mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into 20230420-licensing-includes
This commit is contained in:
Paolo Matarazzo
commit
4f0595933f
@ -36,6 +36,8 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
|
|||||||
- Windows Autopatch – Ring2
|
- Windows Autopatch – Ring2
|
||||||
- Windows Autopatch – Ring3
|
- Windows Autopatch – Ring3
|
||||||
- Windows Autopatch – Last
|
- Windows Autopatch – Last
|
||||||
|
- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups.
|
||||||
|
- For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) on how to remediate Azure Azure AD group ownership.
|
||||||
- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
|
- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
|
||||||
- Read device attributes to successfully register devices.
|
- Read device attributes to successfully register devices.
|
||||||
- Manage all configurations related to the operation of the service.
|
- Manage all configurations related to the operation of the service.
|
||||||
@ -43,6 +45,9 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr
|
|||||||
- Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**.
|
- Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**.
|
||||||
- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
|
- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available.
|
||||||
|
|
||||||
## Create a Custom Autopatch group
|
## Create a Custom Autopatch group
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Windows feature updates
|
title: Windows feature updates
|
||||||
description: This article explains how Windows feature updates are managed in Autopatch
|
description: This article explains how Windows feature updates are managed in Autopatch
|
||||||
ms.date: 02/17/2023
|
ms.date: 05/02/2023
|
||||||
ms.prod: windows-client
|
ms.prod: windows-client
|
||||||
ms.technology: itpro-updates
|
ms.technology: itpro-updates
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
@ -85,7 +85,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
|
|||||||
> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
|
> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
|
> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
|
||||||
|
|
||||||
**To pause or resume a Windows feature update:**
|
**To pause or resume a Windows feature update:**
|
||||||
|
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Windows quality updates
|
title: Windows quality updates
|
||||||
description: This article explains how Windows quality updates are managed in Autopatch
|
description: This article explains how Windows quality updates are managed in Autopatch
|
||||||
ms.date: 04/24/2023
|
ms.date: 05/02/2023
|
||||||
ms.prod: windows-client
|
ms.prod: windows-client
|
||||||
ms.technology: itpro-updates
|
ms.technology: itpro-updates
|
||||||
ms.topic: conceptual
|
ms.topic: conceptual
|
||||||
@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
|
|||||||
| Standard release | Test<p>First<p>Fast<p>Broad | 0<p>1<p>6<p>9 | 0<p>2<p>2<p>5 | 0<p>2<p>2<p>2 |
|
| Standard release | Test<p>First<p>Fast<p>Broad | 0<p>1<p>6<p>9 | 0<p>2<p>2<p>5 | 0<p>2<p>2<p>2 |
|
||||||
| Expedited release | All devices | 0 | 1 | 1 |
|
| Expedited release | All devices | 0 | 1 | 1 |
|
||||||
|
|
||||||
|
> [!IMPORTANT]
|
||||||
|
> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates).
|
||||||
|
|
||||||
#### Turn off service-driven expedited quality update releases
|
#### Turn off service-driven expedited quality update releases
|
||||||
|
|
||||||
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
|
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
title: Customize Windows Update settings
|
title: Customize Windows Update settings
|
||||||
description: This article explains how to customize Windows Updates in Windows Autopatch
|
description: This article explains how to customize Windows Updates in Windows Autopatch
|
||||||
ms.date: 03/08/2023
|
ms.date: 05/02/2023
|
||||||
ms.prod: windows-client
|
ms.prod: windows-client
|
||||||
ms.technology: itpro-updates
|
ms.technology: itpro-updates
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co
|
|||||||
- [Deadline-driven](#deadline-driven)
|
- [Deadline-driven](#deadline-driven)
|
||||||
- [Scheduled install](#scheduled-install)
|
- [Scheduled install](#scheduled-install)
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
|
||||||
|
|
||||||
#### Deadline-driven
|
#### Deadline-driven
|
||||||
|
|
||||||
With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
|
With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
|
||||||
@ -92,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up
|
|||||||
|
|
||||||
## Customize the Windows Update deployment cadence
|
## Customize the Windows Update deployment cadence
|
||||||
|
|
||||||
|
> [!IMPORTANT]
|
||||||
|
> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
|
||||||
|
|
||||||
**To customize the Windows Update deployment cadence:**
|
**To customize the Windows Update deployment cadence:**
|
||||||
|
|
||||||
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
||||||
|
|||||||
@ -179,8 +179,7 @@ The most common values:
|
|||||||
| 28 | Enc-tkt-in-skey | No information. |
|
| 28 | Enc-tkt-in-skey | No information. |
|
||||||
| 29 | Unused | - |
|
| 29 | Unused | - |
|
||||||
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
|
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
|
||||||
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. <span id="kerberos-encryption-types" /> |
|
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. |
|
||||||
| ## Table 4. Kerberos encryption types | | |
|
|
||||||
|
|
||||||
- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS.
|
- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS.
|
||||||
|
|
||||||
@ -252,7 +251,7 @@ The table below contains the list of the most common error codes for this event:
|
|||||||
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
|
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
|
||||||
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
|
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
|
||||||
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
|
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
|
||||||
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes hanven't propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
|
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes haven't propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
|
||||||
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
|
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
|
||||||
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
|
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
|
||||||
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
|
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user