From bee7236457d0f3d4155d5ac4a8a5fd4364950733 Mon Sep 17 00:00:00 2001 From: cbrito01 Date: Thu, 23 Jun 2022 20:56:02 -0500 Subject: [PATCH 01/14] Update personalization-csp.md Personalization CSP is supported in Windows 11 SE. Changed the top table from No to Yes on Windows 11 --- windows/client-management/mdm/personalization-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 736959df4e..7eca48b485 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| -|Windows SE|No|No| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| From 557e056eb0088be0d31466ad8644537a135406e1 Mon Sep 17 00:00:00 2001 From: Bob Clements <72577850+bobclements-msft@users.noreply.github.com> Date: Tue, 28 Jun 2022 08:36:04 -0700 Subject: [PATCH 02/14] Update windows-autopatch-microsoft-365-apps-enterprise.md Section edit for Servicing Profile. Re-labeled section to point out compatibility. Added links to Servicing Profile resources. Added intro statement for readers that are not familiar with Servicing Profiles. --- .../windows-autopatch-microsoft-365-apps-enterprise.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 2175c45a94..05111912f8 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -100,7 +100,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi | Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated | | Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates | -## Microsoft 365 Apps servicing profiles +## Compatibility with Servicing Profiles + +[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. From e42b13922d3b1615edf56d02c8445c78428b8915 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Tue, 28 Jun 2022 12:09:40 -0700 Subject: [PATCH 03/14] 37251356 - Add note about garrulous events caused by MI/ISG enablements --- .../operations/known-issues.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index a54661c0b2..2463f2312e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -31,6 +31,10 @@ ms.localizationpriority: medium This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. +## ManagedInstaller/ISG enablements may cause garrulous events + +These events do not indicate an issue with the policy, and we are servicing the code to turn them off by default. This will be resolved in the September 2022 C release. + ## .NET native images may generate false positive block events In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. From 568e1da35e86cb065d7341d918c1483401b50528 Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Tue, 28 Jun 2022 12:33:35 -0700 Subject: [PATCH 04/14] Update known-issues.md --- .../operations/known-issues.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 34b4026eb5..57efc3c9da 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -28,20 +28,20 @@ ms.localizationpriority: medium >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. +This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. ## ManagedInstaller/ISG enablements may cause garrulous events -These events do not indicate an issue with the policy, and we are servicing the code to turn them off by default. This will be resolved in the September 2022 C release. +These events don't indicate an issue with the policy, and we're servicing the code to turn them off by default. This issue will be resolved in the September 2022 C release. ## .NET native images may generate false positive block events -In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. +In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. ## MSI Installations launched directly from the internet are blocked by WDAC Installing .msi files directly from the internet to a computer protected by WDAC will fail. -For example, this command will not work: +For example, this command won't work: ```console msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi From f3f40d05bbf77178b8c973af37ca115fb381b3a0 Mon Sep 17 00:00:00 2001 From: Harman Thind <63820404+hathin@users.noreply.github.com> Date: Tue, 28 Jun 2022 13:54:41 -0700 Subject: [PATCH 05/14] New URLs added added 2 new urls for Windows Autopatch service --- .../prepare/windows-autopatch-configure-network.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index a1fb48b746..93a0fbe3bd 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer | Microsoft service | URLs required on allowlist | | ----- | ----- | -| Windows Autopatch | | +| Windows Autopatch | | ### Required Microsoft product endpoints From c6758d8894de1abbaf2ff6866edb53fa282ddffa Mon Sep 17 00:00:00 2001 From: valemieux <98555474+valemieux@users.noreply.github.com> Date: Wed, 29 Jun 2022 05:51:34 -0700 Subject: [PATCH 06/14] Update known-issues.md --- .../operations/known-issues.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 57efc3c9da..1c179e8e7a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -30,9 +30,9 @@ ms.localizationpriority: medium This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production. -## ManagedInstaller/ISG enablements may cause garrulous events +## Managed Installer and ISG will cause garrulous events -These events don't indicate an issue with the policy, and we're servicing the code to turn them off by default. This issue will be resolved in the September 2022 C release. +When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy. ## .NET native images may generate false positive block events From a2f544c005c6624902081088299ff8732b871853 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Thu, 30 Jun 2022 17:03:10 -0500 Subject: [PATCH 07/14] More changes --- .../deploy/windows-autopatch-register-devices.md | 15 ++++++++------- .../prepare/windows-autopatch-prerequisites.md | 8 +++++--- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index a522a08253..4c38fd7246 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 06/24/2022 +ms.date: 06/30/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -68,16 +68,17 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). - - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads: + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). + - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune): - Windows updates policies - Device configuration - Office Click-to-run - Last Intune device check-in completed within the last 28 days. +- Devices must have Serial Number, Model and Manufacturer. + > [!NOTE] + > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. -For more information on how Configuration Manager workloads work, see [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads). - -See [Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details. +See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details. ## About the Ready and Not ready tabs @@ -126,7 +127,7 @@ Once devices or Azure AD groups containing devices are added to the **Windows Au > [!IMPORTANT] > It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview. -## Additional device management lifecycle scenarios +## Device management lifecycle scenarios There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5d377d6e50..4484d30d3a 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 05/30/2022 +ms.date: 06/30/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -21,7 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

