mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Removing CA, MFA and service accounts from docs as per Harman's change.
parent
c3053e781a
commit
e47586b809
@ -14,7 +14,7 @@ msreviewer: hathind
|
|||||||
|
|
||||||
# Enroll your tenant
|
# Enroll your tenant
|
||||||
|
|
||||||
Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time.
|
Before you enroll in Windows Autopatch, there are settings, and other parameters you must set ahead of time.
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> You must be a Global Administrator to enroll your tenant.
|
> You must be a Global Administrator to enroll your tenant.
|
||||||
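Review bot: The comma added after "settings" in the intro sentence separates the two halves of a simple compound ("settings and other parameters") and should be dropped; the previous wording was already correct. If the sentence needs a change, rewording the ending to "you must set before you start" would tighten it without the comma.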
@ -62,9 +62,7 @@ The following are the Azure Active Directory settings:
|
|||||||
|
|
||||||
| Check | Description |
|
| Check | Description |
|
||||||
| ----- | ----- |
|
| ----- | ----- |
|
||||||
| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.<p><p>Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
|
| Co-management | This advisory check only applies if co-management is applied to your tenant. This check ensures that the proper workloads are in place for Windows Autopatch. If co-management doesn't apply to your tenant, this check can be safely disregarded, and won't block device deployment. |
|
||||||
| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). |
|
|
||||||
| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. |
|
|
||||||
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||||
|
|
||||||
### Check results
|
### Check results
|
||||||
|
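Review bot: The new Co-management row carries no link to its troubleshooting section, while the Conditional access row it replaces linked to `../prepare/windows-autopatch-fix-issues.md#conditional-access-policies`. Later in this commit that heading becomes "### Co-management", so the row could point at the new anchor, and any other page that still links to `#conditional-access-policies` will land on a missing anchor. Search the repo for that fragment before merging. The same applies to references that relied on the removed cloud service accounts and Security defaults rows.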
@ -25,7 +25,7 @@ For each check, the tool will report one of four possible results:
|
|||||||
| Ready | No action is required before completing enrollment. |
|
| Ready | No action is required before completing enrollment. |
|
||||||
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
|
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
|
||||||
| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
|
| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
|
||||||
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant is not properly licensed for Microsoft Intune. |
|
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
|
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
|
||||||
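Review bot: The Error row edited here still gives two unrelated causes in one sentence (insufficient role permission, or missing Intune licensing), so a reader who sees Error can't tell which one applies. Consider splitting them into two sentences. Since a later hunk in this commit deletes the only row that listed the Azure AD roles needed in addition to Intune Administrator, this row should also say which role is sufficient for the remaining checks.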
@ -55,14 +55,13 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop
|
|||||||
|
|
||||||
You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
|
You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
|
||||||
|
|
||||||
### Conditional access policies
|
### Co-management
|
||||||
|
|
||||||
Conditional access policies must not prevent Windows Autopatch from connecting to your tenant.
|
Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune.
|
||||||
|
|
||||||
| Result | Meaning |
|
| Result | Meaning |
|
||||||
| ----- | ----- |
|
| ----- | ----- |
|
||||||
| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.<p><p>During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.<p><p>For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.</p> |
|
| Advisory | To successfully enroll devices that are co-managed into Windows Autopatch, it's necessary that the following co-managed workloads are set to **Intune**:<ul><li>Device configuration</li><li>Windows update policies</li><li>Office 365 client apps</li></ul><p>If co-management doesn't apply to your tenant, this check can be safely disregarded, and it won't block device deployment.</p> |
|
||||||
| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:<br><ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul> |
|
|
||||||
|
|
||||||
### Licenses
|
### Licenses
|
||||||
|
|
||||||
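Review bot: The new "### Co-management" section sits directly under the context line "You can access Azure Active Directory (AD) settings in the Azure portal", but its own text describes co-management as a Configuration Manager and Microsoft Intune feature. It reads as if the workloads are changed in the Azure portal. Move the section under the Intune settings group or add a sentence saying where the workload setting lives. The section also has only an Advisory row. If the check can return Error, as the Conditional access check it replaces could, that result needs a row as well.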
@ -71,19 +70,3 @@ Windows Autopatch requires the following licenses:
|
|||||||
| Result | Meaning |
|
| Result | Meaning |
|
||||||
| ----- | ----- |
|
| ----- | ----- |
|
||||||
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||||
|
|
||||||
### Windows Autopatch cloud service accounts
|
|
||||||
|
|
||||||
Certain account names could conflict with account names created by Windows Autopatch.
|
|
||||||
|
|
||||||
| Result | Meaning |
|
|
||||||
| ----- | ----- |
|
|
||||||
| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul><p>You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service. For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access).</p> |
|
|
||||||
|
|
||||||
### Security defaults
|
|
||||||
|
|
||||||
Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices.
|
|
||||||
|
|
||||||
| Result | Meaning |
|
|
||||||
| ----- | ----- |
|
|
||||||
| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |
|
|
||||||
|
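Review bot: Deleting the "Security defaults" and "Windows Autopatch cloud service accounts" sections leaves no guidance for tenants that already acted on them. The removed text told admins to "Turn off Security defaults and set up conditional access policies" and to rename or remove accounts named MsAdmin, MsAdminInt or MsTest. The commit message only says the content is removed "as per Harman's change". Add a short note stating whether these requirements no longer apply, so that admins who disabled Security defaults or excluded accounts from MFA for enrollment know whether they can restore those controls.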