From deec52f36cc60b85e6e88912b7f31c74677bbe42 Mon Sep 17 00:00:00 2001 From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Tue, 11 May 2021 12:29:58 -0400 Subject: [PATCH 1/3] Removing reference to registry keys After conferring with SMEs on registry key vs. configuring thru GP/MDM, while it is best practice to configure through GP/MDM (because it can be audited), there isn't strictly any issue with configuring devices straight thru regkey (this is what the script does). --- .../update/update-compliance-configuration-manual.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index beb8b237cd..ccdb293504 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -31,9 +31,6 @@ The requirements are separated into different categories: ## Required policies -> [!NOTE] -> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md). - Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: - **Policy** corresponds to the location and name of the policy. From 2df86dde5d9a33f70c61392214313f016f82ee03 Mon Sep 17 00:00:00 2001 
From: Charles Inglis <32555877+cinglis-msft@users.noreply.github.com> Date: Tue, 11 May 2021 12:36:01 -0400 Subject: [PATCH 2/3] More context on config script Config script docs inaccurately said that the script configures GP directly. It configures regkeys. This means that if GP Policy X is set to 1, but the regkey value is supposed to be 0, then the config script will set the regkey to 0; however, on the next GP refresh, the regkey will be set back to 1. --- .../update/update-compliance-configuration-script.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 120768cee3..db9c4b87e6 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -18,9 +18,12 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script > [!NOTE] -> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. +> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. Thus, it is worth auditing devices to ensure that there are no GP policy configurations in any existing tool that conflict with how policies should be configured. -The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more. +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. + +> [!NOTE] +> The configuration script configures registry keys directly. 
Registry keys can potentially be overwritten by policy settings (GP/MDM) -- **reconfiguring devices with the script does not reconfigure previously set policies, both in the case of GP and MDM**. Therefore, if there are conflicts between your GP/MDM configurations, and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. From 42aacc1da7ca76158c05c5dcb4ee1e41aaa088ac Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 11 May 2021 09:47:45 -0700 Subject: [PATCH 3/3] Update update-compliance-configuration-script.md Slight edits for clarity. --- .../update/update-compliance-configuration-script.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index db9c4b87e6..2bdf88323c 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md 
@@ -18,12 +18,12 @@ ms.topic: article # Configuring devices through the Update Compliance Configuration Script > [!NOTE] -> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. Thus, it is worth auditing devices to ensure that there are no GP policy configurations in any existing tool that conflict with how policies should be configured. +> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. We don't recommend using this script if you configure devices using MDM. Instead, configure the policies listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) by using your MDM provider. You should check devices to ensure that there aren't any policy configurations in any existing tool that conflict with how policies should be configured. The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. > [!NOTE] -> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings (GP/MDM) -- **reconfiguring devices with the script does not reconfigure previously set policies, both in the case of GP and MDM**. 
Therefore, if there are conflicts between your GP/MDM configurations, and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. +> The configuration script configures registry keys directly. Registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script does not reconfigure previously set policies, both in the case of Group Policy and MDM*. If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md), there can be issues with device enrollment. You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
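Review bot: in [PATCH 1/3], the hunk under `## Required policies` in update-compliance-configuration-manual.md deletes the note outright, so the page no longer tells readers that MDM and Group Policy settings are backed by registry keys or which configuration route is preferred. The commit message says configuring through GP/MDM is still best practice because it can be audited; that guidance belongs on the page rather than only in the commit log. Suggest replacing the note with a shorter one that drops the "unexpected behavior" claim but keeps the preference for GP/MDM and the reason for it. The deleted text also linked to the Update Compliance Configuration Script for troubleshooting, so consider keeping that link in the replacement.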
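Review bot: in [PATCH 2/3], the second `> [!NOTE]` added to update-compliance-configuration-script.md says registry keys "can potentially be overwritten by policy settings" without saying when or how, although the commit message describes it exactly: the script sets the registry key to the required value, and the next GP refresh sets it back to the value in the policy. Suggest stating that sequence in the note, since it explains why a device can look correctly configured right after the script runs and then stop enrolling. Separately, the sentence appended to the first note starts with "Thus" but follows the MDM recommendation, from which it does not follow; its reason appears only in the second note, so either move it there or drop "Thus". "GP policy configurations" is also redundant.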
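Review bot: in [PATCH 3/3], the rewritten second note changes the warning sentence from bold to italics ("*Reconfiguring devices with the script does not reconfigure previously set policies ...*"), which de-emphasizes the one statement in this note that an administrator must not miss; suggest keeping the bold. The trailing "both in the case of Group Policy and MDM" still reads awkwardly and could be "does not change policies already set through Group Policy or MDM". In the preceding sentence, "policy settings like Group Policy or MDM" names delivery mechanisms rather than settings; "settings applied through Group Policy or MDM" would be more accurate. The reworded first note now says "You should check devices" for conflicting policy configurations but gives no pointer to how; a link to the required policy list in the manual configuration article at that point would make the instruction actionable.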