deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-30 22:27:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Windows Autopatch RBAC

Browse Source
This commit is contained in:
tiaraquan 2025-05-23 10:53:38 -07:00
parent 840cfceac2
commit 09bcb76e68
7 changed files with 223 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/deployment/windows-autopatch/TOC.yml
View File

@ -15,6 +15,8 @@
items:
- name: Prerequisites
href: prepare/windows-autopatch-prerequisites.md
- name: Role-based access control
href: prepare/windows-autopatch-role-based-access-control.md
- name: Configure your network
href: prepare/windows-autopatch-configure-network.md
- name: Start using Windows Autopatch

5
windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
View File

@ -1,7 +1,7 @@
---
title: Register devices with Autopatch groups
description: This article details how to register devices in Autopatch.
ms.date: 03/31/2025
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -54,6 +54,9 @@ Windows Autopatch has an Autopatch groups membership report provides the followi
- Update status
- Policies that target each device
> [!NOTE]
> You can configure custom roles to access the Autopatch groups membership report, including the various device actions.<p>To **Assign ring** the user requires a minimum of **Windows Autopatch Group/Read permissions**. Use the dropdown menu to select the deployment ring to move devices to, the menu will only display deployment rings in the users' scope. </p><p>To view the device's properties, the minimum permission required is **Manage Devices/Read**.</p><p>Scoped admins can only move devices between deployment rings in the same Autopatch group, with the same scope tags.</p><p>For more information, see [Windows Autopatch role-based access controls](../prepare/windows-autopatch-role-based-access-control.md).</p>
### View the Autopatch groups membership report
**To view the Autopatch groups membership report:**

6
windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md
View File

@ -1,7 +1,7 @@
---
title: Manage Windows Autopatch groups
description: This article explains how to manage Autopatch groups
ms.date: 03/31/2025
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -68,6 +68,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
1. Edit the deferrals, deadlines, grace periods as needed
1. Edit the deployment rings as necessary
1. If you made changes, but want to start over, select **Reset to preset values [release schedule preset]**. The reset is dependent on which release schedule preset you selected in step 12.
1. Select **Next: Scope tags**. Add the scope tags you want to assign for the Autopatch group. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups).
1. Select **Review + create** to review all changes made.
1. Once the review is done, select **Create** to save your Autopatch group.
@ -90,7 +91,8 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat
1. In the **Deployment rings** page, edit your deployment rings as necessary or select **Next: Update types**.
1. In the **Update types** page, add or remove update types as necessary, or select **Next: Deployment settings**.
1. In the **Deployment settings** page, edit the deployment settings as necessary, or select **Next: Release schedule**.
1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary. If you need to change the release schedule preset, you must create a new Autopatch group.
1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary, or select **Next: Scope tags**. If you need to change the release schedule preset, you must create a new Autopatch group.
1. In the Scope tags page, edit the scope tags as necessary, or select **Next: Review + save**. For more information on Scope tags, see [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups).
1. Select **Review + create** to review all changes made.
1. Once the review is done, select **Save** to finish editing the Autopatch group.

4
windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
ms.date: 03/31/2025
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -39,6 +39,7 @@ The release statuses are described in the following table:
| Inactive | All the Autopatch groups within the release are assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |<ul><li>Release can be viewed as a historical record.</li><li>Releases can't be deleted, edited, or canceled.</li></ul> |
| Paused | All phases in the release are paused. The release remains paused until you resume it. | <ul><li>Releases with the Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.</li><li>Release can be resumed.</li></ul> |
| Canceled | All phases in the release are canceled. | <ul><li>Releases with the Canceled status can't be edited or canceled since the Windows feature update policy wasn't created for its phases.</li><li>Canceled release can't be deleted.</li></ul> |
| Assignment error | The release is scheduled but one or more policies aren't assigned. The user that created the release doesn't have the required permissions to assign one or more policies because the selected Autopatch group isn't in their Scoped Group. Contact the Intune administrator or Role administrator to complete steps in [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). |
#### Phase statuses
@ -54,6 +55,7 @@ A phase is made of one or more [Autopatch group deployment rings](../deploy/wind
| Inactive | All Autopatch groups within the phase are reassigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
| Paused | Phase is paused. You must resume the phase. |
| Canceled | Phase is canceled. All Autopatch groups within the phase can be used with a new release. A phase that is canceled can't be deleted. |
| Assignment error | The phase is scheduled but the policy isn't assigned. The user that created the policy doesn't have the required permissions to assign the policy because the selected Autopatch group isn't in their Scoped Group. Contact the Intune Administrator or Role administrator to complete steps in [Scoped admins and Autopatch groups](../prepare/windows-autopatch-role-based-access-control.md#scoped-admins-and-autopatch-groups). |
#### Phase policy configuration

