From c5bd3b4ee96cb21153943603dd18a46a527e5816 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 1 Jun 2018 17:26:57 +0000 Subject: [PATCH 1/6] Merged PR 8690: add instructions for anonymous email/IM on Surface Hub --- .../surface-hub/change-history-surface-hub.md | 9 +++- ...-deployment-surface-hub-device-accounts.md | 51 +++++++++++++++++-- ...ses-deployment-surface-hub-multi-forest.md | 46 ++++++++++++++++- 3 files changed, 99 insertions(+), 7 deletions(-) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index e5ecc34139..3d35042b08 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/22/2018 +ms.date: 06/01/2018 ms.localizationpriority: medium --- @@ -17,6 +17,12 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## June 2018 + +New or changed topic | Description +--- | --- +[On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md) and [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md) | Added (prerelease) instructions for disabling anonymous email and IM. + ## May 2018 New or changed topic | Description @@ -29,6 +35,7 @@ New or changed topic | Description --- | --- [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated instructions for Skype for Business Hybrid. + ## March 2018 New or changed topic | Description diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 6b3031daf5..aadc1fa22e 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -9,8 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.topic: article -ms.date: 04/13/2018 +ms.date: 06/01/2018 ms.localizationpriority: medium --- @@ -105,10 +104,54 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI “tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true ``` - Again, you'll need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. + Again, you need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. -  + ## Disable anonymous email and IM + + +>[!WARNING] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. + +Assume you have a per-user client policy assigned to each meeting room device with an identity of **SurfaceHubPolicy**. To disable anonymous email and messaging, you add a clientPolicyEntry to this client policy by using the following commands. + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $false +$clientPolicy = Get-CsClientPolicy -Identity SurfaceHubPolicy +$clientPolicy.PolicyEntry.Add($policyEntry) +Set-CsClientPolicy -Instance $clientPolicy +``` + +To verify that the policy has been set: + +``` +Select-Object -InputObject $clientPolicy -Property PolicyEntry +``` + +The output should be: + +``` +PolicyEntry +----------- +{Name=AllowResourceAccountSendMessage;Value=False} +``` + + +To change the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Replace = $policyEntry} +``` + +To remove the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Remove = $policyEntry} +```   diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index dd4e285e06..3c92823a8b 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -8,8 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 +ms.date: 06/01/2018 ms.localizationpriority: medium --- @@ -98,7 +97,50 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. +## Disable anonymous email and IM +>[!WARNING] +>This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. + +Assume you have a per-user client policy assigned to each meeting room device with an identity of **SurfaceHubPolicy**. To disable anonymous email and messaging, you add a clientPolicyEntry to this client policy by using the following commands. + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $false +$clientPolicy = Get-CsClientPolicy -Identity SurfaceHubPolicy +$clientPolicy.PolicyEntry.Add($policyEntry) +Set-CsClientPolicy -Instance $clientPolicy +``` + +To verify that the policy has been set: + +``` +Select-Object -InputObject $clientPolicy -Property PolicyEntry +``` + +The output should be: + +``` +PolicyEntry +----------- +{Name=AllowResourceAccountSendMessage;Value=False} +``` + + +To change the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Replace = $policyEntry} +``` + +To remove the policy entry: + +``` +$policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true +$clientPolicy | Set-CsClientPolicy -PolicyEntry @{Remove = $policyEntry} +```   From a3fe35121ad584b1eae08fe781c87478e023f1e0 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Fri, 1 Jun 2018 11:54:44 -0700 Subject: [PATCH 2/6] added notes about diagdata requirements for semi-annual channel --- .../update/device-health-get-started.md | 8 ++++---- .../deployment/update/waas-configure-wufb.md | 15 ++++++++------ .../update/waas-manage-updates-wufb.md | 20 +++++++++---------- windows/deployment/update/waas-overview.md | 9 +++++++-- .../update/windows-analytics-get-started.md | 6 ++++++ 5 files changed, 36 insertions(+), 22 deletions(-) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 4a72395427..b1dd75c4e5 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -26,9 +26,9 @@ Steps are provided in sections that follow the recommended setup process: Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). -**If you are already using OMS**, you’ll find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using OMS**, use the following steps to subscribe to OMS Device Health: +**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) @@ -50,11 +50,11 @@ Device Health is offered as a solution in the Microsoft Operations Management Su [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) -6. To add Device Health to your workspace, go to the Solution Gallery, Select the **Device Health** tile and then select **Add** on the solution's detail page. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page. [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png) -7. Click the **Device Health** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. +7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index b6260dbd6d..f9c3e0a5d1 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -4,10 +4,10 @@ description: You can use Group Policy or your mobile device management (MDM) ser ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +ms.author: jaimeo +ms.date: 06/01/2018 --- # Configure Windows Update for Business @@ -21,14 +21,14 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products. > >In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] ->For Windows Update for Business policies to be honored, the Diagnostic Data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +>For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). @@ -42,7 +42,7 @@ By grouping devices with similar deferral periods, administrators are able to cl ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** @@ -60,6 +60,9 @@ Starting with version 1703, users are able to configure their device's branch re >[!NOTE] >Users will not be able to change this setting if it was configured by policy. +>[!IMPORTANT] +>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). + ## Configure when devices receive Feature Updates After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 88a40b5473..4a3d26fe3b 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -4,10 +4,10 @@ description: Windows Update for Business lets you manage when devices received u ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 10/13/2017 +ms.author: jaimeo +ms.date: 06/01/2018 --- # Deploy updates using Windows Update for Business @@ -21,11 +21,11 @@ ms.date: 10/13/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products. > ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. +>In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: @@ -45,7 +45,7 @@ Windows Update for Business is a free service that is available for Windows Pro, Windows Update for Business provides three types of updates to Windows 10 devices: - **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually. -- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. +- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. @@ -102,10 +102,10 @@ The pause period is now calculated starting from the set start date. For additio ## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. +Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. >[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-channels). +>For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels). @@ -113,7 +113,7 @@ Windows Update for Business was first made available in Windows 10, version 1511 - + diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index a3a8becf16..11d7d0c708 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: high ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 06/01/2018 --- # Overview of Windows as a service @@ -72,11 +72,16 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting * Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). +>[!IMPORTANT] +>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). + >[!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). > ->You can also read [this blog post](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. +>You can also read the blog post [Waas simplified and aligned](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/), with details on this change. +>[!IMPORTANT] +>Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). ### Feature updates diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 03892db937..143925ed43 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -90,6 +90,12 @@ If you are planning to enable IE Site Discovery in Upgrade Readiness, you will n |----------------------|-----------------------------------------------------------------------------| | [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
For more information about this update, see

Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | +## Set diagnostic data levels + +You can set the diagnostic data level used by monitored devices either with the Update Readiness deployment script or by policy (by using Group Policy or Mobile Device Management). + +The basic functionality of Update Readiness will work at the Basic diagnostic data level, you won't get usage or health data for your updated devices without enabling the Enhanced level. This means you won't get information about health regressions on updated devices. So it is best to enable the Enhanced diagnostic data level, at least on devices running Windows 10, version 1709 (or later) where the Enhanced diagnostic data setting can be paired with "limited enhanced" data level (see [Windows 10 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)). For more information, see [Windows Analytics and privacy](https://docs.microsoft.com/windows/deployment/update/windows-analytics-privacy). + ## Enroll a few pilot devices You can use the Upgrade Readiness deployment script to automate and verify your deployment. We always recommend manually running this script on a few representative devices to verify things are properly configured and the device can connect to the diagnostic data endpoints. Make sure to run the pilot version of the script, which will provide extra diagnostics. From 0c0814698d9f396d7654630c0df886c03cec3989 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 1 Jun 2018 15:21:18 -0700 Subject: [PATCH 3/6] udpate refs --- ...ows-defender-advanced-threat-protection.md | 134 +++++++++--------- 1 file changed, 66 insertions(+), 68 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index 4510f2dbe7..5919dad684 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 06/01/2018 --- # Advanced hunting reference in Windows Defender ATP @@ -35,75 +35,73 @@ Use the following table to understand what the columns represent, its data type, | Column name | Data type | Description :---|:--- |:--- -| AccountDomain | string | Domain of the account. | -| AccountName | string | User name of the account. | -| AccountSid | string | Security Identifier (SID) of the account. | -| ActionType | string | Type of activity that triggered the event. | -| AdditionalFields | string | Additional information about the event in JSON array format. | -| AlertId | string | Unique identifier for the alert. | -| ComputerName | string | Fully qualified domain name (FQDN) of the machine. | -| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | -| EventId | int | Unique identifier used by Event Tracing for Windows (ETW) for the event type. | -| EventTime | datetime | Date and time when the event was recorded. | -| EventType | string | Table where the record is stored. | -| FileName | string | Name of the file that the recorded action was applied to. | -| FileOriginIp | string | IP address where the file was downloaded from. | -| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file. | -| FileOriginUrl | string | URL where the file was downloaded from. | -| FolderPath | string | Folder containing the file that the recorded action was applied to. | -| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. | -| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. | -| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. | -| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | -| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. | -| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. | -| InitiatingProcessFileName | string | Name of the process that initiated the event. | -| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. | -| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event. | -| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | -| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event. | -| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. | -| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event. | -| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event. | -| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event. | -| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | -| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event. | -| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory. | -| LocalIP | string | IP address assigned to the local machine used during communication. | -| LocalPort | int | TCP port on the local machine used during communication. | -| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format. | -| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen.

