From fa5414fdaf14aa9b6f3e29585a0546bd249a10f8 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 9 Mar 2023 14:18:36 -0800
Subject: [PATCH 01/43] ScanBeforeInitialLogonAllowed MAXADO-7679187
---
windows/deployment/update/waas-wu-settings.md | 27 +++++++++++++------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index af807a712a..34a121a25d 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -9,17 +9,12 @@ manager: aaroncz
ms.topic: article
ms.collection: highpri, tier2
ms.technology: itpro-updates
-ms.date: 01/06/2023
+ms.date: 03/28/2023
---
# Manage additional Windows Update settings
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
+***(Applies to: Windows 11 & Windows 10)***
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -37,7 +32,9 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-| | [Windows Update notifications display organization name](#bkmk_display-name) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
+| | [Windows Update notifications display organization name](#bkmk_display-name) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
+| | [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 |
+
>[!IMPORTANT]
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@@ -283,3 +280,17 @@ if (!(Test-Path $registryPath))
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
```
+
+## Allow Windows updates to install before initial user sign-in
+*(Starting in Windows 11, version 22H2)*
+
+On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.
+
+In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in:
+
+- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
+- **DWORD value name**: ScanBeforeInitialLogonAllowed
+- **Value data**: 1
+
+> [!Warning]
+> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time.
From 4e070da4362c2e7c2e3b25a0cbd932f73d82a0bd Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 9 Mar 2023 14:25:51 -0800
Subject: [PATCH 02/43] ScanBeforeInitialLogonAllowed MAXADO-7679187
---
windows/deployment/update/waas-wu-settings.md | 28 +++++++++----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 34a121a25d..fe39eda580 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -47,7 +47,7 @@ Admins have a lot of flexibility in configuring how their devices scan and recei
[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
-You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
+You can make custom device groups that will work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
@@ -61,10 +61,10 @@ This setting lets you specify a server on your network to function as an interna
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
-If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
-The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
+The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service doesn't provide download Urls in the update metadata for files that are present on the alternate download server.
>[!NOTE]
>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
@@ -109,7 +109,7 @@ Use **Computer Configuration\Administrative Templates\Windows Components\Windows
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager.
This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
-If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
+If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer.
If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
@@ -123,8 +123,8 @@ This policy setting allows you to manage whether Automatic Updates accepts updat
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
-If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
-If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
+If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+If you disable or don't configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
>[!NOTE]
>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
@@ -136,7 +136,7 @@ To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](/windows/
To add more flexibility to the update process, settings are available to control update installation.
-[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
+[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers aren't installed with the rest of the received updates.
### Do not include drivers with Windows Updates
@@ -144,7 +144,7 @@ Allows admins to exclude Windows Update drivers during updates.
To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
Enable this policy to not include drivers with Windows quality updates.
-If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
+If you disable or don't configure this policy, Windows Update will include updates that have a Driver classification.
### Configure Automatic Updates
@@ -156,13 +156,13 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo
**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
-**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
+**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
-**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions.
+**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions.
-**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
+**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they'll be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
@@ -173,7 +173,7 @@ If this setting is set to **Not Configured**, an administrator can still configu
> [!NOTE]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
-In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
+In an environment that doesn't have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
To do this, follow these steps:
@@ -203,7 +203,7 @@ To do this, follow these steps:
* **4**: Automatically download and scheduled installation.
- * **5**: Allow local admin to select the configuration mode. This option is not available for Windows 10 or later versions.
+ * **5**: Allow local admin to select the configuration mode. This option isn't available for Windows 10 or later versions.
* **7**: Notify for install and notify for restart. (Windows Server 2016 and later only)
@@ -230,7 +230,7 @@ To do this, follow these steps:
* NoAutoRebootWithLoggedOnUsers (REG_DWORD):
- **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
+ **0** (false) or **1** (true). If set to **1**, Automatic Updates doesn't automatically restart a computer while users are logged on.
> [!NOTE]
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
From 9fb4ad33635471826df9db468b1a3900f37576ea Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 29 Mar 2023 09:44:45 -0700
Subject: [PATCH 03/43] wufbr perms MAXADO-7738226
---
.../wufb-reports-admin-center-permissions.md | 18 ++++++++++--------
.../update/wufb-reports-admin-center.md | 7 ++++---
.../update/wufb-reports-prerequisites.md | 2 +-
3 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b132951a59..05d3a799e1 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,25 +5,27 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
-ms.date: 03/15/2023
+ms.date: 03/29/2023
ms.localizationpriority: medium
---
+**Roles for enrolling into Windows Update for Business reports**
+
To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
- - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
-To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
- - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
+**Roles for reading Windows Update for Business reports**:
-**Log Analytics permissions**:
+The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
-The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions:
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access to the Log Analytics workspace is needed
+
+> [!IMPORTANT]
+> - At minimum, the Log Analytics Reader role (or equivalent permissions) need to be assigned to all of the above enrollment roles because they don't have the permissions by default.
+> - Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 0ba338dd97..dc316fec52 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
-ms.date: 11/15/2022
+ms.date: 03/29/2023
ms.technology: itpro-updates
---
@@ -27,11 +27,12 @@ The **Software updates** page has following tabs to assist you in monitoring upd
## Permissions
+> [!NOTE]
+> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
+
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
## Limitations
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index fa6514d687..b2b565908f 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
-ms.date: 03/15/2023
+ms.date: 03/29/2023
ms.technology: itpro-updates
---
From fad891daf9ac8250fe21d9898efa524a08faa53a Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 29 Mar 2023 12:04:11 -0700
Subject: [PATCH 04/43] wufbr perms MAXADO-7738226
---
.../wufb-reports-admin-center-permissions.md | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 05d3a799e1..b54639dfe6 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -10,22 +10,24 @@ ms.localizationpriority: medium
---
-**Roles for enrolling into Windows Update for Business reports**
+**Enrolling into Windows Update for Business reports**
-To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
+To enroll into Windows Update for Business reports from the [Azure portal](portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
-**Roles for reading Windows Update for Business reports**:
+> [!IMPORTANT]
+> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.
+
+**Read Windows Update for Business reports data**:
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access to the Log Analytics workspace is needed
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access is needed
> [!IMPORTANT]
-> - At minimum, the Log Analytics Reader role (or equivalent permissions) need to be assigned to all of the above enrollment roles because they don't have the permissions by default.
-> - Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
+> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
From 7adde9753711797a058f8dddcaa7bc43676f4084 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Thu, 30 Mar 2023 09:49:32 -0700
Subject: [PATCH 05/43] edits
---
.../includes/wufb-reports-admin-center-permissions.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b54639dfe6..8e4d1fe6ba 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
**Enrolling into Windows Update for Business reports**
-To enroll into Windows Update for Business reports from the [Azure portal](portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
@@ -27,7 +27,7 @@ To enroll into Windows Update for Business reports from the [Azure portal](porta
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
-- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if write access is needed
+- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
> [!IMPORTANT]
-> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center.
+> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. For more information, see [Admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
From 7e20af4408da9a4827348fa718a6bf866c0b330c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 3 Apr 2023 14:50:07 -0700
Subject: [PATCH 06/43] perms
---
.../update/includes/wufb-reports-admin-center-permissions.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8e4d1fe6ba..ac7d452c55 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -14,10 +14,11 @@ ms.localizationpriority: medium
To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
-- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
+- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader)
> [!IMPORTANT]
> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.
From 907411b4858501831e4d56b45930d89424a27ba5 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 3 Apr 2023 15:02:52 -0700
Subject: [PATCH 07/43] perms
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ac7d452c55..bb8b7715f7 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -21,7 +21,7 @@ To enroll into Windows Update for Business reports from the [Azure portal](https
- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader)
> [!IMPORTANT]
-> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user all of the above enrollment roles because they don't have the permissions by default.
+> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user as well. All of the above roles don't have the permissions to actually read the Windows Update for Business reports data by default.
**Read Windows Update for Business reports data**:
From 4d15fe3a6ef9a66a131b3a08da93d853be0afa12 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 13:54:43 -0700
Subject: [PATCH 08/43] reorg data
---
.../wufb-reports-admin-center-permissions.md | 33 ++++++++++++-------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index bb8b7715f7..ed7581e9ca 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,26 +9,35 @@ ms.date: 03/29/2023
ms.localizationpriority: medium
---
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources.
-**Enrolling into Windows Update for Business reports**
+- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
+- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain roles access to sign in
+
+**Roles that allow enrollment into Windows Update for Business reports**
To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
-- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
-- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
-- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
-- [Global reader](/azure/active-directory/roles/permissions-reference#global-reader)
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
+- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
+ - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
-> [!IMPORTANT]
-> At minimum, the Log Analytics Reader role (or equivalent permissions) needs to be assigned to the user as well. All of the above roles don't have the permissions to actually read the Windows Update for Business reports data by default.
-
-**Read Windows Update for Business reports data**:
+**Azure roles that allow access to the Log Analytics workspace Windows Update for Business reports data**
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
-> [!IMPORTANT]
-> Assigning either of the Log Analytics roles alone allows access to the [workbook](../wufb-reports-use.md), but doesn't allow access to the Microsoft 365 admin center. For more information, see [Admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles).
+Examples of commonly assigned roles for Windows Update for Business reports users:
+
+| Roles | Enroll though workbook | Enroll through admin center | Read data workbook | Display admin center | Create Log Analytics workspace |
+| --- | --- | --- | --- | --- | --- |
+| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
+| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
+| Policy and profile manager + Log Analytics reader | Yes | No | Yes | No | No |
+| Log Analytics reader | No | No | Yes | No | No|
+| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |
From da5178b284e7161c2591d424ea85beb02dce98e5 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 13:58:20 -0700
Subject: [PATCH 09/43] reorg data
---
windows/deployment/update/wufb-reports-admin-center.md | 1 -
windows/deployment/update/wufb-reports-prerequisites.md | 1 -
2 files changed, 2 deletions(-)
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index dc316fec52..cf45ebae7c 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -33,7 +33,6 @@ The **Software updates** page has following tabs to assist you in monitoring upd
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
-
## Limitations
Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index b2b565908f..6e179ad957 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -25,7 +25,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
-
## Permissions
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
From 423dd6d8dfbc58662c8b108e85ca2f8e0636b8ae Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:01:18 -0700
Subject: [PATCH 10/43] reorg data
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ed7581e9ca..8babdb3b2e 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -13,7 +13,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
-- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain roles access to sign in
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
**Roles that allow enrollment into Windows Update for Business reports**
From 8e5146662bb4cf6a342e3f756d27e02dc0e8031c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:02:54 -0700
Subject: [PATCH 11/43] reorg data
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8babdb3b2e..ec8c548368 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,7 +9,7 @@ ms.date: 03/29/2023
ms.localizationpriority: medium
---
-Accessing Windows Update for Business reports typcially requires permissions from multiple sources.
