mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 07:17:24 +00:00
Merge branch 'jgeurten-add-wdac-wizard-instructions' of https://github.com/jgeurten/windows-docs-pr into jgeurten-add-wdac-wizard-instructions
This commit is contained in:
Jordan Geurten
commit
167b33adaa
@ -54,6 +54,8 @@
|
||||
href: operate/windows-autopatch-wqu-end-user-exp.md
|
||||
- name: Windows quality update signals
|
||||
href: operate/windows-autopatch-wqu-signals.md
|
||||
- name: Windows quality update communications
|
||||
href: operate/windows-autopatch-wqu-communications.md
|
||||
- name: Windows quality update reports
|
||||
href: operate/windows-autopatch-wqu-reports-overview.md
|
||||
items:
|
||||
@ -72,8 +74,6 @@
|
||||
items:
|
||||
- name: Windows feature update end user experience
|
||||
href: operate/windows-autopatch-fu-end-user-exp.md
|
||||
- name: Windows quality and feature update communications
|
||||
href: operate/windows-autopatch-wqu-communications.md
|
||||
- name: Microsoft 365 Apps for enterprise
|
||||
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
|
||||
- name: Microsoft Edge
|
||||
|
||||
@ -29,11 +29,11 @@ In this section we'll review what an end user would see in the following three s
|
||||
|
||||
### Typical update experience
|
||||
|
||||
In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
|
||||
In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
|
||||
|
||||
1. Restart immediately to install the updates
|
||||
1. Schedule the installation, or
|
||||
1. Snooze (the device will attempt to install outside of active hours.)
|
||||
1. Restart immediately to install the updates.
|
||||
2. Schedule the installation.
|
||||
3. Snooze (the device will attempt to install outside of active hours).
|
||||
|
||||
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
|
||||
|
||||
@ -51,7 +51,16 @@ The deadline specified in the update policy is five days. Therefore, once this d
|
||||
|
||||
In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
|
||||
|
||||
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
|
||||
The grace period to install the update and restart depends on the deployment ring the device is assigned to:
|
||||
|
||||
| Deployment ring | Grace period (in days) |
|
||||
| ----- | ----- |
|
||||
| Test | Zero days |
|
||||
| First | Two days |
|
||||
| Fast | Two days |
|
||||
| Broad | Two days |
|
||||
|
||||
The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification.
|
||||
|
||||
:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
|
||||
|
||||
|
||||
@ -14,22 +14,21 @@ msreviewer: andredm7
|
||||
|
||||
# Windows feature updates
|
||||
|
||||
Microsoft provides robust modern device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and fundamental tasks by IT organizations because Windows feature updates provide:
|
||||
Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates:
|
||||
|
||||
- Fixes for security vulnerabilities and known bugs to keep Windows devices protected against advanced malicious attacks.
|
||||
- New features to boost end-user productivity.
|
||||
- Keep Windows devices protected against behavioral issues.
|
||||
- Provide new features to boost end-user productivity.
|
||||
|
||||
Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
|
||||
|
||||
## Enforcing a minimum Windows OS version
|
||||
|
||||
Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has its Windows feature update policy assigned to them.
|
||||
Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
|
||||
|
||||
The policies:
|
||||
|
||||
- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**.
|
||||
- Set a bare minimum Windows OS version required by the service once devices are registered with the service.
|
||||
- Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch.
|
||||
|
||||
If a device is registered with Windows Autopatch, and the device is:
|
||||
|
||||
@ -50,19 +49,25 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol
|
||||
> [!IMPORTANT]
|
||||
> If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy).
|
||||
|
||||
> [!NOTE]
|
||||
> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:<ul><li>**Modern Workplace DSS Policy [Test]**</li><li>**Modern Workplace DSS Policy [First]**</li><li>**Modern Workplace DSS Policy [Fast]**</li><li>**Modern Workplace DSS Policy [Broad]**</li><p>Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.</p>
|
||||
|
||||
## Test Windows 11 feature updates
|
||||
|
||||
You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows:
|
||||
You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows:
|
||||
|
||||
| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
|
||||
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
|
||||
| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM |
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.<p>Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.</p>
|
||||
|
||||
## Manage Windows feature update deployments
|
||||
|
||||
Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and feature updates.
