mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-21 13:23:36 +00:00
Merge branch 'main' into aljupudi-6027362-improperacronyms-batch2
@ -134,14 +134,14 @@ Deployment scheduling controls are always available, but to take advantage of th
|
||||
|
||||
To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy.
|
||||
|
||||
| Policy | Sets registry key under **HKLM\\Software** |
|
||||
|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
|
||||
| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing |
|
||||
| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing |
|
||||
| Policy| Sets registry key under `HKLM\Software`|
|
||||
|--|--|
|
||||
| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` |
|
||||
| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` |
|
||||
|
||||
Following is an example of setting the policy using Microsoft Endpoint Manager:
|
||||
|
||||
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
||||
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
|
||||
2. Select **Devices** > **Configuration profiles** > **Create profile**.
|
||||
|
||||
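Review bot: The MDM row of the policy table still has a stray space in the path, `../Vendor/MSFT/ Policy/Config/System/AllowWUfBCloudProcessing`, so a reader who pastes it into a custom profile gets a broken OMA-URI. This row is being rewritten anyway, so close the gap after `MSFT/`. The registry location for the same row moves from `PolicyManager\default\System` to `PolicyManager\current\device\System`. Consider a short sentence in the article saying so, because anyone who scripted a check against the old path will otherwise read a missing value as a device that is not enrolled.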
@ -162,7 +162,7 @@ Following is an example of setting the policy using Microsoft Endpoint Manager:
|
||||
|
||||
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
|
||||
|
||||
**HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**
|
||||
`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing`
|
||||
|
||||
## Best practices
|
||||
Follow these suggestions for the best results with the service.
|
||||
|
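Review bot: Step 8 tells the reader to check the value of `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` but never states what data means the policy arrived. Add the expected value to the step so the verification can be acted on. The path itself now agrees with the MDM row of the table changed earlier in this file, and the stray space that sat before `\default` in the old line is gone.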
@ -57,6 +57,9 @@ To help you better understand the scan source policy, see the default scan behav
|
||||
> [!TIP]
|
||||
> The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options.
|
||||
|
||||
> [!NOTE]
|
||||
> If you have devices configured for WSUS and do not configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such.
|
||||
|
||||
## Configure the scan sources
|
||||
|
||||
The policy can be configured using the following two methods:
|
||||
|
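Review bot: The added note ends with "to prevent such", which leaves the reader to work out what is being prevented. Finish the sentence with the thing itself, for example the optional Windows 11 upgrade being offered to users. In the same sentence, "Windows update" should be capitalised as "Windows Update". The condition "do not configure the scan source policy ... or set any Windows Update for Business offering policies" is also hard to parse, so consider stating the two missing configurations as separate clauses.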
@ -7,7 +7,7 @@
|
||||
- name: What is Windows Autopatch?
|
||||
href: overview/windows-autopatch-overview.md
|
||||
- name: FAQ
|
||||
href: overview/windows-autopatch-faq.md
|
||||
href: overview/windows-autopatch-faq.yml
|
||||
- name: Prepare
|
||||
href: prepare/index.md
|
||||
items:
|
||||
@ -49,7 +49,7 @@
|
||||
href: operate/windows-autopatch-edge.md
|
||||
- name: Microsoft Teams
|
||||
href: operate/windows-autopatch-teams.md
|
||||
- name: Deregister a devices
|
||||
- name: Deregister a device
|
||||
href: operate/windows-autopatch-deregister-devices.md
|
||||
- name: Submit a support request
|
||||
href: operate/windows-autopatch-support-request.md
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Register your devices
|
||||
description: This article details how to register devices in Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 05/31/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
@ -9,7 +9,7 @@ ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
msreviewer: andredm7
|
||||
---
|
||||
|
||||
# Register your devices
|
||||
@ -18,46 +18,83 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
|
||||
|
||||
## Before you begin
|
||||
|
||||
Windows Autopatch to take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by Windows Autopatch. Windows Autopatch update management scope includes:
|
||||
Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes:
|
||||
|
||||
- [Windows quality updates](../operate/windows-autopatch-wqu-overview.md)
|
||||
- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
|
||||
- [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
|
||||
- [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
|
||||
|
||||
You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by adding other Azure Active Directory (Azure AD) dynamic groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
|
||||
### About the use of an Azure AD group to register devices
|
||||
|
||||
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
|
||||
You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
|
||||
|
||||
> [!NOTE]
|
||||
> All devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered.
|
||||
|
||||
#### Supported scenarios when nesting other Azure AD groups
|
||||
|
||||
Windows Autopatch also supports the following Azure AD nested group scenarios:
|
||||
|
||||
Azure AD groups synced up from:
|
||||
|
||||
- On-premises Active Directory groups (Windows server type).
|
||||
- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
|
||||
|
||||
> [!TIP]
|
||||
> You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Supported Windows OS Enterprise edition version.
|
||||
- Either hybrid or Azure AD joined (personal devices aren't supported).
|
||||
- Managed by Microsoft Endpoint Manager (either Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management).
|
||||
- Microsoft Endpoint Manager-Configuration Manager Co-management workloads (Windows Updates policies, Device configuration and Office Click-to-run) must be set to Pilot Intune or Intune.
|
||||
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
|
||||
|
||||
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
|
||||
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
|
||||
- Managed by Microsoft Endpoint Manager.
|
||||
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements).
|
||||
- [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
|
||||
- Windows updates policies
|
||||
- Device configuration
|
||||
- Office Click-to-run
|
||||
- Last Intune device check-in completed within the last 28 days.
|
||||
|
||||
For more information about each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
|
||||
For more details on each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
|
||||
|
||||
## About Devices Ready and Not Ready tabs
|
||||
## About the Ready and Not ready tabs
|
||||
|
||||
Windows Autopatch introduces a new user interface to help IT admins manage devices and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The **Not ready** tab will not be available during the first week of the public preview.
|
||||
|
||||
| Tab | Purpose |
|
||||
| ----- | ----- |
|
||||
| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met device health requirements. |
|
||||
| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the device readiness checks. This tab is intended to help customers identify and remediate devices that don't meet device readiness checks.<p><p>Devices successfully registered and healthy don't show up in the Not ready tab. |
|
||||
| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. |
|
||||
| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.<p><p>Devices successfully registered and healthy don't appear in the Not ready tab. |
|
||||
|
||||
## Built-in roles required for device registration
|
||||
|
||||
A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
|
||||
|
||||
- Global Administrator
|
||||
- Azure AD Global Administrator
|
||||
- Service Support Administrator
|
||||
- Intune Service Administrator
|
||||
- Modern Workplace Intune Administrator
|
||||
|
||||
For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
|
||||
|
||||
> [!NOTE]
|
||||
> The Modern Workplace Intune Admin role is a custom created role in Windows Autopatch. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
|
||||
> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
|
||||
|
||||
## Details about the device registration process
|
||||
|
||||
Registering your devices in Windows Autopatch does the following:
|
||||
|
||||
1. Makes a record of devices in the service.
|
||||
2. Assign devices into the ring groups and other groups required for software updates management.
|
||||
|
||||
## Steps to register devices
|
||||
|
||||
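Review bot: In the rewritten Prerequisites list, the "Hybrid Azure AD-Joined" and "Azure AD-joined only" links both point at `/azure/active-directory/devices/concept-azure-ad-join-hybrid`, so the second link takes the reader to the hybrid-join article. Point it at the Azure AD join article instead. In the same list, the Co-management link is written as `/prepare/windows-autopatch-prerequisites.md#co-management-requirements`, while the sentence just below links the same file as `../prepare/windows-autopatch-prerequisites.md`. Use the relative form in both places. The roles list names "Modern Workplace Intune Administrator", but the note under it says "Modern Workplace Intune Admin". Since that role can assign administrators to Endpoint Manager roles, the name should be exact and identical in both places.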
@ -71,6 +108,9 @@ A role defines the set of permissions granted to users assigned to that role. Yo
|
||||
|
||||
Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
|
||||
|
||||
## Other device lifecycle management scenarios
|
||||
|
||||
There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
|
||||
@ -91,4 +131,5 @@ If you need to repair a device that was previously registered into the Windows A
|
||||
|
||||
When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
|
||||
|
||||
Any device that needs to be registered into the Windows Autopatch service must be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device record ID. Windows Autopatch scans the Azure AD group to discover the new device and brings it in to be registered.
|
||||
> [!IMPORTANT]
|
||||
> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even if it's the same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** group. This process guarantees the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
|
||||
|
@ -27,7 +27,7 @@ landingContent:
|
||||
- text: What is Windows Autopatch?
|
||||
url: ./overview/windows-autopatch-overview.md
|
||||
- text: Windows Autopatch FAQ
|
||||
url: ./overview/windows-autopatch-faq.md
|
||||
url: ./overview/windows-autopatch-faq.yml
|
||||
|
||||
# Card (optional)
|
||||
- title: Articles and blog posts
|
||||
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Deregister a device
|
||||
description: This article explains how to deregister devices
|
||||
ms.date: 05/30/2022
|
||||
ms.date: 05/31/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
@ -9,7 +9,7 @@ ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
msreviewer: andredm7
|
||||
---
|
||||
|
||||
# Deregister a device
|
||||
@ -26,7 +26,10 @@ To avoid end-user disruption, device de-registration in Windows Autopatch only d
|
||||
|
||||
## Excluded devices
|
||||
|
||||
When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded". Windows Autopatch doesn't try to re-register the device into the service again, because the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups.
|
||||
When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to re-register the device into the service again, since the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
|
||||
|
||||
If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices.
|
||||
|
||||
|
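Review bot: The rewritten "Excluded devices" paragraph drops the sentence that explained why membership is not removed ("This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups"). That leaves the new IMPORTANT note about appending query statements to a dynamic query without the context it depends on. Either keep a short version of the reason in the paragraph or state it in the note. The note also needs an article ("remove a specific device"). The paragraph spells out "Azure Active Directory" where the other files in this change use "Azure AD".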
@ -57,9 +57,12 @@ Updates are required by your system admin are blocked by one or more apps. Offic
|
||||
|
||||
Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears.
|
||||
|
||||
If the deadline arrives and the updates still aren't applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.
|
||||
When the deadline arrives and the updates still aren't applied, users will:
|
||||
|
||||
This warning gives users 15 minutes to save and close any work. When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied.
|
||||
1. See a dialog box that warns them that they have 15 minutes before the updates are applied.
|
||||
1. Have 15 minutes to save and close any work.
|
||||
|
||||
When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied.
|
||||
|
||||
### Office client app configuration
|
||||
|
||||
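Review bot: The new numbered list under "When the deadline arrives and the updates still aren't applied, users will:" presents one event as two steps. The dialog box is the 15-minute warning, so items 1 and 2 are not sequential actions. A single sentence or a bulleted list would read more accurately. The countdown value is written "00∶00" with a ratio character rather than an ASCII colon. Replace it with "00:00" so the text is searchable and renders consistently.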
@ -77,7 +80,7 @@ Windows Autopatch will either:
|
||||
> [!NOTE]
|
||||
> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version.
|
||||
|
||||
Since Windows quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
|
||||
Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
|
||||
|
||||
## Conflicting and unsupported policies
|
||||
|
||||
@ -99,7 +102,9 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi
|
||||
|
||||
## Microsoft 365 Apps servicing profiles
|
||||
|
||||
A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the above requirements regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
|
||||
A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
|
||||
|
||||
However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type.
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
|
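Review bot: The paragraph under "Microsoft 365 Apps servicing profiles" opens with "A service profile" and then switches to "the servicing profile" in the next sentence. The replacement line keeps that mismatch, so use "servicing profile" throughout to match the heading. The new `#device-eligibility` anchor is not visible in this hunk, so confirm that a "Device eligibility" heading exists in this file. Otherwise the link that replaces "the above requirements" resolves to nothing.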
@ -64,7 +64,7 @@ Once a support request is mitigated, it can no longer be edited. If a request ha
|
||||
|
||||
## Microsoft FastTrack
|
||||
|
||||
[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.md). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1).
|
||||
[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.yml). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1).
|
||||
|
||||
Customers who need help with Microsoft 365 workloads can sign in to https://fasttrack.microsoft.com/ with a valid Azure ID and submit a Request for Assistance.
|
||||
|
||||
|
@ -22,7 +22,7 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
|
||||
| ----- | ----- |
|
||||
| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
|
||||
| Anti-virus definition | Updated with each scan. |
|
||||
| Microsoft 365 Apps for enterprise | For more information, see Microsoft 365 Apps for enterprise. |
|
||||
| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
|
||||
| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
|
||||
| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
|
||||
|
||||
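Review bot: The new Microsoft 365 Apps for enterprise link is written as `windows-autopatch-microsoft-365-apps-enterprise.md`, while the neighbouring rows link their articles as `../operate/windows-autopatch-edge.md` and `../operate/windows-autopatch-teams.md`. Use one form for all four rows so a later file move does not break only some of them. The first row of the same table reads "Window quality update". It is worth fixing to "Windows quality update" while the table is open.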
@ -48,7 +48,7 @@ When a device is enrolled into the Windows Autopatch service, the device is assi
|
||||
| Ring | Default device count | Description
|
||||
| ----- | ----- | ----- |
|
||||
| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows: <br><ul><li>0–500 devices: minimum one device</li><li>500–5000 devices: minimum five devices</li><li>5000+ devices: min 50 devices</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
|
||||
| First | 1% | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.</p)> |
|
||||
| First | 1% | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.|
|
||||
| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
|
||||
| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.|
|
||||
|
||||
|
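Review bot: Removing the malformed `</p)>` from the First row is right, but the Fast row still ends with a lone `</p>` after two unclosed `<p><p>` tags. Drop it as well so the rows are marked up the same way. In the Test row, the size bands "0–500", "500–5000" and "5000+" overlap at 500 and 5000, and the last item says "min 50" where the others say "minimum". The header row is also missing its closing pipe after "Description".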
@ -1,65 +0,0 @@
|
||||
---
|
||||
title: FAQ
|
||||
description: This article answers frequently asked questions about Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: troubleshooting
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# FAQ
|
||||
|
||||
## General
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What Windows versions are supported? | Windows Autopatch works with all [supported versions of Windows 10 and Windows 11 Enterprise edition](/windows/release-health/supported-versions-windows-client). |
|
||||
| What is the difference between Windows Updates for Business and Windows Autopatch? | Windows Autopatch is a service that removes the need for organizations to plan and operate the update process.<p> Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3. |
|
||||
| Is Windows 365 for Enterprise supported with Windows Autopatch? | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.|
|
||||
| Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? | Autopatch isn't available for 'A' or 'F' series licensing. |
|
||||
| Will Windows Autopatch support local domain join Windows 10? | Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). |
|
||||
| Will Windows Autopatch be available for state and local government customers? | Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. |
|
||||
|
||||
## Requirements
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What are the prerequisites for Windows Autopatch? | <ul><li>[Supported Windows 10/11 Enterprise edition versions](/windows/release-health/supported-versions-windows-client)</li><li>[Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)</li><li>[Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)</li><li>[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)</li><li>[Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements)</li><li>[Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010)</li><li>[Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune)</li></ul> |
|
||||
| What are the licensing requirements for Windows Autopatch? |<ul><li>Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see More about licenses.</li><li>[Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)</li><li>[Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)</li></ul> |
|
||||
| Are there hardware requirements for Windows Autopatch? | No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/windows-11-specifications?r=1). Windows devices must be supported by your hardware OEM. |
|
||||
|
||||
## Device registration
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| Can Autopatch customers individually approve or deny devices? | No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported. |
|
||||
|
||||
## Update management
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What systems does Windows Autopatch update? |<ul><li>Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings.</li><li>Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.</li><li>Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.</li><li>Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.</li> |
|
||||
| What does Windows Autopatch do to ensure updates are done successfully? | For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression.<p><p>This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. |
|
||||
| What happens if there's an issue with an update? | Autopatch relies on the following capabilities to help resolve update issues. <ol><li>Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release).</li><li>Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls).</li></ol>|
|
||||
| Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? | For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. |
|
||||
| Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? | The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. |
|
||||
| Can you customize the scheduling of an update rollout to only install on certain days and times? | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. |
|
||||
| Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? | Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). |
|
||||
| Does Autopatch have two release cadences per update or are there two release cadences per-ring? | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. |
|
||||
|
||||
## Support
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What support is available for customers who need help with onboarding to Windows Autopatch? | The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../operate/windows-autopatch-support-request.md#microsoft-fasttrack).<p><p>When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team. |
|
||||
|
||||
## Other
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| Are there Autopatch specific APIs or PowerShell scripts available? | Programmatic access to Autopatch isn't currently available. |
|
@ -0,0 +1,106 @@
|
||||
### YamlMime:FAQ
|
||||
metadata:
|
||||
title: Windows Autopatch - Frequently Asked Questions (FAQ)
|
||||
description: Answers to frequently asked questions about Windows Autopatch.
|
||||
ms.prod: w11
|
||||
ms.topic: faq
|
||||
ms.date: 06/02/2022
|
||||
audience: itpro
|
||||
ms.localizationpriority: medium
|
||||
manager: dougeby
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
ms.reviwer: hathind
|
||||
title: Frequently Asked Questions about Windows Autopatch
|
||||
summary: This article answers frequently asked questions about Windows Autopatch.
|
||||
sections:
|
||||
- name: General
|
||||
questions:
|
||||
- question: What Windows versions are supported?
|
||||
answer: |
|
||||
Windows Autopatch works with all [supported versions of Windows 10 and Windows 11](/windows/release-health/supported-versions-windows-client) Enterprise and Professional editions.
|
||||
- question: What is the difference between Windows Update for Business and Windows Autopatch?
|
||||
answer: |
|
||||
Windows Autopatch is a service that removes the need for organizations to plan and operate the update process. Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3.
|
||||
- question: Is Windows 365 for Enterprise supported with Windows Autopatch?
|
||||
answer: |
|
||||
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
|
||||
- question: Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing?
|
||||
answer: |
|
||||
Autopatch isn't available for 'A' or 'F' series licensing.
|
||||
- question: Will Windows Autopatch support local domain join Windows 10?
|
||||
answer: |
|
||||
Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
|
||||
- question: Will Windows Autopatch be available for state and local government customers?
|
||||
answer: |
|
||||
Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers.
|
||||
- name: Requirements
|
||||
questions:
|
||||
- question: What are the prerequisites for Windows Autopatch?
|
||||
answer: |
|
||||
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
|
||||
- [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
|
||||
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
|
||||
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
|
||||
- [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements)
|
||||
- [Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010)
|
||||
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune)
|
||||
- question: What are the licensing requirements for Windows Autopatch?
|
||||
answer: |
|
||||
- Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
|
||||
- [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)
|
||||
- [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)
|
||||
- question: Are there hardware requirements for Windows Autopatch?
|
||||
answer: |
|
||||
No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/whats-new/windows-11-requirements). Windows devices must be supported by your hardware OEM.
|
||||
- name: Device registration
|
||||
questions:
|
||||
- question: Can Autopatch customers individually approve or deny devices?
|
||||
answer: |
|
||||
No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported.
|
||||
- name: Update Management
|
||||
questions:
|
||||
- question: What systems does Windows Autopatch update?
|
||||
answer: |
|
||||
- Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings.
|
||||
- Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.
|
||||
- Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.
|
||||
- Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.
|
||||
- question: What does Windows Autopatch do to ensure updates are done successfully?
|
||||
answer: For information about the Microsoft Admin Center, see [Manage third-party app subscriptions for your organization](/microsoft-365/commerce/manage-saas-apps).
|
||||
- question: What does Windows Autopatch do to ensure updates are done successfully?
|
||||
answer: |
|
||||
For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
|
||||
- question: What happens if there's an issue with an update?
|
||||
answer: |
|
||||
Autopatch relies on the following capabilities to help resolve update issues:
|
||||
- Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release).
|
||||
- Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls).
|
||||
- question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates?
|
||||
answer: |
|
||||
For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.
|
||||
- question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch?
|
||||
answer: |
|
||||
The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable.
|
||||
- question: Can you customize the scheduling of an update rollout to only install on certain days and times?
|
||||
answer: |
|
||||
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
|
||||
- question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership?
|
||||
answer: |
|
||||
Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings).
|
||||
- question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
|
||||
answer: |
|
||||
The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly.
|
||||
- name: Support
|
||||
questions:
|
||||
- question: What support is available for customers who need help with onboarding to Windows Autopatch?
|
||||
answer: |
|
||||
The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../operate/windows-autopatch-support-request.md#microsoft-fasttrack). When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team.
|
||||
- name: Other
|
||||
questions:
|
||||
- question: Are there Autopatch specific APIs or PowerShell scripts available?
|
||||
answer: |
|
||||
Programmatic access to Autopatch isn't currently available.
|
||||
additionalContent: |
|
||||
## Additional Content
|
||||
[Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch
|
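Review bot: Under Update Management the question "What does Windows Autopatch do to ensure updates are done successfully?" appears twice, and the first copy carries an answer about the Microsoft Admin Center and third-party app subscriptions that has nothing to do with the question. Remove that entry so only the ring rollout answer remains. In the metadata block, `ms.reviwer` is misspelled and should be `ms.reviewer`. The Tech Community link in additionalContent has no closing parenthesis, and the cadence answer opens a parenthesis before "for a Windows quality update" that is never closed. In the local domain join answer, the Hybrid AD join and Azure AD join links both point to concept-azure-ad-join-hybrid, so the second target needs checking. The Co-management prerequisite link uses `/prepare/...` while the other links into the same file use `../prepare/...`; pick one form. Also fix "Window 10/11" in the licensing answer and the lowercase "Windows autopatch" in the ring membership answer.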
@ -38,14 +38,14 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
|
||||
| ----- | ----- |
|
||||
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.<p><p>For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
|
||||
|
||||
### Windows 10 update rings
|
||||
### Update rings for Windows 10 or later
|
||||
|
||||
Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.<p><p>After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p>|
|
||||
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.<p>This advisory appears after enrolling into Autopatch. Check the following:<ol><li>Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li><li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
|
||||
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:<ol><li>Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li><li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><br>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
|
||||
|
||||
## Azure Active Directory settings
|
||||
|
||||
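Review bot: The heading is renamed to "Update rings for Windows 10 or later", but the sentence directly below it still says "Windows 10 update ring" policy, and the link text in both result rows still reads "Manage Windows 10 software updates in Intune". Align the body wording with the new heading. Renaming the heading also changes its generated anchor, so check for inbound links to the old `#windows-10-update-rings` fragment. In the Not ready row, the paragraph markup mixes an unclosed `<p><p>` with closed `</p>` tags; use one form throughout the cell.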
@ -53,7 +53,7 @@ You can access Azure Active Directory (AD) settings in the [Azure portal](https:
|
||||
|
||||
### Conditional access policies
|
||||
|
||||
Conditional access policies must not prevent Windows Autopatch from connecting to your Intune tenant.
|
||||
Conditional access policies must not prevent Windows Autopatch from connecting to your tenant.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
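Review bot: Dropping "Intune" leaves "connecting to your tenant" without saying which tenant is meant. This section sits under "Azure Active Directory settings", so name the tenant explicitly (for example "your Azure AD tenant", if that is the intent). Administrators reviewing their conditional access policies need to know which sign-ins the requirement covers.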
@ -66,7 +66,7 @@ Windows Autopatch requires the following licenses:
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, Microsoft Intune and Windows 10/11 Enterprise are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
|
||||
### Windows Autopatch service accounts
|
||||
|
||||
|
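Review bot: With "Windows 10/11 Enterprise" removed from the list, the revised Not ready row reads "Azure Active Directory Premium, and Microsoft Intune are required", leaving a stray comma before "and" in a two-item list. Suggest "Additionally, Azure Active Directory Premium and Microsoft Intune are required."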
@ -35,7 +35,9 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol
|
||||
|
||||
The following Windows 64-bit editions are required for Windows Autopatch:
|
||||
|
||||
- Windows 10/11 Pro
|
||||
- Windows 10/11 Enterprise
|
||||
- Windows 10/11 Pro for Workstations
|
||||
|
||||
## Co-management requirements
|
||||
|
||||
|
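Review bot: The edition list now includes "Windows 10/11 Pro for Workstations", but the FAQ added in this same commit still describes support as "Enterprise and Professional editions" in both the supported versions answer and the prerequisites list. Update those entries, or confirm that "Professional" is meant to cover Pro for Workstations, so the two pages do not disagree on supported editions. The context line in the hunk header also carries the "Window 10/11" typo, which is worth fixing while this file is open.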