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
From c954b5de54ae29d2bb5f222de4ed60388962a891 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 14:53:21 -0700
Subject: [PATCH 12/43] reorg data
---
.../wufb-reports-admin-center-permissions.md | 13 ++++++++-----
.../deployment/update/wufb-reports-admin-center.md | 10 ++--------
2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index ec8c548368..c8d9549c99 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -15,7 +15,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
-**Roles that allow enrollment into Windows Update for Business reports**
+**Roles that can enroll into Windows Update for Business reports**
To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
@@ -25,19 +25,22 @@ To enroll into Windows Update for Business reports from the [Azure portal](https
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
- Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
-**Azure roles that allow access to the Log Analytics workspace Windows Update for Business reports data**
+**Azure roles that allow access to the Log Analytics workspace**
-The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions:
+The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
Examples of commonly assigned roles for Windows Update for Business reports users:
-| Roles | Enroll though workbook | Enroll through admin center | Read data workbook | Display admin center | Create Log Analytics workspace |
+| Roles | Enroll though the [workbook](wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
| --- | --- | --- | --- | --- | --- |
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
-| Policy and profile manager + Log Analytics reader | Yes | No | Yes | No | No |
+| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No|
| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |
+
+> [!NOTE]
+> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index cf45ebae7c..ae429a6271 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -25,20 +25,14 @@ The **Software updates** page has following tabs to assist you in monitoring upd
:::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
-## Permissions
-
-> [!NOTE]
-> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
-
-
-[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
-
## Limitations
Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
## Get started
+After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisistes.md) for Windows Update for Business reports, enroll using the instructions below if needed:
+
[!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
From e41d136b72885a15b07a092749ffe68fb9c16739 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:03:28 -0700
Subject: [PATCH 13/43] fix links
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
windows/deployment/update/wufb-reports-admin-center.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index c8d9549c99..29941791b6 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -34,7 +34,7 @@ The data for Windows Update for Business reports is routed to a Log Analytics wo
Examples of commonly assigned roles for Windows Update for Business reports users:
-| Roles | Enroll though the [workbook](wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
+| Roles | Enroll though the [workbook](../wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
| --- | --- | --- | --- | --- | --- |
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index ae429a6271..68161072ed 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -31,7 +31,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us
## Get started
-After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisistes.md) for Windows Update for Business reports, enroll using the instructions below if needed:
+After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed:
[!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]
From abb8e0281110620a890dba4c25c0c908b6edf956 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:04:14 -0700
Subject: [PATCH 14/43] fix links
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 29941791b6..8c21fa2340 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -9,7 +9,7 @@ ms.date: 03/29/2023
ms.localizationpriority: medium
---
-Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
+Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
From cf25521a69f08c52f767e543f0fd91acbe7813ba Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Fri, 7 Apr 2023 15:10:12 -0700
Subject: [PATCH 15/43] fix links
---
.../update/includes/wufb-reports-admin-center-permissions.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 8c21fa2340..c1eb23d550 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -17,7 +17,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
**Roles that can enroll into Windows Update for Business reports**
-To enroll into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To [enroll](../bkmk_enroll.md) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
@@ -34,7 +34,7 @@ The data for Windows Update for Business reports is routed to a Log Analytics wo
Examples of commonly assigned roles for Windows Update for Business reports users:
-| Roles | Enroll though the [workbook](../wufb-reports-workbook.md) | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
+| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
| --- | --- | --- | --- | --- | --- |
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
From da0ebbe59b81d3c9a7f7ea181fb722d30de59586 Mon Sep 17 00:00:00 2001
From: rekhanr <40372231+rekhanr@users.noreply.github.com>
Date: Mon, 17 Apr 2023 14:43:11 -0700
Subject: [PATCH 16/43] Update windows-autopatch-changes-to-tenant.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Added the settings for the below.
Upgrade Windows 10 to latest Windows 11 (Yes/No)
Microsoft product updates (Block/Allow)
Enable pre-release builds (Enable/Not Configured)
Restart checks (Allow/Skip)
Option to Pause windows Updates (Disable/Enable)
Option to check for Windows Update (Disable/Enable)
This is the change going into the baseline config, hence listed here.
