diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index d34731b0cce..42c612580be 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md 
@@ -40,6 +40,35 @@ This article describes known issues that can often be resolved with: ## Known issues +## Security group membership update failures might lead to non-compliant devices + +Date added: *September 27, 2024* + +If security groups aren't properly configured in Microsoft Intune, devices might lose compliance and be left in an unsecured state. The following are potential reasons for security group membership failures: + +- **Retry failures**: Security group membership updates might not succeed during retry windows, leading to delays in group updates. + +- **Static to dynamic group changes**: After the Windows Autopilot device preparation profiles are configured, changing a security group from static to dynamic could cause failures. + +- **Owner removal**: If the Intune Autopilot First Party App is removed as an owner of a configured security group, updates might fail. + +- **Group deletion**: If a configured security group is deleted and devices are deployed before Microsoft Intune detects the deletion, security configurations might fail to apply. + +To mitigate the issue, follow these steps: + +1. **Validate security group configuration before provisioning**: + + - Ensure the correct security group is selected within the Microsoft Intune admin center or the Microsoft Entra admin center. + - The security group should be configured within the Windows Autopilot device preparation profile. + - The group shouldn't be assignable to other groups. + - The Intune Autopilot First Party App should be an owner of the group. + +1. **Manually fix the provisioned devices**: + + - If devices are already deployed or the security group isn't applicable, manually add the affected devices to the correct security group. + +By following these steps, you can prevent security group membership failures and ensure devices remain compliant and secure. + ## Deployment fails for devices not in the Coordinated Universal Time (UTC) time zone Date added: *July 8, 2024*
@@ -92,9 +121,7 @@ The issue is being investigated. As a workaround, add the following additional r For more information, see [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions). > [!NOTE] -> > The [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions) article doesn't list the **Device configurations** - **Assign** permission. This permission requirement is only temporary until the issue is resolved. However, the article can be used as a guide on how to properly add this permission. - **This issue was resolved in July 2024.** ### Device is stuck at 100% during the out-of-box experience (OOBE) diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png index 20b2e2445cb..efec5d69195 100644 Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png differ diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png index 8291926c478..24ecaac81b6 100644 Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png differ diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png index 2b222bce2fa..90ac3526a6a 100644 Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png differ 
diff --git a/windows-365/enterprise/restrict-office-365-cloud-pcs.md b/windows-365/enterprise/restrict-office-365-cloud-pcs.md index bc128eb9aea..bd087454bfd 100644 --- a/windows-365/enterprise/restrict-office-365-cloud-pcs.md +++ b/windows-365/enterprise/restrict-office-365-cloud-pcs.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 09/27/2023 +ms.date: 09/30/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -36,18 +36,27 @@ Administrators can deny access to Office 365 services on any device other than a This article describes how to limit access to Office 365 services. You can use the same strategy with any cloud service that uses Microsoft Entra ID as the authentication source. 1. Create a Microsoft Entra security group to manage which users are controlled by the new policy. Add to this group all the Cloud PC users who will be subjected to the new policy. Only users in this group will be restricted to using Cloud PCs when accessing Office 365 services. If you want to change a user’s access, you can just remove them from this group. + 2. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional access** > **Create new policy**. + ![Create conditional access policy screen shot](./media/restrict-office-365-cloud-pcs/create-conditional-policy.png) + 3. Type a **Name** for your new Conditional Access policy. For example, “Restrict Office 365 access to CPCs”. + 4. Select **0 users and groups selected** > **Include** > **Select users and groups** > **Users and groups** > select the Microsoft Entra security group that you created > **Select**. + ![Select group screen shot](./media/restrict-office-365-cloud-pcs/select-group.png) -5. Select **No cloud apps, actions, or authentication contexts selected** > **Include** > **Select apps** > **None** (under **Select**) > search for and select **Office 365** > **Select**. + +5. Select **No target resources selected** > **Include** > **Select apps** > **None** (under **Select**) > search for and select **Office 365** > **Select**. + ![Select apps to include](./media/restrict-office-365-cloud-pcs/include-apps.png) + 6. Select **Exclude** > **None** (under **Select excluded cloud apps**) > search for and select **Azure Virtual Desktop** and **Windows 365** apps > **Select**. 
- ![Select apps to exclude](./media/restrict-office-365-cloud-pcs/exclude-apps.png) -7. Select **0 conditions selected** > **Not configured** (under **Filter for devices**). - ![Filter devices screen shot](./media/restrict-office-365-cloud-pcs/filter-devices.png) + +7. Select **0 conditions selected** (under **Conditions**) > **Not configured** (under **Filter for devices**). + 8. In the **Filter for devices** pane: + 1. Set **Configure** to **Yes**. 2. Select **Exclude filtered devices from policy**. 3. Select the dropdown option under **Property** > **Model**. @@ -55,12 +64,14 @@ This article describes how to limit access to Office 365 services. You can use t 5. In the text box under **Value**, type the value as **Cloud PC**. If the Cloud PC naming conventions change, change the filter value to match the device names. 6. Select **Done** to set the filter. - ![Configure filtering devices](./media/restrict-office-365-cloud-pcs/filter-devices-configure.png) + ![Configure filtering devices](./media/restrict-office-365-cloud-pcs/filter-devices-configure.png) You can set more options in this policy as needed, but such additions are outside the scope of this article. + 9. Select **0 controls selected** (under **Grant**) > **Block Access** >**Select**. - ![Block access screen shot](./media/restrict-office-365-cloud-pcs/block-access.png) + 10. Select **On** (under **Enable policy**). This policy will restrict users from accessing Office 365 services on non-Cloud PC devices. You may want to select **Report-only** to monitor the policy and build confidence prior to enforcing it. + 11. Select **Create** to complete the creation of policy. >[!NOTE]
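Review bot: in the new "Security group membership update failures" section of known-issues.md (hunk @@ -40,6 +40,35 @@), the requirement "The group shouldn't be assignable to other groups" is ambiguous; state whether the group must not be role-assignable or must not be nested as a member of another group, because an admin validating the configuration needs to know which group property to check. The "Retry failures" bullet is circular (updates "might not succeed during retry windows, leading to delays in group updates") and should name the condition that makes the retry fail, or be folded into the other bullets. Both mitigation steps carry the marker "1." while containing indented sub-bullets; confirm they render as one numbered list. The "Manually fix the provisioned devices" step should also say how to identify the affected devices, since the heading names non-compliance as the symptom but the step gives no way to find which devices were left out of the group.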
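Review bot: in the RBAC hunk of known-issues.md (@@ -92,9 +121,7 @@), removing the NOTE is consistent with the kept line "**This issue was resolved in July 2024.**", but the hunk header context still reads "The issue is being investigated. As a workaround, add the following additional r...", so the section now tells readers both that the issue is open with a workaround and that it was resolved. Update that earlier sentence in the same change (or move the resolution statement to the top of the section), and check whether the kept "For more information, see [Required RBAC permissions]" pointer still serves a purpose once the temporary **Device configurations** - **Assign** permission is no longer required.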
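Review bot: the hunk @@ -36,18 +36,27 @@ in restrict-office-365-cloud-pcs.md drops the references to exclude-apps.png and filter-devices.png, but the visible diff only modifies create-conditional-policy.png, include-apps.png and select-group.png and deletes nothing, so the two removed screenshots become orphaned files under ./media/restrict-office-365-cloud-pcs/; either delete them in this change or keep the references. Step 6, the exclusion of the **Azure Virtual Desktop** and **Windows 365** apps, is the step that keeps the Cloud PC sign-in path itself from being blocked, so losing its illustration while every other step keeps one is worth a second look. The UI label change in step 5 ("No target resources selected") reads correctly against the current portal wording.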
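Review bot: the hunk @@ -55,12 +64,14 @@ removes block-access.png without deleting the file in the visible diff (same orphaned-media concern as the earlier hunk), and re-indents the filter-devices-configure.png line under step 8; verify the new indentation still places the image inside the step 8 sub-list rather than breaking the outer numbered list at step 9. The unchanged sub-step 5 tells readers to update the filter "to match the device names", yet the filter is configured on the **Model** property (sub-step 3), not the device name; since this is the exclusion that decides which devices escape the Block rule, the wording should say the value must match the device model reported for Cloud PCs. Minor: step 9 has "**Block Access** >**Select**" with no space after ">".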