19
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
ms.date: 03/31/2025
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -26,6 +26,23 @@ Windows Autopatch requires, and uses Windows diagnostic data to display device u
This data collection configuration method using Windows diagnostic data in Intune is shared across Autopatch reports. To support Autopatch reporting, you must configure the [Enable Windows diagnostic data collection settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) from devices at the **Required** or higher level.
### Permissions and scope to view reports
To view Windows Update reports, you must be assigned an Intune role with the **Device Configuration** > **View reports** permission. This permission is included in the following built-in roles:
- Policy and Profile Manager
- Read Only Operator
- Helpdesk Operator
In addition, the following roles have **Reports** > **Read permissions**. This permission is included in the following built-in roles, to access Windows Autopatch reports.
- Windows Autopatch Administrator
- Windows Autopatch reader
The report displays data based on device scope tags only. Therefore, Windows Update reports might include Update policies and Autopatch group information that aren't in the same scope as the device. For more information, see [role-based access control](../prepare/windows-autopatch-role-based-access-control.md) in Windows Autopatch.
To ensure accurate display of reports information, ensure that the Autopatch groups, update policies are accurately assigned to the same scope as the device.
## Windows quality update reports
The Windows quality reports provide you with information about:

183
windows/deployment/windows-autopatch/prepare/windows-autopatch-role-based-access-control.md Normal file
View File