---
.../references/windows-autopatch-changes-to-tenant.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index bf23950f18..a1fd2c87e2 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -74,10 +74,10 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | OMA | Value |
| ----- | ----- | ----- | ----- |
-| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
|- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
|- 0
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 0
- 0
- False
- False
|
-| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring Assigned to:
- Modern Workplace Devices-Windows Autopatch-First
|- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
|- 1
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 2
- 2
- False
- False
|
-| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Fast
|- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
|- 6
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 2
- 2
- False
- False
|
-| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Broad
|- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
|- 9
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 5
- 2
- False
- False
|
+| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Test
|- MicrosoftProductUpdates
- EnablePrereleasebuilds
- UpgradetoLatestWin11
- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
- RestartChecks
- SetDisablePauseUXAccess
- SetUXtoCheckforUpdates
|- Allow
- Not Configured
- No
- 0
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 0
- 0
- False
- False
- Allow
- Disable
- Enable
|
+| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring Assigned to:
- Modern Workplace Devices-Windows Autopatch-First
|- MicrosoftProductUpdates
- EnablePrereleasebuilds
- UpgradetoLatestWin11
- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
- RestartChecks
- SetDisablePauseUXAccess
- SetUXtoCheckforUpdates
|- Allow
- Not Configured
- No
- 1
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 2
- 2
- False
- False
- Allow
- Disable
- Enable
|
+| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Fast
|- MicrosoftProductUpdates
- EnablePrereleasebuilds
- UpgradetoLatestWin11
- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
- RestartChecks
- SetDisablePauseUXAccess
- SetUXtoCheckforUpdates
|- Allow
- Not Configured
- No
- 6
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 2
- 2
- False
- False
- Allow
- Disable
- Enable
|
+| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad RingAssigned to:
- Modern Workplace Devices-Windows Autopatch-Broad
|- MicrosoftProductUpdates
- EnablePrereleasebuilds
- UpgradetoLatestWin11
- QualityUpdatesDeferralPeriodInDays
- FeatureUpdatesDeferralPeriodInDays
- FeatureUpdatesRollbackWindowInDays
- BusinessReadyUpdatesOnly
- AutomaticUpdateMode
- InstallTime
- DeadlineForFeatureUpdatesInDays
- DeadlineForQualityUpdatesInDays
- DeadlineGracePeriodInDays
- PostponeRebootUntilAfterDeadline
- DriversExcluded
- RestartChecks
- SetDisablePauseUXAccess
- SetUXtoCheckforUpdates
|- Allow
- Not Configured
- No
- 9
- 0
- 30
- All
- WindowsDefault
- 3
- 5
- 5
- 2
- False
- False
- Allow
- Disable
- Enable
|
## Windows feature update policies
From 9fb21d4986c32990333a4dbe1b3cd906f6cbf5d2 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 19 Apr 2023 08:46:56 -0700
Subject: [PATCH 17/43] edits
---
windows/deployment/update/waas-wu-settings.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 46e13890a1..bb8d50b541 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
-| [Allow Windows updates to install before initial user sign-in](#allow-windows-update-before-initial-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later |
+| [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign--in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later |
>[!IMPORTANT]
@@ -266,7 +266,7 @@ The organization name appears automatically for Windows 11 clients that are asso
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
- **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
- - **DWORD value name**: UsoDisableAADJAttribution
+ - **DWORD value name**: UsoDisableAADJAttribution
- **Value data:** 1
The following PowerShell script is provided as an example to you:
@@ -283,7 +283,7 @@ if (!(Test-Path $registryPath))
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
```
-## Allow Windows updates to install before initial user sign-in
+## Allow Windows updates to install before initial user sign-in
*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or later)*
On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.
From 4677e7fbdc8803f96c4392cff96cdebea0977008 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 19 Apr 2023 10:12:50 -0700
Subject: [PATCH 18/43] edits
---
windows/deployment/update/waas-wu-settings.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index bb8d50b541..77a014acd7 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
-| [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign--in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later |
+| [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later |
>[!IMPORTANT]
From 22e5103357a48c5518dcc2e5c372b97179fda765 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 19 Apr 2023 10:50:16 -0700
Subject: [PATCH 19/43] edits
---
windows/deployment/update/waas-wu-settings.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 77a014acd7..5d01b577d1 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
-| [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or later |
+| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update |
>[!IMPORTANT]
@@ -284,7 +284,7 @@ New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWO
```
## Allow Windows updates to install before initial user sign-in
-*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or later)*
+*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update)*
On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later.
From 8315716c015320dbff91baec9fdf43229318bf7e Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 19 Apr 2023 10:57:13 -0700
Subject: [PATCH 20/43] edits
---
windows/deployment/update/waas-wu-settings.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 5d01b577d1..0c088b2aee 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
-| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) | Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update |
+| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update |
>[!IMPORTANT]
From f4426059c956785fa9465e003066072d6f0b795c Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Wed, 19 Apr 2023 12:55:35 -0700
Subject: [PATCH 21/43] Revert "Update windows-autopatch-prerequisites.md"
---
.../prepare/windows-autopatch-prerequisites.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 40591c7936..c2f86d2ca3 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -46,9 +46,9 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
-- Windows 10 (20H2+)/11 Pro
-- Windows 10 (20H2+)/11 Enterprise
-- Windows 10 (20H2+)/11 Pro for Workstations
+- Windows 10 (1809+)/11 Pro
+- Windows 10 (1809+)/11 Enterprise
+- Windows 10 (1809+)/11 Pro for Workstations
> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
From 0ed866d1c6edceef373c263c7a71d94ebeba2634 Mon Sep 17 00:00:00 2001
From: Narkis Engler <41025789+narkissit@users.noreply.github.com>
Date: Wed, 19 Apr 2023 17:20:05 -0700
Subject: [PATCH 22/43] Update waas-delivery-optimization-setup.md
correct -peerinfo definition of output, it's not "connected" peers but rather list of proposed peers by the service + indication when it is successfully connected to a peer
---
windows/deployment/do/waas-delivery-optimization-setup.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index 9fa907d90e..c26e194cd0 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -152,7 +152,7 @@ Try these steps:
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
> [!NOTE]
-> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or recieved from each peer.
