diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 0d7e52c210..2407322de4 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -15,6 +15,8 @@ items: - name: Prerequisites href: prepare/windows-autopatch-prerequisites.md + - name: Role-based access control + href: prepare/windows-autopatch-role-based-access-control.md - name: Configure your network href: prepare/windows-autopatch-configure-network.md - name: Start using Windows Autopatch diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index d9567ba906..ec56d0dd09 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register devices with Autopatch groups description: This article details how to register devices in Autopatch. -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -54,6 +54,9 @@ Windows Autopatch has an Autopatch groups membership report provides the followi - Update status - Policies that target each device +> [!NOTE] +> You can configure custom roles to access the Autopatch groups membership report, including the various device actions.
To **Assign ring** the user requires a minimum of **Windows Autopatch Group/Read permissions**. Use the dropdown menu to select the deployment ring to move devices to, the menu will only display deployment rings in the users' scope.
To view the device's properties, the minimum permission required is **Manage Devices/Read**.
Scoped admins can only move devices between deployment rings in the same Autopatch group, with the same scope tags.
For more information, see [Windows Autopatch role-based access controls](../prepare/windows-autopatch-role-based-access-control.md).
+ ### View the Autopatch groups membership report **To view the Autopatch groups membership report:** diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md index 29fc0d54bf..c180c7bfa8 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -68,6 +68,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. Edit the deferrals, deadlines, grace periods as needed 1. Edit the deployment rings as necessary 1. If you made changes, but want to start over, select **Reset to preset values [release schedule preset]**. The reset is dependent on which release schedule preset you selected in step 12. +1. Select **Next: Scope tags**. Add the scope tags you want to assign for the Autopatch group. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). 1. Select **Review + create** to review all changes made. 1. Once the review is done, select **Create** to save your Autopatch group. 
@@ -90,7 +91,8 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. In the **Deployment rings** page, edit your deployment rings as necessary or select **Next: Update types**. 1. In the **Update types** page, add or remove update types as necessary, or select **Next: Deployment settings**. 1. In the **Deployment settings** page, edit the deployment settings as necessary, or select **Next: Release schedule**. -1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary. If you need to change the release schedule preset, you must create a new Autopatch group. +1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary, or select **Next: Scope tags**. If you need to change the release schedule preset, you must create a new Autopatch group. +1. In the Scope tags page, edit the scope tags as necessary, or select **Next: Review + save**. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). 1. Select **Review + create** to review all changes made. 1. Once the review is done, select **Save** to finish editing the Autopatch group. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index 6e8f9565bc..a228676afb 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview description: This article explains how Windows feature updates are managed -ms.date: 03/31/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview 
@@ -39,6 +39,7 @@ The release statuses are described in the following table: | Inactive | All the Autopatch groups within the release are assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |Tenant Administration/Windows Autopatch/All
| +| Security Admin | No permission | ReadTenant Administration/Windows Autopatch/All
| +| Security Reader | No permission | ReadTenant Administration/Windows Autopatch/All
| +| Billing Administrator | No permission | ReadTenant Administration/Windows Autopatch/All
| +| Helpdesk Administrator | No permission | ReadTenant Administration/Windows Autopatch/All
| + +### Custom roles + +You can create two custom roles that include permissions required for a specific job role. + +To achieve all-up update management, make sure that the groups assigned to the Autopatch custom role are also a member of the [Policy & Profile Manager role](#policy-and-profile-manager-roles) or a custom role with equivalent permissions. + +Navigate to **Tenant Administration** > **Roles** > **Create Custom role** > **Windows Autopatch** to create a custom role. + +| Permission | Description | +| --- | --- | +| Role Assignments/Create | Create an Autopatch role for operations that are performed on Autopatch resources. | +| Role Assignments/Update | Update role for Autopatch, where Edit operations are performed on Autopatch resources. | +| Role Assignments/Delete | Delete role for Autopatch, where delete operations are performed on Autopatch resources. | +| Roles/Read | View permissions, role definitions, and role assignments for Autopatch role. View operation or actions are performed on Autopatch resources. | +| Autopatch Groups/Read | Read Autopatch groups and its properties. | +| Autopatch Groups/Create | Create Autopatch groups, add group assignments, and configure release settings. | +| Autopatch Groups/Edit | Edit Autopatch groups, modify release settings, and manage group assignments. | +| Autopatch Groups/Delete | Delete Autopatch groups. | +| Reports/Read | Read and export Autopatch quality and feature update reports. | +| Reports/DiscoverDevices | Allows Device report action to discover devices. | +| Reports/AssignRing | Allows Device ring assignment to Autopatch groups. | +| Reports/ExcludeDevices | Perform exclude devices action on the Device reports. | +| Reports/RestoreExcludedDevices | Perform Restore action on the Device reports. | +| Support requests/Read | Read existing Autopatch support requests and responses. | +| Messages/Read | Read published Autopatch and Service Health Dashboard messages. 
| + +### Scopes + +Windows Autopatch supports Intune scope tags and scoped groups to be used for distributed update management. Use Microsoft Intune to create and manage scope tags. + +- Windows Autopatch supports Intune scope for Autopatch groups, Autopatch role assignments, update policies, and reports. +- Autopatch messages, support, and Admin contacts don't support scopes. +- Autopatch groups created by scoped admins are assigned to the same scope tags as the user. +- Only scoped admins, with the same scope tags assigned to them, can edit and manage Autopatch groups. +- When you create Autopatch groups and assign scope tags, the update policies created inherit the same scope tags. +- The devices assigned to Autopatch groups don't inherit the Autopatch group scope tags. Use Intune to assign scope tag to devices. + +## Permissions for Autopatch groups + +Autopatch groups create Microsoft Entra groups and update policies and assign the policies to the group as part of its workflow. To successfully complete the workflow, both permissions are **required**. The option to create Autopatch groups is only available when the user has both the permissions enabled. + +1. Device Configuration, **all** permissions +2. Windows Autopatch group, **all** permissions + +Windows Autopatch groups that are assigned scoped tags are only visible to users with those exact scope tags. This ensures the IT admin can manage the ring-based rollouts using Autopatch groups and aren't affected by scope discrepancies. + +> [!NOTE] +> The Autopatch group workflow creates deployment rings and assigns update policies to them. If the Autopatch role includes All devices in scope, the policy administration role must have [All devices and All Users](/intune/intune-service/fundamentals/role-based-access-control#role-assignments) in its scope.Lack of Microsoft Entra permissions can prevent the logged-in user from creating Groups. The user must have sufficient permission to create Groups. 
For more information, see [How to set up self-service group management](/entra/identity/users/groups-self-service-management#make-a-group-available-for-user-self-service) or [Create Groups permissions](/entra/identity/role-based-access-control/custom-group-permissions#create-groups).
+ +When the user is assigned scoped groups, they can only assign scoped groups for distribution into deployment rings. + +## Scoped admins and Autopatch groups + +In Intune scoped admins, only an admin user that is assigned specific scope tags and Scoped Groups, can assign policies only to Scoped Groups. + +> [!NOTE] +> Intune administrators or update administrators with All devices and All users scopes can't see the Pending assignment workflow; this only affects roles that have scopes assigned through specific Scoped Groups. + +### Scoped admins and Autopatch group workflow + +As part of the Autopatch group creation workflow, Windows Autopatch creates Microsoft Entra groups and update policies for the selected deployment settings. To assign the update policies to the newly created deployment rings, you must include the Autopatch group as a Scoped Group in the role that contains [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager). + +> [!NOTE] +> An Intune administrator or a Role Administrator must assign the newly created Windows Autopatch group as a scoped group before the Autopatch group can be used by the scoped Admin.Once the Autopatch group, in **Pending Assignment** status, is added as a scoped group, the scoped admin can assign the update policies the Autopatch group becomes **Active**.
+ +The following table explains the high-level workflow: + +| Step | Description | Who | +| --- | --- | --- | +| Step 1: Create an Autopatch group | Create an Autopatch group. Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group).The Autopatch group, deployment rings, and the update policies are created.
You can view the [update policies](/intune/intune-service/protect/windows-10-update-rings) under Windows updates.
| Scoped admin | +| Step 2: Contact your Intune Administrator or Role administrator to assign the Autopatch parent group as a Scoped Group for your role | Include the following information:Once the policy assignment is successful, the Autopatch group is set to **Active** and ready for use.
The Scoped group assignment might not be immediately available. It might take up to 10 minutes to take effect.
| Scoped admin | + +### Assign scope tags to Autopatch groups + +> [!NOTE] +> If you're assigning scope tags to existing Autopatch groups, the scope admin must be included as a Scoped Group in their role with [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager) to manage the Autopatch group.Windows Autopatch creates a parent group that nests the Autopatch group and deployment rings which can be added as the Scoped Group. You can find the parent group name in the Autopatch group properties.
+ +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Tenant Administration** > **Autopatch groups** > **select a group**. All rings and policies of the Autopatch group have the same scope. +1. In the **Add group to ring** option, select the Microsoft Entra groups to be assigned to the Autopatch group. Only groups with scope objects are available for selection. +1. Navigate to **Properties** > **Scope (Tags)** > **Edit** > **Select scope tags** > select the tags that you want to add to the profile. You can assign a **maximum of 100 scope tags** to an object. + 1. The **Scope Group** section is displayed when the service detects Autopatch groups that are created before role-based access controls. This indicates that a Microsoft Entra group is created, which can be added as a Scoped Group. A scoped admin can manage this Autopatch group if included in their scope. + 2. Follow the steps in the [Scoped admins and Autopatch group workflow](#scoped-admins-and-autopatch-group-workflow) section to assign scoped groups. +1. Select **Review + save**. + +## Known issues + +Windows 365 Enterprise gives IT admins the option to [register devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md#windows-autopatch-on-windows-365-enterprise-workloads) as part of the Windows 365 provisioning policy creation. You must be an Intune Service administrator to complete this action. + +### General troubleshooting + +| Scenario | Message | Cause | Solution | +| --- | --- | --- | --- | +| You receive an error message when you try to [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), [edit](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group), or [delete an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#delete-an-autopatch-group). | You don't have sufficient permission to modify this Autopatch group. 
You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment.Or
The Autopatch group submission failed, and the logged in user has scope tags assigned.
| The problem occurs when you edit an Autopatch group, and the service detected a mismatch in your scope tags. | Verify the scope tags assigned to the Autopatch group and Policy assignment role. The Policy assignment role might have more scope tags but must include **all** the scope tags assigned to the Autopatch group. | +| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient permission, or the scope required to assign devices. | The problem occurs when Autopatch is unable to populate the Autopatch group list, because of a mismatch in scope tags. | Verify the scope tags for the Autopatch groups and your role. Ensure they share at least **one** scope tag. | +| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient Autopatch group permission to complete this action. The minimum of Autopatch Group Read permission is required. | To move devices between Autopatch deployment rings, you need permission to read Autopatch groups. | Ensure your role includes **Autopatch Group/Read permission**. Navigate to Tenant Administration > Roles > My permission. | +| You receive an error message when you select a device in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | Access Denied | You don't have the Intune permission to view the properties of the device. | Ensure your role includes **Managed devices/Read permission**. Navigate to Tenant Administration > Roles > My permission. | +| You can only see the **Releases**, **Update rings**, and **Monitor** tabs when logged in as a delegated Windows Autopatch administrator. 
| | You don't have all the required permission to view Windows Update. | Ensure your role includes **Organization/Read permission**. Navigate to Tenant Administration > Roles > My permission. | +| You receive an error message when you try to edit a preexisting Autopatch group that was newly assigned a scope tag. You successfully added the parent scope group into the Policy assignment role. | You don't have sufficient permission to modify this Autopatch group. You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment. | The issue occurs when the service detects that the logged in user "Assigned Entra Group" isn't in the scoped group for the Autopatch admin role. This happens with preexisting Autopatch groups. | Add the Assigned Entra group as the scoped group to the Autopatch admin role. | diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md index 4754455eb7..2e4db95468 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md @@ -1,7 +1,7 @@ --- title: What's new 2025 description: This article lists the 2025 feature releases and any corresponding Message center post numbers. -ms.date: 04/11/2025 +ms.date: 05/27/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: whats-new 
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## May 2025 + +### May feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) | Added [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) article. Other articles updated with this feature:
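Review bot: in the windows-autopatch-register-devices.md hunk (@@ -54), the permission name in the new note, "Windows Autopatch Group/Read permissions", doesn't match the names used elsewhere in this change ("Autopatch Groups/Read" in the custom roles permission table and "Autopatch Group/Read permission" in the troubleshooting table); use the name exactly as it appears in the Intune role editor in all three places so an admin can find it. "Manage Devices/Read" in the same note versus "Managed devices/Read permission" in the troubleshooting table should likewise agree. The second sentence is a comma splice; suggest "Use the dropdown menu to select the deployment ring to move devices to. The menu only displays deployment rings in the user's scope."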
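Review bot: in the windows-autopatch-manage-autopatch-groups.md edit hunk (@@ -90), the new Scope tags step ends with "select **Next: Review + save**", but the unchanged step that follows reads "Select **Review + create**" and the step after it says "select **Save**"; state the button label once and consistently for the edit flow so the reader isn't told to look for a Create control while editing an existing group.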
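Review bot: the four new role rows (Security Admin, Security Reader, Billing Administrator, Helpdesk Administrator) each have a cell reading "ReadTenant Administration/Windows Autopatch/All", which looks like the value "Read" and the permission path "Tenant Administration/Windows Autopatch/All" fused with no separator; check the column layout of those rows so the permission level and the path render as separate values as intended.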
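Review bot: "You can create two custom roles that include permissions required for a specific job role" doesn't say which two roles or why exactly two, and the paragraph that follows describes a single Autopatch custom role alongside the Policy & Profile Manager role; either name the two roles the reader is expected to create or drop the number. In the permission table, the "Roles/Read" description "View operation or actions are performed on Autopatch resources" is ungrammatical (suggest "Allows view operations on Autopatch resources."), and "Read Autopatch groups and its properties" should be "their properties".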
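Review bot: the "Permissions for Autopatch groups" section requires "Device Configuration, **all** permissions" and "Windows Autopatch group, **all** permissions", while the custom roles table just above splits Autopatch group rights into Read/Create/Edit/Delete; from a least-privilege standpoint the text should say whether the create workflow really needs every Device Configuration permission (Delete included) or only those used to create and assign the update policies, because admins will grant the broad set as written. The note in the same section runs two sentences together ("...in its scope.Lack of Microsoft Entra permissions...") and needs a space or line break.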
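Review bot: in the workflow table, Step 2's description reads "Include the following information:" and then continues with "Once the policy assignment is successful..." with no list of what the scoped admin should send the Intune or Role administrator; add the items (at least the parent group name, which the later "Assign scope tags" note says is found in the Autopatch group properties). The preceding note also runs sentences together: "...used by the scoped Admin.Once the Autopatch group, in **Pending Assignment** status, is added as a scoped group, the scoped admin can assign the update policies the Autopatch group becomes **Active**" needs a break after "Admin." and an "and" before "the Autopatch group becomes". The intro sentence "In Intune scoped admins, only an admin user that is assigned specific scope tags and Scoped Groups, can assign policies only to Scoped Groups" uses "only" twice; suggest "In Intune, a scoped admin (a user assigned specific scope tags and Scoped Groups) can assign policies only to those Scoped Groups."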
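Review bot: the scope-tag matching rule is stated three different ways: "only visible to users with those exact scope tags" (Permissions for Autopatch groups), "might have more scope tags but must include **all** the scope tags assigned to the Autopatch group" (first troubleshooting row), and "Ensure they share at least **one** scope tag" (Assign ring row); state the rule once per operation (view, edit, assign ring) so admins can reason about what a given role assignment actually grants. In the troubleshooting table the second and third rows have identical Scenario text but different messages, causes and fixes; differentiate the scenarios (scope mismatch versus missing Autopatch Group/Read) so a reader can match their error, and define the quoted term "Assigned Entra Group" in the last row. Under "Known issues", the Windows 365 paragraph says an Intune Service administrator is required but never states what the issue is; spell it out or move the paragraph.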
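Review bot: in the windows-autopatch-whats-new-2025.md hunk (@@ -21), the new May 2025 table row ends with "Other articles updated with this feature:" and the list of articles isn't visible in this hunk; make sure the list follows inside the same table cell (a block list can't live inside a Markdown table row), or drop the trailing colon if no list is intended.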