deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Unification GA

Browse Source
This commit is contained in:
tiaraquan
2024-08-29 20:59:11 -07:00
parent f062c407d7
commit 0b7abd9bc5
75 changed files with 1789 additions and 2067 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md
View File

@ -1,7 +1,7 @@
---
title: Device alerts
description: Provide notifications and information about the necessary steps to keep your devices up to date.
ms.date: 07/08/2023
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,9 +17,11 @@ ms.collection:
# Device alerts
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information helps you understand:
- Microsoft and/or Windows Autopatch performs the action(s) to keep the device properly updated.
- Microsoft and/or Windows Autopatch performs the actions to keep the device properly updated.
- The actions you must perform so the device can properly be updated.
> [!NOTE]
@ -43,59 +45,59 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action.
| Assignment | Description |
| ----- | ----- |
| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. Windows Autopatch performs these actions automatically. |
| Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. |
| Customer Action | Refers to your responsibility to carry out the appropriate actions to resolve the reported alert. |
## Alert resolutions
Alert resolutions are provided through the Windows Update service and provide the reason why an update didn't perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
| Alert message | Description | Windows Autopatch recommendation(s) |
| Alert message | Description | Windows Autopatch recommendations |
| ----- | ----- | ----- |
| `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p> |
| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt. <p>It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).</p> |
| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.<p>For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.<p>Check that the MSA Service is running or able to run on device.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.<p>For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).</p> |
| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).</p> |
| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.<p>Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.</p><p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).<p>If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.<p>Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.</p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). |
| `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).<p>For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).</p> |
| `CancelledByUser` | User canceled the update | The Windows Update service reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p> |
| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service indicated the update payload might be damaged or corrupt. <p>It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).</p> |
| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.<p>For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service reported that the MSA Service might be disabled preventing Global Device ID assignment.<p>Check that the MSA Service is running or able to run on device.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service reported a device registration issue.<p>For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.<p>For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).</p> |
| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service reported an issue with your update server. Validate that your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).</p> |
| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.<p>Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.</p><p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.<p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).<p>If it doesn't start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service reported it attempted to download the payload and the connection timed out.<p>Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.</p>For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). |
| `EndOfService` | The device is on a version of Windows that passed its end of service date. | Windows Update service reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).<p>For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).</p> |
| `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).<p>For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).</p> |
| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service has reported the client has hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). |
| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Windows Update has reported that the update files couldn't be found, download the update again, and then retry the installation.<p>This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service has reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.<p>If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service has reported the update architecture doesn't match the destination architecture, make sure the target operating system architecture matches the host operating system architecture.<p>This is **not** typical for Windows Update based environments.</p><p>If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service has reported the servicing channel on the client isn't compatible with the targeted payload.<p>We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).</p> |
| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations, ensure no other service has a lock or handle on the windows update client folders and retry the installation.<p>This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).</p> |
| `InstalledCancelled` | The installation was canceled. | The Windows Update service has reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer might have tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations.<p>Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.</p><p>This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallIssue` | There was an issue installing the update. | The Windows Update service has reported the update installation has failed.<p>If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p>|
| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. |
| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.<p>Restart Windows, then try the installation again.</p><p>If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).</p> |
| `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service has detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.<p>No action is required.</p><p>If the update is still available, retry the installation.</p> |
| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.<p>For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).</p> |
| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.<p>No action is necessary the update should retry when windows is available.</p><p>If the alert persists, ensure the device remains on during Windows installation.</p> |
| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.<p>Confirm whether the device is on the intended version.</p> |
| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |
| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |
| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service has reported it couldn't decrypt the update payload.<p>This alert could be a network transit error and may be resolved on its own. If the alert persists, validate any network Riverbeds, Application or http proxies and retry.</p>|
| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service has reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.<p>For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).</p> |
| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service has reported an issue with the Update payload. This could be a transient alert.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service reported the client hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). |
| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might remove the files during cleanup. | Windows Update reported that the update files couldn't be found, download the update again, and then retry the installation.<p>This can often occur with third-party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.<p>If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service reported the update architecture doesn't match the destination architecture. Make sure the target operating system architecture matches the host operating system architecture.<p>This is **not** typical for Windows Update based environments.</p><p>If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service reported the servicing channel on the client isn't compatible with the targeted payload.<p>We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).</p> |
| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might try to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service reported it couldn't access the necessary system locations. Ensure no other service has a lock or handle on the Windows Update client folders and retry the installation.<p>This can often occur with third-party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).</p> |
| `InstalledCancelled` | The installation was canceled. | The Windows Update service reported the update was canceled by the user.<p>It's recommended to work with the end user to allow updates to execute as scheduled.</p><p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service reported it couldn't access the necessary system locations.<p>Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.</p><p>This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallIssue` | There was an issue installing the update. | The Windows Update service reported the update installation failed.<p>If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p>|
| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might be redirected to another drive. | The Windows Update service reported that the Windows Update file location was redirected to an invalid location. Check your Windows Installation, and retry the update.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service reported that another update replaced the one you're trying to install. Check the update, and then try reinstalling it. |
| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service reported the system doesn't have sufficient system memory to perform the update.<p>Restart Windows, then try the installation again.</p><p>If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefiles. For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).</p> |
| `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service reported an error during installation. Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is false, and the update probably succeeded. | The Windows Update Service reported the update you're trying to install isn't available.<p>No action is required.</p><p>If the update is still available, retry the installation.</p> |
| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.<p>For more information about safeguards, see [Windows 10/11 release information for the affected versions](/windows/release-health/release-information).</p> |
| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service reported Windows was unexpectedly restarted during the update process.<p>No action is necessary the update should retry when windows is available.</p><p>If the alert persists, ensure the device remains on during Windows installation.</p> |
| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service reported that the version of Windows wasn't intended.<p>Confirm whether the device is on the intended version.</p> |
| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service reported key components for Windows Update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges. Repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.</p> |
| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service reported key components for Windows Update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges. Repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.</p> |
| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service reported it couldn't decrypt the update payload.<p>This alert could be a network transit error and might resolve on its own. If the alert persists, validate any network Riverbeds, Application, or http proxies and retry.</p>|
| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.<p>For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).</p> |
| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service reported an issue with the Update payload. This could be a transient alert.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
## Additional resources