@ -0,0 +1,183 @@
---
title: Role-based access control
description: This article provides an overview on how to register devices in Autopatch.
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: aaroncz
ms.reviewer: andredm7
ms.collection:
- highpri
- tier1
---
# Role-based access control
Use role-based access control in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to manage who has access to your organization's resources and what they can do with those resources.
## Built-in roles
Windows Autopatch enables role-based access control to use the least privileged access to distribute and delegate Windows Update management in Microsoft Intune.
> [!IMPORTANT]
> To successfully manage Windows Autopatch as a lower privilege role, the user must have both Autopatch Admin permissions and Policy and Profile admin permissions.
The permissions defined in Windows Autopatch administrator or Windows Autopatch reader roles are used to manage Autopatch groups, support requests, Autopatch messages, and Autopatch reports.
To manage update policies and Windows Update reports, Device Configuration permission is **required**. This permission is available in built-in roles such as the Policy and Profile Manager roles.
### Policy and Profile Manager roles
Policy and Profile Manager roles include device configuration permissions for managing Intune policies including the following Update policies:
- Update rings
- Quality updates
- Feature updates
- Driver updates
### Windows Autopatch Administrator
The Windows Autopatch Administrator role manages all aspects of Windows Autopatch:
- [Autopatch groups](../deploy/windows-autopatch-groups-overview.md)
- [Autopatch reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md)
- Quality and feature update status and trending reports
- [Support requests and messages](../manage/windows-autopatch-support-request.md)
### Windows Autopatch Reader
Windows Autopatch Reader can view Windows Autopatch data available in Microsoft Intune but can't make changes.
### Update policy roles
To manage Windows quality update, update rings, Windows feature update, driver update, Microsoft 365 Apps, and Microsoft Edge policies the user must have full [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager). The following table is the full list of update management roles:
| Intune role | Update policies |
| --- | --- |
| Policy & Profile Manager | Read/Write |
| Helpdesk Operator | Read |
| Read-only Operator | Read |
| Autopatch Administrator | No permission |
| Autopatch Reader | No permission |
To successfully manage Windows Autopatch as a lower privilege role, the user must have both Autopatch Admin permissions and the Policy and Profile admin permissions.
### Microsoft Entra roles
The following Microsoft Entra roles can access Windows Autopatch features via the Microsoft Intune portal.
| Microsoft Entra role | All Windows Autopatch data | Tenant Administration > Windows Autopatch |
| --- | --- | --- |
| Global Administrator | Read/Write | Read/Write |
| Intune Service Administrator | Read/Write | Read/Write |
| Global Reader | Read | Read |
| Service Support Administrator | No permission | Read<p>Tenant Administration/Windows Autopatch/All</p> |
| Security Admin | No permission | Read<p>Tenant Administration/Windows Autopatch/All</p> |
| Security Reader | No permission | Read<p>Tenant Administration/Windows Autopatch/All</p> |
| Billing Administrator | No permission | Read<p>Tenant Administration/Windows Autopatch/All</p> |
| Helpdesk Administrator | No permission | Read<p>Tenant Administration/Windows Autopatch/All</p> |
### Custom roles
You can create two custom roles that include permissions required for a specific job role.
To achieve all-up update management, make sure that the groups assigned to the Autopatch custom role are also a member of the [Policy & Profile Manager role](#policy-and-profile-manager-roles) or a custom role with equivalent permissions.
Navigate to **Tenant Administration** > **Roles** > **Create Custom role** > **Windows Autopatch** to create a custom role.
| Permission | Description |
| --- | --- |
| Role Assignments/Create | Create an Autopatch role for operations that are performed on Autopatch resources. |
| Role Assignments/Update | Update role for Autopatch, where Edit operations are performed on Autopatch resources. |
| Role Assignments/Delete | Delete role for Autopatch, where delete operations are performed on Autopatch resources. |
| Roles/Read | View permissions, role definitions, and role assignments for Autopatch role. View operation or actions are performed on Autopatch resources. |
| Autopatch Groups/Read | Read Autopatch groups and its properties. |
| Autopatch Groups/Create | Create Autopatch groups, add group assignments, and configure release settings. |
| Autopatch Groups/Edit | Edit Autopatch groups, modify release settings, and manage group assignments. |
| Autopatch Groups/Delete | Delete Autopatch groups. |
| Reports/Read | Read and export Autopatch quality and feature update reports. |
| Reports/DiscoverDevices | Allows Device report action to discover devices. |
| Reports/AssignRing | Allows Device ring assignment to Autopatch groups. |
| Reports/ExcludeDevices | Perform exclude devices action on the Device reports. |
| Reports/RestoreExcludedDevices | Perform Restore action on the Device reports. |
| Support requests/Read | Read existing Autopatch support requests and responses. |
| Messages/Read | Read published Autopatch and Service Health Dashboard messages. |
### Scopes
Windows Autopatch supports Intune scope tags and scoped groups to be used for distributed update management. Use Microsoft Intune to create and manage scope tags.