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients.

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed.

- **Batch** - Session initiated by scheduled tasks.

- **Service** - Session initiated by services as they start.
-| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | -| MachineId | string | Unique identifier for the machine in the service. | -| MD5 | string | MD5 hash of the file that the recorded action was applied to. | -| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format. | -| OSArchitecture | string | Architecture of the operating system running on the machine. | -| OSBuild | string | Build version of the operating system running on the machine. | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| PreviousRegistryKey | string | Original registry key of the registry value before it was modified. | -| PreviousRegistryValueData | string | Original data of the registry value before it was modified. | -| PreviousRegistryValueName | string | Original name of the registry value before it was modified. | -| PreviousRegistryValueType | string | Original data type of the registry value before it was modified. | -| ProcessCommandline | string | Command line used to create the new process. | -| ProcessCreationTime | datetime | Date and time the process was created. | -| ProcessId | int | Process ID (PID) of the newly created process. | -| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | -| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. | -| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log. | -| RegistryKey | string | Registry key that the recorded action was applied to. | -| RegistryValueData | string | Data of the registry value that the recorded action was applied to. | -| RegistryValueName | string | Name of the registry value that the recorded action was applied to. | -| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to. | -| RemoteIP | string | IP address that was being connected to. | -| RemotePort | int | TCP port on the remote device that was being connected to. | -| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. | -| ReportIndex | long | Event identifier that is unique among the same event type. | -| SHA1 | string | SHA-1 of the file that the recorded action was applied to. | -| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. +| AccountDomain | string | Domain of the account | +| AccountName | string | User name of the account | +| AccountSid | string | Security Identifier (SID) of the account | +| ActionType | string | Type of activity that triggered the event | +| AdditionalFields | string | Additional information about the event in JSON array format | +| AlertId | string | Unique identifier for the alert | +| ComputerName | string | Fully qualified domain name (FQDN) of the machine | +| EventTime | datetime | Date and time when the event was recorded | +| EventType | string | Table where the record is stored | +| FileName | string | Name of the file that the recorded action was applied to | +| FileOriginIp | string | IP address where the file was downloaded from | +| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | +| FileOriginUrl | string | URL where the file was downloaded from | +| FolderPath | string | Folder containing the file that the recorded action was applied to | +| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event | +| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event | +| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event | +| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event | +| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started | +| InitiatingProcessFileName | string | Name of the process that initiated the event | +| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event | +| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event | +| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. | +| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | +| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | +| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | +| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | +| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | +| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | +| LocalIP | string | IP address assigned to the local machine used during communication | +| LocalPort | int | TCP port on the local machine used during communication | +| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | +| LogonType | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen.

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients.

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed.

- **Batch** - Session initiated by scheduled tasks.

