++++++- 2 files changed, 136 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 61da8064e2..d1871f71e8 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 06/06/2022 +ms.date: 08/01/2022 --- # Policies in Policy CSP supported by HoloLens 2 
@@ -52,12 +52,16 @@ ms.date: 06/06/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 +- MixedReality/AllowCaptivePortalBeforeSignIn Insider - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) +- MixedReality/DisableNCSIPassivePolling Insider - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- MixedReality/SkipCalibrationDuringFirstExperience Insider +- MixedReality/SkipTrainingDuringFirstExperience Insider - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 
@@ -67,6 +71,7 @@ ms.date: 06/06/2022 - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Privacy/DisablePrivacyExperience](./policy-csp-privacy#privacy-disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) @@ -96,6 +101,11 @@ ms.date: 06/06/2022 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [Storage/AllowStorageSenseGlobal](.policy-csp-storage#storage-allowstoragesenseglobal) Insider +- [Storage/AllowStorageSenseTemporaryFilesCleanup](.policy-csp-storage#storage-allowstoragesensetemporaryfilescleanup) Insider +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](.policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) Insider +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](.policy-csp-storage#storage-configstoragesensedownloadscleanupthreshold) Insider +- [Storage/ConfigStorageSenseGlobalCadence](.policy-csp-storage#storage-configstoragesenseglobalcadence) Insider - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) 
@@ -140,6 +150,7 @@ Footnotes: - 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2) - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) +- Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index b0f1607d6b..1b9a4cf774 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -22,6 +22,9 @@ manager: dansimp
MixedReality/AADGroupMembershipCacheValidityInDays
+
+ MixedReality/AllowCaptivePortalBeforeSignIn +
MixedReality/AutoLogonUser
@@ -31,6 +34,9 @@ manager: dansimp
MixedReality/ConfigureMovingPlatform
+
+ MixedReality/DisableNCSIPassivePolling +
MixedReality/FallbackDiagnostics
@@ -40,6 +46,12 @@ manager: dansimp
MixedReality/MicrophoneDisabled
+
+ MixedReality/SkipCalibrationDuringFirstExperience +
+
+ MixedReality/SkipTrainingDuringFirstExperience +
MixedReality/VisitorAutoLogon
@@ -78,6 +90,33 @@ Steps to use this policy correctly:
+ +**MixedReality/AllowCaptivePortalBeforeSignIn** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. + +MixedReality/AllowCaptivePortalBeforeSignIn + +The OMA-URI of new policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn + +Bool value + + + + + **MixedReality/AutoLogonUser** 
@@ -204,7 +243,7 @@ The following list shows the supported values: -This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). +This policy controls the behavior of moving platform feature on HoloLens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use HoloLens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). @@ -222,6 +261,34 @@ Supported value is Integer.
+ +**MixedReality/DisableNCSIPassivePolling** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +Wi-Fi auto recovery is enabled on HoloLens 2 by default. In some cases you may want your devices to not automatically reconnect. This may be because you have a preferred network you want to keep your devices on, you find yourself reconnecting to an access point that doesn't have internet, or you want to keep those devices offline in specific areas. For those cases we've enabled a new policy that you can opt to use to keep your devices from automatically reconnecting back to your access points. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisableNCSIPassivePolling` + +- Bool value + + + + +
+ **MixedReality/FallbackDiagnostics** @@ -352,6 +419,62 @@ The following list shows the supported values:
+ +**MixedReality/SkipCalibrationDuringFirstExperience** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringFirstExperience` + +- Bool value + + + + +
+ + +**MixedReality/SkipTrainingDuringFirstExperience** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringFirstExperience` + +- Bool value + + + + +
+ **MixedReality/VolumeButtonDisabled** From 2a099c8434e4e2f2ea28cf23cf8d9a9a51bdc058 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 1 Aug 2022 13:34:54 -0700 Subject: [PATCH 02/45] checklist and table --- ...es-in-policy-csp-supported-by-hololens2.md | 20 ++++++------ .../mdm/policy-csp-mixedreality.md | 32 +++++++++++++++++++ 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index d1871f71e8..36eb8cf224 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md 
@@ -52,16 +52,16 @@ ms.date: 08/01/2022 - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- MixedReality/AllowCaptivePortalBeforeSignIn Insider +- [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) Insider - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) -- MixedReality/DisableNCSIPassivePolling Insider +- [MixedReality/DisableNCSIPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablencispassivepolling) Insider - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 -- MixedReality/SkipCalibrationDuringFirstExperience Insider -- MixedReality/SkipTrainingDuringFirstExperience Insider +- [MixedReality/SkipCalibrationDuringFirstExperience](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringfirstexperience) Insider +- [MixedReality/SkipTrainingDuringFirstExperience](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringfirstexperience) Insider - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - 
[MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 @@ -71,7 +71,7 @@ ms.date: 08/01/2022 - [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9 - [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy#privacy-disableprivacyexperience) Insider +- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) 
@@ -101,11 +101,11 @@ ms.date: 08/01/2022 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Storage/AllowStorageSenseGlobal](.policy-csp-storage#storage-allowstoragesenseglobal) Insider -- [Storage/AllowStorageSenseTemporaryFilesCleanup](.policy-csp-storage#storage-allowstoragesensetemporaryfilescleanup) Insider -- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](.policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) Insider -- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](.policy-csp-storage#storage-configstoragesensedownloadscleanupthreshold) Insider -- [Storage/ConfigStorageSenseGlobalCadence](.policy-csp-storage#storage-configstoragesenseglobalcadence) Insider +- [Storage/AllowStorageSenseGlobal](.policy-csp-storage.md#storage-allowstoragesenseglobal) Insider +- [Storage/AllowStorageSenseTemporaryFilesCleanup](.policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) Insider +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](.policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) Insider +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](.policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) Insider +- [Storage/ConfigStorageSenseGlobalCadence](.policy-csp-storage.md#storage-configstoragesenseglobalcadence) Insider - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 1b9a4cf774..20da373209 100644 
--- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -104,6 +104,14 @@ Steps to use this policy correctly: > [!NOTE] > This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ This new feature is an opt-in policy that IT Admins can enable to help with the setup of new devices in new areas or new users. When this policy is turned on it allows a captive portal on the sign-in screen, which allows a user to enter credentials to connect to the Wi-Fi access point. If enabled, sign in will implement similar logic as OOBE to display captive portal if necessary. @@ -277,6 +285,14 @@ Supported value is Integer. > [!NOTE] > This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ Wi-Fi auto recovery is enabled on HoloLens 2 by default. In some cases you may want your devices to not automatically reconnect. This may be because you have a preferred network you want to keep your devices on, you find yourself reconnecting to an access point that doesn't have internet, or you want to keep those devices offline in specific areas. For those cases we've enabled a new policy that you can opt to use to keep your devices from automatically reconnecting back to your access points. @@ -435,6 +451,14 @@ The following list shows the supported values: > [!NOTE] > This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. @@ -463,6 +487,14 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip > [!NOTE] > This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. From 835f8dd246a5f0ebd021ad70c52fe874fb5b6a55 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 1 Aug 2022 13:41:07 -0700 Subject: [PATCH 03/45] link struc --- .../policies-in-policy-csp-supported-by-hololens2.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 36eb8cf224..6661ba3f5a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md 
@@ -101,11 +101,11 @@ ms.date: 08/01/2022 - [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) - [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) 9 - [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) -- [Storage/AllowStorageSenseGlobal](.policy-csp-storage.md#storage-allowstoragesenseglobal) Insider -- [Storage/AllowStorageSenseTemporaryFilesCleanup](.policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) Insider -- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](.policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) Insider -- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](.policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) Insider -- [Storage/ConfigStorageSenseGlobalCadence](.policy-csp-storage.md#storage-configstoragesenseglobalcadence) Insider +- [Storage/AllowStorageSenseGlobal](policy-csp-storage.md#storage-allowstoragesenseglobal) Insider +- [Storage/AllowStorageSenseTemporaryFilesCleanup](policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup) Insider +- [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold) Insider +- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold) Insider +- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#storage-configstoragesenseglobalcadence) Insider - [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#system-allowlocation) - [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) From 341e3d386ad614e5c4720c8d2c12c19649b7cb91 Mon Sep 17 00:00:00 2001 
From: Evan Miller Date: Tue, 2 Aug 2022 09:25:31 -0700 Subject: [PATCH 04/45] setup --- .../policies-in-policy-csp-supported-by-hololens2.md | 4 ++-- .../client-management/mdm/policy-csp-mixedreality.md | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 6661ba3f5a..f63727b2a4 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -60,8 +60,8 @@ ms.date: 08/01/2022 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 -- [MixedReality/SkipCalibrationDuringFirstExperience](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringfirstexperience) Insider -- [MixedReality/SkipTrainingDuringFirstExperience](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringfirstexperience) Insider +- [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) Insider +- [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) Insider - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 20da373209..901555820c 100644 
--- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -47,10 +47,10 @@ manager: dansimp MixedReality/MicrophoneDisabled
- MixedReality/SkipCalibrationDuringFirstExperience + MixedReality/SkipCalibrationDuringSetup
- MixedReality/SkipTrainingDuringFirstExperience + MixedReality/SkipTrainingDuringSetup
MixedReality/VisitorAutoLogon @@ -436,7 +436,7 @@ The following list shows the supported values:
-**MixedReality/SkipCalibrationDuringFirstExperience** +**MixedReality/SkipCalibrationDuringSetup** @@ -462,7 +462,7 @@ The following list shows the supported values: Skips the calibration experience on HoloLens 2 devices when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to calibrate their device from the Settings app. -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringFirstExperience` +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipCalibrationDuringSetup` - Bool value @@ -472,7 +472,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip
-**MixedReality/SkipTrainingDuringFirstExperience** +**MixedReality/SkipTrainingDuringSetup** @@ -498,7 +498,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip On HoloLens 2 devices, skips the training experience of interactions with the humming bird and start menu training when setting up a new user in the Out of Box Experience (OOBE) or when adding a new user to the device. The user will still be able to learn these movement controls from the Tips app. -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringFirstExperience` +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/SkipTrainingDuringSetup` - Bool value From af74e259bb825cbcdc9c0243990c56fc054ee8cd Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Mon, 8 Aug 2022 13:58:46 -0500 Subject: [PATCH 05/45] Update bitlocker-csp.md https://portal.microsofticm.com/imp/v3/incidents/details/324141086/home --- windows/client-management/mdm/bitlocker-csp.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7af651d2c0..111fecc2c2 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1348,6 +1348,13 @@ Value type is string. Supported operation is Execute. Request ID is expected as a parameter. +> [!NOTE] +> Key rotation is supported only on these enrollment types: +> - windowsAzureADJoin +> - windowsBulkAzureDomainJoin +> - windowsAzureADJoinUsingDeviceAuth +> - windowsCoManagement + > [!TIP] > Key rotation feature will only work when: > From a7e98e416d4628ff581a3a64e785e2d06fd47d2d Mon Sep 17 00:00:00 2001 
From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Fri, 12 Aug 2022 15:45:30 +0530 Subject: [PATCH 06/45] sheshachary-6401150 Updated the article with a note information --- windows/client-management/connect-to-remote-aadj-pc.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index a2b2682d33..3849eae29c 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -83,6 +83,9 @@ The table below lists the supported configurations for remotely connecting to an > [!NOTE] > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). +> [!NOTE] +> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). If the Network Level Authentication is disabled, then the connection works. + ## Related topics [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) From 7066850420353d41ab90413776a00712573bb5d2 Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Tue, 16 Aug 2022 15:53:10 -0700 Subject: [PATCH 07/45] update script error codes and move them to include file --- .../update-compliance-script-error-codes.md | 62 +++++++++++++++++++ .../update-compliance-configuration-script.md | 52 +--------------- ...date-compliance-v2-configuration-script.md | 53 ++-------------- 3 files changed, 68 insertions(+), 99 deletions(-) create mode 100644 windows/deployment/update/includes/update-compliance-script-error-codes.md diff --git a/windows/deployment/update/includes/update-compliance-script-error-codes.md b/windows/deployment/update/includes/update-compliance-script-error-codes.md new file mode 100644 index 0000000000..fa70e9df8b --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-script-error-codes.md 
@@ -0,0 +1,62 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +|Error |Description | +|---------|---------| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 8 | Couldn't create registry key path to set up CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 11 | Unexpected result when setting up CommercialID.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 48 | CommercialID isn't a GUID| +| 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Couldn't find Census.exe| +| 53 | There are conflicting CommercialID values.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for SetDeviceNameOptIn| +| 56 | Failed to create property for SetDeviceNameOptIn at registry path| +| 57 | Failed to update value for SetDeviceNameOptIn| +| 58 | Unexpected exception in 
SetrDeviceNameOptIn| +| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| +| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| +| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| +| 91 | Failed to create new registry path for EnableAllowUCProcessing| +| 92 | Failed to create property for EnableAllowUCProcessing at registry path| +| 93 | Failed to update value for EnableAllowUCProcessing| +| 94 | Unexpected exception in EnableAllowUCProcessing| +| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | +| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | +| 97 | Failed to update value for EnableAllowCommercialDataPipeline | +| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | +| 99 | Device isn't Windows 10.| +| 100 | Device must be AADJ or hybrid AADJ to use Update Compliance | +| 101 | Check AADJ failed with unexpected exception | \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index bb275f2935..0661213d61 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -48,56 +48,8 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru ## Script errors -|Error |Description | -|---------|---------| -| 1 | General unexpected error| -| 6 | Invalid CommercialID| -| 8 | Couldn't create registry key path to setup CommercialID| -| 9 | Couldn't write CommercialID at registry key path| -| 11 | Unexpected result when setting up CommercialID.| -| 12 | CheckVortexConnectivity failed, check Log output for more information.| -| 12 | Unexpected failure when running CheckVortexConnectivity.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| -| 27 | Not system account. | -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 35 | Unexpected exception when checking User Proxy.| -| 37 | Unexpected exception when collecting logs| -| 40 | Unexpected exception when checking and setting telemetry.| -| 41 | Unable to impersonate logged-on user.| -| 42 | Unexpected exception when attempting to impersonate logged-on user.| -| 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 44 | Error when running CheckDiagTrack service.| -| 45 | DiagTrack.dll not found.| -| 48 | CommercialID is not a GUID| -| 50 | DiagTrack service not running.| -| 51 | Unexpected exception when attempting to run Census.exe| -| 52 | Could not find Census.exe| -| 53 | There are conflicting CommercialID values.| -| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.| -| 55 | Failed to create new registry path for SetDeviceNameOptIn| -| 56 | Failed to create property for SetDeviceNameOptIn at registry path| -| 57 | Failed to update value for SetDeviceNameOptIn| -| 58 | Unexpected exception in SetrDeviceNameOptIn| -| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at 
registry path when attempting to clean up OneSettings.| -| 60 | Failed to delete registry key when attempting to clean up OneSettings.| -| 61 | Unexpected exception when attempting to clean up OneSettings.| -| 62 | AllowTelemetry registry key is not of the correct type REG_DWORD| -| 63 | AllowTelemetry is not set to the appropriate value and it could not be set by the script.| -| 64 | AllowTelemetry is not of the correct type REG_DWORD.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| -| 91 | Failed to create new registry path for EnableAllowUCProcessing| -| 92 | Failed to create property for EnableAllowUCProcessing at registry path| -| 93 | Failed to update value for EnableAllowUCProcessing| -| 94 | Unexpected exception in EnableAllowUCProcessing| -| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | -| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | -| 97 | Failed to update value for EnableAllowCommercialDataPipeline | -| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | -| 99 | Device is not Windows 10.| - + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] ## Verify device configuration diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index 7e9fd6a12b..5a6e1bc324 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md 
@@ -54,55 +54,10 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru ## Script errors -|Error |Description | -|---------|---------| -| 1 | General unexpected error| -| 6 | Invalid CommercialID| -| 8 | Couldn't create registry key path to set up CommercialID| -| 9 | Couldn't write CommercialID at registry key path| -| 11 | Unexpected result when setting up CommercialID.| -| 12 | CheckVortexConnectivity failed, check Log output for more information.| -| 12 | Unexpected failure when running CheckVortexConnectivity.| -| 16 | Reboot is pending on device, restart device and restart script.| -| 17 | Unexpected exception in CheckRebootRequired.| -| 27 | Not system account. | -| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.| -| 34 | Unexpected exception when attempting to check Proxy settings.| -| 35 | Unexpected exception when checking User Proxy.| -| 37 | Unexpected exception when collecting logs| -| 40 | Unexpected exception when checking and setting telemetry.| -| 41 | Unable to impersonate logged-on user.| -| 42 | Unexpected exception when attempting to impersonate logged-on user.| -| 43 | Unexpected exception when attempting to impersonate logged-on user.| -| 44 | Error when running CheckDiagTrack service.| -| 45 | DiagTrack.dll not found.| -| 48 | CommercialID isn't a GUID| -| 50 | DiagTrack service not running.| -| 51 | Unexpected exception when attempting to run Census.exe| -| 52 | Couldn't find Census.exe| -| 53 | There are conflicting CommercialID values.| -| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| -| 55 | Failed to create new registry path for SetDeviceNameOptIn| -| 56 | Failed to create property for SetDeviceNameOptIn at registry path| -| 57 | Failed to update value for SetDeviceNameOptIn| -| 58 | Unexpected exception in SetrDeviceNameOptIn| -| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at 
registry path when attempting to clean up OneSettings.| -| 60 | Failed to delete registry key when attempting to clean up OneSettings.| -| 61 | Unexpected exception when attempting to clean up OneSettings.| -| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| -| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| -| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| -| 66 | Failed to verify UTC connectivity and recent uploads.| -| 67 | Unexpected failure when verifying UTC CSP.| -| 91 | Failed to create new registry path for EnableAllowUCProcessing| -| 92 | Failed to create property for EnableAllowUCProcessing at registry path| -| 93 | Failed to update value for EnableAllowUCProcessing| -| 94 | Unexpected exception in EnableAllowUCProcessing| -| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline | -| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path | -| 97 | Failed to update value for EnableAllowCommercialDataPipeline | -| 98 | Unexpected exception in EnableAllowCommercialDataPipeline | -| 99 | Device isn't Windows 10.| + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] + + ## Next steps From a845cf7b3687ac228bb39b884637abb4bf17d2d6 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 17 Aug 2022 12:44:43 -0700 Subject: [PATCH 08/45] Update configure-md-app-guard.md Added update for network isolation changes, and removed deprecated policy. --- .../configure-md-app-guard.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 6e85b47920..0d92659840 100644 
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -28,7 +28,7 @@ Application Guard uses both network isolation and application-specific settings. ## Network isolation settings -These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge. > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy. @@ -55,9 +55,8 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |-----------|------------------|-----------|-------| |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| From 47418fb014a6751ddd900cece2dd17ecf1595f88 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 17 Aug 2022 12:53:06 -0700 Subject: [PATCH 09/45] Update configure-md-app-guard.md --- .../configure-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 0d92659840..71b4af8046 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -56,7 +56,7 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| |Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.

**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| From 982044e5cd99b2c59d25af5b802301900f889f38 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 17 Aug 2022 13:17:13 -0700 Subject: [PATCH 10/45] commid mac edits --- .../update-compliance-onboard-admin-center.md | 23 +++++++++++++++++ .../update/update-compliance-v2-enable.md | 25 ++++++++----------- .../update/update-status-admin-center.md | 19 ++++---------- 3 files changed, 38 insertions(+), 29 deletions(-) create mode 100644 windows/deployment/update/includes/update-compliance-onboard-admin-center.md diff --git a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md new file mode 100644 index 0000000000..33c033bbdb --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md 
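Review bot: in the rewritten "Turn on Microsoft Defender Application Guard in Managed Mode" row, the cell still says Application Guard turns on "honoring the network isolation settings" and "won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device", while the note at the end of the same cell says network isolation policy is no longer required for Edge once KB5014666 or KB5014668 is installed. Scope the earlier sentences to the cases where they still hold, so an admin reading the row can tell whether an unconfigured network boundary leaves Edge isolation on or off. The note also says "Edge" where the rest of the row says "Microsoft Edge".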
@@ -0,0 +1,23 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. +1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. +1. In the **Software Updates** page, select the **Windows** tab. +1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: + + - The Azure subscription + - The Log Analytics workspace +1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. +1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. + +> [!Tip] +> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md index 313d748f40..76b3245273 100644 --- a/windows/deployment/update/update-compliance-v2-enable.md +++ b/windows/deployment/update/update-compliance-v2-enable.md 
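Review bot: step 4 links to `update-compliance-v2-overview.md` with the same relative path the text had in update-status-admin-center.md, but this file lives one directory lower, under includes/. Please confirm how the build resolves links inside an include; if they resolve relative to the include file, the target needs to be `../update-compliance-v2-overview.md`. The tip also names the menu entry **Software updates (preview)** while step 2 tells the reader to select **Software Updates**; use one label.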
@@ -16,13 +16,16 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center) +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: 1. [Add Update Compliance](#bkmk_add) to your Azure subscription. This step has the following two phases: 1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Update Compliance. 1. [Add the Update Compliance solution](#bkmk_solution) to the Log Analytics workspace. + 1. [Configure Update Compliance](#bkmk_admin-center) from the Microsoft 365 admin center. + 1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways: - Use a [script](update-compliance-v2-configuration-script.md) - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) 
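Review bot: the added list item "Configure Update Compliance ... from the Microsoft 365 admin center" leaves a stale count in the unchanged context: the list is introduced as "The two main steps" and step 1 as "the following two phases", and the new item makes one of those three, so update or drop the number. In the first new Important bullet, one sentence runs two changes together ("a new step needs to be taken ... and the CommercialID is no longer required") and the bullet ends at the link with no period; splitting it into two sentences would make it clear that the new step is required and the CommercialID is not.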
@@ -63,27 +66,19 @@ Update Compliance is offered as an Azure Marketplace application that's linked t > [!Note] > - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported. -> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. +> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. You will also need to reconfigure the Update Compliance settings in the Microsoft 365 admin center. -### Get the Commercial ID for the Update Compliance solution +### Configure Update Compliance settings through the Microsoft 365 admin center -The **Commercial ID** directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. +Complete enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. -1. If needed, sign into the [Azure portal](https://portal.azure.com). -1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. -1. Select **Log Analytics workspaces**. -1. Select the Log Analytics workspace that you added the Update Compliance solution to. -1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. -1. Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. -1. 
The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. - - > [!Warning] - > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. + +[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] ## Next steps -Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: +Once you've added Update Compliance to a workspace in your Azure subscription and configured the settings through the Microsoft 365 admin center, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: - [Configure clients with a script](update-compliance-v2-configuration-script.md) - [Configure clients manually](update-compliance-v2-configuration-manual.md) diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md index 71e40f2c64..36be2d51a4 100644 --- a/windows/deployment/update/update-status-admin-center.md +++ b/windows/deployment/update/update-status-admin-center.md 
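Review bot: the new section text says "Updates Compliance" twice ("Complete enabling Updates Compliance", "the earlier version of Updates Compliance") where every other line uses "Update Compliance". The heading "Get the Commercial ID for the Update Compliance solution" is replaced, so check for inbound links to its anchor. Since this text says the `CommercialID` no longer needs to be specified, note that the shared error table update-compliance-v2-configuration-script.md now includes still lists CommercialID failures (6, 8, 9, 11, 48, 53); say which of those can still occur for v2.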
@@ -33,11 +33,11 @@ The **Software updates** page has following tabs to assist you in monitoring upd ## Prerequisites - [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution -- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com) - - To configure settings and view the **Software Updates** page: +- An appropriate role assigned the [Microsoft 365 admin center](https://admin.microsoft.com) + - To configure settings and view the **Windows** tab in the **Software Updates** page: - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - - To view the **Software Updates** page: + - To view the **Windows** tab in the **Software Updates** page: - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) 
@@ -47,18 +47,9 @@ Update Compliance is a Windows service hosted in Azure that uses Windows diagnos ## Get started -1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. -1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. -1. In the **Software Updates** page, select the **Windows** tab. -1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: - - The Azure subscription - - The Log Analytics workspace -1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. -1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. - -> [!Tip] -> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). + +[!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] ## The Windows tab From 4c4822c71d4578275ff22fb8cdedb83945d00b2f Mon Sep 17 00:00:00 2001 
From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 17 Aug 2022 15:01:52 -0700 Subject: [PATCH 11/45] commid mac edits --- ...ate-compliance-admin-center-permissions.md | 22 +++++++++++++ .../update-compliance-onboard-admin-center.md | 2 +- ...-compliance-verify-device-configuration.md | 2 +- .../update-compliance-configuration-script.md | 33 ++----------------- ...date-compliance-v2-configuration-manual.md | 2 -- .../update-compliance-v2-configuration-mem.md | 8 +---- ...date-compliance-v2-configuration-script.md | 1 - .../update-compliance-v2-prerequisites.md | 12 ++----- .../update/update-status-admin-center.md | 12 ++----- 9 files changed, 33 insertions(+), 61 deletions(-) create mode 100644 windows/deployment/update/includes/update-compliance-admin-center-permissions.md diff --git a/windows/deployment/update/includes/update-compliance-admin-center-permissions.md b/windows/deployment/update/includes/update-compliance-admin-center-permissions.md new file mode 100644 index 0000000000..01f67b2713 --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-admin-center-permissions.md 
@@ -0,0 +1,22 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.topic: include +ms.date: 08/18/2022 +ms.localizationpriority: medium +--- + +[Enabling Update Compliance](../update-compliance-v2-enable.md) requires access to the [Microsoft admin center software updates (preview) page](../update-status-admin-center.md) as does displaying Update Compliance data in the admin center. The following permissions are needed for access to the [Microsoft 365 admin center](https://admin.microsoft.com): + + +- To enable Update Compliance, edit Update Compliance configuration settings, and view the **Windows** tab in the **Software Updates** page: + - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) + - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) +- To view the **Windows** tab in the **Software Updates** page: + - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) + +> [!NOTE] +> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). diff --git a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md index 33c033bbdb..13183b46dd 100644 --- a/windows/deployment/update/includes/update-compliance-onboard-admin-center.md +++ b/windows/deployment/update/includes/update-compliance-onboard-admin-center.md 
@@ -12,7 +12,7 @@ ms.localizationpriority: medium 1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. 1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. 1. In the **Software Updates** page, select the **Windows** tab. -1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: +1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. This tab is populated by data from [Update Compliance](../update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: - The Azure subscription - The Log Analytics workspace diff --git a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md index b0aeb4c8a1..ff16987a3b 100644 --- a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md +++ b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md 
@@ -35,7 +35,7 @@ In some cases, you may need to manually verify the device configuration has the 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. 1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](../update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. + - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for the [preview version of Updates Compliance](../update-compliance-v2-overview.md), but the value may still be listed in this field. - The **MSP** field value under **protocol** should be either `16` or `18`. - If you need to send this data to Microsoft Support, select **Export data**. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 0661213d61..847c0301ba 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -52,35 +52,6 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru [!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] ## Verify device configuration - -In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: - -1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). - 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **On** for the following option: - - - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** - - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** - -1. Select **Open Diagnostic Data Viewer**. - - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. - - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. - -1. Check for software updates on the client device. - - Windows 11: - 1. Go to **Start**, select **Settings** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - - Windows 10: - 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. - 1. Select **Check for updates** then wait for the update check to complete. - -1. Run the **Diagnostic Data Viewer**. - 1. 
Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. - 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. -1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-get-started.md#get-your-commercialid) of your Log Analytics workspace for Update Compliance. - - The **MSP** field value under **protocol** should be either `16` or `18`. - - If you need to send this data to Microsoft Support, select **Export data**. - - :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-verify-device-configuration.md)]: diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/update-compliance-v2-configuration-manual.md index 708fcce0bf..a04ac23946 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-manual.md +++ b/windows/deployment/update/update-compliance-v2-configuration-manual.md 
@@ -42,7 +42,6 @@ Each MDM Policy links to its documentation in the configuration service provider | Policy | Data type | Value | Function | |--------------------------|-|-|------------------------------------------------------------| -|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) |Identifies the device as belonging to your organization. | |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and won't be visible in Update Compliance, showing `#` instead. | 
@@ -55,7 +54,6 @@ All Group policies that need to be configured for Update Compliance are under ** | Policy | Value | Function | |---------------------------|-|-----------------------------------------------------------| -|**Configure the Commercial ID** |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) | Identifies the device as belonging to your organization. | |**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure telemetry opt-in setting user interface**. | |**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | |**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Update Compliance, showing `#` instead. | diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 1a6b98c90c..aed111ec02 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md 
@@ -36,13 +36,7 @@ Take the following steps to create a configuration profile that will set require 1. For **Template name**, select **Custom**, and then press **Create**. 1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. 1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). - 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-v2-enable.md#bkmk_id). - 1. Add a setting for **Commercial ID** with the following values: - - **Name**: Commercial ID - - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - - **Data type**: String - - **Value**: *Set this value to your Commercial ID* + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index 5a6e1bc324..8ff093e131 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md @@ -58,7 +58,6 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru [!INCLUDE [Update Compliance script error codes](./includes/update-compliance-script-error-codes.md)] - ## Next steps [Use Update Compliance](update-compliance-v2-use.md) \ No newline at end of file 
diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md index 88cfdcb10b..3be2e02464 100644 --- a/windows/deployment/update/update-compliance-v2-prerequisites.md +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md @@ -66,15 +66,9 @@ For more information about what's included in different diagnostic levels, see [ > [!NOTE] > Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription. -## Microsoft 365 admin center permissions (currently optional) - -When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed: - -- To configure settings and view the **Software Updates** page: - - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) -- To view the **Software Updates** page: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +## Microsoft 365 admin center permissions + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)] ## Log Analytics prerequisites diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md index 36be2d51a4..08f6787ea7 100644 --- a/windows/deployment/update/update-status-admin-center.md +++ b/windows/deployment/update/update-status-admin-center.md 
@@ -30,15 +30,9 @@ The **Software updates** page has following tabs to assist you in monitoring upd :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png"::: -## Prerequisites - -- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution -- An appropriate role assigned the [Microsoft 365 admin center](https://admin.microsoft.com) - - To configure settings and view the **Windows** tab in the **Software Updates** page: - - [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) - - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) - - To view the **Windows** tab in the **Software Updates** page: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +## Permissions + +[!INCLUDE [Update Compliance script error codes](./includes/update-compliance-admin-center-permissions.md)] ## Limitations From 37738de4772744ec87f34e4a22fd4e0aebbae56b Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 17 Aug 2022 15:38:07 -0700 Subject: [PATCH 12/45] commid mac edits --- ...-compliance-verify-device-configuration.md | 2 +- .../update-compliance-configuration-script.md | 2 +- .../update/update-compliance-get-started.md | 19 +++++++++++-------- ...date-compliance-v2-configuration-script.md | 2 +- .../update/update-compliance-v2-enable.md | 6 ++++-- .../update/update-compliance-v2-overview.md | 10 +++++++--- .../update-compliance-v2-prerequisites.md | 2 +- 7 files changed, 26 insertions(+), 17 deletions(-) 
diff --git a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md index ff16987a3b..d3fdaa9c05 100644 --- a/windows/deployment/update/includes/update-compliance-verify-device-configuration.md +++ b/windows/deployment/update/includes/update-compliance-verify-device-configuration.md @@ -35,7 +35,7 @@ In some cases, you may need to manually verify the device configuration has the 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. 1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: - - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for the [preview version of Updates Compliance](../update-compliance-v2-overview.md), but the value may still be listed in this field. + - The **EnrolledTenantID** field under **m365a** should equal the `CommercialID` of your Log Analytics workspace for Update Compliance. `CommercialID` is no longer required for the [preview version of Updates Compliance](../update-compliance-v2-overview.md), but the value may still be listed in this field. - The **MSP** field value under **protocol** should be either `16` or `18`. - If you need to send this data to Microsoft Support, select **Export data**. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 847c0301ba..15c207cf56 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -40,7 +40,7 @@ This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. -2. Set `commercialIDValue` to your Commercial ID. +2. Set `setCommercialID=true` and set the `commercialIDValue` to your [Commercial ID](update-compliance-get-started.md#get-your-commercialid). 3. Run the script. 4. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 5. If there are issues, gather the logs and provide them to Support. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 663fedf6e7..3449a9e3ff 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -92,19 +92,22 @@ Once the solution is in place, you can leverage one of the following Azure roles > [!NOTE] > It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription. - + ### Get your CommercialID -A CommercialID is a globally unique identifier assigned to a specific Log Analytics workspace. The CommercialID is copied to an MDM or Group Policy and is used to identify devices in your environment. +A `CommercialID` is a globally unique identifier assigned to a specific Log Analytics workspace. The `CommercialID` is copied to an MDM or Group Policy and is used to identify devices in your environment. The `Commercial ID` directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. -To find your CommercialID within Azure: +1. If needed, sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the Log Analytics workspace that you added the Update Compliance solution to. +1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. +1. Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. +1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. -1. Navigate to the **Solutions** tab for your workspace, and then select the **WaaSUpdateInsights** solution. -2. From there, select the Update Compliance Settings page on the navbar. -3. 
Your CommercialID is available in the settings page. + > [!Warning] + > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. -> [!IMPORTANT] -> Regenerate your CommercialID only if your original ID can no longer be used or if you want to completely reset your workspace. Regenerating your CommercialID cannot be undone and will result in you losing data for all devices that have the current CommercialID until the new CommercialID is deployed to devices. ## Enroll devices in Update Compliance diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index 8ff093e131..a3595b876b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md @@ -42,7 +42,7 @@ This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): 1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. -1. Set `commercialIDValue` to your [Commercial ID](update-compliance-v2-enable.md#bkmk_id) for the Update Compliance solution. +1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Update Compliance. Leave `setCommercialID=false` and the `commercialIDValue=Unknown`. 1. Run the script. 1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. 1. If there are issues, gather the logs and provide them to Microsoft Support. 
diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md index 76b3245273..863d8bbd8b 100644 --- a/windows/deployment/update/update-compliance-v2-enable.md +++ b/windows/deployment/update/update-compliance-v2-enable.md @@ -16,7 +16,7 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center) +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: 
@@ -31,6 +31,8 @@ After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are m - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) - Configure [manually](update-compliance-v2-configuration-manual.md) +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. ## Add Update Compliance to your Azure subscription Before you configure clients to send data, you'll need to add the Update Compliance solution to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll add the Update Compliance solution to the workspace. 
@@ -70,7 +72,7 @@ Update Compliance is offered as an Azure Marketplace application that's linked t ### Configure Update Compliance settings through the Microsoft 365 admin center -Complete enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. +Finish enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. [!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index e4d165eb8c..c07c7a3489 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md 
@@ -16,7 +16,8 @@ ms.date: 08/09/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory-joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: @@ -24,6 +25,7 @@ Update Compliance is a cloud-based solution that provides information about the - Report on devices with update compliance issues - Review [Delivery Optimization](../do/waas-delivery-optimization.md) bandwidth savings across multiple content types + ## Technical preview information for Update Compliance The new version of Update Compliance is in technical preview. Some of the benefits of this new version include: 
@@ -48,8 +50,10 @@ Currently, these new tables are available to all Updates Compliance users. They :::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: -> [!IMPORTANT] -> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. +## Limitations + +Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + ## How Update Compliance works diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md index 3be2e02464..f3bbdb2a81 100644 --- a/windows/deployment/update/update-compliance-v2-prerequisites.md +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md 
@@ -16,8 +16,8 @@ ms.date: 06/30/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. -> - Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. ## Update Compliance prerequisites From 08eaee962110c2812edccc9fae36d956d4de6add Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 17 Aug 2022 16:06:25 -0700 Subject: [PATCH 13/45] commid mac edits --- .../update/update-compliance-v2-configuration-manual.md | 3 ++- .../update/update-compliance-v2-configuration-mem.md | 3 ++- .../update/update-compliance-v2-configuration-script.md | 3 ++- windows/deployment/update/update-compliance-v2-enable.md | 4 ++-- windows/deployment/update/update-compliance-v2-overview.md | 2 +- .../deployment/update/update-compliance-v2-prerequisites.md | 2 +- 6 files changed, 10 insertions(+), 7 deletions(-) 
diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/update-compliance-v2-configuration-manual.md index a04ac23946..07c449792b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-manual.md +++ b/windows/deployment/update/update-compliance-v2-configuration-manual.md @@ -17,7 +17,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. There are a number of requirements to consider when manually configuring devices for Update Compliance. These requirements can potentially change with newer versions of Windows client. The [Update Compliance configuration script](update-compliance-v2-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index aed111ec02..1dabf9b1e5 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md 
+++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -17,7 +17,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md index a3595b876b..ce8b8ff96b 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-script.md +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md 
@@ -17,7 +17,8 @@ ms.date: 06/16/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-v2-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md index 863d8bbd8b..2125392ab8 100644 --- a/windows/deployment/update/update-compliance-v2-enable.md +++ b/windows/deployment/update/update-compliance-v2-enable.md 
@@ -16,7 +16,7 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: 
@@ -72,7 +72,7 @@ Update Compliance is offered as an Azure Marketplace application that's linked t ### Configure Update Compliance settings through the Microsoft 365 admin center -Finish enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. +Finish enabling Updates Compliance by configuring its settings through the Microsoft 365 admin center. Completing the Update Compliance configuration through the admin center removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by the earlier version of Updates Compliance. This step is needed even if you enabled earlier previews of Update Compliance. [!INCLUDE [Onboarding Update Compliance through the Microsoft 365 admin center](./includes/update-compliance-onboard-admin-center.md)] diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index c07c7a3489..c6e20c35ae 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md 
@@ -16,7 +16,7 @@ ms.date: 08/09/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable#bkmk_admin-center). +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory-joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md index f3bbdb2a81..31c046a6b0 100644 --- a/windows/deployment/update/update-compliance-v2-prerequisites.md +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md 
@@ -16,7 +16,7 @@ ms.date: 06/30/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable#bkmk_admin-center). +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the CommercialID is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. ## Update Compliance prerequisites From 2c33bdd6bd30efee3521b21eafd34f9044eebf54 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:22:09 -0700 Subject: [PATCH 14/45] tweak toc, edit impt banner --- windows/deployment/TOC.yml | 12 ++++++------ .../deployment/update/update-compliance-v2-help.md | 3 ++- .../deployment/update/update-compliance-v2-use.md | 4 ++-- .../update/update-compliance-v2-workbook.md | 3 ++- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 073d1e0582..49da11e085 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -184,7 +184,7 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Monitor with Update Compliance (preview version) + - name: Update Compliance overview (preview version) href: update/update-compliance-v2-overview.md items: - name: Enable Update Compliance (preview) @@ -200,13 +200,13 @@ - name: Configure clients with Microsoft Endpoint Manager href: update/update-compliance-v2-configuration-mem.md - name: Use Update Compliance (preview) - items: - - name: Use Update Compliance - href: update/update-compliance-v2-use.md + items: - name: Update Compliance workbook - href: update/update-compliance-v2-workbook.md + href: update/update-compliance-v2-workbook.md - name: Software updates in the Microsoft admin center (preview) - href: update/update-status-admin-center.md + href: update/update-status-admin-center.md + - name: Use Update Compliance data + href: update/update-compliance-v2-use.md - name: Feedback, support, and troubleshooting href: update/update-compliance-v2-help.md - name: Update Compliance schema reference (preview) diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index 25e1dff44a..63db627633 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md 
@@ -17,7 +17,8 @@ ms.date: 08/10/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!IMPORTANT] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. There are several resources that you can use to find help with Update Compliance. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Update Compliance: diff --git a/windows/deployment/update/update-compliance-v2-use.md b/windows/deployment/update/update-compliance-v2-use.md index c136aeae12..9326548d4f 100644 --- a/windows/deployment/update/update-compliance-v2-use.md +++ b/windows/deployment/update/update-compliance-v2-use.md @@ -1,8 +1,8 @@ --- -title: Use the Update Compliance (preview) solution +title: Use the Update Compliance (preview) data ms.reviewer: manager: dougeby -description: How to use the Update Compliance (preview) solution. +description: How to use the Update Compliance (preview) data. ms.prod: w10 author: mestew ms.author: mstewart diff --git a/windows/deployment/update/update-compliance-v2-workbook.md b/windows/deployment/update/update-compliance-v2-workbook.md index da0c935974..94904ba537 100644 --- a/windows/deployment/update/update-compliance-v2-workbook.md 
+++ b/windows/deployment/update/update-compliance-v2-workbook.md @@ -16,7 +16,8 @@ ms.date: 08/10/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!IMPORTANT] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. [Update Compliance](update-compliance-v2-overview.md) presents information commonly needed by updates administrators in an easy to use format. Update Compliance uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into three tab sections: From 2a6e560d69cb22b848b396125d2167a02a0906d2 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:25:30 -0700 Subject: [PATCH 15/45] tweak toc, edit impt banner --- windows/deployment/update/update-compliance-v2-help.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index 63db627633..871ce3464e 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md 
@@ -17,7 +17,7 @@ ms.date: 08/10/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!IMPORTANT] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. There are several resources that you can use to find help with Update Compliance. Whether you're just getting started or an experienced administrator, use the following resources when you need help with Update Compliance: From 7d12c12e629598e02c5235ea11a9af1ad2d04422 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:31:46 -0700 Subject: [PATCH 16/45] tweak toc, edit impt banner --- windows/deployment/TOC.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 49da11e085..231195498d 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -184,9 +184,10 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Update Compliance overview (preview version) - href: update/update-compliance-v2-overview.md + - name: Monitor with Update Compliance (preview version) items: + - name: Update Compliance overview (preview) + - href: update/update-compliance-v2-overview.md - name: Enable Update Compliance (preview) items: - name: Update Compliance prerequisites From 89f7d77f41e6e1b3face06b09f0b04fcf4dde026 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:33:57 -0700 Subject: [PATCH 17/45] edits --- windows/deployment/update/update-compliance-v2-workbook.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-v2-workbook.md b/windows/deployment/update/update-compliance-v2-workbook.md index 94904ba537..a781782920 100644 --- a/windows/deployment/update/update-compliance-v2-workbook.md +++ b/windows/deployment/update/update-compliance-v2-workbook.md 
@@ -16,7 +16,7 @@ ms.date: 08/10/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!IMPORTANT] -> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](#bkmk_admin-center). +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). > - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. [Update Compliance](update-compliance-v2-overview.md) presents information commonly needed by updates administrators in an easy to use format. Update Compliance uses [Azure Workbooks](/azure/azure-monitor/visualize/workbooks-getting-started) to give you a visual representation of your compliance data. The workbook is broken down into three tab sections: From 220c5851b86527baed0d43834c466b3926479970 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:37:55 -0700 Subject: [PATCH 18/45] edits --- windows/deployment/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 231195498d..e098c2421f 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -184,7 +184,7 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Monitor with Update Compliance (preview version) + - name: Monitor with Update Compliance (preview) items: - name: Update Compliance overview (preview) - href: update/update-compliance-v2-overview.md From bbb00b30a4b973f4cb2b261dbdce69e2ab851785 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:39:48 -0700 Subject: [PATCH 19/45] edits --- windows/deployment/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index e098c2421f..6547857c18 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -187,7 +187,7 @@ - name: Monitor with Update Compliance (preview) items: - name: Update Compliance overview (preview) - - href: update/update-compliance-v2-overview.md + href: update/update-compliance-v2-overview.md - name: Enable Update Compliance (preview) items: - name: Update Compliance prerequisites From 09910edc6bf252ad611e72857fea4482ad477c5f Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 08:53:27 -0700 Subject: [PATCH 20/45] edits --- windows/deployment/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 6547857c18..5daa9b74d5 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -184,9 +184,9 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Monitor with Update Compliance (preview) + - name: Monitor with Update Compliance (preview version) items: - - name: Update Compliance overview (preview) + - name: Update Compliance overview href: update/update-compliance-v2-overview.md - name: Enable Update Compliance (preview) items: 
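Review bot: the last TOC.yml hunk above (PATCH 20/45) restores `Monitor with Update Compliance (preview version)`, the exact name PATCH 18/45 had just shortened to `(preview)`, and in the same change strips `(preview)` from `Update Compliance overview` while the sibling node `Enable Update Compliance (preview)` keeps it. Pick one labelling convention for the preview nodes and apply it to the parent and all of its children. Then squash 18 through 20 into the commit that restructured this node, since 19 only repairs the `- href:` list-item typo that commit introduced.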
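Review bot: in the update-compliance-v2-prerequisites.md hunk of PATCH 13/45, the replacement banner line corrects the link target to `update-compliance-v2-enable.md#bkmk_admin-center` but still writes CommercialID as plain text, while the overview, enable, manual, mem and script banners touched by the same commit all use `CommercialID` in backticks. Add the backticks here so every copy of the banner reads the same. Since the banner is now pasted into each article, consider moving it into a shared include, as the enable page already does with `./includes/update-compliance-onboard-admin-center.md`.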
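Review bot: the banners added to update-compliance-v2-help.md and update-compliance-v2-workbook.md in PATCH 14/45 link to `(#bkmk_admin-center)`, a same-page anchor, whereas every other banner in the series points that bookmark at update-compliance-v2-enable.md. PATCH 15/45 and 17/45 then change these two links to `update-compliance-v2-enable.md#bkmk_admin-center`. Fold those two one-line fixes into 14 so that no commit in the series carries a link that resolves to nothing on its own page.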
From 76e34af02827689e731d0562b50311ffbe15fdac Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 09:19:47 -0700 Subject: [PATCH 21/45] edits --- windows/deployment/update/update-compliance-v2-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index c6e20c35ae..f4329c485d 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md @@ -37,6 +37,7 @@ The new version of Update Compliance is in technical preview. Some of the benefi Currently, the technical preview contains the following features: - [Update Compliance workbook](update-compliance-v2-workbook.md) +- Update Compliance status [charts in the Microsoft 365 admin](updates-status-admin-center.md) - Access to the following new [Update Compliance tables](update-compliance-v2-schema.md): - UCClient - UCClientReadinessStatus From 45f0e991d64281b126259c176ed953cbef9fea10 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 09:28:36 -0700 Subject: [PATCH 22/45] edits --- .../deployment/update/update-compliance-v2-overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index f4329c485d..ce3473199f 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md 
@@ -23,18 +23,18 @@ Update Compliance is a cloud-based solution that provides information about the - Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues -- Review [Delivery Optimization](../do/waas-delivery-optimization.md) bandwidth savings across multiple content types +- Analyze and display your data in multiple ways -## Technical preview information for Update Compliance +## Preview information for Update Compliance -The new version of Update Compliance is in technical preview. Some of the benefits of this new version include: +The new version of Update Compliance is in preview. Some of the benefits of this new version include: - Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting. - Compatibility with [Feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune. - A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues. -Currently, the technical preview contains the following features: +Currently, the preview contains the following features: - [Update Compliance workbook](update-compliance-v2-workbook.md) - Update Compliance status [charts in the Microsoft 365 admin](updates-status-admin-center.md) From 7447942744c6da42178f4eed60d5a8e8b30390e5 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 09:33:51 -0700 Subject: [PATCH 23/45] edits --- windows/deployment/update/update-compliance-v2-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md index ce3473199f..ee51d8c204 100644 --- a/windows/deployment/update/update-compliance-v2-overview.md +++ b/windows/deployment/update/update-compliance-v2-overview.md @@ -37,7 +37,7 @@ The new version of Update Compliance is in preview. Some of the benefits of this Currently, the preview contains the following features: - [Update Compliance workbook](update-compliance-v2-workbook.md) -- Update Compliance status [charts in the Microsoft 365 admin](updates-status-admin-center.md) +- Update Compliance status [charts in the Microsoft 365 admin](update-status-admin-center.md) - Access to the following new [Update Compliance tables](update-compliance-v2-schema.md): - UCClient - UCClientReadinessStatus From aff9d382865a4a51c4c0674bd020f56d07bf6c03 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Aug 2022 22:49:26 +0530 Subject: [PATCH 24/45] added Education,Enterprise Professional. editions as per user report #10778, so i added **Education, Enterprise, and Professional. editions** --- .../reqs-md-app-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index ddf7e13d0d..1ce5b5ae0d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md 
@@ -19,8 +19,8 @@ ms.technology: windows-sec **Applies to** -- Windows 10 -- Windows 11 +- Windows 10 Education,Enterprise and Professional. +- Windows 11 Education,Enterprise and Professional. The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 Education,Enterprise and Professional. | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | From e9949c8a40786b52cc480e6348c702982a04589d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Thu, 18 Aug 2022 10:37:56 -0700 Subject: [PATCH 25/45] edits --- windows/deployment/update/update-compliance-v2-schema.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-v2-schema.md b/windows/deployment/update/update-compliance-v2-schema.md index ce8c149ee1..add12d9e62 100644 --- a/windows/deployment/update/update-compliance-v2-schema.md +++ b/windows/deployment/update/update-compliance-v2-schema.md 
@@ -16,7 +16,8 @@ ms.date: 06/06/2022 ***(Applies to: Windows 11 & Windows 10)*** > [!Important] -> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of August 17, 2022, a new step needs to be taken to ensure access to the preview version of Update Compliance and the `CommercialID` is no longer required. For more information, see [Configure Update Compliance settings through the Microsoft 365 admin center](update-compliance-v2-enable.md#bkmk_admin-center). +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. From 57f6bb6160f378aeb9a5c1e1d38619c024416bf2 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Aug 2022 11:41:52 -0700 Subject: [PATCH 26/45] update --- .../mdm/policies-in-policy-csp-supported-by-hololens2.md | 2 +- windows/client-management/mdm/policy-csp-mixedreality.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index f63727b2a4..6d7c82e95f 100644 
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -56,7 +56,7 @@ ms.date: 08/01/2022 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) -- [MixedReality/DisableNCSIPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablencispassivepolling) Insider +- [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) Insider - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 901555820c..208a49fbf0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -35,7 +35,7 @@ manager: dansimp MixedReality/ConfigureMovingPlatform

- MixedReality/DisableNCSIPassivePolling + MixedReality/DisallowNetworkConnectivityPassivePolling
MixedReality/FallbackDiagnostics @@ -270,7 +270,7 @@ Supported value is Integer.
-**MixedReality/DisableNCSIPassivePolling** +**MixedReality/DisallowNetworkConnectivityPassivePolling** @@ -294,9 +294,9 @@ Supported value is Integer.
-Wi-Fi auto recovery is enabled on HoloLens 2 by default. In some cases you may want your devices to not automatically reconnect. This may be because you have a preferred network you want to keep your devices on, you find yourself reconnecting to an access point that doesn't have internet, or you want to keep those devices offline in specific areas. For those cases we've enabled a new policy that you can opt to use to keep your devices from automatically reconnecting back to your access points. +Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. Which may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. -The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisableNCSIPassivePolling` +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling` - Bool value From 134bc3190fe2b6bb59c155135850b9ed5800fbbb Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Aug 2022 12:08:49 -0700 Subject: [PATCH 27/45] AllowLaunchUriInSingleAppKiosk --- ...es-in-policy-csp-supported-by-hololens2.md | 1 + .../mdm/policy-csp-mixedreality.md | 38 +++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index de4ba5687e..30325907dd 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md 
@@ -53,6 +53,7 @@ ms.date: 08/01/2022 - [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 - [MixedReality/AllowCaptivePortalBeforeSignIn](./policy-csp-mixedreality.md#mixedreality-allowcaptiveportalpeforesignin) Insider +- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#mixedreality-allowlaunchuriinsingleappkiosk)10 - [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 - [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 2630843c66..c30a9270ca 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -25,6 +25,9 @@ manager: aaroncz
MixedReality/AllowCaptivePortalBeforeSignIn
+
+ MixedReality/AllowLaunchUriInSingleAppKiosk +
MixedReality/AutoLogonUser
@@ -125,6 +128,41 @@ Bool value + +**MixedReality/AllowLaunchUriInSingleAppKiosk** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + +> [!NOTE] +> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + +This can be enabled to allow for other apps to be launched with in a single app Kiosk, which may be useful, for example, if you want to launch the Settings app to calibrate your device or change your Wi-fi. + +By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. + +The OMA-URI of policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk + +Bool value + + + + + **MixedReality/AutoLogonUser** From 47dfa014f7541b46cc3d5926c07af3bc6582d42d Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Aug 2022 12:09:57 -0700 Subject: [PATCH 28/45] Update policy-csp-mixedreality.md --- windows/client-management/mdm/policy-csp-mixedreality.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index c30a9270ca..9b8f94104e 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -129,7 +129,7 @@ Bool value -**MixedReality/AllowLaunchUriInSingleAppKiosk** +**MixedReality/AllowLaunchUriInSingleAppKiosk** @@ -164,7 +164,7 @@ Bool value -**MixedReality/AutoLogonUser** +**MixedReality/AutoLogonUser** From 4021180aa35e517bbc600937b211b5cd6be9b84e Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Aug 2022 12:21:06 -0700 Subject: [PATCH 29/45] remove note --- windows/client-management/mdm/policy-csp-mixedreality.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 9b8f94104e..2922cb7c28 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md 
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -139,9 +139,6 @@ Bool value |HoloLens (first gen) Commercial Suite|No| |HoloLens 2|Yes| -> [!NOTE] -> This feature is currently only available in [HoloLens Insider](/hololens/hololens-insider) builds. - [Scope](./policy-configuration-service-provider.md#policy-scope): From 6cb8be8b7fb7ebb2b7ff8c2e0a728b57222c85c9 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Aug 2022 12:47:50 -0700 Subject: [PATCH 30/45] down direction --- ...es-in-policy-csp-supported-by-hololens2.md | 1 + .../mdm/policy-csp-mixedreality.md | 43 +++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 30325907dd..9d2038131f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -60,6 +60,7 @@ ms.date: 08/01/2022 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#mixedreality-disablesisallownetworkconnectivitypassivepolling) Insider - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 - [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 +- [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#mixedreality-manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 - [MixedReality/SkipCalibrationDuringSetup](./policy-csp-mixedreality.md#mixedreality-skipcalibrationduringsetup) Insider - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#mixedreality-skiptrainingduringsetup) Insider 
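Review bot: In the `@@ -60,6 +60,7 @@` hunk for policies-in-policy-csp-supported-by-hololens2.md, the first context line links DisallowNetworkConnectivityPassivePolling to `#mixedreality-disablesisallownetworkconnectivitypassivepolling`. The "disablesisallow" fragment looks like a leftover from the DisableNCSIPassivePolling rename and does not match the policy name, so the link probably will not resolve to the policy section. Since this patch edits the same list, suggest correcting the fragment to `#mixedreality-disallownetworkconnectivitypassivepolling` here. Minor style point on the added ManualDownDirectionDisabled entry: it uses `policy-csp-mixedreality.md#...` while most neighbouring entries use `./policy-csp-mixedreality.md#...`; pick one form for the list.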
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 2922cb7c28..38f5de2e58 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -46,6 +46,9 @@ manager: aaroncz
MixedReality/HeadTrackingMode
+
+ MixedReality/ManualDownDirectionDisabled +
MixedReality/MicrophoneDisabled
@@ -427,6 +430,46 @@ The following list shows the supported values:
+ +**MixedReality/ManualDownDirectionDisabled** + + + +|Windows Edition|Supported| +|--- |--- | +|HoloLens (first gen) Development Edition|No| +|HoloLens (first gen) Commercial Suite|No| +|HoloLens 2|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether the user can change down direction manually or not. If no down direction is set by the user, then an automatically calculated down direction is used by the system. This policy has no dependency on ConfigureMovingPlatform policy and they can be set independently. + +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/ManualDownDirectionDisabled` + + + + + +Supported values: + +- **False (Default)** - User can manually change down direction if they desire, otherwise down direction will be determined automatically based on the measured gravity vector. +- **True** - User can’t manually change down direction and down direction will be always determined automatically based on the measured gravity vector. + + + **MixedReality/MicrophoneDisabled** From d761f251d4df7797a83ef7a98cce0e2f489baa7b Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 18 Aug 2022 14:48:10 -0600 Subject: [PATCH 31/45] Update policy-csp-mixedreality.md Lines 126 & 158: Add backticks to match other lines beginning "The OMA-URI of...." https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/2bb0ce63-267c-48b3-9c09-7ad9072c2cdd#CORRECTNESS Lines 178 & 189: sign in > sign-in Line 335: Which > That Alternatives for line 335 include changing the period to a comma and the capital W to lowercase, or changing the second sentence to something like "That false-positive signal may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point." (Note: add hyphen to "false positive" in the prior sentence, as well." --- .../client-management/mdm/policy-csp-mixedreality.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 38f5de2e58..56f82e6ba2 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md 
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -123,7 +123,7 @@ This new feature is an opt-in policy that IT Admins can enable to help with the MixedReality/AllowCaptivePortalBeforeSignIn -The OMA-URI of new policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn +The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowCaptivePortalBeforeSignIn` Bool value @@ -155,7 +155,7 @@ This can be enabled to allow for other apps to be launched with in a single app By default, launching applications via Launcher API (Launcher Class (Windows.System) - Windows UWP applications) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true. -The OMA-URI of policy: ./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk +The OMA-URI of policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/AllowLaunchUriInSingleAppKiosk` Bool value @@ -175,7 +175,7 @@ Bool value |HoloLens 2|Yes| -This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in. +This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign-in. When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon. 
@@ -186,7 +186,7 @@ Supported value is String. - User with the same email address will have autologon enabled. -On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. +On a device where this policy is configured, the user specified in the policy will need to sign in at least once. Subsequent reboots of the device after the first sign-in will have the specified user automatically signed in. Only a single autologon user is supported. Once enabled, the automatically signed-in user won't be able to sign out manually. To sign in as a different user, the policy must first be disabled. > [!NOTE] > @@ -332,7 +332,7 @@ Supported value is Integer.
-Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. Which may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. +Windows Network Connectivity Status Indicator may get false positive Internet capable signal from passive polling. That may result in unexpected Wi-Fi adapter reset when device connects to an intranet only access point. Enabling this policy would avoid unexpected network interruptions caused by false positive NCSI passive polling. The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/DisallowNetworkConnectivityPassivePolling` @@ -675,4 +675,4 @@ The following list shows the supported values: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From 4d6283a76c71cbe381f83407b3d0384788f0e365 Mon Sep 17 00:00:00 2001 From: sawft99 <81699231+sawft99@users.noreply.github.com> Date: Fri, 19 Aug 2022 00:48:07 -0400 Subject: [PATCH 32/45] Wording --- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 28426e5d60..7c87a7eecd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -497,7 +497,7 @@ You can reset the recovery password in two ways: > [!NOTE] > To manage a remote computer, you can specify the remote computer name rather than the local computer name. -You can use the following sample script to create a VBScript file to reset the recovery passwords: +You can use the following sample VBScript to reset the recovery passwords: ```vb ' Target drive letter From b66107da15753ad3701135e622711855205a00d9 Mon Sep 17 00:00:00 2001 From: Shesh <56231259+sheshachary@users.noreply.github.com> Date: Fri, 19 Aug 2022 12:30:36 +0530 Subject: [PATCH 33/45] Updated Gov's comments --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 3849eae29c..50338f7ae8 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -84,7 +84,7 @@ The table below lists the supported configurations for remotely connecting to an > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). > [!NOTE] -> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). If the Network Level Authentication is disabled, then the connection works. +> When an Azure Active Directory group is added to the Remote Desktop Users group on a Windows device, it isn't honoured when the user that belongs to the Azure AD group logs in through Remote Desktop Protocol (they can't sign in using Remote Desktop Connection). In this scenario, Network Level Authentication should be disabled to run the connection. ## Related topics From d827849e4712868ecbfa89d91a8b74e3f8504125 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 19 Aug 2022 12:36:29 +0530 Subject: [PATCH 34/45] Update windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md Accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 1ce5b5ae0d..7e02768001 100644 
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -19,8 +19,8 @@ ms.technology: windows-sec **Applies to** -- Windows 10 Education,Enterprise and Professional. -- Windows 11 Education,Enterprise and Professional. +- Windows 10 Education, Enterprise, and Professional +- Windows 11 Education, Enterprise, and Professional The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. From 27f769b576d1c411dc7871a6f29d043366bb29d9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 19 Aug 2022 12:36:50 +0530 Subject: [PATCH 35/45] Update windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md Accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 7e02768001..33f69ede20 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md 
@@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 Education,Enterprise and Professional. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 Education, Enterprise, and Professional | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | From de7bc797d5a4b07d231036a0f1ab5faf1f50f139 Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Fri, 19 Aug 2022 08:25:02 -0700 Subject: [PATCH 36/45] Update changes-to-windows-diagnostic-data-collection.md added windows insider dev channel build number that included the changes --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 06dbd93c71..e63e7f1322 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -108,7 +108,7 @@ If you don’t sign up for any of these enterprise services, Microsoft will act ### Rollout plan for this change -This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. +This change will rollout in phases, starting with Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program. Starting in build 25169, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option. During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA: 
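Review bot: In the `+` line of the `@@ -108,7 +108,7 @@` hunk, "This change will rollout in phases" uses the noun "rollout" as a verb; the line it replaces had "will roll out", so keep the two-word verb form. The same added line has two consecutive clauses that open with "starting" ("starting with Windows devices", "Starting in build 25169"), which reads awkwardly; consider "Beginning with build 25169" for the second. The trailing context line still says "During this initial rollout", which referred to the removed "roll out initially" wording; check that it still reads correctly against the new phased description.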
@@ -129,4 +129,4 @@ As part of this change, the following policies will no longer be supported to co - Allow Desktop Analytics Processing - Allow Update Compliance Processing - Allow WUfB Cloud Processing - - Configure the Commercial ID \ No newline at end of file + - Configure the Commercial ID From 5ce7fcf566f16a3ed5710ce581c1c5c87b74d185 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 19 Aug 2022 09:10:50 -0700 Subject: [PATCH 37/45] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 62d92eb76a..88b2c471c4 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: vinaypamnani-msft -ms.date: 01/03/2022 +ms.date: 08/19/2022 ms.reviewer: manager: aaroncz --- 
@@ -3757,7 +3757,7 @@ ADMX Info: -This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days. We don't recommend setting the value to less than 2 days to prevent machines from going out of date. @@ -4797,4 +4797,4 @@ ADMX Info: ## Related topics -[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) From dbe45bb8a6d07ca2458cba24e4471468e1e4b289 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 19 Aug 2022 15:16:27 -0400 Subject: [PATCH 38/45] Fix the command for PS execution --- .../diagnose-mdm-failures-in-windows-10.md | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 1191fc721d..b28a49b37e 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -14,7 +14,7 @@ ms.collection: highpri # Diagnose MDM failures in Windows 10 -To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. +To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs. ## Download the MDM Diagnostic Information log from Windows 10 PCs 
@@ -30,32 +30,34 @@ To help diagnose enrollment or device management issues in Windows 10 devices m 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. -## Use command to collect logs directly from Windows 10 PCs +## Use command to collect logs directly from Windows 10 PCs You can also collect the MDM Diagnostic Information logs using the following command: ```xml -mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -zip c:\users\public\documents\MDMDiagReport.zip +mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "c:\users\public\documents\MDMDiagReport.zip" ``` -- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. + +- In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. ### Understanding zip structure + The zip file will have logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub -- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls -- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) -- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. 
-- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool -- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables -- MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations -- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command -- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. +- DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls +- DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider) +- MDMDiagHtmlReport.html: Summary snapshot of MDM space configurations and policies. Includes, management url, MDM server device ID, certificates, policies. +- MdmDiagLogMetadata, json: mdmdiagnosticstool metadata file, contains command-line arguments used to run the tool +- MDMDiagReport.xml: contains a more detail view into the MDM space configurations, e.g enrollment variables +- MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations +- MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command +- *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. -## Collect logs directly from Windows 10 PCs +## Collect logs directly from Windows 10 PCs -Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: +Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: -- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider +- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider Here's a screenshot: 
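Review bot: the bullet that follows the corrected command still sends the reader to `c:\Users\Public\Documents\MDMDiagnostics`, but the command writes its output to `c:\users\public\documents\MDMDiagReport.zip`, so the report is not in the folder the bullet names; point the bullet at the path passed to `-zip`. The added quotes are right for PowerShell, where an unquoted `;` ends the statement, but the fence is still tagged `xml` although it holds a command line. Because every bullet under "Understanding zip structure" is rewritten in this hunk anyway, also fix `MdmDiagLogMetadata, json` (which looks like a typo for a `.json` file name), "mdmdiagnosticslog tool" (the bullet above calls it mdmdiagnosticstool) and "e.g enrollment variables". The Event Viewer location is spelled "DeviceManagement-Enterprise-Diagnostic-Provider" while the .evtx bullet uses "enterprise-diagnostics-provider". Since the listed contents include certificates, the MDM server device ID and registry dumps, and the Public folder is readable by every local account, a sentence telling admins to move or delete the zip after collection would be worth adding.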
@@ -63,34 +65,34 @@ Here's a screenshot: In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. -**To collect Admin logs** +### Collect admin logs -1. Right click on the **Admin** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Right click on the **Admin** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. -**To collect Debug logs** +### Collect debug logs -1. Right click on the **Debug** node. -2. Select **Save all events as**. -3. Choose a location and enter a filename. -4. Click **Save**. -5. Choose **Display information for these languages** and then select **English**. -6. Click **Ok**. +1. Right click on the **Debug** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. -You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. +You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. -## Collect logs remotely from Windows 10 PCs +## Collect logs remotely from Windows 10 PCs When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. 
The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: -- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin -- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug Example: Enable the Debug channel logging 
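Review bot: promoting "To collect Admin logs" and "To collect Debug logs" to `###` headings leaves the paragraph "For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**." as the tail of the "Collect admin logs" section, and the closing sentence about opening .evtx files inside "Collect debug logs" although it applies to both procedures. Move the enable-Debug paragraph under `### Collect debug logs`, and move the .evtx sentence up to the section introduction. The rewritten steps still say "Right click" and "Click **Ok**", while the "Open Saved Log" steps later in this patch use "Right-click" and "**OK**", and the context line "if you need more details logs" should read "more detailed logs".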
@@ -235,27 +237,27 @@ After the logs are collected on the device, you can retrieve the files through t For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected. -1. Open eventvwr.msc. -2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. +1. Open eventvwr.msc. +2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. ![event viewer screenshot.](images/diagnose-mdm-failures9.png) -3. Navigate to the etl file that you got from the device and then open the file. -4. Click **Yes** when prompted to save it to the new log format. +3. Navigate to the etl file that you got from the device and then open the file. +4. Click **Yes** when prompted to save it to the new log format. ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png) -5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. +5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. ![event viewer actions.](images/diagnose-mdm-failures12.png) -6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. +6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. ![event filter for Device Management.](images/diagnose-mdm-failures13.png) -7. Now you're ready to start reviewing the logs. +7. Now you're ready to start reviewing the logs. ![event viewer review logs.](images/diagnose-mdm-failures14.png) @@ -283,5 +285,3 @@ Here's an example of how to collect current MDM device state data using the [Dia ``` - -  From fe6c5cb5538cb3ca5c092224f45cbd73dd59f4b2 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 19 Aug 2022 16:32:58 -0400 Subject: [PATCH 39/45] Fix explanation --- .../mdm/policy-csp-update.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 384768cd58..26dfc16e2f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3524,8 +3524,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Driver from Windows Update. -- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Drivers from Windows Update. +- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS). @@ -3560,7 +3560,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForQualityUpdates 
@@ -3582,8 +3582,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Feature from Windows Update. -- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS). @@ -3618,7 +3618,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForFeatureUpdates @@ -3640,8 +3640,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Other from Windows Update. -- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Other updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS). 
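Review bot: the two `+` value lines in this hunk still say "Windows Server Update Server (WSUS)", while the policy description corrected in the hunk just above says "Windows Server Update Service (WSUS)"; use one product name in both places. The same mismatch is in the Driver, Feature and Quality value lists that this patch touches. Capitalisation also differs between the lists ("Other updates" here, "Feature Updates" and "Drivers" in the earlier hunks), and "1: Enabled, Detect, download, and deploy ..." reads as if "Enabled" were the first item of the action list; wording it like value 0, as "1: Detect, download, and deploy Other updates from ... (WSUS)", would be clearer.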
@@ -3676,7 +3676,7 @@ The table below shows the applicability of Windows: -Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. +Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: - SetPolicyDrivenUpdateSourceForFeatureUpdates @@ -3698,8 +3698,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Quality from Windows Update. -- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS). +- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update. +- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS). From 745023a55ceba54ee58aacabdf1fbb9209b3e64a Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 19 Aug 2022 17:40:42 -0400 Subject: [PATCH 40/45] Change SupportedSku for ConfigureChatIcon --- windows/client-management/mdm/policy-csp-experience.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index a2da6374ab..80986cd431 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md 
@@ -925,10 +925,10 @@ The following list shows the supported values: |Edition|Windows 10|Windows 11| |--- |--- |--- | -|Home|No|Yes| +|Home|No|No| |Pro|No|Yes| |Windows SE|No|Yes| -|Business|No|No| +|Business|No|Yes| |Enterprise|No|Yes| |Education|No|Yes| From 19c60668a5235e18b9aa8090f60586d5881893ce Mon Sep 17 00:00:00 2001 From: Office Content Publishing 4 <87501895+officedocspr4@users.noreply.github.com> Date: Sat, 20 Aug 2022 23:33:43 -0700 Subject: [PATCH 41/45] Uploaded file: education-content-updates.md - 2022-08-20 23:33:43.5187 --- education/includes/education-content-updates.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index e06d4cfd48..b9d519b4c6 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,14 @@ +## Week of August 15, 2022 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 8/17/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified | + + ## Week of August 08, 2022 From ca1723615fa3d7e439c303711542c397409024e0 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Mon, 22 Aug 2022 11:12:53 -0400 Subject: [PATCH 42/45] change note syntax --- .../configure-md-app-guard.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 71b4af8046..168c3d7608 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md 
@@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/10/2022 +ms.date: 08/22/2022 ms.reviewer: manager: dansimp ms.custom: sasr @@ -28,7 +28,10 @@ Application Guard uses both network isolation and application-specific settings. ## Network isolation settings -These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge. +These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. + +> [!NOTE] +> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge. > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy. From 20e3f15d9ff806a4e37b7b9abde53ef7243be335 Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Mon, 22 Aug 2022 10:24:10 -0500 Subject: [PATCH 43/45] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 1e27f08aa2..53deb22171 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -1350,10 +1350,10 @@ Supported operation is Execute. Request ID is expected as a parameter. > [!NOTE] > Key rotation is supported only on these enrollment types: -> - windowsAzureADJoin -> - windowsBulkAzureDomainJoin -> - windowsAzureADJoinUsingDeviceAuth -> - windowsCoManagement +> - Windows 10 Azure AD Join. +> - Windows 10 bulk Azure AD Join. +> - Windows 10 Azure AD Join using Device Auth. +> - Windows 10 Co-Management triggered by AutoPilot or Group Policy. > [!TIP] > Key rotation feature will only work when: From 94c92bd1d8fba2f40adc424553f1677423909e2e Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Mon, 22 Aug 2022 10:58:01 -0500 Subject: [PATCH 44/45] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 53deb22171..77aa4ade1e 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1350,10 +1350,11 @@ Supported operation is Execute. Request ID is expected as a parameter. > [!NOTE] > Key rotation is supported only on these enrollment types: -> - Windows 10 Azure AD Join. -> - Windows 10 bulk Azure AD Join. -> - Windows 10 Azure AD Join using Device Auth. -> - Windows 10 Co-Management triggered by AutoPilot or Group Policy. +> - windowsAzureADJoin. +> - windowsBulkAzureDomainJoin. +> - windowsAzureADJoinUsingDeviceAuth. +> - windowsCoManagement. +> For more information, see [Device Enrollment Type](https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-deviceenrollmenttype?view=graph-rest-1.0). > [!TIP] > Key rotation feature will only work when: From 94278d8f606223db98ef3a878ebe82eb47a36b4e Mon Sep 17 00:00:00 2001 
From: Saurabh Koshta Date: Mon, 22 Aug 2022 11:06:37 -0500 Subject: [PATCH 45/45] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 77aa4ade1e..97ff6341d2 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1349,12 +1349,11 @@ Value type is string. Supported operation is Execute. Request ID is expected as a parameter. > [!NOTE] -> Key rotation is supported only on these enrollment types: +> Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype). > - windowsAzureADJoin. > - windowsBulkAzureDomainJoin. > - windowsAzureADJoinUsingDeviceAuth. > - windowsCoManagement. -> For more information, see [Device Enrollment Type](https://docs.microsoft.com/en-us/graph/api/resources/intune-devices-deviceenrollmenttype?view=graph-rest-1.0). > [!TIP] > Key rotation feature will only work when:
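Review bot: in the final bitlocker-csp.md hunk (PATCH 45/45) the enum values keep the trailing periods introduced in PATCH 44/45 (`windowsAzureADJoin.`, `windowsBulkAzureDomainJoin.`, `windowsAzureADJoinUsingDeviceAuth.`, `windowsCoManagement.`), so an admin who copies a value into a query or filter takes the period with it; drop the periods and set the identifiers in code formatting. The intro line now has the "For more information" sentence between "these enrollment types" and the list it introduces; ending the intro with a colon and moving the link sentence after the list would read better. Patches 43 to 45 rewrite the same four lines three times (friendly names, back to enum names, then the link move), so squashing them would leave one reviewable change.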
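Review bot: in PATCH 42/45 (configure-md-app-guard.md, hunk @@ -28,7 +28,10) the new `> [!NOTE]` block lands directly above the existing one, and the two can now be read as contradicting each other: the first says that with KB5014666 or KB5014668 installed "you don't need to configure network isolation policy", the second that "You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings". Say in the second note which devices it still applies to, or merge the two into one note that states the condition once. The hunk also changes wording ("for Edge" to "for Microsoft Edge", "are no longer required to" to "don't need to") beyond the syntax change named in the subject line, which the commit message should mention.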
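Review bot: in PATCH 37/45 (policy-csp-admx-microsoftdefenderantivirus.md, hunk @@ -3757,7 +3757,7) the added sentence "We don't recommend setting the value to less than 2 days to prevent machines from going out of date" is ambiguous, because by the definition in the first sentence a lower value makes security intelligence count as out of date sooner, not later. Something like "We recommend a value of at least 2 days so that machines aren't reported as out of date prematurely" says what is meant. The same line changes the stated default from 14 to 7 days without saying whether this corrects the documentation or reflects a change in a particular release; state which, since admins who rely on the default for fallback-source or warning behaviour need to know.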
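Review bot: in PATCH 38/45 (diagnose-mdm-failures-in-windows-10.md, hunk @@ -235,27 +237,27) step 6 names the event source "DeviceManagement-EnterpriseDiagnostics-Provider", which matches neither the Event Viewer path given earlier in the same file ("DeviceManagement-Enterprise-Diagnostic-Provider") nor the channel names ("Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider"). A reader typing the name into the filter needs the exact string, so settle on the one Event Viewer shows and use it in all three places. Step 3 also says "Navigate to the etl file" under **Open Saved Log**, while the collection sections describe saving .evtx files; say which file types this procedure covers.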