25
windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md
View File

@ -1,7 +1,7 @@
---
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
ms.date: 09/15/2023
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,23 +17,16 @@ ms.collection:
# Maintain the Windows Autopatch environment
After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section.
1. If any of the items apply to your environment, make the adjustments as described.
After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), some management settings might need to be adjusted. If any of the following items apply to your environment, make the adjustments as described.
> [!NOTE]
> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
## Microsoft Intune settings
| Setting | Description |
| ----- | ----- |
| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the**Modern Workplace Devices - All**Microsoft Entra group from each policy. For more information, see[Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that youdon'texclude the**Modern Workplace Devices - All**Microsoft Entra group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group.</li> <li>If you have assigned Microsoft Entra user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Microsoft Entra group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly.
## Windows Autopatch configurations
Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service, as described in [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). Don't make any changes to any of the Windows Autopatch configurations.
## Windows Autopatch tenant management
@ -50,14 +43,14 @@ The type of banner that appears depends on the severity of the action. Currently
| Severity | Description |
| ----- | ----- |
| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.<p>If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service may be marked as **inactive**.</p><p>To restore service health and return to an active status, all critical pending actions must be resolved.</p> |
| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.<p>If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service might be marked as **inactive**.</p><p>To restore service health and return to an active status, all critical pending actions must be resolved.</p> |
### Critical actions
| Action type | Severity | Description |
| ----- | ----- | ----- |
| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
| Maintain tenant access | Critical | Required licenses expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You didn't migrate to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
### Inactive status
@ -75,5 +68,5 @@ To be taken out of the **inactive** status, you must [resolve any critical actio
| Impact area | Description |
| ----- | ----- |
| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenant's devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).</p>|
| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenant's devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications).</p>|
| Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. |