- Windows Autopatch supports Intune scope for Autopatch groups, Autopatch role assignments, update policies, and reports.
- Autopatch messages, support, and Admin contacts don't support scopes.
- Autopatch groups created by scoped admins are assigned to the same scope tags as the user.
- Only scoped admins, with the same scope tags assigned to them, can edit and manage Autopatch groups.
- When you create Autopatch groups and assign scope tags, the update policies created inherit the same scope tags.
- The devices assigned to Autopatch groups don't inherit the Autopatch group scope tags. Use Intune to assign scope tag to devices.
## Permissions for Autopatch groups
Autopatch groups create Microsoft Entra groups and update policies and assign the policies to the group as part of its workflow. To successfully complete the workflow, both permissions are **required**. The option to create Autopatch groups is only available when the user has both the permissions enabled.
1. Device Configuration, **all** permissions
2. Windows Autopatch group, **all** permissions
Windows Autopatch groups that are assigned scoped tags are only visible to users with those exact scope tags. This ensures the IT admin can manage the ring-based rollouts using Autopatch groups and aren't affected by scope discrepancies.
> [!NOTE]
> The Autopatch group workflow creates deployment rings and assigns update policies to them. If the Autopatch role includes All devices in scope, the policy administration role must have [All devices and All Users](/intune/intune-service/fundamentals/role-based-access-control#role-assignments) in its scope.<p>Lack of Microsoft Entra permissions can prevent the logged-in user from creating Groups. The user must have sufficient permission to create Groups. For more information, see [How to set up self-service group management](/entra/identity/users/groups-self-service-management#make-a-group-available-for-user-self-service) or [Create Groups permissions](/entra/identity/role-based-access-control/custom-group-permissions#create-groups).</p>
When the user is assigned scoped groups, they can only assign scoped groups for distribution into deployment rings.
## Scoped admins and Autopatch groups
In Intune scoped admins, only an admin user that is assigned specific scope tags and Scoped Groups, can assign policies only to Scoped Groups.
> [!NOTE]
> Intune administrators or update administrators with All devices and All users scopes can't see the Pending assignment workflow; this only affects roles that have scopes assigned through specific Scoped Groups.
### Scoped admins and Autopatch group workflow
As part of the Autopatch group creation workflow, Windows Autopatch creates Microsoft Entra groups and update policies for the selected deployment settings. To assign the update policies to the newly created deployment rings, you must include the Autopatch group as a Scoped Group in the role that contains [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager).
> [!NOTE]
> An Intune administrator or a Role Administrator must assign the newly created Windows Autopatch group as a scoped group before the Autopatch group can be used by the scoped Admin.<p>Once the Autopatch group, in **Pending Assignment** status, is added as a scoped group, the scoped admin can assign the update policies the Autopatch group becomes **Active**.</p>
The following table explains the high-level workflow:
| Step | Description | Who |
| --- | --- | --- |
| Step 1: Create an Autopatch group | Create an Autopatch group. Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group).<p>The Autopatch group, deployment rings, and the update policies are created.</p><p>You can view the [update policies](/intune/intune-service/protect/windows-10-update-rings) under Windows updates.</p> | Scoped admin |
| Step 2: Contact your Intune Administrator or Role administrator to assign the Autopatch parent group as a Scoped Group for your role | Include the following information:<ul><li>The name of the Autopatch parent group. Select the **Pending Assignment** status flyout to find the name.</li><li>Your Intune role that has Device Configuration permissions for update management </li></ul>| Scoped admin |
| Step 3: Assign the Autopatch parent group as the Scoped Group for the role with Device Configuration permission | Add the Autopatch parent as the Scoped Group using [Assign scoped group](/intune/intune-service/fundamentals/scope-tags#to-assign-a-scope-tag-to-a-ro). | Intune Administrator or Intune Role Administrator |
| Step 4: Complete the policy assignments so Autopatch groups are ready for use | Select **Complete group assignments** if the Autopatch group remains in Pending assignment status, and the Assign scoped group step isn't yet complete.<p>Once the policy assignment is successful, the Autopatch group is set to **Active** and ready for use.</p><p>The Scoped group assignment might not be immediately available. It might take up to 10 minutes to take effect.</p> | Scoped admin |
### Assign scope tags to Autopatch groups
> [!NOTE]
> If you're assigning scope tags to existing Autopatch groups, the scope admin must be included as a Scoped Group in their role with [Device Configuration permissions](/intune/intune-service/fundamentals/role-based-access-control-reference#policy-and-profile-manager) to manage the Autopatch group.<p>Windows Autopatch creates a parent group that nests the Autopatch group and deployment rings which can be added as the Scoped Group. You can find the parent group name in the Autopatch group properties.</p>
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Tenant Administration** > **Autopatch groups** > **select a group**. All rings and policies of the Autopatch group have the same scope.
