diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json index 7efdfec5ae..2470da681e 100644 --- a/.openpublishing.redirection.windows-deployment.json +++ b/.openpublishing.redirection.windows-deployment.json @@ -1689,6 +1689,51 @@ "source_path": "windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md", "redirect_url": "/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation.md", + "redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-communications.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md", + "redirect_url": "/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/manage/windows-autopatch-feature-deactivation.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": false + }, + { + "source_path": "windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md", + "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview", + "redirect_document_id": false } ] } diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 3a10604086..161bf41952 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -18,22 +18,20 @@ - name: Configure your network href: prepare/windows-autopatch-configure-network.md - name: Start using Windows Autopatch - href: prepare/windows-autopatch-feature-activation.md + href: prepare/windows-autopatch-start-using-autopatch.md items: - name: Deploy href: items: - - name: Add and verify admin contacts - href: deploy/windows-autopatch-admin-contacts.md - name: Device registration href: items: - - name: Device registration overview - href: deploy/windows-autopatch-device-registration-overview.md - - name: Register your devices - href: deploy/windows-autopatch-register-devices.md - - name: Windows Autopatch groups overview + - name: Autopatch groups overview href: deploy/windows-autopatch-groups-overview.md + - name: Autopatch group registration overview + href: deploy/windows-autopatch-device-registration-overview.md + - name: Register devices with Autopatch groups + href: deploy/windows-autopatch-register-devices.md - name: Post-device registration readiness checks href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Manage @@ -46,15 +44,11 @@ - name: Windows Autopatch groups href: manage/windows-autopatch-manage-autopatch-groups.md items: - - name: Customize Windows Update settings - href: manage/windows-autopatch-customize-windows-update-settings.md - name: Windows Autopatch group policies href: manage/windows-autopatch-groups-policies.md - name: Windows feature updates href: manage/windows-autopatch-windows-feature-update-overview.md items: - - name: Windows feature update policies - href: manage/windows-autopatch-windows-feature-update-policies.md - name: Programmatic controls for Windows feature updates href: manage/windows-autopatch-windows-feature-update-programmatic-controls.md - name: Windows quality updates @@ -62,8 +56,6 @@ items: - name: Windows quality update end user experience href: manage/windows-autopatch-windows-quality-update-end-user-exp.md - - name: Windows quality update communications - href: manage/windows-autopatch-windows-quality-update-communications.md - name: Windows quality update policies href: manage/windows-autopatch-windows-update-policies.md - name: Programmatic controls for expedited Windows quality updates @@ -88,8 +80,6 @@ href: manage/windows-autopatch-support-request.md - name: Exclude a device href: manage/windows-autopatch-exclude-device.md - - name: Deactivate Windows Autopatch features - href: manage/windows-autopatch-feature-deactivation.md - name: Troubleshoot programmatic controls href: manage/windows-autopatch-troubleshoot-programmatic-controls.md - name: Monitor @@ -120,8 +110,6 @@ href: monitor/windows-autopatch-hotpatch-quality-update-report.md - name: Windows feature and quality update device alerts href: monitor/windows-autopatch-device-alerts.md - - name: Policy health and remediation - href: monitor/windows-autopatch-policy-health-and-remediation.md - name: Maintain the Windows Autopatch environment href: monitor/windows-autopatch-maintain-environment.md - name: References @@ -129,11 +117,11 @@ items: - name: Conflicting configurations href: references/windows-autopatch-conflicting-configurations.md - - name: Changes made at feature activation - href: references/windows-autopatch-changes-made-at-feature-activation.md - name: What's new href: - items: + items: + - name: What's new 2025 + href: whats-new/windows-autopatch-whats-new-2025.md - name: What's new 2024 href: whats-new/windows-autopatch-whats-new-2024.md - name: What's new 2023 diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index fb561d216a..4500d3d9ec 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- -title: Device registration overview +title: Autopatch group registration overview description: This article provides an overview on how to register devices in Autopatch. -ms.date: 10/30/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -15,11 +15,9 @@ ms.collection: - tier1 --- -# Device registration overview +# Autopatch group registration overview -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -Windows Autopatch must [register your existing devices](../deploy/windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf. +When you assign a Microsoft Entra Group to an Autopatch policy or [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), the device is registered with the Autopatch Service. ## Prerequisites for device registration @@ -31,88 +29,17 @@ A role defines the set of permissions granted to users assigned to that role. Yo To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites. For more information, see [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md). -> [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. - The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset. -The overall device registration process is as follows: +The overall Autopatch group registration process is as follows: :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png"::: -1. IT admin reviews [Windows Autopatch device registration prerequisites](#prerequisites-for-device-registration) before registering devices with Windows Autopatch. -2. IT admin identifies and adds devices, or nests other Microsoft Entra device groups when you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group), or import Windows Update for Business (WUfB) policies. -3. Windows Autopatch then: +1. IT admin identifies and adds devices, or nests other Microsoft Entra device groups when you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). +2. Windows Autopatch then: 1. Performs device readiness prior registration (prerequisite checks). 2. Calculates the deployment ring distribution. 3. Assigns devices to one of the deployment rings based on the previous calculation. 4. Assigns devices to other Microsoft Entra groups required for management. - 5. Marks devices as active for management so it can apply its update deployment policies. -4. IT admin then monitors the device registration trends and the update deployment reports. For more information about the device registration workflow, see the [Detailed device registration workflow diagram](../deploy/windows-autopatch-register-devices.md#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process. - -## Windows Autopatch deployment rings - -> [!CAUTION] -> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

- -When you [start using Autopatch](../prepare/windows-autopatch-feature-activation.md), Windows Autopatch creates the following deployment ring set to organize devices. - -| Deployment ring | Description | -| --- | --- | -| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters. | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | - -> [!CAUTION] -> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Move devices in between deployment rings](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings). - -> [!IMPORTANT] -> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or your Autopatch groups. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. - -During the device registration process, Windows Autopatch assigns each device to a deployment ring so that the service has the proper representation of device diversity across your organization. -The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. - -### Device record and deployment ring assignment - -When you register your devices, Windows Autopatch: - -1. Makes a record of devices in the service. -2. Assign devices to the [deployment ring set](#default-deployment-ring-calculation-logic) and other groups required for software update management. - -### Default deployment ring calculation logic - -The Windows Autopatch deployment ring calculation occurs during the device registration process: - -- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. -- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment is First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - -> [!NOTE] -> You can customize the deployment ring calculation logic by [editing an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). - -| Deployment ring | Default device balancing percentage | Description | -| --- | --- | --- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates before reaching production users. | -| First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| N/A | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | - -## Automated deployment ring remediation functions - -Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - -- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process. - -There are two automated deployment ring remediation functions: - -| Function | Description | -| ----- | ----- | -| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). | -| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. | - -> [!IMPORTANT] -> Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:
  • **Modern Workplace Devices-Windows Autopatch-Test**
  • **Windows Autopatch - Test**
  • **Windows Autopatch - Last**
    • diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index b397788c4b..da54b8ef15 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -1,7 +1,7 @@ --- title: Windows Autopatch groups overview description: This article explains what Autopatch groups are -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -17,13 +17,11 @@ ms.collection: # Windows Autopatch groups -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions. ## What are Windows Autopatch groups? -An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). +An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings), [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates), [driver update policies](../manage/windows-autopatch-manage-driver-and-firmware-updates.md), [Microsoft 365 App update policies](../manage/windows-autopatch-microsoft-365-policies.md), and [Microsoft Edge update policies](../manage/windows-autopatch-edge.md). Autopatch groups are intended to help organizations that require a more precise representation of their organization's structures along with their own update deployment cadence in the service. @@ -49,10 +47,7 @@ Before you start managing Autopatch groups, ensure you meet the following prereq | Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) | Understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization. | | Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../monitor/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality doesn't work properly. Autopatch uses app-only auth to: | | | Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created before using the feature. | Review your existing Microsoft Entra group dynamic queries and direct device memberships to: | -| Ensure devices used with your existing Microsoft Entra groups meet [device registration prerequisite checks](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration) when being registered with the service | Autopatch groups register devices on your behalf, and device readiness states are determined based on the registration state and if any applicable alerts are targeting the device. For more information, see the [Devices report](../deploy/windows-autopatch-register-devices.md#devices-report). | - -> [!TIP] -> [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../monitor/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../monitor/windows-autopatch-policy-health-and-remediation.md#restore-missing-windows-update-policies). +| Ensure devices used with your existing Microsoft Entra groups meet [device registration prerequisite checks](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration) when being registered with the service | Autopatch groups register devices on your behalf, and device readiness states are determined based on the registration state and if any applicable alerts are targeting the device. For more information, see the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). | ## Register devices into Autopatch groups @@ -67,9 +62,9 @@ An Autopatch group is a function app that is part of the device registration mic | Step | Description | | ----- | ----- | | Step 1: Create an Autopatch group | Create an Autopatch group. Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). | -| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of: | +| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of: | | Step 3: Intune assigns software update policies | Once Microsoft Entra groups are created in the Microsoft Entra service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. | -| Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for: | +| Step 4: Windows Autopatch responsibilities | Windows Autopatch service is responsible for: | ## Autopatch group deployment rings @@ -108,7 +103,7 @@ The following are three common uses for using Autopatch groups. :::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: > [!IMPORTANT] -> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. +> Once Autopatch groups are set up, the releases of either Windows quality or feature updates are deployed sequentially through its deployment rings. ### Use case #2 @@ -119,7 +114,7 @@ The following are three common uses for using Autopatch groups. :::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png"::: > [!IMPORTANT] -> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. +> Once Autopatch groups are set up, the releases of either Windows quality or feature updates are deployed sequentially through its deployment rings. ## Supported configurations @@ -137,9 +132,9 @@ Autopatch groups work with the following software update workloads: ### Maximum number of Autopatch groups -Windows Autopatch supports up to 50 Autopatch groups in your tenant. Each Autopatch group supports up to 15 deployment rings. +Windows Autopatch supports up to 300 Autopatch groups in your tenant. Each Autopatch group supports up to 15 deployment rings. > [!NOTE] -> If you reach the maximum number of Autopatch groups supported (50), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade will be greyed out. +> If you reach the maximum number of Autopatch groups supported (50), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade is greyed out. To manage your Autopatch groups, see [Manage Windows Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index c4a299bb50..5a810e4f10 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -17,8 +17,6 @@ ms.collection: # Post-device registration readiness checks -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. Having a way of measuring, quickly detecting and remediating when something goes wrong with ongoing change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results. @@ -51,7 +49,7 @@ Figuring out device health can be challenging and disruptive to the end user whe - Obtain proactive data sent by the device to the service, or - Proactively detect and remediate issues -Windows Autopatch has devices readiness states within its [**Devices report**](../deploy/windows-autopatch-register-devices.md#devices-report). Each state provides IT admins monitoring information on which devices might have potential device health issues. +Windows Autopatch has devices readiness states within its [**Autopatch group membership report**](../deploy/windows-autopatch-register-devices.md#autopatch-group-membership-report). Each state provides IT admins monitoring information on which devices might have potential device health issues. | Tab | Description | | ----- | ----- | @@ -68,6 +66,16 @@ A healthy or active device in Windows Autopatch is: The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service. +### Install the Windows Autopatch Client Broker + +You can install the Windows Autopatch Client Broker on-demand at the tenant level to determine device update readiness and collect logs for issue triaging. + +**To install the Windows Autopatch Client Broker**: + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to the **Tenant administration** menu. +1. In the **Windows Autopatch** section, select **Tenant Management**. Then, select **Manage client broker**. + The following list of post-device registration readiness checks is performed in Windows Autopatch: | Check | Description | diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index c2b584ffa3..64c04f55c4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- -title: Register your devices +title: Register devices with Autopatch groups description: This article details how to register devices in Autopatch. -ms.date: 09/26/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -15,11 +15,11 @@ ms.collection: - tier1 --- -# Register your devices +# Register devices with Autopatch groups -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] +An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). -Before Microsoft can manage your devices in Windows Autopatch, you must register devices with the service. Make sure your devices meet the [device registration prerequisites](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration). +When you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group), the device-based Microsoft Entra groups you use are scanned on an ongoing basis to see if new devices need to be added to the Autopatch group. ## Detailed device registration workflow diagram @@ -29,91 +29,45 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | Step | Description | | ----- | ----- | -| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | -| **Step 2: Add devices** | IT admin identifies and adds devices, or nests other Microsoft Entra device groups into any Microsoft Entra group when you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) or imported (WUfB) policies. | -| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
    1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.
    | -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name, and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, and the device's Autopatch readiness status appears as **Not registered** in the [**Devices report**](#devices-report). The IT admin can review the reasons the device wasn't registered into Windows Autopatch. The IT admin remediates these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
        2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device checked into Intune in the last 28 days.
    2. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
        1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
        2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
    3. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    4. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and the device's Autopatch readiness status appears as **Not registered** in the **Devices report**.
    | -| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment is **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | -| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
      4. | -| **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:
      1. **Modern Workplace Devices - All**
        1. This group has all devices managed by Windows Autopatch.
      2. **Modern Workplace Devices - Virtual Machine**
        1. This group has all **virtual devices** managed by Windows Autopatch.
        | -| **Step 8: Post-device registration** | In post-device registration, three actions occur:
        1. Windows Autopatch adds devices to its managed database.
        2. Flags devices as **Ready**. The device's Autopatch readiness status appears as **Registered** in the **Devices report**.
        3. The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension's allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
          1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
          | -| **Step 9: Review device registration status** | IT admins review the device's Autopatch readiness status. Devices are either **Registered** or **Not registered** in the **Devices report**.
          1. If the device was **successfully registered**, the device's Autopatch readiness status appears as **Registered** in the **Devices report**.
          2. If **not**, the device's Autopatch readiness status appears as **Not registered** in the **Devices report**.
          | -| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | +| **Step 1: Assign Entra Groups** | IT admin identifies the Microsoft Entra group they want to assign when they [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). | +| **Step 2: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin from Microsoft Entra groups used with Autopatch groups in **step #1**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
          1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
            1. **AzureADDeviceID**
            2. **OperatingSystem**
            3. **DisplayName (Device name)**
            4. **AccountEnabled**
            5. **RegistrationDateTime**
            6. **ApproximateLastSignInDateTime**
          2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.
          | +| **Step 3: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
          1. **If the device is Intune-managed or not.**
            1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
              1. If **yes**, it means this device is enrolled into Intune.
              2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
            2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name, and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
              1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, and the device's Autopatch readiness status appears as **Not registered** in the [**Autopatch groups membership report**](#autopatch-groups-membership-report). The IT admin can review the reasons the device wasn't registered into Windows Autopatch. The IT admin remediates these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
              2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
            3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device checked into Intune in the last 28 days.
          2. **If the device is a Windows device or not.**
            1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
              1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
              2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
          3. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
            1. **Enterprise**
            2. **Pro**
            3. **Pro Workstation**
          4. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
            1. **Only managed by Intune.**
              1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
            2. **Co-managed by both Configuration Manager and Intune.**
              1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
                1. **Windows Updates Policies**
                2. **Device Configuration**
                3. **Office Click to Run**
              2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and the device's Autopatch readiness status appears as **Not registered** in the **Autopatch groups membership report**.
          | +| **Step 4: Calculate dynamic distribution and assign devices** | Microsoft Entra Groups, which are directly assigned to a deployment ring, adds those devices to the Microsoft Entra Group that Autopatch creates for that deployment ring.

