From a9b5a2e27f902920bc9438d4e1f187e85efb224b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Oct 2024 16:44:02 -0400 Subject: [PATCH 1/6] Add link to blog Add link to blog for more info. --- .../comanage/autopilot-enrollment.md | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md index 37bcd03bce7..2e024859165 100644 --- a/memdocs/configmgr/comanage/autopilot-enrollment.md +++ b/memdocs/configmgr/comanage/autopilot-enrollment.md 
@@ -83,12 +83,12 @@ The following components are required to support Autopilot into co-management: - Windows devices running one of the following versions: - - Windows 11 + - Windows 11 -> [!NOTE] - > For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, you must create a co-management settings policy and set **automatically install the Configuration Manager client** to **No** and in Advanced settings, keep default settings for **Override co-management policy and use Intune for all workloads.** + > [!NOTE] + > For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, you must create a co-management settings policy and set **automatically install the Configuration Manager client** to **No** and in Advanced settings, keep default settings for **Override co-management policy and use Intune for all workloads.** - - At least Windows 10, version 20H2, with the latest cumulative update + - A [currently supported](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions-by-servicing-option) version of Windows 10. - Register the device for Autopilot. For more information, see [Windows Autopilot registration overview](/autopilot/registration-overview). 
@@ -127,19 +127,25 @@ Use these recommendations for a more successful deployment: ## Limitations -Autopilot into co-management currently doesn't support the following functionality: + - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Microsoft Intune will continue to manage all the co-management workloads. -- Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase. + To change the management authority to Configuration Manager, set the following registry key value: -> [!NOTE] -> -> For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, along with Configuration Manager client installation, registry value **ConfigInfo** in registry path **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** must be set to **2** which will set the management authority as Configuration Manager. + - Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server**. + - Value: **ConfigInfo** + - REG_SZ: **2** + + For more information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500). 
+ +- Autopilot into co-management currently doesn't support the following functionality: + + - Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase. -- Autopilot pre-provisioning. + - Autopilot pre-provisioning. -- Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors. + - Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors. -- Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad). + - Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad). ## Configure From e3cdc369d7e64a17e5056b477be13cbc952fc4b2 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:01:10 -0400 Subject: [PATCH 2/6] Update autopilot-enrollment.md --- memdocs/configmgr/comanage/autopilot-enrollment.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md index 2e024859165..524a2a189ef 100644 --- a/memdocs/configmgr/comanage/autopilot-enrollment.md +++ b/memdocs/configmgr/comanage/autopilot-enrollment.md 
@@ -85,8 +85,12 @@ The following components are required to support Autopilot into co-management: - Windows 11 - > [!NOTE] - > For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, you must create a co-management settings policy and set **automatically install the Configuration Manager client** to **No** and in Advanced settings, keep default settings for **Override co-management policy and use Intune for all workloads.** + For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings: + + - **Automatically install the Configuration Manager client>**: **No** + - **Override co-management policy and use Intune for all workloads.**: **No** + + For additional information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500). - A [currently supported](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions-by-servicing-option) version of Windows 10. From 1f6c48e6e85da6d30f17462afdd23952166c0e75 Mon Sep 17 00:00:00 2001 
From: brenduns Date: Fri, 4 Oct 2024 14:05:17 -0700 Subject: [PATCH 3/6] Freshness and technical improvements --- memdocs/intune/protect/certificates-configure.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/protect/certificates-configure.md b/memdocs/intune/protect/certificates-configure.md index 2b3a24ce2ad..6d44aad1193 100644 --- a/memdocs/intune/protect/certificates-configure.md +++ b/memdocs/intune/protect/certificates-configure.md @@ -1,13 +1,13 @@ --- # required metadata -title: Learn about the types of certificate that are supported by Microsoft Intune +title: Types of certificate that are supported by Microsoft Intune description: Learn about Microsoft Intune's support for Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS) certificates. keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/21/2023 +ms.date: 10/04/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: protect 
@@ -120,11 +120,13 @@ When you use a Microsoft Certification Authority (CA): When you use a third-party (non-Microsoft) Certification Authority (CA): -- To use SCEP certificate profiles: +- SCEP certificate profiles don't require use of the Microsoft Intune Certificate Connector. Instead, the third-party CA handles the certificate issuance and management directly. To use SCEP certificate profiles without the Intune Certificate Connector: - Configure integration with a third-party CA from [one of our supported partners](certificate-authority-add-scep-overview.md#third-party-certification-authority-partners). Setup includes following the instructions from the third-party CA to complete integration of their CA with Intune. - [Create an application in Microsoft Entra ID](certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration) that delegates rights to Intune to do SCEP certificate challenge validation. + + For more information, see [Set up third-party CA integration](../protect/certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration) -- PKCS imported certificates require you to [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md). +- PKCS imported certificates require use of the Microsoft Intune Certificate Connector. See [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md). - Deploy certificates by using the following mechanisms: - [Trusted certificate profiles](certificates-trusted-root.md#create-trusted-certificate-profiles) to deploy the Trusted Root CA certificate from your root or intermediate (issuing) CA to devices 
@@ -152,10 +154,9 @@ When you use a third-party (non-Microsoft) Certification Authority (CA): [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)] + !INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] - [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] - -## Next steps +## Related content More resources: From 827cddebb98d34c8167332108252391f3f4ddacc Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 4 Oct 2024 14:10:10 -0700 Subject: [PATCH 4/6] Minor fix --- memdocs/intune/protect/certificates-configure.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/certificates-configure.md b/memdocs/intune/protect/certificates-configure.md index 6d44aad1193..cda2beba9d0 100644 --- a/memdocs/intune/protect/certificates-configure.md +++ b/memdocs/intune/protect/certificates-configure.md @@ -58,7 +58,8 @@ To provision a user or device with a specific type of certificate, Intune uses a In addition to the three certificate types and provisioning methods, you need a trusted root certificate from a trusted Certification Authority (CA). The CA can be an on-premises Microsoft Certification Authority, or a [third-party Certification Authority](certificate-authority-add-scep-overview.md). The trusted root certificate establishes a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued. To deploy this certificate, you use the *trusted certificate* profile, and deploy it to the same devices and users that receive the certificate profiles for SCEP, PKCS, and imported PKCS. -> [!TIP] +> [!TIP] +> > Intune also supports use of [Derived credentials](derived-credentials.md) for environments that require use of smartcards. ### What’s required to use certificates 
@@ -154,7 +155,7 @@ When you use a third-party (non-Microsoft) Certification Authority (CA): [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)] - !INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] +[!INCLUDE [android-device-administrator-support](../includes/android-device-administrator-support.md)] ## Related content From 47401db79b5b2717119400dc6ed8bba50476a800 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:13:08 -0400 Subject: [PATCH 5/6] Additional changes Additional changes --- memdocs/configmgr/comanage/autopilot-enrollment.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md index 524a2a189ef..3df9507d8a6 100644 --- a/memdocs/configmgr/comanage/autopilot-enrollment.md +++ b/memdocs/configmgr/comanage/autopilot-enrollment.md 
@@ -85,9 +85,9 @@ The following components are required to support Autopilot into co-management: - Windows 11 - For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings: + For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings:
- - **Automatically install the Configuration Manager client>**: **No** + - **Automatically install the Configuration Manager client.**: **No** - **Override co-management policy and use Intune for all workloads.**: **No** For additional information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500). @@ -131,11 +131,11 @@ Use these recommendations for a more successful deployment: ## Limitations - - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Microsoft Intune will continue to manage all the co-management workloads. + - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. - To change the management authority to Configuration Manager, set the following registry key value: + To change the management authority to Configuration Manager, set the following registry key value:
- - Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server**. + - Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** - Value: **ConfigInfo** - REG_SZ: **2** From 358da92682d47e4cc83c6268b6bdfd38d2aa1758 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 4 Oct 2024 17:18:08 -0400 Subject: [PATCH 6/6] Add breaks Add breaks --- memdocs/configmgr/comanage/autopilot-enrollment.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md index 3df9507d8a6..c66b33772e5 100644 --- a/memdocs/configmgr/comanage/autopilot-enrollment.md +++ b/memdocs/configmgr/comanage/autopilot-enrollment.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.localizationpriority: medium author: gowdhamankarthikeyan ms.author: gokarthi -ms.reviewer: mstewart,aaroncz +ms.reviewer: mstewart,aaroncz,frankroj manager: apoorvseth ms.collection: tier3 --- @@ -86,7 +86,7 @@ The following components are required to support Autopilot into co-management: - Windows 11 For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings:
- +
- **Automatically install the Configuration Manager client.**: **No** - **Override co-management policy and use Intune for all workloads.**: **No** @@ -134,7 +134,7 @@ Use these recommendations for a more successful deployment: - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To change the management authority to Configuration Manager, set the following registry key value:
- +
- Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** - Value: **ConfigInfo** - REG_SZ: **2**
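Review bot: In PATCH 1/6, hunk @@ -83,12 +83,12 of autopilot-enrollment.md, the re-indented note still tells the reader to "keep default settings for **Override co-management policy and use Intune for all workloads.**" without saying what that default is, so the reader cannot verify the policy they create; state the value explicitly (the later patches settle on **No**), because the mitigation depends on it. The removed and added "- Windows 11" lines are textually identical, so that part of the hunk is a whitespace-only change; either drop it or mention the trailing-space line break in the commit message. Minor: "Installing Configuration Manager client as Win32 app" is missing "the" before both nouns.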
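Review bot: In PATCH 1/6, hunk @@ -127,19 +127,25, the new first bullet says the management authority for Windows 11 hybrid joined devices can be switched to Configuration Manager with the **ConfigInfo** registry value, while the nested bullet that follows still lists "Microsoft Entra hybrid joined devices" as unsupported when the device is targeted with a co-management settings policy; spell out how the two relate (the registry value is the route because no settings policy can be targeted in that scenario, if that is the intent), otherwise the Limitations section reads as contradicting itself. The deleted NOTE also said the value must be set "along with Configuration Manager client installation"; the replacement drops that timing, so say when and by what the value is written (for example by the same Win32 app that installs the client), since a device that gets the client but not the value stays Intune-managed for every workload. Formatting: the new bullet starts with a leading space (" - For Windows 11 devices...") while the sibling "- Autopilot into co-management currently doesn't support..." sits at column 0, which can render the first as a nested item.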
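Review bot: In PATCH 2/6, hunk @@ -85,8 +85,12, the new paragraph places both settings under "the following Advanced settings", but the NOTE it replaces distinguished them: **automatically install the Configuration Manager client** is set on the policy itself and only **Override co-management policy and use Intune for all workloads** is under Advanced settings; keep that distinction so the reader looks in the right place in the console. The first label also contains a stray ">" ("**Automatically install the Configuration Manager client>**") and the second carries a period inside the bold before the colon; both should match the UI text exactly with no trailing punctuation. The "For additional information" link is the same blog link PATCH 1/6 added under Limitations; if both are kept, use one lead-in phrase ("For more information") in both places.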
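Review bot: In PATCH 3/6, hunk @@ -120,11 +120,13 of certificates-configure.md, "the third-party CA handles the certificate issuance and management directly" reads as if Intune is out of the loop, yet the sub-bullet right below says the Entra ID application "delegates rights to Intune to do SCEP certificate challenge validation"; rephrase so the connector-free path is described accurately: the third-party CA issues the certificate, and Intune still validates the SCEP challenge, which is the control that stops the CA from signing requests Intune did not authorize. The added cross-reference uses "../protect/certificate-authority-add-scep-overview.md" while the bullet above links the same file as "certificate-authority-add-scep-overview.md"; use the file-relative form consistently, and end the "For more information, see ..." sentence with a period.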
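Review bot: In PATCH 3/6, hunk @@ -152,10 +154,9, the added line "+ !INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]" is malformed: it lacks the opening "[" and has a leading space, so the include directive would render as literal text instead of pulling in the shared content. PATCH 4/6 repairs exactly this line; squash that fix into this commit so the series has no revision where the page is broken. The "## Next steps" to "## Related content" rename is fine but is not mentioned in the commit subject "Freshness and technical improvements".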
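Review bot: In PATCH 5/6, hunk @@ -85,9 +85,9, the removed and added "For Windows 11 devices, if a device has not been targeted..." lines are textually identical, so the change is whitespace-only (presumably trailing spaces for a hard line break); if that is intended, say so in the commit message, otherwise drop the pair, since editors and linters strip trailing whitespace and would silently undo it. The label fix swaps the stray ">" for a period, leaving "**Automatically install the Configuration Manager client.**: **No**"; drop the period inside the bold on both labels so each reads "**label**: **No**".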
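Review bot: In PATCH 5/6, hunk @@ -131,11 +131,11, the "To change the management authority to Configuration Manager, set the following registry key value:" pair is likewise identical apart from whitespace; dropping "thus" and the trailing period on the Path line is fine. The registry list labels its third item "REG_SZ: **2**", which conflates the value's type with its data; present it as "Type: REG_SZ" and "Data: **2**" (or Value name / Type / Data) so someone configuring or auditing the key cannot read REG_SZ as the value name.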
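Review bot: In PATCH 6/6, hunk @@ -9,7 +9,7, adding "frankroj" to ms.reviewer is unrelated to the commit subject "Add breaks"; either mention it in the message or move it to its own commit. In hunks @@ -86,7 +86,7 and @@ -134,7 +134,7 the removed and added lines both show no visible content, so the "break" being added is whitespace the diff cannot display; a line containing only spaces is treated as blank by Markdown anyway, so a plain empty line between the paragraph and the nested list does the same job and will not be silently altered by whitespace cleanup.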