### Clients aren't able to connect to peers offered by the cloud service
From de8ceb80b3c99f1c638a044ac8a5f156813ec816 Mon Sep 17 00:00:00 2001
From: Narkis Engler <41025789+narkissit@users.noreply.github.com>
Date: Thu, 20 Apr 2023 15:13:40 -0700
Subject: [PATCH 23/43] Update
windows/deployment/do/waas-delivery-optimization-setup.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/deployment/do/waas-delivery-optimization-setup.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md
index c26e194cd0..04c0b9e893 100644
--- a/windows/deployment/do/waas-delivery-optimization-setup.md
+++ b/windows/deployment/do/waas-delivery-optimization-setup.md
@@ -152,7 +152,7 @@ Try these steps:
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
> [!NOTE]
-> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or recieved from each peer.
+> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
### Clients aren't able to connect to peers offered by the cloud service
From 4a3d1d34c3d56db0533a93a84d9f5355fffcd8d1 Mon Sep 17 00:00:00 2001
From: Marius Wyss <53998264+MrWyss-MSFT@users.noreply.github.com>
Date: Fri, 21 Apr 2023 14:30:46 +0200
Subject: [PATCH 24/43] additional information for ScheduledInstall*week
policies
---
.../mdm/policy-csp-update.md | 36 +++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 28b396eb2f..3215ea8066 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3069,6 +3069,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
+- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
+- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
+- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3167,6 +3176,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
+- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
+- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
+- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3265,6 +3283,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
+- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
+- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
+- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3363,6 +3390,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
+- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
+- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
+- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
From 60f70f92a8a99d13c1885fb6ed6797636cfee926 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 24 Apr 2023 10:52:31 -0400
Subject: [PATCH 25/43] Update policy-csp-update.md
---
.../mdm/policy-csp-update.md | 40 +++++++++----------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 3215ea8066..50b88f32ed 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3071,12 +3071,12 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
The ScheduledInstall*week policies operate on numeric days.
-- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
-- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
-- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
-- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
-These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3178,12 +3178,12 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
The ScheduledInstall*week policies operate on numeric days.
-- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
-- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
-- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
-- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
-These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3285,12 +3285,12 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
The ScheduledInstall*week policies operate on numeric days.
-- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
-- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
-- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
-- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
-These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3392,12 +3392,12 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
The ScheduledInstall*week policies operate on numeric days.
-- first week of the month [ScheduledInstallFirstWeek](#scheduledinstallfirstweek) = Days 1-7
-- second week of the month [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) = Days 8-14
-- third week of the month [ScheduledInstallThirdWeek](#scheduledinstallthirdweek) = Days 15-21
-- fourth week of the month [ScheduledInstallFourthWeek](#scheduledinstallfourthweek) = Days 22-31
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
-These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday) it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#ScheduledInstallSecondWeek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. **Important**, if the first day of the month is a Wednesday, the 2nd Wednesday will be 6 days before 2nd Tuesday. If the device happens to be unavailable at this scheduled time, it can postpone installation of updates until the next month if it misses the install window for a given month.
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
> [!NOTE]
> This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
From df62af6f3f8989d9510d3da38731228c24e11802 Mon Sep 17 00:00:00 2001
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com>
Date: Mon, 24 Apr 2023 10:43:17 -0500
Subject: [PATCH 26/43] Update policy-csp-update.md
Acro edits.
---
.../client-management/mdm/policy-csp-update.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 34a1970df8..8bf785ab2e 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -2143,9 +2143,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
| Value | Description |
|:--|:--|
-| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
-| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. |
-| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. |
+| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. |
+| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. |
+| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. |
| 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
| 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. |
| 5 | Turn off automatic updates. |
@@ -3551,7 +3551,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
-This setting allows to remove access to "Pause updates" feature.
+This setting allows removal access to "Pause updates" feature.
Once enabled user access to pause updates is removed.
@@ -3693,7 +3693,7 @@ The following rules are followed regarding battery power:
- Above 40% - allowed to reboot;
- Above 20% - allowed to continue work.
-This setting overrides the install deferral behaviour of [AllowAutoUpdate](#allowautoupdate).
+This setting overrides the install deferral behavior of [AllowAutoUpdate](#allowautoupdate).
These settings are designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices.
@@ -4311,7 +4311,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4381,7 +4381,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4451,7 +4451,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
@@ -4521,7 +4521,7 @@ Enable this policy to control the timing before transitioning from Auto restarts
You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
-You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
+You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period.
If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart.