          If you choose to use dynamic distribution, the Autopatch service distributes the devices you selected. The service takes a percentage of the devices in the dynamic pool and adds them to the relevant Microsoft Entra groups. Devices that are members of Microsoft Entra groups that are directly assigned aren't included in the dynamic pool.

          If you have fewer than 100 devices in an Autopatch group, the distribution might not match your selection.

          | +| **Step 5: Post-device registration** | If you deployed the [**Windows Autopatch Client Broker**](../deploy/windows-autopatch-post-reg-readiness-checks.md#install-the-windows-autopatch-client-broker), post-device registration actions occur. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#post-device-registration-readiness-checks-workflow). | +| **Step 6: Review device registration status** | IT admins review the device's Autopatch readiness status. Devices are either **Registered** or **Not registered** in the **[**Autopatch groups membership report**](#autopatch-groups-membership-report)**.
          1. If the device was **successfully registered**, the device's Autopatch readiness status appears as **Registered** in the **Autopatch groups membership report**.
          2. If **not**, the device's Autopatch readiness status appears as **Not registered** in the **Autopatch groups membership report**.
          | +| **Step 7: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram -As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed. +As described in **step #3** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed. :::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Diagram of the prerequisite check workflow." lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png"::: -## Devices report +## Autopatch groups membership report -Windows Autopatch has a device report that allows you to see: +Windows Autopatch has an Autopatch groups membership report that allows you to see: -- Each registered devices readiness for the service +- Autopatch group membership (only if the device is added to an Autopatch group) - Update status - Policies that target each device -### View the device report +### View the Autopatch groups membership report -**To view the device report:** +**To view the Autopatch groups membership report:** 1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. -1. Under Manage updates, select **Windows updates**. +1. Under **Manage updates**, select **Windows updates**. 1. Select the **Monitor** tab, and then select **Autopatch devices**. -Once a device is registered to the service, a readiness status is displayed. Each readiness status helps you to determine if there are any actions to take or if the device is ready for the service. +Once a device is added to an Autopatch group, a readiness status is displayed. Each readiness status helps you to determine if there are any actions to take or if the device is ready for the service. #### Readiness statuses -| Autopatch readiness status in the Devices report | Substatus description | +| Autopatch readiness status in the Autopatch groups membership report | Substatus description | | --- | --- | | Registered |
          • **Ready**: Devices successfully passed all prerequisite checks and successfully registered with Windows Autopatch. Additionally, Ready devices successfully passed all [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) and don't have any active alerts targeting them.
          • **Not ready**: These devices were successfully registered with Windows Autopatch. However, these devices:
            • Failed to pass one or more [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
            • Aren't ready to have one or more software update workloads managed by the service.
            • The device didn't communicate with Microsoft Intune in the last 28 days
            • The device has a conflict with policies or with Autopatch group membership
          | | Not registered |
          • **Autopatch group conflict**: The device has a conflict with Autopatch group membership
          • **Prerequisites failed**: The device failed to pass one or more [post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
          • **Excluded**: Devices with this status are removed from the Windows Autopatch service only. Microsoft assumes you manage these devices yourself in some capacity.
          | -### View only excluded devices - -You can view the excluded devices in the Not registered tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service. - -**To view only excluded devices:** - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Windows Autopatch** > **Devices**. -2. In the **Not registered** tab, select **Excluded** from the filter list. Leave all other filter options unselected. - -## Move devices in between deployment rings - -If you want to move devices to different deployment rings after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices. - -> [!IMPORTANT] -> **You can only move devices in between deployment rings within the same Autopatch group**. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: **An error occurred. Please select devices within the same Autopatch group**. - -**To move devices in between deployment rings:** - -> [!NOTE] -> You can only move devices to other deployment rings when the device's Autopatch readiness status appears as **Registered** and the Update status is **Active**. - -1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. -1. Navigate to **Windows updates** > **Monitor** > **Autopatch devices**. -1. Select one or more devices you want to assign and select **Assign ring**. -1. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. All selected devices are assigned to the deployment ring you specify. The "1 devices scheduled for assignment" notification appears. -1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. The **Ring assigned by** column is only visible in the fly-in menu. - -> [!WARNING] -> Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and might cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign ring** action described previously to move devices between deployment rings. - -## Register devices into Autopatch groups - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). - -When you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings, are scanned to see if devices need to be registered with the Windows Autopatch service. - -If devices aren't registered, Autopatch groups start the device registration process by using your existing device-based Microsoft Entra groups. - -- For more information, see [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) to register devices into Autopatch groups. -- For more information about moving devices between deployment rings, see [Move devices in between deployment rings](#move-devices-in-between-deployment-rings). - ### Supported scenarios when nesting other Microsoft Entra groups Windows Autopatch also supports the following Microsoft Entra nested group scenarios: @@ -136,7 +90,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W 1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types). 1. Select **Next**. 1. Choose the desired image and select **Next**. -1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) can't manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md) to continue. +1. Under the **Microsoft managed services** section, ensure **Windows Autopatch** is selected. 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs are automatically enrolled and managed by Windows Autopatch. @@ -146,7 +100,7 @@ For more information, see [Create a Windows 365 Provisioning Policy](/windows-36 Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process. -Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](../deploy/windows-autopatch-device-registration-overview.md). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. +Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](../deploy/windows-autopatch-device-registration-overview.md). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-autopatch-group-registration-related-incidents), unless otherwise specified. ### Prerequisites @@ -183,27 +137,23 @@ In the dual state, you end up having two Microsoft Entra device records with dif It's recommended to detect and clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, see [How To: Manage stale devices in Microsoft Entra ID](/entra/identity/devices/manage-stale-devices). > [!WARNING] -> If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore. +> If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** prerequisite check in the **Not ready** tab because it expects that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore. -### Contact support for device registration-related incidents - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] +### Contact support for Autopatch group registration-related incidents Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. - For Windows 365 support, see [Get support](/mem/get-support). - For Azure Virtual Desktop support, see [Get support](https://azure.microsoft.com/support/create-ticket/). -- For Windows Autopatch support, see [Submit a support request](../manage/windows-autopatch-support-request.md). - ---- +- For Windows Autopatch support, see [Submit a support request](../manage/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F3 licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md). ## Device management lifecycle scenarios -There's a few more device management lifecycle scenarios to consider when planning to register devices in Windows Autopatch. +There's a few more device management lifecycle scenarios to consider when planning to register devices in an Autopatch group. ### Device refresh -If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device. +If a device was previously registered into an Autopatch group, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device. The device is rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Microsoft Entra device ID record of that device remains the same. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md index a9fcc86c26..528758638d 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/24/2024 +ms.date: 03/31/2025 --- # Programmatic controls for drivers and firmware updates diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md index 831fe0e8a1..a49bce722c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md @@ -1,7 +1,7 @@ --- title: Microsoft Edge description: This article explains how Microsoft Edge updates are managed in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,13 +17,8 @@ ms.collection: # Microsoft Edge -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge. -> [!IMPORTANT] -> To update Microsoft 365 Apps for enterprise, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) first and **Microsoft Edge update setting** must be set to [**Allow**](#allow-or-block-microsoft-edge-updates). For more information on workloads supported by Windows Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads). - ## Device eligibility For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria: @@ -33,44 +28,65 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto - The device must be able to access the required network endpoints to reach the Microsoft Edge update service. - If Microsoft Edge is open, it must restart for the update process to complete. -## Allow or block Microsoft Edge updates +## Microsoft Edge update controls -> [!IMPORTANT] -> You must be an Intune Administrator to make changes to the setting. +With the expanded Autopatch group capabilities, you can choose to enable Microsoft Edge updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -For organizations seeking greater control, you can allow or block Microsoft Edge updates for Windows Autopatch-enrolled devices. +- Tenants that previously turned on Autopatch Microsoft Edge updates, has the Microsoft Edge updates Update Type checkbox selected, and the updated policies applied to each Autopatch group. +- Tenants that previously turned off Autopatch Microsoft Edge updates, or are new to Windows Autopatch, Autopatch Microsoft Edge updates remain turned off. -| Microsoft Edge setting | Description | -| ----- | ----- | -| **Allow** | When set to **Allow**, Windows Autopatch assigns devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel). To manage updates manually, set the Microsoft Edge setting to **Block**. | -| **Block** | When set to **Block**, Windows Autopatch doesn't assign devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). | +If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft Edge updates as a content type, the **Update Type** checkbox is **selected**, with new policies created and any available old policies are removed. If you didn’t select Microsoft Edge updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. -**To allow or block Edge updates:** +### Turn on Microsoft Edge updates + +**To turn on Microsoft Edge updates:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Update settings**. -1. Go to the **Edge updates** section. By default, the Allow/Block toggle is set to **Block**. -1. Turn off the **Allow** toggle (set to Block) to opt out of Microsoft Edge update policies. You see the notification: *Update in process. This setting will be unavailable until the update is complete.* -1. Once the update is complete, you receive the notification: *This setting is updated*. +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Next to **Update types**, select **Edit**.  +1. Select **Microsoft Edge updates**.  +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. +1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  +1. Manually remove the following profiles related to Microsoft Edge + 1. Windows Autopatch - Microsoft Edge Update Channel Beta + 1. Windows Autopatch - Microsoft Edge Update Channel Stable > [!NOTE] -> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:
          1. Refresh your page.
          2. Please repeat the same steps in To allow or block Edge updates.
          3. If the issue persists, [submit a support request](../manage/windows-autopatch-support-request.md).
            4. +> If you previously selected **Microsoft Edge updates** when [creating an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), but your tenant isn't showing the new updates, there’s a possibility that you previously modified the policy. To ensure there are no disruptions, the Autopatch Service retains that policy. -**To verify if the Edge update setting is set to Allow:** +### Turn off Microsoft Edge updates + +**To turn off Microsoft Edge updates:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. -3. The following profiles should be discoverable from the list of profiles: - 1. Windows Autopatch - Microsoft Edge Update Channel Stable - 2. Windows Autopatch - Microsoft Edge Update Channel Beta +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Next to **Update types**, select **Edit**. +1. Unselect **Microsoft Edge updates**.  +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. -**To verify if the Edge update setting is set to Block:** +### Verify Microsoft Edge updates policies + +**To verify Microsoft Edge updates policies:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. -3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Microsoft Edge Configuration". The result should return *0 profiles filtered*. +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  +1. Verify each Autopatch group has the **Microsoft Edge Update Type** checkbox **selected**. +1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. +1. The following new policies should be discoverable from the list of profiles: + 1. `"Windows Autopatch Microsoft Edge Update Policy - - "` +1. The following profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Microsoft Edge Update Channel". The result should return *0 profiles filtered*. + 1. Windows Autopatch - Microsoft Edge Update Channel Beta 1. Windows Autopatch - Microsoft Edge Update Channel Stable - 2. Windows Autopatch - Microsoft Edge Update Channel Beta + +### Verify Microsoft Edge updates policies are created + +**To verify Microsoft Edge updates policies are created:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies**. +1. Confirm the new policies are named:`"Windows Autopatch Microsoft Edge Update Policy - - "` ## Update release schedule @@ -86,4 +102,4 @@ Currently, Windows Autopatch can't pause or resume Microsoft Edge updates. ## Incidents and outages -If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md). +If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md index 1c024c812e..b8eb5ff8e1 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-exclude-device.md @@ -1,7 +1,7 @@ --- title: Exclude a device description: This article explains how to exclude a device from the Windows Autopatch service -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -16,8 +16,6 @@ ms.collection: # Exclude a device -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Microsoft Entra device records. Microsoft assumes you manage those devices yourself in some capacity. When you exclude a device from the Windows Autopatch service, the device is flagged as **Excluded** so Windows Autopatch doesn't try to restore the device into the service again. The exclusion command doesn't trigger device membership removal from any other Microsoft Entra group, used with Autopatch groups. @@ -34,11 +32,11 @@ When you exclude a device from the Windows Autopatch service, the device is flag 1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**. > [!WARNING] -> Excluding devices from the Windows Autopatch Device Registration group, or any other Microsoft Entra group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service. +> When you exclude devices from the Windows Autopatch Device Registration group, or any other Microsoft Entra group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service. ## Only view excluded devices -You can view the excluded devices in the [**Devices report**](../deploy/windows-autopatch-register-devices.md#devices-report) to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service. +You can view the excluded devices in the [**Autopatch groups membership report**](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report) to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service. **To view only excluded devices:** diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md index 4fa624de44..f4712f163c 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md @@ -1,7 +1,7 @@ --- title: Autopatch group policies description: This article describes Autopatch group policies -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,26 +17,32 @@ ms.collection: # Autopatch group policies -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The following Autopatch group policies are only created when you create an Autopatch group. ## Update rings policy for Windows 10 and later -Update rings policy for Windows 10 and later - -Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group. See the following default policy values: +Autopatch groups create one Windows 10 Update Ring policy for each deployment ring you specify. These rings configure important update settings like automatic update behavior, deferrals, deadlines, and grace periods. See the following preset default policy values for restart-sensitive devices where the deadline and grace period aren't configured. | Policy name | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | | Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | | Ring 1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | -| Ring 2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes | +| Ring 2 | 5 | 0 | 30 | 2 | 5 | 2 | Yes | | Ring 3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes | -| Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes | +| Last | 10 | 0 | 30 | 3 | 5 | 2 | Yes | ## Feature update policy for Windows 10 and later +If features updates are [selected as a content type for an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), a feature update policy is created with the Microsoft Entra groups for each update ring assigned to it. This policy does the following: + +- Ensures existing devices on the target version don’t update beyond that version. +- If new devices are added to the Autopatch group and are below your target version, the devices are updated to the target version. + +To achieve this outcome, the feature update policy is configured for immediate start as required. + +> [!IMPORTANT] +> To safely deploy a new feature update, Autopatch recommends using a custom Windows feature update release. The custom release allows you to choose how and when different deployment rings receive the update. Autopatch doesn't recommend updating the minimum version within an Autopatch group until your rollout is complete. Doing so initiates a rollout which starts immediately for all members of that group.