54
windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md
View File

@ -1,7 +1,7 @@
---
title: policy health and remediation
title: Policy health and remediation
description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
ms.date: 07/10/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,12 +17,14 @@ ms.collection:
# Policy health and remediation
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
> [!IMPORTANT]
> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md).
When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch will raise alerts and detailed recommended actions to ensure healthy operation of the service.
When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service.
IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service.
@ -39,13 +41,16 @@ With this feature, IT admins can:
## Check policy health
Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring may continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts.
Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring might continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts.
## Built-in roles required for remediation actions
The minimum role required to restore configurations is **Intune Service Administrator**.
## Restore device configuration policy
## Restore Data collection, Office and/or Edge configuration policies
> [!IMPORTANT]
> For these policies, Windows Autopatch doesn't store the last known policy value, Autopatch restores the base policy values.
**To initiate remediation action for device configuration alerts:**
@ -56,33 +61,32 @@ The minimum role required to restore configurations is **Intune Service Administ
1. If the **Change modified policy alert** appears, select this alert to launch the workflow.
1. Select **Submit changes** to restore to service required values.
There will be an alert for each policy that is missing or has deviated from the service defined values.
There's an alert for each policy that is missing or deviated from the service defined values.
## Restore Windows Update policies
## Restore missing Windows Update policies
**To initiate remediation actions for Windows quality update policies:**
> [!IMPORTANT]
> For Quality and Feature update policies, Autopatch restores the last known value of policy. For Driver update policies, Autopatch restores the base policy.
**To initiate remediation actions for Windows Update policies (Quality, Feature or Driver updates):**
> [!NOTE]
> By default, the service will auto-select all the policies.
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows quality updates** > **Status**.
1. Select **Policy Error** to launch the Policy error workflow.
1. Review the message:
1. If this is a missing policy error, select **Restore policy** to complete the workflow.
2. If this is a modified policy, select **Submit changes** to restore to service required values.
1. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Policy health**.
1. Select **Missing policy** to launch the Restore missing policy workflow.
1. Review the message for the missing policy error. If more than once policy is present, select which policy you'd like to restore.
1. Select **Restore policies** to complete the workflow.
**To initiate remediation actions for Windows feature update policies:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows feature updates** > **Status**.
1. Select **Policy Error** to launch the Policy error workflow.
1. Review the message.
1. If this is a missing policy error, select **Restore policy** to complete the workflow.
2. If this is a modified policy, select **Submit changes** to restore to service required values.
> [!NOTE]
> You can also select on the associated Windows Autopatch group name for any Autopatch group that has a **Missing Policy** under the **Policy health** column. Doing so will lead you to the details page of that specific Autopatch group. Under the **Windows update settings** section, you'll see a banner that states "*There are missing update settings in this Autopatch group. Take action to resolve"*. Selecting this banner will take you to the same experience as mentioned in [Restore missing Windows Update policies](#restore-missing-windows-update-policies).
## Restore deployment groups
Windows Autopatch will automatically restore any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups.
Windows Autopatch automatically restores any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups.
If policies are misconfigured or unassigned, admins must restore them. In the Release management blade, the service will raise a Policy error workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade.
If policies are misconfigured or unassigned, admins must restore them. In the Autopatch groups blade, the service raises a missing policy workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade.
Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed.
@ -96,6 +100,6 @@ You can review audit logs in Intune to review the activities completed on the te
**To review audit logs in Intune:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select**Tenant administration**>**Audit logs**.
1. Select **Tenant administration** > **Audit logs**.
The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch.

4
windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md
View File

@ -17,6 +17,8 @@ ms.collection:
# Reliability report (public preview)
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
> [!IMPORTANT]
> This feature is in **public preview**. It's being actively developed, and might not be complete.
@ -117,4 +119,4 @@ The following information is available as default columns in the Reliability rep
## Known limitations
The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data will be available to select from the menu dropdowns in September 2024.
The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data are available to select from the menu dropdowns in September 2024.