From d89a43bec67c1a65833d2b79b24b1672255a281f Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 24 Apr 2023 10:26:05 -0700
Subject: [PATCH 27/43] Update
windows/deployment/do/includes/waas-delivery-optimization-monitor.md
---
.../do/includes/waas-delivery-optimization-monitor.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
index 55f373f373..faf96a6339 100644
--- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
+++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md
@@ -28,7 +28,7 @@ ms.localizationpriority: medium
| TotalBytesDownloaded | The number of bytes from any source downloaded so far |
| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP |
| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) |
-| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which include BytesFromCacheServer |
+| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer |
| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) |
| Priority | Priority of the download; values are **foreground** or **background** |
| BytesFromCacheServer | Total number of bytes received from cache server (MCC) |
From f1253599e627677d1105805e8240d23ddce5cc9c Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 24 Apr 2023 10:56:40 -0700
Subject: [PATCH 28/43] Resolves
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11478
---
.../update/wufb-reports-schema-ucclientupdatestatus.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 12318c9c53..c779ba83e4 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: reference
-ms.date: 06/06/2022
+ms.date: 04/24/2023
ms.technology: itpro-updates
---
@@ -37,7 +37,7 @@ Update Event that combines the latest client-based data with the latest service-
| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
+| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
From 6767705c3a9d79c18183696ae05f95097039ab4a Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Mon, 24 Apr 2023 11:45:25 -0700
Subject: [PATCH 29/43] Resolves
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/11478
---
.../update/wufb-reports-schema-ucclientupdatestatus.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index c779ba83e4..34cab456db 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -50,3 +50,4 @@ Update Event that combines the latest client-based data with the latest service-
| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
+
\ No newline at end of file
From 7fd48a7e176b3737f5116382b6163296195178fb Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Mon, 24 Apr 2023 12:24:37 -0700
Subject: [PATCH 30/43] Updated LTSC note
---
.../deploy/windows-autopatch-register-devices.md | 6 +++---
.../windows-autopatch-windows-quality-update-overview.md | 6 +++---
.../prepare/windows-autopatch-prerequisites.md | 6 +++---
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index fcc1e157cf..209062f4b0 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 02/03/2023
+ms.date: 04/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -83,8 +83,8 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
> [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 974c419ebd..943537d1bc 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates
description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 02/17/2023
+ms.date: 04/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -33,8 +33,8 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Windows quality update releases
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index c2f86d2ca3..5946fa7bd6 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 02/17/2023
+ms.date: 04/24/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -50,8 +50,8 @@ The following Windows OS 10 editions, 1809+ builds and architecture are supporte
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Configuration Manager co-management requirements
From 001afa4d7f51e2a06ee3a2b5e12d7a9ed2c00943 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 24 Apr 2023 18:51:48 -0400
Subject: [PATCH 31/43] update to error codes
---
.../hello-errors-during-pin-creation.md | 31 +++++++------------
1 file changed, 11 insertions(+), 20 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 23537daa14..e63b129275 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation
description: When you set up Windows Hello, you may get an error during the Create a work PIN step.
ms.topic: troubleshooting
-ms.date: 03/31/2023
+ms.date: 04/24/2023
---
# Windows Hello errors during PIN creation
@@ -22,7 +22,7 @@ When a user encounters an error when creating the work PIN, advise the user to t
1. Try to create the PIN again. Some errors are transient and resolve themselves.
2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again.
-4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**.
+4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**.
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
@@ -31,21 +31,21 @@ If the error occurs again, check the error code against the following table to s
| 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. |
| 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. |
| 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. |
-| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
+| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. |
| 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. |
| 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). |
| 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. |
| 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. |
| 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation. |
-| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
+| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). |
| 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. |
| 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. |
| 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. |
| 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. |
-| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
-| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
-| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
-| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
+| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. |
+| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. |
+| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. |
+| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. |
| 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. |
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
@@ -53,10 +53,11 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
+| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.|
| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.|
## Errors with unknown mitigation
@@ -72,7 +73,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x80090020 | NTE\_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
-| 0x801C0001 | ADRS server response is not in a valid format. |
+| 0x801C0001 | ADRS server response is not in a valid format. |
| 0x801C0002 | Server failed to authenticate the user. |
| 0x801C0006 | Unhandled exception from server. |
| 0x801C000B | Redirection is needed and redirected location is not a well known server. |
@@ -88,13 +89,3 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. |
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [How Windows Hello for Business works](hello-how-it-works.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
From ed9ac90bbfb32c9777dd24a96d5623a477285fe8 Mon Sep 17 00:00:00 2001
From: Andre Della Monica
Date: Mon, 24 Apr 2023 18:19:50 -0500
Subject: [PATCH 32/43] More changes
---
.../prepare/windows-autopatch-prerequisites.md | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5946fa7bd6..a6392239f1 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -44,13 +44,16 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
-The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
+The following Windows 10 editions, build version and architecture are supported to be [registered](windows-autopatch-register-devices) with Windows Autopatch:
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
> [!IMPORTANT]
+> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](windows-autopatch-windows-feature-update-overview#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](windows-autopatch-windows-feature-update-overview#enforcing-a-minimum-windows-os-version) as these devices must be on a [minimum Windows OS currently serviced](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the Windows servicing channels to keep receiving monthly quality updates that are critical to security and the health of the Windows ecosystem.
+
+> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Configuration Manager co-management requirements
@@ -58,9 +61,9 @@ The following Windows OS 10 editions, 1809+ builds and architecture are supporte
Windows Autopatch fully supports co-management. The following co-management requirements apply:
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
-- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled:
- - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
- - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
- - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
+- Configuration Manager must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled and set to either **Pilot Intune** or **Intune**:
+ - [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies)
+ - [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration)
+ - [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps)
For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
From c7123a332b23c793a62e4fc437caa63844651179 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Tue, 25 Apr 2023 08:17:36 -0700
Subject: [PATCH 33/43] Update windows-autopatch-prerequisites.md
Fixed links, grammar
---
.../prepare/windows-autopatch-prerequisites.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index a6392239f1..1808dd285c 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -44,14 +44,14 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
-The following Windows 10 editions, build version and architecture are supported to be [registered](windows-autopatch-register-devices) with Windows Autopatch:
+The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch:
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
> [!IMPORTANT]
-> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](windows-autopatch-windows-feature-update-overview#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](windows-autopatch-windows-feature-update-overview#enforcing-a-minimum-windows-os-version) as these devices must be on a [minimum Windows OS currently serviced](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the Windows servicing channels to keep receiving monthly quality updates that are critical to security and the health of the Windows ecosystem.
+> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version). The devices must be on a [minimum Windows OS currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to keep receiving monthly security updates that are critical to security and the health Windows.
> [!NOTE]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
From 66ddb1be927e37a6de14d16514da2fb9ab78d580 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 11:15:02 -0400
Subject: [PATCH 34/43] Add another example for sandbox
---
...indows-sandbox-configure-using-wsb-file.md | 70 +++++++++++++++----
.../windows-sandbox-overview.md | 12 ++--
2 files changed, 64 insertions(+), 18 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index e9790d83e9..e9dc1bb0cc 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier2
ms.topic: article
@@ -53,7 +53,7 @@ To create a configuration file:
To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
```batch
-C:\Temp> MyConfigFile.wsb
+C:\Temp> MyConfigFile.wsb
```
## Keywords, values, and limits
@@ -80,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to
`value`
Supported values:
+
- *Enable*: Enables networking in the sandbox.
- *Disable*: Disables networking in the sandbox.
- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
@@ -93,12 +94,12 @@ An array of folders, each representing a location on the host machine that will
```xml
-
- absolute path to the host folder
- absolute path to the sandbox folder
- value
+
+ absolute path to the host folder
+ absolute path to the sandbox folder
+ value
-
+
...
@@ -110,8 +111,7 @@ An array of folders, each representing a location on the host machine that will
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
-
-> [!NOTE]
+> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
### Logon command
@@ -136,13 +136,14 @@ Enables or disables audio input to the sandbox.
`value`
Supported values:
+
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
-
+
### Video input
Enables or disables video input to the sandbox.
@@ -150,7 +151,8 @@ Enables or disables video input to the sandbox.
`value`
Supported values:
-- *Enable*: Enables video input in the sandbox.
+
+- *Enable*: Enables video input in the sandbox.
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
@@ -164,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing
`value`
Supported values:
+
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
@@ -178,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox.
`value`
Supported values:
+
- *Enable*: Enables sharing of host printers into the sandbox.
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
@@ -189,8 +193,9 @@ Enables or disables sharing of the host clipboard with the sandbox.
`value`
Supported values:
+
- *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
+- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
@@ -202,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
## Example 1
+
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
### Downloads.wsb
@@ -233,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
### VSCodeInstall.cmd
-Download vscode to `downloads` folder and run from `downloads` folder
+Download vscode to `downloads` folder and run from `downloads` folder.
```batch
REM Download Visual Studio Code
@@ -264,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
```
+
+## Example 3
+
+The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
+
+`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+
+
+
+ C:\sandbox
+ C:\sandbox
+ True
+
+
+
+ powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
+
+
+```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 6e2f83d198..846f0ed7f6 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier2
ms.topic: article
@@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
+
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
@@ -32,7 +33,7 @@ Windows Sandbox has the following properties:
> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
## Prerequisites
-
+
- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
- Virtualization capabilities enabled in BIOS
@@ -59,7 +60,7 @@ Windows Sandbox has the following properties:
> [!NOTE]
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
- >
+ >
> ```powershell
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
> ```
@@ -67,9 +68,10 @@ Windows Sandbox has the following properties:
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
> [!NOTE]
- > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually.
+ > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
+
+## Usage
-## Usage
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
2. Run the executable file or installer inside the sandbox.
From 3fc85a8320997668afe20468db47156324c7028c Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:22:57 -0400
Subject: [PATCH 35/43] Update prereqs
---
.../windows-sandbox/windows-sandbox-overview.md | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 846f0ed7f6..153162fd8e 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,12 +34,16 @@ Windows Sandbox has the following properties:
## Prerequisites
-- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
-- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
+- Windows 10, version 1903 or later, or Windows 11
+- Windows Pro, Enterprise or Education edition
+- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyperthreading recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition
## Installation
From 00f4fd0438668b43d613689b73431ed232ba5d6f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:37:43 -0400
Subject: [PATCH 36/43] Minor changes
---
.../windows-sandbox/windows-sandbox-overview.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 153162fd8e..74e81b1a05 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,9 +34,9 @@ Windows Sandbox has the following properties:
## Prerequisites
-- Windows 10, version 1903 or later, or Windows 11
+- Windows 10, version 1903 and later, or Windows 11
- Windows Pro, Enterprise or Education edition
-- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
+- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
From ad699b34ae083bdeefb565ea23a7e13bea6045f8 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Wed, 26 Apr 2023 09:39:15 -0700
Subject: [PATCH 37/43] Updated Whats new to include changes to Win 10
deployment rings and later
---
.../whats-new/windows-autopatch-whats-new-2023.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index 04d0ae58bc..9c2e3531ae 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -20,6 +20,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
## April 2023
+### April feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
+
### April 2023 service release
| Message center post number | Description |
From d7cc8917a7ab76b61676703b38d133fda8d1c9ce Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:28:26 -0700
Subject: [PATCH 38/43] update metadata
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