            Once you create a custom Windows feature update release, the Autopatch group's deployment rings are unassigned from that group’s feature update policy.

            + Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values: | Policy name |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 0cf0c9260b..78799f5867 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 02/03/2025 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Hotpatch updates (public preview) -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - > [!IMPORTANT] > This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md index ffcd082e07..6b60b3a9ba 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,21 +17,22 @@ ms.collection: # Manage Windows Autopatch groups -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. -An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). +An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings), [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates), [driver update policies](../manage/windows-autopatch-manage-driver-and-firmware-updates.md), [Microsoft 365 App update policies](../manage/windows-autopatch-microsoft-365-policies.md), and [Microsoft Edge update policies](../manage/windows-autopatch-edge.md). Before you start managing Autopatch groups, ensure you meet the [Windows Autopatch groups prerequisites](../deploy/windows-autopatch-groups-overview.md#prerequisites). +> [!NOTE] +> If you reach the maximum number of Autopatch groups supported (300), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade is greyed out. + ## Create an Autopatch group > [!IMPORTANT] > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. > [!TIP] -> For more information on workloads supported by Windows Autopatch groups, see [Supported software workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).
            • To manage Microsoft 365 Apps for enterprise, you must create an Autopatch group first and [set the Microsoft 365 app update setting to Allow](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
            • To manage Microsoft Edge updates, you must create an Autopatch group first and [set the Edge update setting to Allow](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
            +> For more information on workloads supported by Windows Autopatch groups, see [Supported software workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads). **To create an Autopatch group:** @@ -41,37 +42,55 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. In the **Autopatch groups** blade, select **Create**. 1. In the **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**. 1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Autopatch group is created. -1. In the **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Autopatch group. +1. In the **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Autopatch group. Autopatch assigns a default rollout schedule to ensure gradual deployment with deferral and deadline periods ranging from one to 20 days. When a new ring is added, its default deferral and deadline are spaced with existing rings to maintain deferral and deadline period compliance. Therefore, the deferral and deadline period of the new ring might be before or after the previous ring. Adding a new ring doesn’t modify the deferral or deadline of already existing rings. Autopatch doesn’t set deadlines on Sundays. The deadline is scheduled for the following Monday. 1. Each new deployment ring added must have either a Microsoft Entra device group assigned to it, or a Microsoft Entra group that is dynamically distributed across your deployments rings using defined percentages. 1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Microsoft Entra groups to be used for Dynamic group distribution. 1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either: 1. Enter the percentage of devices that should be added from the Microsoft Entra groups selected in step 9. The percentage calculation for devices must equal to 100%, or 1. Select **Apply default dynamic group distribution** to use the default values. 1. In the **Assigned group** column, select **Add group to ring** to add an existing Microsoft Entra group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution. -1. Select **Next: Windows Update settings**. -1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../manage/windows-autopatch-customize-windows-update-settings.md). Select **Save**. -1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**. +1. Select **Next: Update types**. Select the types of updates you want Windows Autopatch to create policies for. You can select: + 1. Quality updates + 1. Feature updates + 1. Driver updates + 1. Microsoft 365 apps updates + 1. Microsoft Edge updates +1. Select **Next: Deployment settings**. If you selected quality updates and Microsoft 365 apps updates in Step 9, these updates are deployed automatically. Use the dropdown menu to select: + 1. The target version for feature updates + 1. The approval method for driver updates + 1. The channel for Microsoft Edge updates +1. Select **Next: Release schedules**. In this page, select one of the following release schedule presets from the **Select a release schedule preset** dropdown menu: + 1. Information worker: Single-user devices that are used in most workplaces + 1. Shared device: Devices that are used by multiple users over a period of time + 1. Kiosks and billboards: High uptime devices used to accomplish a specific task that hides notifications and restart at specific times + 1. Reboot-sensitive devices: Devices that can’t be interrupted in the middle of a task and only update at a scheduled time +1. The Windows update installation, reboot, and notification behavior setting is based on the selected release schedule preset (in step 11). The setting determines how the Windows Update client behaves for all update types that you selected in Step 9. You can: + 1. Edit the deferrals, deadlines, grace periods as needed + 1. Edit the deployment rings as necessary + 1. If you made changes, but want to start over, select **Reset to preset values [release schedule preset]**. The reset is dependent on which release schedule preset you selected in step 12. 1. Select **Review + create** to review all changes made. 1. Once the review is done, select **Create** to save your Autopatch group. > [!CAUTION] -> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

            Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

            +> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service isn't able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

            Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.

            > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that is already used, an error occurs that prevents you from creating or editing the Autopatch group. ## Edit an Autopatch group > [!TIP] -> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**" +> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more ongoing Windows feature update release targeted to this Autopatch group.**" > For more information on release and phase statuses, see [Windows feature update](../manage/windows-autopatch-windows-feature-update-overview.md). **To edit an Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. -1. You can only modify the **description** of an Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**. To rename an Autopatch group, see [Rename an Autopatch group](#rename-an-autopatch-group). -1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. -1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. +1. In the **Basics** page, you can only modify the **description** of an Autopatch group. You **can't** modify the name. Once the description is modified, or if you don't need to edit the description, select **Next: Deployment rings**. To rename an Autopatch group, see [Rename an Autopatch group](#rename-an-autopatch-group). +1. In the **Deployment rings** page, edit your deployment rings as necessary or select **Next: Update types**. +1. In the **Update types** page, add or remove update types as necessary, or select **Next: Deployment settings**. +1. In the **Deployment settings** page, edit the deployment settings as necessary, or select **Next: Release schedule**. +1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary. If you need to change the release schedule preset, you must create a new Autopatch group. 1. Select **Review + create** to review all changes made. 1. Once the review is done, select **Save** to finish editing the Autopatch group. @@ -79,7 +98,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. > [!CAUTION] -> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports. +> If a device that was previously added to an Autopatch group uses a Microsoft Entra group (via Assigned groups or Dynamic distribution method) is removed from the Microsoft Entra group, the device is removed and deregistered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device doesn't appear in the Autopatch groups membership report. ## Rename an Autopatch group @@ -89,7 +108,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then select **Rename group**. > [!IMPORTANT] -> Autopatch supports up to 64 characters for the Autopatch group name. Additionally, when you rename a Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming an Autopatch group all Microsoft Entra groups representing the Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. +> Autopatch supports up to 64 characters for the Autopatch group name. Additionally, when you rename an Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming an Autopatch group all Microsoft Entra groups representing the Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. ## Delete an Autopatch group @@ -99,7 +118,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. Select **Yes** to confirm you want to delete the Autopatch group. > [!CAUTION] -> You can't delete an Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete an Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. +> You can't delete an Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete an Autopatch group when the release for either Windows quality or feature updates has either the **Scheduled** or **Paused** statuses. ## Manage device conflict scenarios when using Autopatch groups @@ -108,7 +127,7 @@ Overlap in device membership is a common scenario when working with device-based Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that is already used, an error occurs that prevents you from creating or editing the Autopatch group. ### Device conflict in deployment rings within an Autopatch group @@ -120,7 +139,7 @@ Autopatch groups use the following logic to solve device conflicts on your behal | Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. | > [!IMPORTANT] -> When a device belongs to a deployment ring that has combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that have combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. +> When a device belongs to a deployment ring that contains combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that contains combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. ### Device conflict across different Autopatch groups @@ -130,7 +149,7 @@ Device conflict across different deployment rings in different Autopatch groups | Conflict scenario | Conflict resolution | | ----- | ----- | -| You, the IT admin at Contoso Ltd., are using several Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade, you notice that the same device is part of different deployment rings across several different Autopatch groups. This device appears as **Not ready**. | You must resolve this conflict.