|
||||
Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release).
|
||||
|
||||
Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
|
||||
Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
|
||||
|
||||
## Pausing and resuming a release
|
||||
|
||||
@ -79,14 +84,14 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
|
||||
9. Select **Okay**.
|
||||
|
||||
> [!NOTE]
|
||||
> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
|
||||
> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
|
||||
|
||||
## Rollback
|
||||
|
||||
Windows Autopatch doesn’t support the rollback of Windows Feature updates.
|
||||
|
||||
> [!CAUTION]
|
||||
> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the feature update.
|
||||
> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update.
|
||||
|
||||
## Contact support
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Windows quality and feature update communications
|
||||
title: Windows quality update communications
|
||||
description: This article explains Windows quality update communications
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: windows-client
|
||||
@ -12,7 +12,7 @@ manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Windows quality and feature update communications
|
||||
# Windows quality update communications
|
||||
|
||||
There are three categories of communication that are sent out during a Windows quality and feature update:
|
||||
|
||||
@ -20,7 +20,11 @@ There are three categories of communication that are sent out during a Windows q
|
||||
- [Communications during release](#communications-during-release)
|
||||
- [Incident communications](#incident-communications)
|
||||
|
||||
Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication.
|
||||
Communications are posted to, as appropriate for the type of communication, to the:
|
||||
|
||||
- Message center
|
||||
- Service health dashboard
|
||||
- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center
|
||||
|
||||
:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
|
||||
|
||||
@ -42,4 +46,4 @@ For example, new threat intelligence may require us to expedite a release, or we
|
||||
|
||||
## Incident communications
|
||||
|
||||
Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
|
||||
Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
|
||||
|
||||
@ -56,4 +56,4 @@ Autopatch monitors the following reliability signals:
|
||||
| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
|
||||
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
|
||||
|
||||
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
|
||||
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
|
||||
|
||||
@ -45,13 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
|
||||
| ----- | ----- |
|
||||
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.<p><p>For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
|
||||
|
||||
### Deployment rings for Windows 10 or later
|
||||
### Windows 10 and later update rings
|
||||
|
||||
Your "Windows 10 deployment ring" policy in Intune must not target any Windows Autopatch devices.
|
||||
Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have an "update ring" policy that targets all devices, all users, or both.<p>To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
|
||||
| Not ready | You have an "update ring" policy that targets all devices, all users, or both.<p>To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.</p><p>For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
|
||||
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.<p>You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).</p>|
|
||||
|
||||
## Azure Active Directory settings
|
||||
|
||||
@ -78,18 +78,18 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
|
||||
## Feature update policies
|
||||
|
||||
- Modern Workplace DSS Policy [Test]
|
||||
- Modern Workplace DSS Policy [First]
|
||||
- Modern Workplace DSS Policy [Fast]
|
||||
- Modern Workplace DSS Policy [Broad]
|
||||
- Modern Workplace DSS Policy [Windows 11]
|
||||
- Windows Autopatch - DSS Policy [Test]
|
||||
- Windows Autopatch - DSS Policy [First]
|
||||
- Windows Autopatch - DSS Policy [Fast]
|
||||
- Windows Autopatch - DSS Policy [Broad]
|
||||
- Windows Autopatch - DSS Policy [Windows 11]
|
||||
|
||||
| Policy name | Policy description | Value |
|
||||
| ----- | ----- | ----- |
|
||||
| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
|
||||
| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
|
||||
| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
|
||||
| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
|
||||
| Windows Autopatch - DSS Policy [Test] | DSS policy for Test device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
|
||||
| Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
|
||||
| Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
|
||||
| Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
|
||||
| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul>|
|
||||
|
||||
## Microsoft Office update policies
|
||||
|
||||
@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
|
||||
|
||||
| Article | Description |
|
||||
| ----- | ----- |
|
||||
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
|
||||
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the Built-in roles required for registration section.</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
|
||||
|
||||
## January 2023
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user