43
windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md
View File

@ -1,7 +1,7 @@
---
title: Resolve policy conflicts
description: This article describes how to resolve Windows Autopatch policy conflicts.
ms.date: 04/09/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -15,21 +15,20 @@ ms.collection:
- tier1
---
# Resolve policy conflicts (public preview)
# Resolve policy conflicts
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Windows Autopatch deploys Microsoft Intune policies to enrolled tenants, and continuously monitors the Microsoft Intune policies. Conflicts can happen when there are two policies in the tenant, and they update the same setting to different values. For Windows Autopatch to successfully deliver updates to registered devices, it's critical for the devices in the service to have the policy targeted and assigned successfully.
> [!IMPORTANT]
> This feature is in **public preview**. It's being actively developed, and might not be complete.
> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md).
Windows Autopatch deploys Microsoft Intune policies to enrolled tenants, and continuously monitors the Microsoft Intune policies. Conflicts occur when there are two policies in the tenant, and they update the same setting to different values.For Windows Autopatch to successfully deliver updates to registered devices, its critical for the devices in the service to have the policy targeted and assigned successfully.
> [!IMPORTANT]
> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. Its necessary to review the policies and their settings and manually resolve these conflicts.
When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. It's necessary to review the policies and their settings and manually resolve these conflicts.
With this feature, IT admins can view:
- List of all Autopatch policies that conflict with other device policies in the tenant
- A list of all Autopatch policies that conflict with other device policies in the tenant
- A summary view of conflicting policies, affected devices, and open alerts
- A detailed view of affected devices
- Alerts that include details of conflicting policies, the settings, and the Azure AD groups they're assigned to. Admins must take necessary action so the expected policy is successfully assigned to the device
@ -38,25 +37,25 @@ With this feature, IT admins can view:
Alerts are raised when devices report policy conflicts. Autopatch policies are assigned to Autopatch groups. Devices that are members of Autopatch groups are expected to receive only Windows Autopatch policies.
Once you resolve the conflict, it takes effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated.
Once you resolve the conflict, it can take effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated.
> [!NOTE]
> This view only includes policy conflicts between Microsoft Intune policies. This view doesnt include policy issues caused by other configurations, for example, group policy settings, registry settings that are changed by scripts and prevent Windows Autopatch from deploying updates.<p>When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md).</p><p>To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).</p>
> This view only includes policy conflicts between Microsoft Intune policies. This view doesn't include policy issues caused by other configurations, for example, group policy settings, registry settings that are changed by scripts and prevent Windows Autopatch from deploying updates.<p>When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md).</p><p>To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).</p>
## Policy conflict view
This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-alert-details).
This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-view-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-view-alert-details).
If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view.
If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view.
**To view all policies conflicting with the expected policies:**
**To view all policies conflicting with the Expected policies:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Windows Autopatch** > **Policy health**.
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Managed updates** > **Windows Updates** > **Monitor** > **Policy health**.
3. In the **Policy conflicts** tab, the list of expected policies and conflicting policies is displayed.
4. Select **View alert** and review the details of the **Recommended action** and alert details.
### Policy conflict alert details
### Policy conflict view alert details
All alerts displayed in this flyout include the following details. You must review the details and take action to resolve the conflict.
@ -71,9 +70,9 @@ All alerts displayed in this flyout include the following details. You must revi
## Affected devices view
This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-alert-details). Its possible for devices to have multiple conflicting policies, due to their membership in various groups.
This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-view-alert-details). It's possible for devices to have multiple conflicting policies, due to their membership in various groups.
You can navigate to this view from the Affected devices column link in the Policy conflicts view, or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days.
You can navigate to this view from the Affected devices column link in the [Policy conflicts view](#policy-conflict-view), or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days.
**To view the alert details and perform the recommended actions:**
@ -81,9 +80,9 @@ You can navigate to this view from the Affected devices column link in the Polic
2. Navigate to **Windows Autopatch** > **Policy health** > **Affected devices** tab.
3. Select **View alert** to see the alert details.
### Affected devices alert details
### Affected devices view alert details
In this flyout, when the device is reporting conflicts due to multiple policies, each policy is displayed as a separate section in this alert. Alerts occur when the device is a member of multiple groups, and each policy conflicts with the [Expected Windows Autopatch policy](#policy-conflict-view).
In this flyout, when the device is reporting conflicts due to multiple policies, each policy is displayed, as a separate section in this alert. This occurs when the device is a member of multiple groups, and each policy conflicts with the [Expected Windows Autopatch policy](#policy-conflict-view).
## Options

