From ed92b6f5a04451b93bf4ac91c5552265dc70e8e3 Mon Sep 17 00:00:00 2001 From: Jon Callahan Date: Mon, 26 Aug 2024 13:35:09 -0400 Subject: [PATCH 1/4] Added docs for Windows Update workload --- .../docs/workshop-guidance/devices/RMD_141.md | 17 ++++++++++- .../docs/workshop-guidance/devices/RMD_142.md | 2 +- .../docs/workshop-guidance/devices/RMD_143.md | 2 +- .../docs/workshop-guidance/devices/RMD_167.md | 28 ++++++++++++++++++- 4 files changed, 45 insertions(+), 4 deletions(-) diff --git a/src/react/docs/workshop-guidance/devices/RMD_141.md b/src/react/docs/workshop-guidance/devices/RMD_141.md index 7d86af59d..7fe31f004 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_141.md +++ b/src/react/docs/workshop-guidance/devices/RMD_141.md 
@@ -2,9 +2,24 @@ ## Overview +### Update Rings +**Update Rings** in Intune allow administrators to manage how and when Windows 10/11 devices receive updates. These rings are essentially policies that define the deployment schedule for feature and quality updates. Key aspects include: + +* Admins can specify deferral periods, deadlines, and active hours to minimize disruption. +* Updates can be deployed in phases to different groups of devices, reducing the risk of widespread issues. +* Ensures devices are up-to-date with the latest security patches, aligning with Zero Trust principles by maintaining a secure and compliant environment. + +### Windows Autopatch +**Windows Autopatch** is a service that automates the process of keeping Windows and Microsoft 365 apps up-to-date. It leverages Intune for device management and allow for the management and operation of update rings via **Autopatch Groups**: + +* Devices are grouped into these rings to receive updates at different times, allowing for early detection of issues before a broader rollout. +* Microsoft manages the update process, reducing the administrative burden and ensuring timely updates +* Autopatch uses Intune’s capabilities for device management, reporting, and compliance + ## Reference -* +* [Update rings for Windows 10 and later policy in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings) +* [Windows Autopatch Overview](https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/) diff --git a/src/react/docs/workshop-guidance/devices/RMD_142.md b/src/react/docs/workshop-guidance/devices/RMD_142.md index 4839f63d3..891ee50dc 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_142.md +++ b/src/react/docs/workshop-guidance/devices/RMD_142.md @@ -2,7 +2,7 @@ ## Overview - +See [Update Rings](https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_141) ## Reference 
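Review bot: grammar slip in the Windows Autopatch paragraph of the RMD_141 hunk: `It leverages Intune for device management and allow for the management and operation of update rings` should read `allows`. The three Autopatch bullets also end inconsistently (`ensuring timely updates` and `reporting, and compliance` have no terminal period while the Update Rings bullets above do); pick one convention for both lists. `Windows 10/11` and `Windows 10 and later` are both used here for the same thing; the cited doc title uses `Windows 10 and later`, so standardise on that.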
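Review bot: the placeholder in the RMD_142 hunk links to the published site with an absolute URL (`https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_141`), so it will not resolve in a local preview or a fork and silently breaks if the site path changes; use a relative link to `RMD_141.md` instead. The empty `* ` bullet under `## Reference` is also left in place and renders as a blank list item; either drop it or cite the update-rings doc there as well.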
diff --git a/src/react/docs/workshop-guidance/devices/RMD_143.md b/src/react/docs/workshop-guidance/devices/RMD_143.md index e5789eaea..f4b574485 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_143.md +++ b/src/react/docs/workshop-guidance/devices/RMD_143.md @@ -2,7 +2,7 @@ ## Overview - +See [Update Rings](https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_141) ## Reference diff --git a/src/react/docs/workshop-guidance/devices/RMD_167.md b/src/react/docs/workshop-guidance/devices/RMD_167.md index 318db4dc8..3cd8b4a11 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_167.md +++ b/src/react/docs/workshop-guidance/devices/RMD_167.md 
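Review bot: the RMD_143 hunk replaces the empty overview with `See [Update Rings](https://microsoft.github.io/zerotrustassessment/...)`, an absolute link to the published site; that breaks in local builds and forks, so make it a relative link to `RMD_141.md`. The empty `* ` reference bullet remains in the file and will render as a blank list item; remove it or add a reference. If the page is a stub awaiting its own content, say so in the PR description so the placeholder is not mistaken for the final text.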
@@ -2,9 +2,35 @@ ## Overview +### Importance of Windows 11 for Zero Trust + +**Windows 11** introduces several security features that align with the principles of **Zero Trust**: + +* Windows 11 includes advanced security measures such as hardware-based isolation, encryption, and malware protection. Features like **Windows Hello** for passwordless authentication and **Secured-core PCs** help protect against sophisticated threats. + +* **Device Health Attestation** ensures that devices are in a secure state before granting access to corporate resources. It verifies the integrity of the device's firmware, boot process, and operating system. + +* **Zero Trust DNS** feature restricts devices to connect only to approved network destinations, ensuring that outbound traffic is secure and monitored. + +* Regular updates ensure that devices are protected against the latest threats, maintaining a secure environment. + +### Windows 11 and Intune + +* Intune allows administrators to create and deploy feature update policies, making it easier to upgrade devices from Windows 10 to Windows 11. This process can be automated and monitored through the Intune admin center. + +* Intune provides tools to assess the readiness of devices for Windows 11. **Endpoint Analytics** helps identify which devices meet the hardware requirements and are ready for the upgrade. + +* Intune can enforce security policies and configurations to ensure that all devices comply with organizational standards. This includes setting up compliance policies, configuration profiles, and conditional access. + +* Administrators can use Intune to deploy updates in phases, reducing the risk of widespread issues. This approach allows for testing and validation before a broader rollout. + +* Intune provides detailed reports on the status of updates and compliance, helping administrators track progress and address any issues promptly. 
## Reference -* +* [New Windows 11 features strengthen security to address evolving](https://www.microsoft.com/en-us/security/blog/2024/05/20/new-windows-11-features-strengthen-security-to-address-evolving-cyberthreat-landscape/) +* [Zero Trust and Windows device health](https://learn.microsoft.com/en-us/windows/security/security-foundations/zero-trust-windows-device-health) +* [Simplify your Windows 11 upgrade experience with Intune](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplify-your-windows-11-upgrade-experience-with-intune/ba-p/3974500) +[Understanding readiness for Windows 11 with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866) From 0ae8dc3ad51abe22e9b25b3d88202ed8f364be2d Mon Sep 17 00:00:00 2001 From: Jon Callahan Date: Mon, 26 Aug 2024 14:08:54 -0400 Subject: [PATCH 2/4] Added docs for Windows apps in Devices section --- .../docs/workshop-guidance/devices/RMD_146.md | 7 ++++++- .../docs/workshop-guidance/devices/RMD_147.md | 18 +++++++++++++++++- .../docs/workshop-guidance/devices/RMD_149.md | 10 ++++++++-- .../docs/workshop-guidance/devices/RMD_168.md | 9 ++++++++- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/src/react/docs/workshop-guidance/devices/RMD_146.md b/src/react/docs/workshop-guidance/devices/RMD_146.md index fb41c612e..d4a542c9b 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_146.md +++ b/src/react/docs/workshop-guidance/devices/RMD_146.md 
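Review bot: in the RMD_167 hunk the last reference entry is missing its `* ` bullet (`+[Understanding readiness for Windows 11 with Microsoft Endpoint Manager](...)`), so it renders as a continuation of the preceding bullet rather than as its own list item. The first entry's title is cut off (`New Windows 11 features strengthen security to address evolving`); the URL slug shows the full title ends with `cyberthreat landscape`. The `Zero Trust DNS` bullet presents the feature as a control that is in place today, but the only source cited for it is the May 2024 security blog post; qualify the bullet with the availability status that post gives rather than stating it alongside generally available features such as Device Health Attestation.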
@@ -2,9 +2,14 @@ ## Overview +Using **Microsoft Store** apps with Intune offers streamlined app management and enhanced security, crucial for a Zero Trust environment. Intune allows administrators to centrally deploy, update, and monitor apps from the Microsoft Store. +The Microsoft Store supports Universal Windows Platform (UWP) apps, desktop apps packaged in .msix, and now Win32 apps packaged in .exe or .msi installers. + +Microsoft Store applications keep updating automatically, by default. ## Reference -* +* [Add Microsoft Store apps to Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/apps/store-apps-microsoft) +* [Configure access to the Microsoft Store app](https://learn.microsoft.com/en-us/windows/configuration/store/?tabs=intune) diff --git a/src/react/docs/workshop-guidance/devices/RMD_147.md b/src/react/docs/workshop-guidance/devices/RMD_147.md index 93c44d584..56d9e7d8e 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_147.md +++ b/src/react/docs/workshop-guidance/devices/RMD_147.md 
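Review bot: the closing sentence of the RMD_146 hunk, `Microsoft Store applications keep updating automatically, by default.`, is too loose for a guidance page: it does not say who performs the update (the Store client on the device, not Intune) or whether it covers the Win32 `.exe`/`.msi` apps the previous sentence adds, and that is the question a reader deciding whether to rely on Store apps for patch currency will ask. Suggest `By default the Microsoft Store client updates Store apps automatically` and an explicit statement of whether Win32 Store apps are included, taken from the cited `Add Microsoft Store apps to Microsoft Intune` page. Also `and now Win32 apps` is release-note phrasing that will date; drop `now`.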
@@ -2,9 +2,25 @@ ## Overview +### Line of Business (LOB) apps +**Line of Business (LOB) apps** in Intune are custom or in-house applications that are deployed using installation files like .msi, .appx, or .msix. LOB apps allow organizations to deploy tailored applications that are not available in public app stores. LOB apps do not support complex deployments or apps, especially for apps with dependencies or complex installation requirements. LOB apps also require manual updates and maintenance. + +### Win32 apps + +**Win32 apps** in Intune allows you to install, configure, protect, and monitor your Windows applications on devices at your organization. Win32 app management offer extensive customization and control over installation parameters, making them suitable for complex enterprise applications. + +Win32 app management in Microsoft Intune provides support for the following capabilities: + +* Management of traditional desktop apps +* Support for several app types +* Control for complex app installations +* Support for detection rules, dependencies, and requirements +* Support for 32-bit and 64-bit Windows operating system architecture +* Support for Windows S mode devices ## Reference -* +* [Add a Windows line-of-business app to Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/apps/lob-apps-windows) +* [Win32 app management in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management) diff --git a/src/react/docs/workshop-guidance/devices/RMD_149.md b/src/react/docs/workshop-guidance/devices/RMD_149.md index f0ad15b0e..08f0c6a2b 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_149.md +++ b/src/react/docs/workshop-guidance/devices/RMD_149.md 
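Review bot: subject-verb agreement problems in the RMD_147 hunk: `**Win32 apps** in Intune allows you to install` should be `allow`, and `Win32 app management offer extensive customization` should be `offers`. The LOB paragraph also contradicts itself within one sentence: `LOB apps do not support complex deployments or apps, especially for apps with dependencies or complex installation requirements` should name what is unsupported, for example `LOB apps do not support dependencies, detection rules, or requirement rules, so they are a poor fit for apps with complex installation needs`, which then lines up with the Win32 capability list below it. `Support for several app types` is vague next to the concrete bullets around it; name the installer types the cited Win32 doc lists or drop the bullet.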
@@ -2,9 +2,15 @@ ## Overview +Microsoft Intune has discontinued future investments in managing and deploying **Windows Information Protection (WIP)**. +Support for the Windows Information Protection without enrollment scenario in Microsoft Intune has been removed. -## Reference +For more information, see [End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support). + +For information about Intune MAM on Windows, see [MAM for Windows](https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new-archive#mam-for-windows-general-availability) and [App protection policy settings for Windows](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-windows). -* +## Reference +* [MAM for Windows](https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new-archive#mam-for-windows-general-availability) +* [End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support) diff --git a/src/react/docs/workshop-guidance/devices/RMD_168.md b/src/react/docs/workshop-guidance/devices/RMD_168.md index e10be9182..fc83baea9 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_168.md +++ b/src/react/docs/workshop-guidance/devices/RMD_168.md 
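Review bot: the RMD_149 hunk cites the same two links in the body and again under `## Reference` (`MAM for Windows` and `End of support guidance for Windows Information Protection`); keep them in one place. The link a reader implementing the WIP replacement actually needs, `App protection policy settings for Windows`, appears only in the body, so move it into the reference list. The `MAM for Windows` link targets a heading anchor in a what's-new archive (`whats-new-archive#mam-for-windows-general-availability`), which is fragile; the app protection policy settings page is the better canonical reference.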
@@ -2,9 +2,16 @@ ## Overview +There are two primary options for management of Microsoft 365 apps for Windows in Intune, **Policies for Office apps** and **ADMX management**: +* **Policies for Office apps** in Intune allow administrators to configure and enforce settings for Microsoft 365 applications. These policies can control features like macro settings, protected view, and trusted locations, ensuring that Office apps comply with organizational security standards. They are straightforward to implement and manage directly within the Intune admin center, making them ideal for organizations looking for a seamless way to enforce Office app configurations. + +* **ADMX management** in Intune involves using Administrative Templates to configure group policy settings for Windows and Office applications. ADMX templates provide a more granular level of control, allowing administrators to manage thousands of settings, including those for third-party applications. This method is beneficial for organizations with complex policy requirements or those needing to import custom ADMX files. + +Customers might prefer Office app policies for their simplicity and ease of use, especially if they only need to manage standard Office settings. On the other hand, ADMX management is suitable for more complex environments requiring detailed configuration and control over a broader range of settings. ## Reference -* +* [Policies for Office apps - Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/apps/app-office-policies) +* [Use ADMX templates on Windows 10/11 devices in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-window) From 328c59b721576ee357e806c44d23ba0c13db0c2e Mon Sep 17 00:00:00 2001 
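Review bot: the second reference URL in the RMD_168 hunk, `.../mem/intune/configuration/administrative-templates-window`, looks truncated (the link text says `Windows 10/11 devices` and the slug ends in `-window`); verify it resolves, the published page slug is `administrative-templates-windows`. On content, the ADMX paragraph says the templates `manage thousands of settings, including those for third-party applications` and only later mentions `import custom ADMX files`; third-party coverage comes from that import feature, not from the built-in templates, so fold the two into one statement to avoid overstating what ships in the box. The closing `Customers might prefer` paragraph hedges where the page should recommend; state when to use each option directly.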
From: Jon Callahan Date: Thu, 29 Aug 2024 09:22:05 -0400 Subject: [PATCH 3/4] Updates to Windows Updates section and Endpoint Analytics --- src/react/docs/workshop-guidance/devices/RMD_142.md | 8 ++++++-- src/react/docs/workshop-guidance/devices/RMD_143.md | 4 ++-- src/react/docs/workshop-guidance/devices/RMD_150.md | 6 +++++- src/react/docs/workshop-guidance/devices/RMD_188.md | 7 ++++++- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/react/docs/workshop-guidance/devices/RMD_142.md b/src/react/docs/workshop-guidance/devices/RMD_142.md index 2387d2a44..8262271bf 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_142.md +++ b/src/react/docs/workshop-guidance/devices/RMD_142.md
@@ -2,9 +2,13 @@ ## Overview -See [Update Rings](https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_141) +Feature Update policies in Intune allow you to control which Windows feature updates are installed on your devices. You can specify a target version for Windows 10 or Windows 11, ensuring devices update to and remain on that version until you change the policy. This helps maintain stability and compatibility across your devices. Additionally, safeguard holds can temporarily block updates if there are known issues, preventing potential disruption. + +Intune provides built-in reports to monitor the status of feature updates. These reports help you track which devices have successfully updated and identify any issues. To utilize these reports, you need to enable Windows diagnostic data collection on your devices. Key reports include the Feature Update Status report, which shows the update status of devices, and the Update Compliance report, which provides insights into overall compliance with your update policies. + ## Reference -* +* [Feature updates for Windows 10 and later policy in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates) +* [Windows Update reports for Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-reports) diff --git a/src/react/docs/workshop-guidance/devices/RMD_143.md b/src/react/docs/workshop-guidance/devices/RMD_143.md index f4b574485..d6f409cce 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_143.md +++ b/src/react/docs/workshop-guidance/devices/RMD_143.md 
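Review bot: the RMD_142 hunk names an `Update Compliance report`; that is not one of the Intune Windows Update reports described by the cited `Windows Update reports for Microsoft Intune` page (Update Compliance was a separate, since retired, Azure Monitor solution), so name the actual Intune report meant (the Windows feature update organizational report or the feature update failures report) or cut it. `safeguard holds can temporarily block updates if there are known issues` should make clear the holds are applied by Microsoft from compatibility data, not configured by the admin; as written it reads like a policy option. The diagnostic-data prerequisite is right, but say which diagnostic data level the cited doc requires, since that is the setting the admin has to change.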
@@ -2,9 +2,9 @@ ## Overview -See [Update Rings](https://microsoft.github.io/zerotrustassessment/docs/workshop-guidance/devices/RMD_141) +Intune can expedite the installation of the most recent Windows 10/11 security updates using Quality Update policies, which allow you to quickly deploy critical updates, such as security patches for zero-day vulnerabilities. This feature temporarily overrides any deferral settings to ensure that the update is installed as soon as possible ## Reference -* +* [Expedite Windows quality updates in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-expedite-updates) diff --git a/src/react/docs/workshop-guidance/devices/RMD_150.md b/src/react/docs/workshop-guidance/devices/RMD_150.md index 22f0a6515..751a0021b 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_150.md +++ b/src/react/docs/workshop-guidance/devices/RMD_150.md @@ -2,9 +2,13 @@ ## Overview +**Endpoint Analytics** in Intune provides insights into the performance and health of your devices. It helps identify issues that might be affecting user productivity, such as long boot times or software configurations that aren't optimized. By collecting and analyzing data from your devices, Endpoint Analytics enables IT to proactively address these issues before they impact users. +To use Endpoint Analytics, you need to enable data collection on your devices. This involves creating a policy in Intune that targets the devices you want to monitor. The data collected includes information about boot times, application performance, and other metrics that can help you understand and improve the user experience. + +Endpoint Analytics supports the Zero Trust security model by providing visibility into device health and performance. Zero Trust assumes that breaches can occur at any time, so continuous monitoring and assessment are crucial ## Reference -* +* [What is Endpoint analytics?](https://learn.microsoft.com/en-us/mem/analytics/overview) 
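Review bot: the RMD_143 hunk is a single sentence with no terminating period (`...installed as soon as possible`), and `Quality Update policies` should match the feature name used in the cited doc, `Expedite Windows quality updates`; as written it reads as though expedite is the ordinary quality-update channel rather than an out-of-band override. Since the hunk itself says the feature `temporarily overrides any deferral settings`, add the caveat that follows from it: reserve expedite for urgent security fixes and keep the update ring deferral as the normal path, so that the override does not become routine.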
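Review bot: the last paragraph of the RMD_150 hunk ends without a period (`continuous monitoring and assessment are crucial`), and the Zero Trust paragraph never connects Endpoint Analytics to an enforcement point: it says visibility is crucial but not what an admin does with the device-health signals. One sentence on feeding them into compliance or Conditional Access decisions would make the Zero Trust claim concrete. The cited doc title spells the product `Endpoint analytics` (lowercase a); keep one spelling across the page.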
diff --git a/src/react/docs/workshop-guidance/devices/RMD_188.md b/src/react/docs/workshop-guidance/devices/RMD_188.md index 91c9282ca..b90ec8ba0 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_188.md +++ b/src/react/docs/workshop-guidance/devices/RMD_188.md @@ -2,9 +2,14 @@ ## Overview +Drivers Update policies in Intune allow you to manage and deploy driver and firmware updates for Windows devices. These policies help ensure that devices have the latest drivers and firmware, which are essential for optimal performance and security. You can configure these policies to automatically approve recommended updates or require manual approval before deployment. +To manage these updates, Intune leverages the Windows Update for Business deployment service. This service identifies applicable updates for your devices and provides detailed reporting on update status, alerts, and recommendations for remediation. This helps you monitor the health and performance of your devices and ensures that updates are applied consistently across your organization. + +Managing drivers and firmware updates is crucial. Zero Trust assumes that breaches can occur at any time, so maintaining up-to-date drivers and firmware is essential to minimize vulnerabilities. ## Reference -* +* [Windows Driver update management in Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-driver-updates-overview) +* [Manage Windows driver and firmware updates with Microsoft Intune](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/manage-windows-driver-and-firmware-updates-with-microsoft-intune/ba-p/3851402) From 1d8fedae5694231b7f3cc2834381c617b9883e0d Mon Sep 17 00:00:00 2001 From: Jon Callahan Date: Thu, 29 Aug 2024 09:27:00 -0400 Subject: [PATCH 4/4] Added Remote Help doc --- .../docs/workshop-guidance/devices/RMD_167.md | 31 ++----------------- 1 file changed, 3 insertions(+), 28 deletions(-) 
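Review bot: the opening phrase of the RMD_188 hunk, `Drivers Update policies`, should be `Driver update policies`, matching the cited `Windows Driver update management` doc. The paragraph says the policies cover `driver and firmware updates`; firmware reaches Windows Update as OEM-published driver packages through the same channel, so `driver updates (including OEM firmware packages)` is more precise and avoids implying a separate firmware feature. The closing paragraph reuses the `Zero Trust assumes that breaches can occur at any time` sentence from the RMD_150 hunk nearly verbatim; say instead why stale drivers matter specifically (they run in kernel mode and are a common privilege-escalation target), which is the point a reader needs.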
diff --git a/src/react/docs/workshop-guidance/devices/RMD_167.md b/src/react/docs/workshop-guidance/devices/RMD_167.md index 757f817fd..7cc994c22 100644 --- a/src/react/docs/workshop-guidance/devices/RMD_167.md +++ b/src/react/docs/workshop-guidance/devices/RMD_167.md 
@@ -2,35 +2,10 @@ ## Overview -### Importance of Windows 11 for Zero Trust - -**Windows 11** introduces several security features that align with the principles of **Zero Trust**: - -* Windows 11 includes advanced security measures such as hardware-based isolation, encryption, and malware protection. Features like **Windows Hello** for passwordless authentication and **Secured-core PCs** help protect against sophisticated threats. - -* **Device Health Attestation** ensures that devices are in a secure state before granting access to corporate resources. It verifies the integrity of the device's firmware, boot process, and operating system. - -* **Zero Trust DNS** feature restricts devices to connect only to approved network destinations, ensuring that outbound traffic is secure and monitored. - -* Regular updates ensure that devices are protected against the latest threats, maintaining a secure environment. - -### Windows 11 and Intune - -* Intune allows administrators to create and deploy feature update policies, making it easier to upgrade devices from Windows 10 to Windows 11. This process can be automated and monitored through the Intune admin center. - -* Intune provides tools to assess the readiness of devices for Windows 11. **Endpoint Analytics** helps identify which devices meet the hardware requirements and are ready for the upgrade. - -* Intune can enforce security policies and configurations to ensure that all devices comply with organizational standards. This includes setting up compliance policies, configuration profiles, and conditional access. - -* Administrators can use Intune to deploy updates in phases, reducing the risk of widespread issues. This approach allows for testing and validation before a broader rollout. - -* Intune provides detailed reports on the status of updates and compliance, helping administrators track progress and address any issues promptly. 
+**Remote Help** in Intune is a cloud-based solution that allows IT support staff to remotely assist users with their devices. This feature enables secure, real-time connections between helpdesk personnel and end-users, facilitating troubleshooting and issue resolution. Remote Help uses strong authentication and security controls to ensure that only authorized personnel can access and assist with devices1. +Remote Help is available as an Intune add-on. For more information, see [Use Intune Suite add-on capabilities](https://learn.microsoft.com/mem/intune/fundamentals/intune-add-ons). ## Reference -* [New Windows 11 features strengthen security to address evolving](https://www.microsoft.com/en-us/security/blog/2024/05/20/new-windows-11-features-strengthen-security-to-address-evolving-cyberthreat-landscape/) -* [Zero Trust and Windows device health](https://learn.microsoft.com/en-us/windows/security/security-foundations/zero-trust-windows-device-health) -* [Simplify your Windows 11 upgrade experience with Intune](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplify-your-windows-11-upgrade-experience-with-intune/ba-p/3974500) -[Understanding readiness for Windows 11 with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/understanding-readiness-for-windows-11-with-microsoft-endpoint/ba-p/2770866) - +* [Use Remote Help with Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/remote-help)
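Review bot: the new Remote Help paragraph in the RMD_167 hunk has a stray footnote marker in `assist with devices1.`; drop the `1`. More importantly, this hunk deletes the entire `Importance of Windows 11 for Zero Trust` and `Windows 11 and Intune` sections, with their four references, that PATCH 1/4 added to this same file, while the commit message says only `Added Remote Help doc`. If the Windows 11 material was written to the wrong file in patch 1, move it to the intended RMD page within this series rather than dropping it, and squash patches 1 and 4 so RMD_167 does not carry content that is deleted three commits later. `Remote Help uses strong authentication and security controls` is too vague to be guidance; name the controls the cited Remote Help doc describes (such as Microsoft Entra sign-in for both parties, RBAC for helper permissions, and Conditional Access) or drop the sentence.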