- **Service** - Session initiated by services as they start.
+| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. | +| MachineId | string | Unique identifier for the machine in the service | +| MD5 | string | MD5 hash of the file that the recorded action was applied to | +| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | +| OSArchitecture | string | Architecture of the operating system running on the machine | +| OSBuild | string | Build version of the operating system running on the machine | +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| PreviousRegistryKey | string | Original registry key of the registry value before it was modified | +| PreviousRegistryValueData | string | Original data of the registry value before it was modified | +| PreviousRegistryValueName | string | Original name of the registry value before it was modified | +| PreviousRegistryValueType | string | Original data type of the registry value before it was modified | +| ProcessCommandline | string | Command line used to create the new process | +| ProcessCreationTime | datetime | Date and time the process was created | +| ProcessId | int | Process ID (PID) of the newly created process | +| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | +| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | +| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log | +| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | +| RegistryKey | string | Registry key that the recorded action was applied to | +| RegistryValueData | string | Data of the registry value that the recorded action was applied to | +| RegistryValueName | string | Name of the registry value that the recorded action was applied to | +| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | +| RemoteIP | string | IP address that was being connected to | +| RemotePort | int | TCP port on the remote device that was being connected to | +| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | +| SHA1 | string | SHA-1 of the file that the recorded action was applied to | +| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | +| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) - +- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file From 545138eb1a3beeae802f0f8eebb38146182e58ac Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 1 Jun 2018 22:23:48 +0000 Subject: [PATCH 4/6] Merged PR 8714: Removed conversations item from removed features list removed conversations item --- .../deployment/planning/windows-10-1803-removed-features.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index 87631ec626..48f9beb9c1 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: high ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 05/03/2018 +ms.date: 06/01/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 @@ -32,7 +32,6 @@ We've removed the following features and functionalities from the installed prod |Language control in the Control Panel| Use the Settings app to change your language settings.| |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| -|**Conversations** in the People app when you're offline or if you're using a non-Office 365 mail account|In Windows 10, the People app shows mail from Office 365 contacts and contacts from your school or work organization under **Conversations**. After you update to Windows 10, version 1803, in order to see new mail in the People app from these specific contacts, you need to be online, and you need to have signed in with either an Office 365 account or, for work or school organization accounts, through the [Mail](https://support.microsoft.com/help/17198/windows-10-set-up-email), [People](https://support.microsoft.com/help/14103/windows-people-app-help), or [Calendar](https://support.office.com/article/Mail-and-Calendar-for-Windows-10-FAQ-4ebe0864-260f-4d3a-a607-7b9899a98edc) apps. Please be aware that you’ll only see mail for work and school organization accounts and some Office 365 accounts.| |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| ## Features we’re no longer developing From 880adfa4956eba72241903fb6ad15a6ab710994b Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Mon, 4 Jun 2018 14:34:16 +0000 Subject: [PATCH 5/6] Merged PR 8733: fix broken link (SH) and clarify PIN for HL --- devices/hololens/change-history-hololens.md | 8 +++++++- devices/hololens/hololens-requirements.md | 12 ++++++++++-- devices/surface-hub/device-reset-surface-hub.md | 2 +- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index b4fd1b6043..312d0a523b 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -10,13 +10,19 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/22/2018 +ms.date: 06/04/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## June 2018 + +New or changed topic | Description +--- | --- +[HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md#pin) | Added instructions for creating a sign-in PIN. + ## May 2018 New or changed topic | Description diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index d9d44b45ba..7120c2c082 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 06/04/2018 --- # Microsoft HoloLens in the enterprise: requirements and FAQ @@ -47,9 +47,17 @@ When you develop for HoloLens, there are [system requirements and tools](https:/ ## FAQ for HoloLens + #### Is Windows Hello for Business supported on HoloLens? -Hello for Business (using a PIN to sign in) is supported for HoloLens. It must be configured [using MDM](hololens-enroll-mdm.md). +Windows Hello for Business (using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: + +1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). +2. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) +3. On HoloLens, the user can then set up a PIN from **Settings** > **Sign-in Options** > **Add PIN**. + +>[!NOTE] +>Users who sign in with a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). #### Does the type of account change the sign-in behavior? diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index bf70666e38..281dc1b880 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -78,7 +78,7 @@ If the device account gets into an unstable state or the Admin account is runnin On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). -1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. +1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch. 2. The device should automatically boot into Windows RE. 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) From 68f108e059caac95c5682ac6e3099aedf6c6e903 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 4 Jun 2018 08:04:44 -0700 Subject: [PATCH 6/6] c\copyedits --- ...dows-defender-application-control-policies-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8031bc1bbf..2012791205 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -19,13 +19,13 @@ ms.date: 05/17/2018 You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. -1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Creae profile**. +1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. ![Configure profile](images\wdac-intune-create-profile-name.png) -4. Click **Configure** > **Windows Defender Application Control**. for the following settings and then click **OK**: +4. Click **Configure** > **Windows Defender Application Control**, choose from the following settings and then click **OK**: - **Application control code intergity policies**: Select **Audit only** to log events but not block any apps from running or select **Enforce** to allow only Windows components and Store apps to run. - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps.

Select Servicing Options: CB or CBB

Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

Select servicing options: CB or CBB

Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

Quality Updates

Able to defer receiving Quality Updates:

  • Up to 4 weeks
  • In weekly increments

Able to defer receiving Quality Updates:

  • Up to 30 days
  • In daily increments

Feature Updates

Able to defer receiving Feature Updates:

  • Up to 8 months
  • In monthly increments

Able to defer receiving Feature Updates:

  • Up to 180 days
  • In daily increments

Pause updates

  • Feature Updates and Quality Updates paused together
  • Maximum of 35 days

Features and Quality Updates can be paused separately.

  • Feature Updates: maximum 60 days
  • Quality Updates: maximum 35 days