            Autopatch groups inform you about the device conflict in the [**Devices report**](../deploy/windows-autopatch-register-devices.md#devices-report). Select the **Not ready** status for the device you want to address. You're required to manually indicate which of the existing Autopatch groups the device should exclusively belong to.

            | +| You, the IT admin at Contoso Ltd., are using several Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade, you notice that the same device is part of different deployment rings across several different Autopatch groups. This device appears as **Not ready**. | You must resolve this conflict.

            Autopatch groups inform you about the device conflict in the [**Autopatch groups membership report**](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). Select the **Not ready** status for the device you want to address. You're required to manually indicate which of the existing Autopatch groups the device should exclusively belong to.

            | #### Device conflict before device registration diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md index e968491819..bf2a7f31be 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md @@ -1,7 +1,7 @@ --- title: Manage driver and firmware updates description: This article explains how you can manage driver and firmware updates with Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -21,8 +21,6 @@ You can manage driver and firmware profiles for Windows 10 and later devices. By ## Driver and firmware controls -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - You can manage and control your driver and firmware updates by: - Controlling the flow of all drivers to an Autopatch group or rings within an Autopatch group @@ -33,9 +31,6 @@ You can manage and control your driver and firmware updates by: The Autopatch service creates additional driver profiles on a per-deployment ring and per group basis within your tenant. -> [!NOTE] -> For more information about policies created for Driver updates for Windows 10 and later, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md#driver-updates-for-windows-10-and-later). - Choosing between Automatic and Manual modes can be done per-deployment ring and/or per Autopatch group. For a single Autopatch group, a mix of both Automatic and Manual policies is allowed. If you were previously in Manual mode, we create Manual policies for all your group rings. If Automatic (the default) was previously used, we create Automatic policies instead. > [!IMPORTANT] @@ -55,10 +50,16 @@ Choosing between Automatic and Manual modes can be done per-deployment ring and/ 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Devices** > **Manage Updates** > **Windows Updates** > **Driver Updates** tab. -1. Select the groups you’d like to modify. Find the Driver update settings section, then select Edit. -1. Set the policy to be **Automatic** or **Manual** for each deployment ring within the previously selected group. - 1. If you select **Automatic**, you can choose a **Deferral period** in days from the dropdown menu. - 2. If you select **Manual**, the deferral day setting can’t be set and displays **Not applicable**. +1. Select the groups you’d like to modify. Find the Deployment settings section, then select Edit. +1. Select **Next: Deployment settings**. +1. Choose **Use the same approval method for all deployment rings** or **Use different approval methods for each deployment ring**. + 1. If you select **Use the same approval method for all deployment rings**, you must choose **Automatically approve** or **Manually review and approve**. All deployment rings use this setting. + 1. If you select **Use different approval methods for each deployment ring**, you must choose **Automatically approve** or **Manually review and approve** for each deployment ring. +1. Select **Next: Release schedules**. +1. If you selected **Automatically approve**, under **Quality and driver updates**, you can choose a Driver update deferral for each policy or Driver updates. **Manually review and approve** policies are displayed as *Not applicable*. + 1. Select **Edit** to the right of your deployment ring. + 1. Find **Driver update deferrals** and select **Deferral period in days** from the dropdown menu. + 1. Select **Save**. 1. Select **Review + Save** to review all changes made. 1. Once the review is done, select **Save** to commit your changes. @@ -79,7 +80,7 @@ The deferral period can be set from 0 to 30 days, and it can be different for ea Recommended drivers are the best match for the 'required' driver updates that Windows Update can identify for a device. To be a recommended update, the OEM or driver publisher must mark the update as required and the update must be the most recent update version marked as required. These updates are the same ones available through Windows Update and are almost always the most current update version for a driver. -When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it's moved to the **Other drivers** tab. If the older version was previously approved, it remains approved. +When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it moves to the **Other drivers** tab. If the older version was previously approved, it remains approved. ##### Approve and deploy recommended drivers @@ -102,7 +103,7 @@ Extensions and Plug and play driver updates might not require admin approval. | Driver update | Description | | ----- | ----- | -| Extensions | Windows Autopatch doesn't manage extension drivers. They're easily identified by the term 'extension' in the name. Extensions are typically minor updates to a base driver package that can enhance, modify, or filter the functionality provided by the base driver. They play a crucial role in facilitating effective communication between the operating system and the hardware. If the device hasn't received drivers from Windows Update for some time, the device might have multiple extension drivers offered during the first scan. For more information, see [Why do my devices have driver updates installed that didn't pass through an updates policy?](/mem/intune/protect/windows-driver-updates-overview#why-do-my-devices-have-driver-updates-installed-that-didnt-pass-through-an-updates-policy). | +| Extensions | Windows Autopatch doesn't manage extension drivers. They're easily identified by the term 'extension' in the name. Extensions are typically minor updates to a base driver package that can enhance, modify, or filter the functionality provided by the base driver. They play a crucial role in facilitating effective communication between the operating system and the hardware. If the device doesn't receive drivers from Windows Update for some time, the device might have multiple extension drivers offered during the first scan. For more information, see [Why do my devices have driver updates installed that didn't pass through an updates policy?](/mem/intune/protect/windows-driver-updates-overview#why-do-my-devices-have-driver-updates-installed-that-didnt-pass-through-an-updates-policy). | | Plug and play | When Windows detects a hardware or software component (such as, but not limited to, a mouse, keyboard, or webcam) without an existing driver, it automatically downloads and installs the latest driver to ensure the component functions properly to keep the end-user productive. After the initial installation, the driver becomes manageable. Any additional updates require approval before being offered to the device. | ### Other drivers and firmware diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md index 2ba3d40763..f7dad834ee 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Microsoft 365 Apps for enterprise -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Service level objective > [!IMPORTANT] @@ -77,58 +75,77 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents ## Microsoft 365 Apps for enterprise update controls -Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center. +With the expanded Autopatch group capabilities, you can choose to turn on Microsoft 365 Apps updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -[Submit a support request](../manage/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed. +- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and have the updated policies applied to each Autopatch group. +- Tenants that previously turned off Autopatch Microsoft 365 Apps updates, or are new to Windows Autopatch, Autopatch Microsoft 365 Apps updates remain turned off. + +If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft 365 apps updates as a content type, the **Update Type** checkbox is **selected**, with new policies created, and any available old policies are removed. If you didn’t select Microsoft 365 apps updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. + +### Turn on Microsoft 365 Apps updates + +**To turn on Microsoft 365 Apps updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Next to **Update types**, select **Edit**.  +1. Select **Microsoft 365 Apps updates**.  +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. +1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab.  +1. Manually remove the following profiles related to Microsoft 365 Apps: + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] + +> [!NOTE] +> If you previously selected **Microsoft 365 Apps updates** when [creating an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), but your tenant isn't showing the new updates, there’s a possibility that you previously modified the policy. To ensure there are no disruptions, the Autopatch Service retains that policy. + +### Turn off Microsoft 365 Apps updates + +**To turn off Microsoft 365 Apps updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group).  +1. Next to **Update types**, select **Edit**. +1. Unselect **Microsoft 365 Apps updates**.  +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. + +### Verify Microsoft 365 Apps updates policies + +**To verify Microsoft 365 Apps updates policies:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**.  +1. Verify each Autopatch group has the **Microsoft 365 Apps Update Type** checkbox **selected**. +1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. +1. The following new policies should be discoverable from the list of profiles: + 1. `"Windows Autopatch Microsoft 365 Update Policy - - "` +1. The following profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return *0 profiles filtered*. + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] + +### Verify Microsoft 365 Apps updates policies are created + +**To verify Microsoft 365 Apps updates policies are created:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies**. +1. Confirm the new policies are named:`"Windows Autopatch Microsoft 365 Update Policy - - "` + +### Roll back a Microsoft 365 App update + +Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center. > [!NOTE] > Updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). Therefore, we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. -## Allow or block Microsoft 365 App updates - -> [!IMPORTANT] -> You must be an Intune Administrator to make changes to the setting. - -For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. - -| Microsoft 365 App setting | Description | -| ----- | ----- | -| **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. | -| **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). | - -**To allow or block Microsoft 365 App updates:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to the **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Update settings**. -3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Block**. -4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You see the notification: *Update in process. This setting will be unavailable until the update is complete.* -5. Once the update is complete, you receive the notification: *This setting is updated.* - -> [!NOTE] -> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:
            1. Refresh your page.
            2. Please repeat the same steps in To block Microsoft 365 apps updates.
            3. If the issue persists, [submit a support request](../manage/windows-autopatch-support-request.md).
              4. - -**To verify if the Microsoft 365 App update setting is set to Allow:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. -3. The following profiles should be discoverable from the list of profiles: - 1. Windows Autopatch - Office Configuration - 2. Windows Autopatch - Office Update Configuration [Test] - 3. Windows Autopatch - Office Update Configuration [First] - 4. Windows Autopatch - Office Update Configuration [Fast] - 5. Windows Autopatch - Office Update Configuration [Broad] - -**To verify if the Microsoft 365 App update setting is set to Block:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Configuration profiles** > **Profiles**. -3. The following profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return *0 profiles filtered*. - 1. Windows Autopatch - Office Configuration - 2. Windows Autopatch - Office Update Configuration [Test] - 3. Windows Autopatch - Office Update Configuration [First] - 4. Windows Autopatch - Office Update Configuration [Fast] - 5. Windows Autopatch - Office Update Configuration [Broad] - ## Compatibility with Servicing Profiles [Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting. @@ -137,4 +154,4 @@ A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-wi ## Incidents and outages -If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../manage/windows-autopatch-support-request.md). +If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../manage/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md index b82a92e490..905c086332 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-policies.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise update policies description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -16,8 +16,6 @@ ms.collection: # Microsoft 365 Apps for enterprise update policies -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Conflicting and unsupported policies Deploying any of the following policies to a managed device makes that device ineligible for management since the device prevents us from delivering the service as designed. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md index 3b0fc4bdb1..398823cff1 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-release-schedule.md @@ -1,7 +1,7 @@ --- title: Manage the release schedule description: How to manage the release schedule -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Manage the Release schedule -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - Windows Autopatch provides a unique update experience and a single view for all your current quality, feature, and driver and firmware releases. This view: - Consolidates all your applicable policies into a view consolidated by releases @@ -30,6 +28,3 @@ When you select a release, Windows Autopatch provides a list view of associated - percentage complete These metrics are a summary of the individual workload views that should be used to manage your updates. - -> [!NOTE] -> **The device count metric is only available if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have [activated Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).**

              [Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

              For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).

              diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md index 6465a2a404..7de0ad34ed 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 09/16/2024 +ms.date: 3/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,25 +17,20 @@ ms.collection: # Submit a support request -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -> [!IMPORTANT] -> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues. - -## Submit a new support request - Support requests are triaged and responded to as they're received. **To submit a new support request:** -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu. -1. In the **Windows Autopatch** section, select **Support requests**. -1. In the **Support requests** section, select **+ New support request**. -1. Enter your questions and/or a description of the problem. -1. Review all the information you provided for accuracy. -1. When you're ready, select **Create**. +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to **Troubleshooting + support**. +1. In the **Troubleshooting + support** section, select **Help and support**. +1. In the **Help and support** section, select **Windows Autopatch**. +1. In the **Help** section, enter your questions and/or a description of the issue. +1. Review the links that are provided to try to help with the issue. +1. If the answers that were given don't help you resolve the issue, select **Contact support** at the bottom of the page. +1. Follow the instructions to file a support request with Windows Autopatch. Make sure you provide the correct primary contact information for this specific support ticket. +1. When you're ready, select **Contact me**. -### Premier and Unified support options +## Premier and Unified support options If you have a **Premier** or **Unified** support contract, when you submit a new request, or edit an active support request, you can: @@ -59,25 +54,11 @@ You can see the summary status of all your support requests. At any time, you ca **To view all your active support requests:** -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Support request**. -1. From this view, you can export the summary view or select any case to view the details. - -## Edit support request details - -You can edit support request details, for example, updating the primary case contact. - -**To edit support request details:** - -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Support request**. -1. In the **Support requests** section, use the search bar or filters to find the case you want to edit. -1. Select the case to open the request's details. -1. Scroll to the bottom of the request details and select **Edit**. -1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team. -1. Select **Save**. - -Once a support request is mitigated, it can no longer be edited. If a request was mitigated in less than 24 hours, you can reactivate instead of edit. Once reactivated, you can again edit the request. +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to **Troubleshooting + support**. +1. In the **Troubleshooting + support** section, select **Help and support**. +1. In the **Help and support** section, select **Windows Autopatch**. +1. Under **Windows Autopatch**, select **Support History** to view all filed support requests. +1. Once a support request is mitigated, a survey appears. Using the survey, the primary contact can rate their experience. ## Microsoft FastTrack diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md index e6b32fd7ca..a0d998ae5b 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md @@ -1,7 +1,7 @@ --- title: Microsoft Teams description: This article explains how Microsoft Teams updates are managed in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Microsoft Teams -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams. ## Device eligibility diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md index 62a8d7c8e5..169146d992 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/16/2024 +ms.date: 03/31/2025 --- # Troubleshoot programmatic controls diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md index 81669a6614..64e0d1e9f7 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md @@ -1,7 +1,7 @@ --- title: Manage Update rings description: How to manage update rings -ms.date: 12/10/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,52 +17,4 @@ ms.collection: # Manage Update rings -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - You can manage Update rings for Windows 10 and later devices with Windows Autopatch. Using Update rings, you can control when and how updates are installed on your devices. For more information, see [Configure Update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings). - -## Import Update rings for Windows 10 and later - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings. - -Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-register-devices.md#detailed-device-registration-workflow-diagram). - -> [!NOTE] -> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md). - -> [!NOTE] -> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../manage/windows-autopatch-support-request.md). - -### To import Update rings for Windows 10 and later - -**To import Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Manage updates** section, select **Windows updates**. -4. In the **Windows updates** blade, go to the **Update rings** tab. -5. Select **Enroll policies**. **This step only applies if you've gone through [feature activation](../prepare/windows-autopatch-feature-activation.md)**. -6. Select the existing rings you would like to import. -7. Select **Import**. - -### Remove an imported Update ring for Windows 10 and later - -**To remove an Imported Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Manage updates** section, select **Windows updates**. -4. In the **Windows updates** blade, go to the **Update rings**. -5. Select the Update rings for Windows 10 and later you would like to remove. -6. Select the **horizontal ellipses (...)** and select **Remove**. - -### Known limitations - -The following Windows Autopatch features aren't available with imported Intune Update rings: - -- [Autopatch groups](../deploy/windows-autopatch-groups-overview.md) and [features dependent on Autopatch groups](../deploy/windows-autopatch-groups-overview.md#supported-configurations) -- [Moving devices in between deployment rings in devices](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings) -- [Automated deployment ring remediation functions](../deploy/windows-autopatch-device-registration-overview.md#automated-deployment-ring-remediation-functions) -- [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index b5259a8275..4a66bee616 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview description: This article explains how Windows feature updates are managed -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -17,8 +17,6 @@ ms.collection: # Windows feature update -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). > [!IMPORTANT] @@ -47,7 +45,7 @@ The release statuses are described in the following table: A phase is made of one or more [Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#autopatch-group-deployment-rings). Each phase reports its status to its release. > [!IMPORTANT] -> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are re-used as part of a new release. +> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are reused as part of a new release. | Phase status | Definition | | ----- | ----- | @@ -59,7 +57,21 @@ A phase is made of one or more [Autopatch group deployment rings](../deploy/wind #### Phase policy configuration -For more information about Windows feature update policies that are created for phases within a release, see [Windows feature update policies](../manage/windows-autopatch-windows-feature-update-policies.md). +Windows Autopatch creates one Windows feature update policy per phase using the following naming convention: + +**`Windows Autopatch - DSS policy - - Phase `** + +These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +The following table is an example of the Windows feature update policies that were created for phases within a release: + +| Policy name | Feature update version | Rollout options| Day between groups | Support end date | +| ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy - My feature update release - Phase 1 | Windows 10 22H2 | Make update available as soon as possible| N/A | October 14, 2025 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 2 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 4 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 | +| Windows Autopatch - DSS Policy - My feature update release - Phase 5 | Windows 10 22H2 | Make update available as soon as possible | 7 | October 14, 2025 | ## Create a custom release @@ -105,7 +117,7 @@ For more information about Windows feature update policies that are created for ## Cancel a release > [!IMPORTANT] -> You can only cancel a release under the **Scheduled** status. You cannot cancel a release under the **Active**, **Inactive, or **Paused** statuses. +> You can only cancel a release under the **Scheduled** status. You can't cancel a release under the **Active**, **Inactive, or **Paused** statuses. **To cancel a release:** @@ -121,18 +133,12 @@ For more information about Windows feature update policies that are created for ## Pause and resume a release > [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - -> [!IMPORTANT] -> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). +> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume, or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they're assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). **To pause and resume a release:** -> [!IMPORTANT] -> **You can only pause an Autopatch group if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have [activated Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).**

              [Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

              For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).

              - > [!NOTE] -> If you pause an update, the specified release has the **Paused** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. [The **Paused by Service Pause** status **only** applies to Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. +> If you pause an update, the specified release has the **Paused** status. You must select **Resume** to resume the update. 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** from the left navigation menu. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md index d6c5b41cb3..f2c2a7eba4 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-programmatic-controls.md @@ -14,13 +14,11 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/24/2024 +ms.date: 03/31/2025 --- # Programmatic controls for Windows feature updates -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - Windows Autopatch programmatic controls are used to approve and schedule software updates through [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md index 6e8b915912..0711c5d7c5 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md @@ -1,7 +1,7 @@ --- title: Windows quality update end user experience description: This article explains the Windows quality update end user experience -ms.date: 11/04/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: article @@ -17,8 +17,6 @@ ms.collection: # Windows quality update end user experience -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - ## User notifications In this section we review what an end user would see in the following three scenarios: diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md index 31a02381ec..d241191e50 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates overview description: This article explains how Windows quality updates are managed -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: article @@ -23,14 +23,10 @@ For more information about how to expedite quality update for Windows 10 or late ## Service level objective -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch aims to keep at least 95% of [Up to Date devices](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in the Windows updates blade and reporting. ## Service level objective calculation -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - There are two states a device can be in when calculating the service level objective (SLO): - Devices that are active during the release @@ -56,30 +52,15 @@ The service level objective for each of these states is calculated as: > [!IMPORTANT] > Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. -## Out of Band releases - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - -Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. - -For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the specified deferral dates. - ## Pause and resume a release -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - -The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. - -If Windows Autopatch detects a significant issue with a release, we might decide to pause that release. - > [!IMPORTANT] > **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

              For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

              **To pause and resume a release:** -> [!IMPORTANT] -> **You can only pause an Autopatch group if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have [activated Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).**

              [Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

              For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).

              +> [!NOTE] +> If you pause an update, the specified release has the **Paused** status. You must select **Resume** to resume the update. 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** from the left navigation menu. @@ -89,15 +70,6 @@ If Windows Autopatch detects a significant issue with a release, we might decide 1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings. 1. Select **Pause or Resume deployment**. -The following statuses are associated with paused quality updates: - -| Status | Description | -| ----- | ------ | -| Paused by Service | If the Windows Autopatch service paused an update, the release has the **Paused by Service** status. The **Paused by Service** status only applies to rings that aren't Paused by the Tenant. | -| Paused by Tenant | If you paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. | - ## Remediating Not ready and/or Not up to Date devices -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../monitor/windows-autopatch-device-alerts.md). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md index 2aefa858cc..721d6a1169 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 12/10/2024 +ms.date: 03/31/2025 --- # Programmatic controls for expedited Windows quality updates diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md index 38ee9e58cb..65aded1caa 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md @@ -1,7 +1,7 @@ --- title: Windows quality update policies description: This article explains Windows quality update policies in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -16,8 +16,6 @@ ms.collection: # Windows quality update policies -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Conflicting and unsupported policies Deploying any of the following policies to a Windows Autopatch device makes that device ineligible for management since the device prevents us from delivering the service as designed. diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png index bf4ba54006..186744f47f 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index 18d4f8c542..4e89a69dea 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md index aed2b1e644..d91f9205f3 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md @@ -1,7 +1,7 @@ --- title: Device alerts description: Provide notifications and information about the necessary steps to keep your devices up to date. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Device alerts -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information helps you understand: - Microsoft and/or Windows Autopatch performs the actions to keep the device properly updated. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md index afa0dfe072..e8c49abfe2 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md @@ -1,7 +1,7 @@ --- title: Hotpatch quality update report description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates -ms.date: 11/19/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Hotpatch quality update report (public preview) -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - > [!IMPORTANT] > This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. @@ -40,9 +38,6 @@ The Hotpatch quality update report provides a visual representation of the updat ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Hotpatch quality update report: | Column name | Description | @@ -55,7 +50,7 @@ The following information is available as default columns in the Hotpatch qualit | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | | % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | ## Report options diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md index 735d7a1414..02548f836e 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,16 +17,14 @@ ms.collection: # Maintain the Windows Autopatch environment -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), some management settings might need to be adjusted. If any of the following items apply to your environment, make the adjustments as described. +If any of the following items apply to your environment, make the adjustments as described. > [!NOTE] -> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. +> If you make changes to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. ## Windows Autopatch configurations -Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service, as described in [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). Don't make any changes to any of the Windows Autopatch configurations. +Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service. Don't make any changes to any of the Windows Autopatch configurations. ## Windows Autopatch tenant management @@ -35,7 +33,7 @@ Windows Autopatch deploys, manages, and maintains all configurations related to The Tenant management blade presents IT admins with any actions that are required to maintain Windows Autopatch service health. The **Tenant management** blade can be found by navigating to **Tenant administration** > **Windows Autopatch** > **Tenant management**. > [!IMPORTANT] -> If you have any critical actions in your tenant, you must take action as soon as possible as the Windows Autopatch service might not be able to manage your tenant. When a critical action is active on your tenant, Windows Autopatch will consider your tenant as **[inactive](#inactive-status)**. +> If you have any critical actions in your tenant, you must take action as soon as possible. When a critical action is active, you might not be able to use Windows Autopatch features, and your tenant may be considered [**inactive**](#inactive-status) by the service. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. @@ -43,30 +41,22 @@ The type of banner that appears depends on the severity of the action. Currently | Severity | Description | | ----- | ----- | -| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.

              If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service might be marked as **inactive**.