windows/deployment/update/wufb-reports-admin-center.md | 2 +-
windows/deployment/update/wufb-reports-enable.md | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index c1eb23d550..b859c33a3e 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,7 +5,7 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
-ms.date: 03/29/2023
+ms.date: 04/26/2023
ms.localizationpriority: medium
---
diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md
index 68161072ed..8d7b1f616c 100644
--- a/windows/deployment/update/wufb-reports-admin-center.md
+++ b/windows/deployment/update/wufb-reports-admin-center.md
@@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
-ms.date: 03/29/2023
+ms.date: 04/26/2023
ms.technology: itpro-updates
---
diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md
index a02c8ece15..df307acd3d 100644
--- a/windows/deployment/update/wufb-reports-enable.md
+++ b/windows/deployment/update/wufb-reports-enable.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
-ms.date: 11/15/2022
+ms.date: 04/26/2023
ms.technology: itpro-updates
---
From 6e31c319da7682bbc789f826c965607ecf6ac9b7 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:33:22 -0700
Subject: [PATCH 39/43] update metadata
---
windows/deployment/update/wufb-reports-prerequisites.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index 6e179ad957..f9951294d8 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
-ms.date: 03/29/2023
+ms.date: 04/26/2023
ms.technology: itpro-updates
---
From 533d0ad7259404f5153d64cfc831dba0d1743e85 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 10:39:27 -0700
Subject: [PATCH 40/43] edit
---
.../update/includes/wufb-reports-admin-center-permissions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b859c33a3e..342b6d4210 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -17,7 +17,7 @@ Accessing Windows Update for Business reports typcially requires permissions fro
**Roles that can enroll into Windows Update for Business reports**
-To [enroll](../bkmk_enroll.md) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
+To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
From 491a2882cbea44ea1ad2510f2e6152476f846179 Mon Sep 17 00:00:00 2001
From: Meghan Stewart <33289333+mestew@users.noreply.github.com>
Date: Wed, 26 Apr 2023 11:48:17 -0700
Subject: [PATCH 41/43] rm targetver chart for device under qu
---
windows/deployment/update/wufb-reports-workbook.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md
index 53396697ce..9756777253 100644
--- a/windows/deployment/update/wufb-reports-workbook.md
+++ b/windows/deployment/update/wufb-reports-workbook.md
@@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
-ms.date: 04/12/2023
+ms.date: 04/26/2023
ms.technology: itpro-updates
---
@@ -97,7 +97,6 @@ The **Update deployment status** table displays the quality updates for each ope
The **Device status** group for quality updates contains the following items:
- **OS build number**: Chart containing a count of devices by OS build that are getting security updates.
-- **Target version**: Chart containing how many devices by operating system version that are getting security updates.
- **Device alerts**: Chart containing the count of active device errors and warnings for quality updates.
- **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
From fb4737100af343e6654d095c484a03011d232760 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 26 Apr 2023 15:08:56 -0400
Subject: [PATCH 42/43] updated S mode article
---
windows/deployment/s-mode.md | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index edf0aba102..22fb1a0711 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -1,49 +1,52 @@
---
-title: Windows 10 Pro in S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
+title: Windows Pro in S mode
+description: Overview of Windows Pro and Enterprise in S mode.
ms.localizationpriority: high
ms.prod: windows-client
manager: aaroncz
author: frankroj
ms.author: frankroj
-ms.topic: article
-ms.date: 11/23/2022
+ms.topic: conceptual
+ms.date: 04/26/2023
ms.technology: itpro-deploy
---
-# Windows 10 in S mode - What is it?
+# Windows Pro in S mode
-S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
+S mode is a configuration that's available on all Windows Editions, and it's enabled at the time of manufacturing. Windows can be switched out of S mode at any time, as shown in the picture below. However, the switch is a one-time operation, and can only be undone by a wipe and reload of the operating system.
-
+:::image type="content" source="images/smodeconfig.png" alt-text="Table listing the capabilities of S mode across the different Windows editions.":::
## S mode key features
### Microsoft-verified security
-With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
+With Windows in S mode, you'll find your favorite applications in the Microsoft Store, where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware.
### Performance that lasts
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
+Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. You'll enjoy a smooth, responsive experience, whether you're streaming videos, opening apps, or being productive on the go.
### Choice and flexibility
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
-
+:::image type="content" source="images/s-mode-flow-chart.png" alt-text="Switching out of S mode flow chart.":::
## Deployment
-Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.\
+Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
+
+For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
## Keep line of business apps functioning with Desktop Bridge
-Worried about your line of business apps not working in S mode? [Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+[Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating the apps, you can distribute them through an MDM solution like Microsoft Intune.
## Repackage Win32 apps into the MSIX format
-The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. The MSIX Packaging Tool is another way to get your apps ready to run on Windows 10 in S mode.
+The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively, and obtain an MSIX package that you can deploy through and MDM solution like Microsoft Intune. The MSIX Packaging Tool is another way to get your apps ready to run on Windows in S mode.
## Related links
From 6f81ff89602c297a72e659150534b71a4be1d00b Mon Sep 17 00:00:00 2001
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com>
Date: Wed, 26 Apr 2023 15:10:07 -0500
Subject: [PATCH 43/43] Update s-mode.md
---
windows/deployment/s-mode.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 22fb1a0711..d20d9c067f 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -35,7 +35,8 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
## Deployment
-Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.\
+Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
+
Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.