| -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

See [register your devices](https://docs.microsoft.com/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works. + +For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses @@ -42,7 +44,7 @@ The following Windows 64-bit editions are required for Windows Autopatch: - Windows 10/11 Enterprise - Windows 10/11 Pro for Workstations -## Co-management requirements +## Configuration Manager Co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: From bbbf4c39a3f387268471ba92086e5c65599fb92c Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:29:51 -0700 Subject: [PATCH 08/14] Update windows-autopatch-prerequisites.md --- .../prepare/windows-autopatch-prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 4484d30d3a..431e2c3f27 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

| -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

See [register your devices](https://docs.microsoft.com/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works. +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

See [Register your devices](../deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works. For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | From 9dcbe8cbb4e86f1c8cc7fba1f13925c6c478b09d Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:35:45 -0700 Subject: [PATCH 09/14] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 4c38fd7246..bdb0f168e9 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -68,7 +68,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#co-management-requirements). - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune): - Windows updates policies - Device configuration From 97c1e235e780f80e80489a25bde9cb4f1c713b88 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:38:02 -0700 Subject: [PATCH 10/14] Update windows-autopatch-prerequisites.md --- .../prepare/windows-autopatch-prerequisites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 431e2c3f27..029a20632c 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -21,7 +21,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

| -| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

See [Register your devices](../deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works. +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

Other device management prerequisites include:

See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works. For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | From e4136efa95d70be9c9e36c7d3088d4ead16eaa99 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 30 Jun 2022 15:46:23 -0700 Subject: [PATCH 11/14] Fixed broken links. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- .../prepare/windows-autopatch-enroll-tenant.md | 2 +- .../prepare/windows-autopatch-prerequisites.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 64041a261e..e88fc29e91 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -43,7 +43,7 @@ sections: - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) Additional pre-requisites for devices managed by Configuration Manager: - - [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements) + - [Co-management](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index c594bece89..5170032f91 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -27,7 +27,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 5d377d6e50..2f24e926b6 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -42,7 +42,7 @@ The following Windows 64-bit editions are required for Windows Autopatch: - Windows 10/11 Enterprise - Windows 10/11 Pro for Workstations -## Co-management requirements +## Configuration Manager Co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: From c2be73ed32cd39163a1bf950e3c8469959cb3119 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:51:54 -0700 Subject: [PATCH 12/14] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index bdb0f168e9..f6dc54cf8d 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -68,7 +68,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#co-management-requirements). + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune): - Windows updates policies - Device configuration From 3ad2eaa8a3f72e8a6ce7bbd262bbb51cf6840fce Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Thu, 30 Jun 2022 15:52:33 -0700 Subject: [PATCH 13/14] Update windows-autopatch-faq.yml --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e88fc29e91..3e968ceeab 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -43,7 +43,7 @@ sections: - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) Additional pre-requisites for devices managed by Configuration Manager: - - [Co-management](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) + - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements) - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions) - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? From 980dd88868937de62dc8216960819732c0a67008 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 1 Jul 2022 10:07:52 -0700 Subject: [PATCH 14/14] Update known-issues.md --- .../operations/known-issues.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 1c179e8e7a..dfddeebe3f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -10,7 +10,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: dansimp -ms.date: 04/14/2021 +ms.date: 07/01/2022 ms.technology: windows-sec ms.topic: article ms.localizationpriority: medium @@ -25,8 +25,8 @@ ms.localizationpriority: medium - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.