              To restore service health and return to an active status, all critical pending actions must be resolved.

              | +| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.

              If no action is taken, you might lose access to Windows Autopatch features and your tenant could be marked as [**inactive**](#inactive-status).

              To restore service health and return to an active status, all critical pending actions must be resolved.

              | ### Critical actions | Action type | Severity | Description | | ----- | ----- | ----- | -| Maintain tenant access | Critical | Required licenses expired. The licenses include:
              • Microsoft Intune
              • Microsoft Entra ID P1 or P2
              • Windows 10/11 Enterprise E3 or higher
                • For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)

                To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)

                | -| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.

                Reasons for tenant access issues:

                • You didn't migrate to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.
                • You blocked or removed the permissions required for the Windows Autopatch enterprise application.

                Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.

                For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).

                | +| Maintain tenant access | Critical | Required licenses expired. The licenses include:
                • Microsoft Intune
                • Microsoft Entra ID P1 or P2
                • Microsoft 365 Business Premium
                • Windows 10/11 Education A3 or higher
                • Windows 10/11 Enterprise E3 or higher
                  • For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)

                  To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)

                  | ### Inactive status > [!NOTE] -> Only the Windows Autopatch sections of your tenant will be marked as **inactive**. +> Only the Windows Autopatch sections of your tenant are marked as **inactive**. -When Windows Autopatch is **inactive**, you're alerted with banners on all Windows Autopatch blades. You only have access to the Tenant management and Support requests blades. All other blades return an error message and redirect you to Tenant management blade. +When Windows Autopatch is **inactive**, you're alerted with banners on all Windows Autopatch blades. You're alerted with banners on all Windows Autopatch blades and have minimal access to Windows Autopatch features. To be taken out of the **inactive** status, you must [resolve any critical actions shown in the Tenant management blade](#critical-actions). > [!NOTE] > Once critical actions are resolved, it can take up to two hours for Windows Autopatch to return to an **active** state. - -#### Impact to your tenant - -| Impact area | Description | -| ----- | ----- | -| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:
                  • Managing the Windows Autopatch service
                  • Publishing the baseline configuration updates to your tenant's devices
                  • Maintaining overall service health

                  For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications).

                  | -| Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index c70e5b8f7a..f99254cf03 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md @@ -1,7 +1,7 @@ --- title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Feature update status report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices. **To view the Feature update status report:** @@ -32,9 +30,6 @@ The Feature update status report provides a per device view of the current Windo ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Feature update status report: | Column name | Description | @@ -42,7 +37,7 @@ The following information is available as default columns in the Feature update | Device name | The name of the device. | | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | | Update status | The current update status for the device. For more information, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | -| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | +| Pause status | The current pause status. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | | Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | | Readiness | The device readiness evaluation status. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | | Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index fe310f106a..cd3667a8a2 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows feature update summary dashboard description: Provides a broader view of the current Windows OS upgrade status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Windows feature update summary dashboard -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices. The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused. @@ -31,9 +29,6 @@ The first part of the Summary dashboard provides you with an all-devices trend r ## Report information -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available in the Summary dashboard: | Column name | Description | @@ -44,7 +39,7 @@ The following information is available in the Summary dashboard: | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | % with the target feature update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the targeted feature update. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md index 7d7c71c4aa..674f5de9cc 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Feature update trending report description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Feature update trending report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. **To view the Feature update trending report:** diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index c678156938..084a2b1895 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 03/03/2025 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -17,8 +17,6 @@ ms.collection: # Windows quality and feature update reports overview -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Prerequisites Windows Autopatch requires, and uses Windows diagnostic data to display device update statuses in Autopatch reports. @@ -102,7 +100,7 @@ Up to date devices are devices that meet all of the following prerequisites: | Sub status | Description | | ----- | ----- | | In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. | -| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). | +| Paused | Devices that are currently paused due to a customer-initiated pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). | ### Not up to Date devices diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index abde6947cc..e310b53f31 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -1,7 +1,7 @@ --- title: Quality update status report description: Provides a per device view of the current update status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Quality update status report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Quality update status report provides a per device view of the current update status for all Intune devices. **To view the Quality update status report:** @@ -35,9 +33,6 @@ The Quality update status report provides a per device view of the current updat ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Quality update status report: | Column name | Description | @@ -45,7 +40,7 @@ The following information is available as default columns in the Quality update | Device name | The name of the device. | | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | | Update status | The current update status for the device. For more information, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | -| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). | +| Pause status | The current pause status. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). | | Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | | Readiness | The device readiness evaluation status. For more information, see [Post registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | | Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 52bb8e8d65..0d0528d557 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows quality update summary dashboard description: Provides a summary view of the current update status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Windows quality update summary dashboard -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Summary dashboard provides a summary view of the current update status for all Intune devices. **To view the current update status for all your enrolled devices:** @@ -43,7 +41,7 @@ The following information is available in the Summary dashboard: | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md index 6932c1db07..7ac39cf891 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Quality update trending report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days. **To view the Quality update trending report:** diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index d5be989897..c368cbf204 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.service: windows-client ms.topic: faq - ms.date: 09/16/2024 + ms.date: 03/31/2025 audience: itpro ms.localizationpriority: medium manager: aaroncz @@ -17,9 +17,6 @@ summary: This article answers frequently asked questions about Windows Autopatch sections: - name: General questions: - - question: What is the difference between Windows Update for Business and Windows Autopatch? - answer: | - Windows Autopatch is a service that removes the need for organizations to plan and operate the update process. Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) and other service components to update devices. Both are part of [Windows Enterprise E3+ and F3](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - question: Is Windows 365 for Enterprise supported with Windows Autopatch? answer: | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. @@ -28,7 +25,7 @@ sections: Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Microsoft Hybrid Entra join](/entra/identity/devices/concept-hybrid-join) or [Microsoft Entra join](/entra/identity/devices/concept-directory-join). - question: Will Windows Autopatch be available for state and local government customers? answer: | - Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported. + Windows Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported. - question: How do I access Windows Autopatch? answer: | You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements to activate all [Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses). @@ -36,14 +33,10 @@ sections: questions: - question: What are the licensing requirements for Windows Autopatch? answer: | - Business Premium and A3+ licenses include: - Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing) - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) - Windows 10/11 Enterprise E3 or E5 VDA - To [activate all Windows Autopatch features](../overview/windows-autopatch-overview.md#features-and-capabilities), you must have Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses. [Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you when you have Windows 10/11 Enterprise E3+ or F3 licenses. For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). The following licenses provide access to the Windows Autopatch features included in Business premium and A3+ licenses and its additional features after you activate Windows Autopatch features: - - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) - - Windows 10/11 Enterprise E3 or E5 VDA - question: What are the prerequisites for Windows Autopatch? answer: | - [Microsoft Entra ID](/mem/configmgr/comanage/overview#microsoft-entra-id)(for co-management) @@ -57,7 +50,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the Intune permissions needed to operate Windows Autopatch? answer: | - You must use the Microsoft Entra Global Administrator role to activate Windows Autopatch features. For registering devices, managing update deployment and reporting tasks, use the Intune Service Administrator role. For more information, see [Built-in roles for device registration](../deploy/windows-autopatch-device-registration-overview.md#built-in-roles-required-for-device-registration). + For registering devices, managing update deployment and reporting tasks, use the Intune Service Administrator role. For more information, see [Built-in roles for device registration](../deploy/windows-autopatch-device-registration-overview.md#built-in-roles-required-for-device-registration). - question: Are there hardware requirements for Windows Autopatch? answer: | No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/whats-new/windows-11-requirements). Windows devices must be supported by your hardware OEM. @@ -65,7 +58,7 @@ sections: questions: - question: Who can register devices into Windows Autopatch? answer: | - You can only register devices into Windows Autopatch if you have E3+ or F3 licenses and have [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). + If you have Business Premium, A3+, E3+ and F3 licenses, you can register devices into Windows Autopatch. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device? answer: | No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](../deploy/windows-autopatch-register-devices.md#windows-autopatch-on-azure-virtual-desktop-workloads). @@ -77,15 +70,15 @@ sections: No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](../deploy/windows-autopatch-register-devices.md#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can you change the policies and configurations created by Windows Autopatch? answer: | - No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). + No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. - question: How can I represent our organizational structure with our own deployment cadence? answer: | [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md) helps you manage updates in a way that makes sense for your businesses. For more information, see [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) and [Manage Windows Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). - name: Manage updates questions: - - question: Who can manage updates with activated Windows Autopatch features? + - question: Who can manage updates with Windows Autopatch? answer: | - This only applies if you have E3+ or F3 licenses and have activated Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). + Business Premium, A3+, E3+ and F3 licenses can manage updates with Windows Autopatch. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of deployment rings. @@ -101,26 +94,11 @@ sections: Autopatch relies on the following capabilities to help resolve update issues: - Pausing and resuming: For more information about pausing and resuming updates, see [pausing and resuming Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release). - Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). - - question: Can I permanently pause a Windows feature update deployment? + - question: Can I configure when to move to the next ring or is it controlled by Windows Autopatch? answer: | - Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../manage/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). - - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? - answer: | - For zero-day threats, Autopatch will have an [Out of Band release](../manage/windows-autopatch-windows-quality-update-overview.md#out-of-band-releases). For normal updates Autopatch, uses a [regular release cadence](../manage/windows-autopatch-windows-quality-update-overview.md) starting with devices in the Test ring and completing with general rollout to the Broad ring. - - question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? - answer: | - The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? - answer: | - Windows Autopatch doesn't support managing update deployment ring membership using your Microsoft Entra groups. For more information, see [Move devices in between deployment rings](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings). - - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? - answer: | - The release cadences are defined based on the update type. For example, a [regular cadence](../manage/windows-autopatch-windows-quality-update-overview.md) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [Out of Band release](../manage/windows-autopatch-windows-quality-update-overview.md#out-of-band-releases) would roll out more rapidly. + You're in full control over when updates are deployed to their devices. Autopatch groups will recommend a set of intelligent defaults but those are fully customizable so that you can achieve your desired rollout. - name: Support questions: - - question: What support is available for customers who need help with onboarding to Windows Autopatch? - answer: | - The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../manage/windows-autopatch-support-request.md#microsoft-fasttrack). If you have [Windows Enterprise E3+ or E5 licenses](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses) and you've [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), you can [submit a support request](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team. - question: Does Windows Autopatch Support Dual Scan for Windows Update? answer: | Dual Scan for Windows has been deprecated and replaced with the [scan source policy](/windows/deployment/update/wufb-wsus). Windows Autopatch supports the scan source policy if the Feature updates, and Windows quality updates workloads are configured for Windows update. If Feature and Windows updates are configured for WSUS, it could cause disruptions to the service and your release schedules. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index 78bb2e7125..f83682d76c 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -1,7 +1,7 @@ --- title: What is Windows Autopatch? description: Details what the service is and shortcuts to articles. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -18,7 +18,7 @@ ms.reviewer: hathind # What is Windows Autopatch? > [!IMPORTANT] -> In September 2024, Windows Update for Business deployment service unified under Windows Autopatch. Unification is going through a gradual rollout over the next several weeks. If your experience looks different from the documentation, you didn't receive the unified experience yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement. +> In April 2025, Windows Autopatch removed feature activation and made Windows Autopatch features available support to Business Premium and A3+ licenses. These changes are rolling out over the next several weeks. If your experience looks different from the documentation, you didn’t receive the changes yet. Review [Prerequisites](../prepare/windows-autopatch-prerequisites.md) and [Features and capabilities](#features-and-capabilities) to understand licensing and feature entitlement. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. @@ -26,67 +26,49 @@ Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today: -- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices. +- **Close the security gap**: Windows Autopatch keeps Microsoft Windows current, there are fewer vulnerabilities and threats to your devices. - **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work. - **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value. - **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud. - **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started. - **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. -Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks. +Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release so that IT Admins can focus on other activities and tasks. ## Features and capabilities -### Business Premium and A3+ licenses - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): -| Features included with Business Premium and A3+ licenses | Description | +### Features included with Business Premium, A3+, E3+ and F3 licenses + +| Features included with Business Premium, A3+, E3+ and F3 licenses | Description | | --- | --- | | [Update rings](../manage/windows-autopatch-update-rings.md) | You can manage Update rings for Windows 10 and later devices with Windows Autopatch. For more information, see [Manage Update rings](../manage/windows-autopatch-update-rings.md). | -| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. | -| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. | -| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.| -| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. | -| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.| -| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. | - -> [!IMPORTANT] -> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - -### Windows Enterprise E3+ and F3 licenses - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -In addition to the features included in [Business Premium and A3+ licenses](#business-premium-and-a3-licenses), if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to all of Windows Autopatch features in your tenant. When you [activate Windows Autopatch](../prepare/windows-autopatch-feature-activation.md), you have access to the following features through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): - -| Features included in Windows Enterprise E3+ and F3 licenses | Description | -| --- | --- | | [Autopatch groups](../deploy/windows-autopatch-groups-overview.md) | You can manage update deployment based on your audience.