10
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Feature update status report
description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 07/08/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,7 +17,9 @@ ms.collection:
# Feature update status report
The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
**To view the Feature update status report:**
@ -50,7 +52,7 @@ The following information is available as optional columns in the Feature update
| ----- | ----- |
| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
| Serial number | The current Intune recorded serial number for the device |
| Intune last check in time | The last time the device checked in to Intune |
| Intune last check-in time | The last time the device checked in to Intune |
| Service State | The Service State provided from Windows Update |
| Service Substate | The Service Substate provided from Windows Update |
| Client State | The Client State provided from Windows Update |
@ -73,7 +75,7 @@ The following options are available:
| Option | Description |
| ----- | ----- |
| Search | Use to search by device name, Microsoft Entra device ID or serial number |
| Search | Use to search by device name, Microsoft Entra device ID, or serial number |
| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Add filters** or at the top of the report to filter the results. |

4
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
View File

@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
ms.date: 01/22/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,6 +17,8 @@ ms.collection:
# Windows feature update summary dashboard
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.

4
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md
View File

@ -1,7 +1,7 @@
---
title: Feature update trending report
description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
ms.date: 07/08/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,6 +17,8 @@ ms.collection:
# Feature update trending report
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
**To view the Feature update trending report:**

6
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
ms.date: 07/10/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@ -17,6 +17,8 @@ ms.collection:
# Windows quality and feature update reports overview
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
## Windows quality update reports
The Windows quality reports provide you with information about:
@ -96,7 +98,7 @@ Up to date devices are devices that meet all of the following prerequisites:
Not Up to Date means a device isn't up to date when the:
- Quality or feature update is out of date, or the device is on the previous update.
- The assigned update schedule has elapsed and the device still has not applied the current release.
- The assigned update schedule elapsed and the device still didn't apply the current release.
- Device has an [alert](../operate/windows-autopatch-device-alerts.md) resulting in an error and action must be taken.
### Not Ready devices

12
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
View File

@ -1,7 +1,7 @@
---
title: Quality update status report
description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices.
ms.date: 07/08/2024
description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,7 +17,9 @@ ms.collection:
# Quality update status report
The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
**To view the Quality update status report:**
@ -53,7 +55,7 @@ The following information is available as optional columns in the Quality update
| ----- | ----- |
| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device |
| Serial number | The current Intune recorded serial number for the device |
| Intune last check in time | The last time the device checked in to Intune |
| Intune last check-in time | The last time the device checked in to Intune |
| Service State | The Service State provided from Windows Update |
| Service Substate | The Service Substate provided from Windows Update |
| Client State | The Client State provided from Windows Update |
@ -75,7 +77,7 @@ The following options are available:
| Option | Description |
| ----- | ----- |
| Search | Use to search by device name, Microsoft Entra device ID or serial number |
| Search | Use to search by device name, Microsoft Entra device ID, or serial number |
| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Add filters** or at the top of the report to filter the results. |

8
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch
ms.date: 01/22/2024
description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,7 +17,9 @@ ms.collection:
# Windows quality update summary dashboard
The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
**To view the current update status for all your enrolled devices:**

16
windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md
View File

@ -1,7 +1,7 @@
---
title: Quality update trending report
description: Provides a visual representation of the update status trend for all devices over the last 90 days.
ms.date: 07/08/2024
ms.date: 09/16/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,14 +17,16 @@ ms.collection:
# Quality update trending report
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days.
**To view the Quality update trending report:**
1. Go to the[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to**Reports**>**Windows Autopatch**>**Windows Quality Updates**.
1. Select the**Reports**tab.
1. Select**Quality update trending**.
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
1. Select the **Reports** tab.
1. Select **Quality update trending**.
> [!NOTE]
> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
@ -35,8 +37,8 @@ The following options are available:
| Option | Description |
| ----- | ----- |
| Filter | Select either the**Update status**or**Deployment rings**filters at the top of the report to filter the results. Then, select**Generate trend**. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. |
| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. |
For a description of the displayed device status trends, see[Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).
For a description of the displayed device status trends, see [Windows quality update statuses](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).