1. In the **Add group to ring** option, select the Microsoft Entra groups to be assigned to the Autopatch group. Only groups with scope objects are available for selection.
1. Navigate to **Properties** > **Scope (Tags)** > **Edit** > **Select scope tags** > select the tags that you want to add to the profile. You can assign a **maximum of 100 scope tags** to an object.
1. The **Scope Group** section is displayed when the service detects Autopatch groups that are created before role-based access controls. This indicates that a Microsoft Entra group is created, which can be added as a Scoped Group. A scoped admin can manage this Autopatch group if included in their scope.
2. Follow the steps in the [Scoped admins and Autopatch group workflow](#scoped-admins-and-autopatch-group-workflow) section to assign scoped groups.
1. Select **Review + save**.
## Known issues
Windows 365 Enterprise gives IT admins the option to [register devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md#windows-autopatch-on-windows-365-enterprise-workloads) as part of the Windows 365 provisioning policy creation. You must be an Intune Service administrator to complete this action.
### General troubleshooting
| Scenario | Message | Cause | Solution |
| --- | --- | --- | --- |
| You receive an error message when you try to [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), [edit](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group), or [delete an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#delete-an-autopatch-group). | You don't have sufficient permission to modify this Autopatch group. You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment.<p>Or</p><p>The Autopatch group submission failed, and the logged in user has scope tags assigned.</p> | The problem occurs when you edit an Autopatch group, and the service detected a mismatch in your scope tags. | Verify the scope tags assigned to the Autopatch group and Policy assignment role. The Policy assignment role might have more scope tags but must include **all** the scope tags assigned to the Autopatch group. |
| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient permission, or the scope required to assign devices. | The problem occurs when Autopatch is unable to populate the Autopatch group list, because of a mismatch in scope tags. | Verify the scope tags for the Autopatch groups and your role. Ensure they share at least **one** scope tag. |
| You receive an error message when you choose a device and the *Assign ring device* action in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | You don't have sufficient Autopatch group permission to complete this action. The minimum of Autopatch Group Read permission is required. | To move devices between Autopatch deployment rings, you need permission to read Autopatch groups. | Ensure your role includes **Autopatch Group/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
| You receive an error message when you select a device in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | Access Denied | You don't have the Intune permission to view the properties of the device. | Ensure your role includes **Managed devices/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
| You can only see the **Releases**, **Update rings**, and **Monitor** tabs when logged in as a delegated Windows Autopatch administrator. | | You don't have all the required permission to view Windows Update. | Ensure your role includes **Organization/Read permission**. Navigate to Tenant Administration > Roles > My permission. |
| You receive an error message when you try to edit a preexisting Autopatch group that was newly assigned a scope tag. You successfully added the parent scope group into the Policy assignment role. | You don't have sufficient permission to modify this Autopatch group. You can only modify Autopatch groups that match your assigned scope. This Autopatch group has additional assigned Scope tags that don't match your role assignment. | The issue occurs when the service detects that the logged in user "Assigned Entra Group" isn't in the scoped group for the Autopatch admin role. This happens with preexisting Autopatch groups. | Add the Assigned Entra group as the scoped group to the Autopatch admin role. |

10
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2025
description: This article lists the 2025 feature releases and any corresponding Message center post numbers.
ms.date: 04/11/2025
ms.date: 05/27/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## May 2025
### May feature releases or updates
| Article | Description |
| ----- | ----- |
| [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) | Added [Role-based access control](../prepare/windows-autopatch-role-based-access-control.md) article. Other articles updated with this feature:<ul><li>Register devices > added note to [Autopatch group membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report) section</li><li>Manage Autopatch groups > added Scope tag steps to [Create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) sections</li><li>Windows feature update overview > added Assignment error definition to [Release](../manage/windows-autopatch-windows-feature-update-overview.md#release-statuses) and [Phase statuses](../manage/windows-autopatch-windows-feature-update-overview.md#phase-statuses) sections </li><li>Windows quality and feature update reports overview > added [Permissions and scope to view reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#permissions-and-scope-to-view-reports) section</li></ul> |
## April 2025
### April feature releases or updates