                  An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).

                  For more information about workloads supported by Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).

                  | -| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | In addition to the [Business Premium and A3+ capabilities](#business-premium-and-a3-licenses), Windows Autopatch:
                  • Aims to keep at least 95% of [Up to Date devices](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. For more information, see [Windows quality update Service Level Objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
                  | -| [Multi-phase release policies with feature updates](../manage/windows-autopatch-windows-feature-update-overview.md#multi-phase-feature-update) | In addition to the [Business Premium and A3+ capabilities](#business-premium-and-a3-licenses), with Windows Autopatch, you can create customizable feature update deployments using multiple phases for your existing Autopatch groups. These phased releases can be tailored to meet your organizational unique needs.| -| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | In addition to the [Business Premium and A3+ capabilities](#business-premium-and-a3-licenses), with Windows Autopatch, you can:
                  • Choose to receive driver and firmware updates automatically, or self-manage the deployment
                  • Control the flow of all drivers to an Autopatch group or rings within an Autopatch group
                  • Control the flow of a specific driver or firmware across your entire tenant via approvals
                  • Approve and deploy [other drivers and firmware](../manage/windows-autopatch-manage-driver-and-firmware-updates.md#other-drivers-and-firmware) that previously couldn’t be centrally managed
                  | +| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. Windows Autopatch:
                  • Aims to keep at least 95% of [Up to Date devices](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. For more information, see [Windows quality update Service Level Objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
                  | +| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. | +| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) and [Multi-phase release policies with feature updates](../manage/windows-autopatch-windows-feature-update-overview.md#multi-phase-feature-update) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. With multi-phase release policies, you can create customizable feature update deployments using multiple phases for your existing Autopatch groups. These phased releases can be tailored to meet the unique needs of your organization.| +| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch. You can:
                  • Choose to receive driver and firmware updates automatically, or self-manage the deployment
                  • Control the flow of all drivers to an Autopatch group or rings within an Autopatch group
                  • Control the flow of a specific driver or firmware across your entire tenant via approvals
                  • Approve and deploy [other drivers and firmware](../manage/windows-autopatch-manage-driver-and-firmware-updates.md#other-drivers-and-firmware) that previously couldn’t be centrally managed
                  | | [Microsoft 365 Apps for enterprise updates](../manage/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). | | [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | | [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | +| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.| +| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. | | [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. | | Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. | -| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. | + +### Features included with E3+ and F3 licenses only + +In addition to the features listed in the previous table, if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to the following through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): + +| Feature included with E3+ and F3 licenses only | Description | +| --- | ---- | +| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | You can submit, manage, and edit support requests. | ## Communications -### [Business Premium and A3+](#tab/business-premium-a3-communications) - -To stay informed of new and changed features and other announcements, navigate to [Microsoft 365 admin center > Message center](https://admin.microsoft.com/adminportal/home#/MessageCenter). - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-communications) - To stay informed of upcoming changes, including new and changed features, planned maintenance, release and status communications, or other important announcements, navigate to [Microsoft 365 admin center > Message center](https://admin.microsoft.com/adminportal/home#/MessageCenter). ---- - ## Accessibility Microsoft remains committed to the security of your data and the [accessibility](https://www.microsoft.com/trust-center/compliance/accessibility) of our services. For more information, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center) and the [Office Accessibility Center](https://support.office.com/article/ecab0fcf-d143-4fe8-a2ff-6cd596bddc6d). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index e0b6c63247..7c74041fa6 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -23,74 +23,39 @@ Windows Autopatch is a cloud service for enterprise customers designed to keep W Autopatch collects and stores data according to the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=521839). -### [Business Premium and A3+](#tab/data-sources-forbusiness-premium-a3-data-sources) - -Data provided by the customer or generated by the service during normal operation is stored. For example, when a device is targeted with a policy, information is stored enabling the service to deliver content to targeted devices. - -Business Premium and A3+ licenses require the use of Windows Diagnostic data. For more information, see [Diagnostic data in Windows Autopatch](#microsoft-windows-1011-diagnostic-data). - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-data-sources) - -When you've [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), data from various sources is used to properly administer enrolled devices and monitor that the service is working properly. +When you use Windows Autopatch features, data from various sources is used to properly administer enrolled devices and monitor that the service is working properly. The sources include Microsoft Entra ID, Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. | Data source | Purpose | | ---- | ---- | | [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. | -| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. | | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:
                  • [Microsoft Entra ID](/entra/identity/): Authentication and identification of all user accounts.
                  • [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
                  | -| [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. | +| [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) |
                  • Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update.
                  • Data provided by the customer or generated by the service during running of the service.
                  | | [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. | ---- - -## Windows Autopatch data process and storage - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] +## Windows Autopatch data process Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers. To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data. -## Windows Autopatch data storage and staff location +## Windows Autopatch data storage Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). -### [Business Premium and A3+](#tab/business-premium-a3-data-storage) +Feature, quality, and driver update policy data is stored in only two regions, either in Azure's North American or European data center. -Data stored in this part of the service is stored only in two regions, either Azure’s north American data centers or its European ones. - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-data-storage) - -Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). - -The Windows Autopatch Service Engineering Team is in the United States, India, and Romania. - ---- +Windows Autopatch groups and Windows Autopatch Client Broker stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). ## Microsoft Windows 10/11 diagnostic data -Windows Autopatch uses Windows diagnostic data to keep Windows secure, up to date, fix problems, and make product improvements. Learn more about configuring diagnostic data for your organization in Intune. +Windows Autopatch uses Windows diagnostic data to keep Windows secure, up to date, and fix problems. -### [Business Premium and A3+](#tab/business-premium-a3-diagnostic-data) +To take advantage of the unique deployment scheduling controls and protections tailored to your population, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level for these features. -To take advantage of the unique deployment scheduling controls and protections tailored to your population and to [deploy driver updates](/windows/deployment/update/deployment-service-drivers), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level for these features. - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-diagnostic-data) - -When you've [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), Windows Autopatch creates the “Windows Autopatch – Data Collection Policy” and assigns it to enrolled devices. This policy configures the following settings: - -| Setting | Value | Description | -| --- | --- | --- | -| Allow telemetry | Optional. This value was previously named “**Full**” for Windows 10 devices. For more information, see [Changes to Windows diagnostic data collection](/previous-versions/windows/it-pro/privacy/changes-to-windows-diagnostic-data-collection). | Allow the device to send diagnostic and usage telemetry data, such as Watson. For more information about diagnostic data, including what is and what isn't collected by Windows, see [diagnostic data settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings). | -| Limit Diagnostic Log Collection | Enabled | This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. | -| Limit Dump Collection | Enabled | This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. By enabling this policy setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. | -| Limit Enhanced Diagnostic Data Windows Analytics | Enabled | This policy setting, in combination with the Allow Telemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. | -| Allow Windows Autopatch Processing | Allowed | Allows diagnostic data from this device to be processed by Windows Autopatch. | - -Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. +Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. For more information about the diagnostic data collection of Microsoft Windows 10/11, see the [Where we store and process data section](https://privacy.microsoft.com/en-US/privacystatement#mainwherewestoreandprocessdatamodule) of the Microsoft Privacy Statement. @@ -99,67 +64,22 @@ For more information about how Windows diagnostic data is used, see: - [Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration) - [Features that require Windows diagnostic data](/mem/intune/protect/data-enable-windows-data) ---- - -## Tenant access - -### [Business Premium and A3+](#tab/business-premium-a3-tenant-access) - -[!INCLUDE [windows-autopatch-business-premium-a3-licenses](../includes/windows-autopatch-business-premium-a3-licenses.md)] - -### [Windows Enterprise E3+ and F3 licenses](#tab/windows-enterprise-e3-f3-tenant-access) - -For more information about tenant access and changes made to your tenant upon activating Windows Autopatch features, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). - ---- - -## Microsoft Windows Update for Business Reports - -### [Business Premium and A3+](#tab/business-premium-a3-wufb-reports) - -If you have Business Premium and A3+ licenses, when you use [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), using diagnostic data at the following levels allows device names to appear in reporting: - -- *Optional* level (previously Full) for Windows 11 devices -- *Enhanced* level for Windows 10 devices - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-wufb-reports) - -Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. When you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), this data is used to deliver reports and confirm that registered devices are up to date. - ---- - ## Microsoft Entra ID -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - Identifying data used by Windows Autopatch is stored by Microsoft Entra ID in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Microsoft Entra data is located, see [Microsoft Entra ID - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) ## Microsoft Intune -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect). For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data. ## Microsoft 365 Apps for enterprise -### [Business Premium and A3+](#tab/business-premium-a3-microsoft-365) - -Microsoft 365 Apps for enterprise only collects and shares data with Windows Autopatch when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). Windows Autopatch ensure those apps are up to date with the latest version. - -To use Windows Autopatch features, you must have the correct Enterprise license(s) and [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). For more information about Enterprise licenses and the prerequisites, see [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md). For more information about features and capabilities, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-microsoft-365) - Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/enterprise/o365-data-locations). ---- - ## Major data change notification -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service. Changes to the types of data gathered and storage are considered a material change. We provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services. @@ -178,7 +98,11 @@ These rights include: For more general information about Data Subject Requests (DSRs), see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests). -### [Business Premium and A3+](#tab/business-premium-a3-data-subjects) +To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests: + +| Data subject requests | Description | +| ----- | ----- | +| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request in the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Provide the following information:
                  • Request type: Change request
                  • Category: Security
                  • Subcategory: Other
                  • Description: Provide the relevant device names or usernames
                  | For Data Subject Requests from other products related to the service, see the following articles: @@ -188,18 +112,8 @@ For Data Subject Requests from other products related to the service, see the fo ### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-data-subjects) -To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests: - -| Data subject requests | Description | -| --- | --- | -| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request in the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Provide the following information:
                  • Request type: Change request
                  • Category: Security
                  • Subcategory: Other
                  • Description: Provide the relevant device names or usernames
                  | - ---- - ## Legal -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - The following is Microsoft's privacy notice to end users of products provided by organizational customers. The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign into Microsoft products with a work account: diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index 7778e7edf0..d213b60868 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -1,7 +1,7 @@ --- title: Configure your network description: This article details the network configurations needed for Windows Autopatch -ms.date: 09/24/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -26,35 +26,18 @@ The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable There are URLs from several Microsoft products that must be in the allowed list so that Windows Autopatch devices can communicate with those Microsoft services. Use the links to see the complete list for each product. -#### [Business Premium and A3+](#tab/business-premium-and-a3-licenses-required-microsoft-endpoints) - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - | Microsoft service | URLs required on Allowlist | | ----- | ----- | | Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)

                  [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))

                  | | Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)

                  [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

                  | | Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | - -#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints) - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -In addition to the Microsoft Entra ID, Intune and Windows Update for Business endpoints listed in the Business Premium and A3+ licenses section, the following endpoints apply to Windows E3+ and F3 licenses that have [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). There are URLs from several Microsoft products that must be in the allowed list so that devices can communicate with Windows Autopatch. Use the links to see the complete list for each product. - -| Microsoft service | URLs required on Allowlist | -| ----- | ----- | | Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)

                  [Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)

                  [Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)

                  [Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)

                  [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)

                  [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)

                  | | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | ---- - ### Required Windows Autopatch endpoints for proxy and firewall rules -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. You can optimize your network by sending all trusted Microsoft 365 network requests directly through your firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements. @@ -63,15 +46,10 @@ The following URLs must be on the allowed list of your proxy and firewall so tha | Microsoft service | URLs required on allowlist | | ----- | ----- | -| Windows Autopatch |
                  • mmdcustomer.microsoft.com
                  • mmdls.microsoft.com
                  • devicelistenerprod.microsoft.com
                  • login.windows.net
                  • device.autopatch.microsoft.com
                  | +| Windows Autopatch |
                  • mmdcustomer.microsoft.com
                  • mmdls.microsoft.com
                  • devicelistenerprod.microsoft.com (devicelistenprod.eudb.microsoft.com for tenants with billing addresses in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))
                  • login.windows.net
                  • device.autopatch.microsoft.com
                  • services.autopatch.microsoft.com
                  • payloadprod*.blob.core.windows.net
                  • *.webpubsub.azure.com
                  | ## Delivery Optimization -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - Delivery Optimization is a peer-to-peer distribution technology available in Windows 10 and Windows 11 that allows devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Delivery Optimization can help reduce network bandwidth because the device can get portions of the update from another device on the same local network instead of having to download the update completely from Microsoft. For more information, see [What is Delivery Optimization?](/windows/deployment/do/waas-delivery-optimization) - -> [!TIP] -> **It's recommended to configure and validate Delivery Optimization when you [activate Window Autopatch features](../prepare/windows-autopatch-feature-activation.md)**. This only applies if you have Windows Enterprise E3+ and F3 licenses. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index e66fe153ac..fdb50b7ebd 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 10/30/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -19,29 +19,13 @@ ms.collection: ## Licenses and entitlements -> [!IMPORTANT] -> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - -### [Business Premium and A3+](#tab/business-premium-a3-entitlements) - -Business Premium and A3+ licenses include: +Windows Autopatch is available to the following licenses: - Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing) - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - -[!INCLUDE [windows-autopatch-business-premium-a3-licenses](../includes/windows-autopatch-business-premium-a3-licenses.md)] - -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-entitlements) - -The following licenses provide access to the Windows Autopatch features [included in Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses) and its [additional features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses) after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md): - - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) - Windows 10/11 Enterprise E3 or E5 VDA -For more information about specific service plans, see [Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses]. - ---- - ### Feature entitlement For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Features are accessed through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -49,88 +33,51 @@ For more information about feature entitlement, see [Features and capabilities]( | Symbol | Meaning | | --- | --- | | :heavy_check_mark: | All features available | -| :large_orange_diamond: | Most features available | | :x: | Feature not available | #### Windows 10 and later update policy management | Feature | Business Premium | A3+ | E3+ | F3 | -| --- | --- | --- | --- | --- | +| --- | :---: | :---: | :---: | :---: | | Releases | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | Update rings | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | Quality updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| -| Feature updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:| -| Driver and firmware updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:| +| Feature updates | :heavy_check_mark:| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Driver and firmware updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| #### Tenant management | Feature | Business Premium | A3+ | E3+ | F3 | -| --- | --- | --- | --- | --- | -| Autopatch groups | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| --- | :---: | :---: | :---: | :---: | +| Autopatch groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | New feature and change management communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| -| Release schedule and status communications | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Release schedule and status communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | Support requests | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| -| Policy health | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Policy health | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| #### Reporting | Feature | Business Premium | A3+ | E3+ | F3 | -| --- | --- | --- | --- | --- | +| --- | :---: | :---: | :---: | :---: | | Intune Reports | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| -| Quality updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| -| Feature updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| -| Device readiness | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| - -## More about licenses - -### Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses - -> [!IMPORTANT] -> Only Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses have access to all Windows Autopatch features after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). - -| License | ID | GUID number | -| ----- | ----- | ------| -| [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 | -| [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a | -| [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 | -| Microsoft 365 E3 EEA (no Teams) - Unattended License | Microsoft_365_E3_EEA_(no_Teams)_Unattended_License | a23dbafb-3396-48b3-ad9c-a304fe206043 | -| Microsoft 365 E3 EEA (no Teams) (500 seats min)_HUB | O365_w/o Teams Bundle_M3_(500_seats_min)_HUB | 602e6573-55a3-46b1-a1a0-cc267991501a | -| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad | -| [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 | -| [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 | -| [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 | -| [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 | -| [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c | -| Microsoft 365 E5 EEA (no Teams) | O365_w/o_Teams_Bundle_M5 |3271cf8e-2be5-4a09-a549-70fd05baaa17 | -| Microsoft 365 E5 EEA (no Teams) with Calling Minutes | Microsoft_365_E5_EEA_(no_Teams)_with_Calling_Minutes | 6ee4114a-9b2d-4577-9e7a-49fa43d222d3 | -| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing | 90277bc7-a6fe-4181-99d8-712b08b8d32b | -| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing (500 seats min)_HUB | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing_(500_seats_min)_HUB | a640eead-25f6-4bec-97e3-23cfd382d7c2 | -| Microsoft 365 E5 EEA (no Teams) (500 seats min)_HUB | O365_w/o_Teams_Bundle_M5_(500_seats_min)_HUB | 1e988bf3-8b7c-4731-bec0-4e2a2946600c | -| [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f | -| [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | -| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | -| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | -| [Microsoft 365 F3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 | -| Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department |6803cf1e-c822-41a1-864e-a31377bcdb7e | -| Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 | -| Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 | +| Quality updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Feature updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Device readiness | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| ## General infrastructure requirements -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - | Area | Prerequisite details | | --- | --- | | Licensing terms and conditions for products and services | For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Microsoft Entra ID and Intune | Microsoft Entra ID P1 or P2 and Microsoft Intune are required.

                  Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.

                  • For more information, see [Microsoft Entra Connect](/entra/identity/hybrid/connect/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/entra/identity/devices/how-to-hybrid-join)
                  • For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/entra/identity/hybrid/connect/reference-connect-version-history).
                  | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | | Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) before registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

                  At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).

                  Other device management prerequisites include:

                  • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
                  • Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
                  • Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices aren't registered with Autopatch.
                  • Devices must be connected to the internet.

                  See [Register your devices](../deploy/windows-autopatch-register-devices.md) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.

                  For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).

                  | -| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](/windows/deployment/update/deployment-service-drivers), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.

                  When you use [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:

                  • Optional level (previously Full) for Windows 11 devices
                  • Enhanced level for Windows 10 devices

                  For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).

                  | +| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.
                  • Optional level (previously Full) for Windows 11 devices
                  • Enhanced level for Windows 10 devices

                  For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).

                  | ## Windows editions, build version, and architecture > [!IMPORTANT] -> The following Windows editions, build version, and architecture **applies if you have**:
                  • Windows Enterprise E3+ or F3 licenses
                  • [Activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md)
                  • [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)
                  +> The following Windows editions, build version, and architecture **applies if you have**:
                  • Business Premium, A3+, E3+ and F3 licenses
                  • [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)
                  The following Windows 10/11 editions, build version, and architecture are supported when [devices are registered with Windows Autopatch](../deploy/windows-autopatch-register-devices.md): @@ -141,14 +88,13 @@ The following Windows 10/11 editions, build version, and architecture are suppor Windows Autopatch service supports Windows client devices on the **General Availability Channel**. - > [!IMPORTANT] > Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Configuration Manager co-management requirements > [!IMPORTANT] -> The following Windows editions, build version, and architecture **applies if you have**:
                  • Windows Enterprise E3+ or F3 licenses
                  • [Activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md)
                  • [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)
                  +> The following Windows editions, build version, and architecture **applies if you have**:
                  • Business Premium, A3+, E3+ and F3 licenses
                  • [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)
                  | Requirement | Description | | --- | --- | @@ -158,8 +104,6 @@ Windows Autopatch service supports Windows client devices on the **General Avail ## Required Intune permissions -### [Business Premium and A3+](#tab/business-premium-a3-intune-permissions) - Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions: - **Device configurations**: @@ -170,25 +114,13 @@ Your account must be assigned an [Intune role-based access control](/mem/intune/ - Update - Read -You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one of the built-in **Policy and Profile manager** roles, which include these rights. +You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one of the built-in **Policy and Profile manager** roles, which include these rights. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). The Intune Service Administrator role is required to access and use all capabilities under: -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-intune-permissions) + - Tenant administration > Windows Autopatch + - Devices > Manage updates > Windows updates + - [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report) -Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions: - -- **Device configurations**: - - Assign - - Create - - Delete - - View Reports - - Update -- Read - -After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md#activate-windows-autopatch-features), use the Intune Service Administrator role to register devices, manage your update deployments, and reporting tasks. - -For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). +The **Intune Service Administrator** role is required to register devices, manage your update deployments, and reporting tasks. > [!TIP] > For more information, see [assign an owner of member of a group in Microsoft Entra ID](/entra/id-governance/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group). - ---- diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md similarity index 58% rename from windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation.md rename to windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md index 53e7ddc90a..78381a1502 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-feature-activation.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-start-using-autopatch.md @@ -1,7 +1,7 @@ --- title: Start using Windows Autopatch -description: This article details how to activate Autopatch features -ms.date: 09/16/2024 +description: This article details how to start using Autopatch features +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Start using Windows Autopatch -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Before you begin the process of deploying updates with Windows Autopatch, ensure you meet the [prerequisites](../prepare/windows-autopatch-prerequisites.md). Once you're ready to deploy updates to your devices, you can either use Microsoft Intune or Microsoft Graph to manage updates with Windows Autopatch. @@ -36,17 +34,3 @@ To start using the service, you must create an update policy owned by Windows Au - [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) Once a device or Microsoft Entra device group is associated with a Windows Autopatch policy, your tenant is now using the Autopatch service to manage updates. Devices are registered with the service following the process as described in [Register your devices](../deploy/windows-autopatch-register-devices.md). - -## Activate Windows Autopatch features - -> [!IMPORTANT] -> You must be a Global Administrator to consent to the feature activation flow. - -If your tenant meets the licensing entitlement for Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you can activate Windows Autopatch features by either: - -| Method | Description | -| --- | --- | -| Banner method | **Select the banner** and follow the consent prompt on the side page that appears. | -| Intune admin center | Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). In the left pane, select **Tenant Administration** > **Windows Autopatch** > **Activate features**. | - -When you activate Windows Autopatch features, Windows Autopatch creates deployment rings. For more information about deployment rings, see [Windows Autopatch deployment rings](../deploy/windows-autopatch-device-registration-overview.md#windows-autopatch-deployment-rings). diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index a570c117ed..176db43f98 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -1,7 +1,7 @@ --- title: Conflicting configurations description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -17,8 +17,6 @@ ms.collection: # Conflicting configurations -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issues. You can review any device marked as **Not ready** and remediate them to a **Ready** state. Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md new file mode 100644 index 0000000000..d51b82e4f8 --- /dev/null +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2025.md @@ -0,0 +1,30 @@ +--- +title: What's new 2025 +description: This article lists the 2025 feature releases and any corresponding Message center post numbers. +ms.date: 03/31/2025 +ms.service: windows-client +ms.subservice: autopatch +ms.topic: whats-new +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.reviewer: hathind +ms.collection: + - highpri + - tier1 +--- + +# What's new 2025 + +This article lists new and updated feature releases, and service releases, with their corresponding Message center post numbers (if applicable). + +Minor corrections such as typos, style, or formatting issues aren't listed. + +## March 2025 + +### March feature releases or updates + +| Article | Description | +| ----- | ----- | +| All articles | Any tenant with a [valid license](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements) can seamlessly access [Autopatch features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). |