Merge branch 'main' into aljupudi-6010065-cspWindowsSErowaddition
commit
55ebbe202d
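--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -0,0 +1,64 @@
+- name: Windows Autopatch
+href: index.yml
+items:
+- name: Overview
+href:
+items:
+- name: What is Windows Autopatch?
+href: overview/windows-autopatch-overview.md
+- name: FAQ
+href: overview/windows-autopatch-faq.md
+- name: Prepare
+href: prepare/index.md
+items:
+- name: Prerequisites
+href: prepare/windows-autopatch-prerequisites.md
+- name: Configure your network
+href: prepare/windows-autopatch-configure-network.md
+- name: Enroll your tenant
+href: prepare/windows-autopatch-enroll-tenant.md
+- name: Fix issues found by the Readiness assessment tool
+href: prepare/windows-autopatch-fix-issues.md
+- name: Deploy
+href: deploy/index.md
+items:
+- name: Add and verify admin contacts
+href: deploy/windows-autopatch-admin-contacts.md
+- name: Register your devices
+href: deploy/windows-autopatch-register-devices.md
+- name: Operate
+href: operate/index.md
+items:
+- name: Update management
+href: operate/windows-autopatch-update-management.md
+items:
+- name: Windows quality updates
+href: operate/windows-autopatch-wqu-overview.md
+items:
+- name: Windows quality end user experience
+href: operate/windows-autopatch-wqu-end-user-exp.md
+- name: Windows quality update signals
+href: operate/windows-autopatch-wqu-signals.md
+- name: Windows quality update communications
+href: operate/windows-autopatch-wqu-communications.md
+- name: Conflicting and unsupported policies
+href: operate/windows-autopatch-wqu-unsupported-policies.md
+- name: Microsoft 365 Apps for enterprise
+href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
+- name: Microsoft Edge
+href: operate/windows-autopatch-edge.md
+- name: Microsoft Teams
+href: operate/windows-autopatch-teams.md
+- name: Deregister a devices
+href: operate/windows-autopatch-deregister-devices.md
+- name: Submit a support request
+href: operate/windows-autopatch-support-request.md
+- name: Reference
+href:
+items:
+- name: Privacy
+href: references/windows-autopatch-privacy.md
+- name: Windows Autopatch preview addendum
+href: references/windows-autopatch-preview-addendum.md
+
+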
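--- a/windows/deployment/windows-autopatch/deploy/index.md
+++ b/windows/deployment/windows-autopatch/deploy/index.md
@@ -0,0 +1,20 @@
+---
+title: Deploying with Windows Autopatch
+description: Landing page for the deploy section
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Deploying with Windows Autopatch
+
+The following articles describe the steps you must take to deploy your devices with Windows Autopatch:
+
+1. [Add and verify admin contacts](windows-autopatch-admin-contacts.md)
+1. [Register devices](windows-autopatch-register-devices.md)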
@ -0,0 +1,44 @@
|
||||
---
|
||||
title: Add and verify admin contacts
|
||||
description: This article explains how to add and verify admin contacts
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Add and verify admin contacts
|
||||
|
||||
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the enrollment process. If so, take a moment now to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs.
|
||||
|
||||
You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Whoever you choose as admin contacts, they must have the knowledge and authority to make decisions for your Windows Autopatch environment. The Windows Autopatch Service Engineering Team will contact these admin contacts for questions involving support requests.
|
||||
|
||||
## Area of focus
|
||||
|
||||
Your admin contacts will receive notifications about support request updates and new messages. These areas include the following:
|
||||
|
||||
| Area of focus | Description |
|
||||
| ----- | ----- |
|
||||
| Devices | <uL><li>Device registration</li><li>Device health</li></ul> |
|
||||
| Updates | <ul><li>Windows quality updates</li><li>Microsoft 365 Apps for enterprise</li><li>Microsoft Teams updates</li><li>Microsoft Edge</li></ul> |
|
||||
|
||||
**To add admin contacts:**
|
||||
|
||||
1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
|
||||
1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**.
|
||||
1. Select **+Add**.
|
||||
1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications.
|
||||
1. Select an [Area of focus](#area-of-focus) and enter details of the contact's knowledge and authority in the specified area of focus.
|
||||
1. Select **Save** to add the contact.
|
||||
1. Repeat for each area of focus.
|
@ -0,0 +1,94 @@
|
||||
---
|
||||
title: Register your devices
|
||||
description: This article details how to register devices in Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Register your devices
|
||||
|
||||
Before Microsoft can manage your devices in Windows Autopatch, you must have devices registered with the service.
|
||||
|
||||
## Before you begin
|
||||
|
||||
Windows Autopatch to take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by Windows Autopatch. Windows Autopatch update management scope includes:
|
||||
|
||||
- [Windows quality updates](../operate/windows-autopatch-wqu-overview.md)
|
||||
- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
|
||||
- [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
|
||||
- [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
|
||||
|
||||
You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by adding other Azure Active Directory (Azure AD) dynamic groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
|
||||
|
||||
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- Supported Windows OS Enterprise edition version.
|
||||
- Either hybrid or Azure AD joined (personal devices aren't supported).
|
||||
- Managed by Microsoft Endpoint Manager (either Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management).
|
||||
- Microsoft Endpoint Manager-Configuration Manager Co-management workloads (Windows Updates policies, Device configuration and Office Click-to-run) must be set to Pilot Intune or Intune.
|
||||
- Last Intune device check-in completed within the last 28 days.
|
||||
|
||||
For more information about each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
|
||||
|
||||
## About Devices Ready and Not Ready tabs
|
||||
|
||||
Windows Autopatch introduces a new user interface to help IT admins manage devices and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
|
||||
|
||||
| Tab | Purpose |
|
||||
| ----- | ----- |
|
||||
| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met device health requirements. |
|
||||
| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the device readiness checks. This tab is intended to help customers identify and remediate devices that don't meet device readiness checks.<p><p>Devices successfully registered and healthy don't show up in the Not ready tab. |
|
||||
|
||||
## Built-in roles required for device registration
|
||||
|
||||
A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
|
||||
|
||||
- Global Administrator
|
||||
- Intune Service Administrator
|
||||
- Modern Workplace Intune Administrator
|
||||
|
||||
> [!NOTE]
|
||||
> The Modern Workplace Intune Admin role is a custom created role in Windows Autopatch. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
|
||||
|
||||
## Steps to register devices
|
||||
|
||||
**To register devices into Windows Autopatch:**
|
||||
|
||||
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
2. Select **Windows Autopatch** from the left navigation menu.
|
||||
3. Select **Devices**.
|
||||
4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
|
||||
5. Add either devices through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
|
||||
|
||||
Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them.
|
||||
|
||||
## Other device lifecycle management scenarios
|
||||
|
||||
There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
|
||||
|
||||
### Device refresh
|
||||
|
||||
If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Endpoint Manager to reimage the device.
|
||||
|
||||
The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same.
|
||||
|
||||
### Device repair and hardware replacement
|
||||
|
||||
If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, non-removable network interface cards (NIC) or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as:
|
||||
|
||||
- SMBIOS UUID (motherboard)
|
||||
- MAC address (non-removable NICs)
|
||||
- OS hard drive's serial, model, manufacturer information
|
||||
|
||||
When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
|
||||
|
||||
Any device that needs to be registered into the Windows Autopatch service must be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device record ID. Windows Autopatch scans the Azure AD group to discover the new device and brings it in to be registered.
|
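--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -0,0 +1,39 @@
+### YamlMime:Landing
+
+title: Windows Autopatch documentation # < 60 chars
+summary: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # < 160 chars
+
+metadata:
+title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars.
+keywords: device, app, update, management
+ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM.
+ms.topic: landing-page # Required
+author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
+ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
+ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
+ms.custom: intro-hub-or-landing
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+# Card (optional)
+- title: About Windows Autopatch
+linkLists:
+- linkListType: overview
+links:
+- text: What is Windows Autopatch?
+url: ./overview/windows-autopatch-overview.md
+- text: Windows Autopatch FAQ
+url: ./overview/windows-autopatch-faq.md
+
+# Card (optional)
+- title: Articles and blog posts
+linkLists:
+- linkListType: learn
+links:
+- text: "[Blog] Get current and stay current with Windows Autopatch"
+url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839
+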
Binary file not shown.
After Width: | Height: | Size: 52 KiB |
Binary file not shown.
After Width: | Height: | Size: 42 KiB |
Binary file not shown.
After Width: | Height: | Size: 258 KiB |
Binary file not shown.
After Width: | Height: | Size: 259 KiB |
Binary file not shown.
After Width: | Height: | Size: 216 KiB |
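--- a/windows/deployment/windows-autopatch/operate/index.md
+++ b/windows/deployment/windows-autopatch/operate/index.md
@@ -0,0 +1,25 @@
+---
+title: Operating with Windows Autopatch
+description: Landing page for the operate section
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Operating with Windows Autopatch
+
+This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team:
+
+- [Update management](windows-autopatch-update-management.md)
+- [Windows quality updates](windows-autopatch-wqu-overview.md)
+- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md)
+- [Microsoft Edge updates](windows-autopatch-edge.md)
+- [Microsoft Teams updates](windows-autopatch-teams.md)
+- [Deregister devices](windows-autopatch-deregister-devices.md)
+- [Submit a support request](windows-autopatch-support-request.md)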
@ -0,0 +1,43 @@
|
||||
---
|
||||
title: Deregister a device
|
||||
description: This article explains how to deregister devices
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Deregister a device
|
||||
|
||||
To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device de-registration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
|
||||
|
||||
**To deregister a device:**
|
||||
|
||||
1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
|
||||
1. Select **Windows Autopatch** in the left navigation menu.
|
||||
1. Select **Devices**.
|
||||
1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
|
||||
1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
|
||||
|
||||
## Excluded devices
|
||||
|
||||
When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded". Windows Autopatch doesn't try to re-register the device into the service again, because the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups.
|
||||
|
||||
If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices.
|
||||
|
||||
## Hiding unregistered devices
|
||||
|
||||
You can hide unregistered devices you don't expect to be remediated anytime soon.
|
||||
|
||||
**To hide unregistered devices:**
|
||||
|
||||
1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
|
||||
1. Select **Windows Autopatch** in the left navigation menu.
|
||||
1. Select **Devices**.
|
||||
1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
|
||||
1. Unselect the **Registration failed** status checkbox from the list.
|
@ -0,0 +1,42 @@
|
||||
---
|
||||
title: Microsoft Edge
|
||||
description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Microsoft Edge
|
||||
|
||||
Windows Autopatch uses the [Stable channel](/deployedge/microsoft-edge-channels%22%20/l%20%22stable-channel) of Microsoft Edge.
|
||||
|
||||
## Device eligibility
|
||||
|
||||
For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria:
|
||||
|
||||
- The device must be powered on and have an internet connection.
|
||||
- There are no policy conflicts between Windows Autopatch policies and customer policies.
|
||||
- The device must be able to access the required network endpoints to reach the Microsoft Edge update service.
|
||||
- If Microsoft Edge is open, it must restart for the update process to complete.
|
||||
|
||||
## Update release schedule
|
||||
|
||||
Microsoft Edge will check for updates every 10 hours. Quality updates occur weekly by default. Feature updates occur automatically every four weeks and are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers. All users will see the update within a few days of the initial release.
|
||||
|
||||
Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities.
|
||||
|
||||
Devices in the Test device group receive feature updates from the [Beta channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
|
||||
|
||||
## Pausing and resuming updates
|
||||
|
||||
Currently, Windows Autopatch can't pause or resume Microsoft Edge updates.
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md).
|
@ -0,0 +1,108 @@
|
||||
---
|
||||
title: Microsoft 365 Apps for enterprise
|
||||
description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Microsoft 365 Apps for enterprise
|
||||
|
||||
## Service level objective
|
||||
|
||||
Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps) (Access, Excel, OneNote, Outlook, PowerPoint, and Word). Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
|
||||
|
||||
> [!NOTE]
|
||||
> [Microsoft Teams](../operate/windows-autopatch-teams.md) uses a different update channel from the rest of Microsoft 365 Apps.
|
||||
|
||||
## Device eligibility
|
||||
|
||||
For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a part of Windows Autopatch, they must meet the following criteria:
|
||||
|
||||
- Microsoft 365 Apps for enterprise 64-bit must be installed.
|
||||
- There are no policy conflicts between Microsoft Autopatch policies and customer policies.
|
||||
- The device must have checked into the Intune service in the last five days.
|
||||
|
||||
## Update release schedule
|
||||
|
||||
All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
|
||||
|
||||
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
|
||||
|
||||
## Update rings
|
||||
|
||||
Since the Office CDN determines when devices are offered updates, Windows Autopatch doesn't use rings to control the rollout of these updates.
|
||||
|
||||
## End user experience
|
||||
|
||||
There are two parts of the end user experience that are configured by Windows Autopatch:
|
||||
|
||||
- Behavior during updates
|
||||
- Office client
|
||||
|
||||
### Behavior during updates
|
||||
|
||||
Updates can only be applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days.
|
||||
|
||||
Once the device has downloaded the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them that updates are ready to be applied.
|
||||
|
||||
*Updates ready to be applied
|
||||
Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.*
|
||||
|
||||
Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears.
|
||||
|
||||
If the deadline arrives and the updates still aren't applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.
|
||||
|
||||
This warning gives users 15 minutes to save and close any work. When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied.
|
||||
|
||||
### Office client app configuration
|
||||
|
||||
To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates.
|
||||
|
||||
## Update controls
|
||||
|
||||
If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version.
|
||||
|
||||
Windows Autopatch will either:
|
||||
|
||||
- Choose to stay on the previous version for rings that haven't received the update yet.
|
||||
- Force all devices to roll back to the previous version.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version.
|
||||
|
||||
Since Windows quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
|
||||
|
||||
## Conflicting and unsupported policies
|
||||
|
||||
Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
|
||||
|
||||
### Update policies
|
||||
|
||||
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
|
||||
|
||||
| Update setting | Value | Usage reason |
|
||||
| ----- | ----- | ----- |
|
||||
| Set updates to occur automatically | Enabled | Enable automatic updates |
|
||||
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
|
||||
| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
|
||||
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
|
||||
| Set a deadline by when updates must be applied | 3 | Update deadline |
|
||||
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
|
||||
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
|
||||
|
||||
## Microsoft 365 Apps servicing profiles
|
||||
|
||||
A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the above requirements regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
|
||||
|
||||
If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md).
|
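--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -0,0 +1,71 @@
+---
+title: Submit a support request
+description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Submit a support request
+
+> [!IMPORTANT]
+> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
+
+You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+
+## Submit a new support request
+
+Support requests are triaged and responded to as they're received.
+
+**To submit a new support request:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
+1. In the **Windows Autopatch** section, select **Service requests**.
+1. In the **Service requests** section, select **+ New support request**.
+1. Enter your question(s) and/or a description of the problem.
+1. Review all the information you provided for accuracy.
+1. When you're ready, select **Create**.
+
+## Manage an active support request
+
+The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests.
+
+## View all your active support requests
+
+You can see the summary status of all your support requests. At any time, you can use the portal to see all active support requests in the last six months.
+
+**To view all your active support requests:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. In the **Windows Autopatch** section, select **Service request**.
+1. From this view, you can export the summary view or select any case to view the details.
+
+## Edit support request details
+
+You can edit support request details, for example, updating the primary case contact.
+
+**To edit support request details:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. In the **Windows Autopatch** section, select **Service request**.
+1. In the **Service requests** section, use the search bar or filters to find the case you want to edit.
+1. Select the case to open the request's details.
+1. Scroll to the bottom of the request details and select **Edit**.
+1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team.
+1. Select **Save**.
+
+Once a support request is mitigated, it can no longer be edited. If a request has been mitigated for less than 24 hours, you'll see the option to reactivate instead of edit. Once reactivated, you can again edit the request.
+
+## Microsoft FastTrack
+
+[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.md). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1).
+
+Customers who need help with Microsoft 365 workloads can sign in to https://fasttrack.microsoft.com/ with a valid Azure ID and submit a Request for Assistance.
+
+Contact your Microsoft account team if you need additional assistance.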
|
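--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -0,0 +1,53 @@
+---
+title: Microsoft Teams
+description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft Teams
+
+Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams.
+
+## Device eligibility
+
+For a device to be eligible for automated Teams updates as a part of Windows Autopatch they must meet the following criteria:
+
+- Microsoft Teams must be installed on the device.
+- The user must be signed into both the device and Teams.
+- The device must be able to access the Teams update service [network endpoints](../prepare/windows-autopatch-configure-network.md).
+- Once the update is downloaded, the user must be logged in with the device in an idle state for at least 40 minutes to ensure that Teams can automatically update.
+
+## Update release schedule
+
+The Teams desktop client updates are released once a month for all users, and twice a month for members of the Technology Adoption Program (TAP).
+
+Updates undergo vigorous internal testing and are first released to members of TAP for validation. The update usually takes place on a Monday. If a critical update is needed, Teams will bypass this schedule and release the update as soon as it's available.
+
+## End user experience
+
+Teams will check for updates every few hours behind the scenes, download the updates, and then will wait for the computer to be idle for at least 40 minutes before automatically installing the update.
+
+When an update is available, the following are required to be able to download the update:
+
+- The user must be signed into both the device and Teams.
+- The device must have an internet connection.
+- The device must be able to access the required network endpoints to reach the Teams update service.
+
+> [!NOTE]
+> If a user is on a version of Teams that is out of date, Teams will force the user to update prior to allowing them to use the application.
+
+## Pausing and resuming updates
+
+Windows Autopatch can't pause or resume Teams updates.
+
+## Incidents and outages
+
+If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md).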
|
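--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -0,0 +1,69 @@
+---
+title: Update management
+description: This article provides an overview of how updates are handled in Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: overview
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Update management
+
+Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates.
+
+## Update types
+
+| Update type | Description |
+| ----- | ----- |
+| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
+| Anti-virus definition | Updated with each scan. |
+| Microsoft 365 Apps for enterprise | For more information, see Microsoft 365 Apps for enterprise. |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
+
+## Update rings
+
+> [!NOTE]
+> Update rings only apply to Windows quality updates.
+
+During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings:
+
+1. Modern Workplace Devices - Test
+2. Modern Workplace Devices - First
+3. Modern Workplace Devices - Fast
+4. Modern Workplace Devices - Broad
+
+Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area.
+
+When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release.
+
+> [!NOTE]
+> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch.
+
+| Ring | Default device count | Description
+| ----- | ----- | ----- |
+| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows: <br><ul><li>0–500 devices: minimum one device</li><li>500–5000 devices: minimum five devices</li><li>5000+ devices: min 50 devices</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
+| First | 1% | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.</p)> |
+| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
+| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.|
+
+## Moving devices between rings
+
+If you want to move separate devices to different rings, repeat the following steps for each device:
+
+1. In Microsoft Endpoint Manager, select **Devices** in the left pane.
+2. In the **Windows Autopatch** section, select **Devices**.
+3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify.
+4. Select **Device actions** from the menu.
+5. Select **Assign device to ring**. A fly-in opens.
+6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**.
+
+When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment.
+
+> [!NOTE]
+> You can't move devices to other rings if they're in the "error" or "pending" registration state.<p>If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).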
|
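--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
@@ -0,0 +1,45 @@
+---
+title: Windows quality update communications
+description: This article explains Windows quality update communications
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows quality update communications
+
+There are three categories of communication that are sent out during a Windows quality update:
+
+- [Standard communications](#standard-communications)
+- [Communications during release](#communications-during-release)
+- [Incident communications](#incident-communications)
+
+Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication.
+
+:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline":::
+
+## Standard communications
+
+| Communication | Location | Timing | Description |
+| ----- | ----- | ----- | ----- |
+| Release schedule | <ul><li>Message center</li><li>Messages blade</li><li>Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><ul> | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
+| Release start | Same as release schedule | The second Tuesday of every month | Notification that the update is now being released into your environment. |
+| Release summary | Same as release schedule | The fourth Tuesday of every month | Informs you of the percentage of eligible devices that were patched during the release. |
+
+## Communications during release
+
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the Microsoft Endpoint Manager portal shortly after Autopatch becomes aware of the new information.
+
+There are some circumstances where Autopatch will need to change the release schedule based on new information.
+
+For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information.
+
+## Incident communications
+
+Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.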
|
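--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -0,0 +1,76 @@
+---
+title: End user experience
+description: This article explains the Windows quality update end user experience
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# End user experience
+
+Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
+
+## User notifications
+
+In this section we'll review what an end user would see in the following three scenarios:
+
+1. Typical update experience
+2. Quality update deadline forces an update
+3. Quality update grace period
+
+### Typical update experience
+
+The Windows 10 quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
+
+Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either:
+
+- Restart immediately to install the updates
+- Schedule the installation, or
+- Snooze (the device will attempt to install outside of [active hours](#servicing-window).
+
+In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
+
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience":::
+
+### Quality update deadline forces an update
+
+In the following example, the user:
+
+- Ignores the notification and selects snooze.
+- Further notifications are received, which the user ignores.
+- The device is unable to install the updates outside of active hours.
+
+The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
+
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update":::
+
+### Quality update grace period
+
+In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on.
+
+Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
+
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period":::
+
+## Servicing window
+
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
+
+| Policy | Description |
+| ----- | ----- |
+| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
+| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
+
+> [!IMPORTANT]
+> Both policies must be deployed for them to work as expected.
+
+A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
+
+> [!IMPORTANT]
+> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule, and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:<ul><li>[Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)</li><li>[Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)</li><li>[Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)</li><li>[Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)</li><li>[Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)</li><li>[Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)</li><li>[Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)</li></ul>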
|
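--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -0,0 +1,76 @@
+---
+title: Windows quality updates
+description: This article explains how Windows quality updates are managed in Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows quality updates
+
+## Service level objective
+
+Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release.
+
+## Device eligibility
+
+For a device to be eligible for Windows quality updates as a part of Windows Autopatch they must meet the following criteria:
+
+| Criteria | Description |
+| ----- | ----- |
+| Activity | Devices must have at least six hours of usage, with at least two hours being continuous. |
+| Intune sync | Devices must have checked with Intune within the last five days. |
+| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
+| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
+| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
+| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
+| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
+
+## Windows quality update releases
+
+Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
+
+| Policy | Description |
+| ----- | ----- |
+| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
+
+> [!IMPORTANT]
+> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
+
+Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings).
+
+:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline":::
+
+## Expedited releases
+
+Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
+
+When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update as quickly.
+
+| Release type | Group | Deferral | Deadline | Grace period |
+| ----- | ----- | ----- | ----- | ----- |
+| Standard release | Test<p>First<p>Fast<p>Broad | 0<p>1<p>6<p>9 | 0<p>2<p>2<p>5 | 0<p>2<p>2<p>2 |
+| Expedited release | All devices | 0 | 1 | 1 |
+
+> [!NOTE]
+> Windows Autopatch doesn't allow customers to request expedited releases.
+
+## Pausing and resuming a release
+
+If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
+
+If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
+
+> [!NOTE]
+> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview.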
|
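--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
@@ -0,0 +1,61 @@
+---
+title: Windows quality update signals
+description: This article explains the Windows quality update signals
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows quality update signals
+
+Windows Autopatch monitors a specific set of signals and aims to release quality updates both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
+
+If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
+
+## Pre-release signals
+
+Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
+
+| Text | Text |
+| ----- | ----- |
+| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. |
+| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
+| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. |
+
+## Early signals
+
+The update is released to the Test ring on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several new Microsoft internal signals that have become available to the service that are monitored throughout the release.
+
+| Device reliability signal | Description | Microsoft will |
+| ----- | ----- | ----- |
+| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. | <ul><li>Consider expediting the release</li><li>Update customers with a risk profile</li></ul>
+| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. | <ul><li>Determine if a customer advisory is necessary</li><li>Pause the release if there's significant user impact</li></ul> |
+| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary |
+
+## Device reliability signals
+
+Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
+
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version.
+
+As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
+
+Autopatch monitors the following reliability signals:
+
+| Device reliability signal | Description |
+| ----- | ----- |
+| Blue screens | These events are highly disruptive to end users so are closely watched. |
+| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
+| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. |
+| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
+| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
+
+When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch is able to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
+
+Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment.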
|
@ -0,0 +1,39 @@
|
||||
---
|
||||
title: Conflicting and unsupported policies
|
||||
description: This article explains the conflicting and unsupported policies in Windows quality updates
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Conflicting and unsupported policies
|
||||
|
||||
Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
|
||||
|
||||
## Update policies
|
||||
|
||||
Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management.
|
||||
|
||||
| Allowed policy | Policy CSP | Description |
|
||||
| ----- | ----- | ----- |
|
||||
| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices won't reboot.<p><p>Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
|
||||
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.<p><p>Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
|
||||
| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.<p><p>This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
|
||||
|
||||
## Group policy
|
||||
|
||||
Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:
|
||||
|
||||
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
|
||||
|
||||
If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md).
|
@ -0,0 +1,65 @@
|
||||
---
|
||||
title: FAQ
|
||||
description: This article answers frequently asked questions about Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: troubleshooting
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# FAQ
|
||||
|
||||
## General
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What Windows versions are supported? | Windows Autopatch works with all [supported versions of Windows 10 and Windows 11 Enterprise edition](/windows/release-health/supported-versions-windows-client). |
|
||||
| What is the difference between Windows Updates for Business and Windows Autopatch? | Windows Autopatch is a service that removes the need for organizations to plan and operate the update process.<p> Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3. |
|
||||
| Is Windows 365 for Enterprise supported with Windows Autopatch? | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.|
|
||||
| Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? | Autopatch isn't available for 'A' or 'F' series licensing. |
|
||||
| Will Windows Autopatch support local domain join Windows 10? | Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). |
|
||||
| Will Windows Autopatch be available for state and local government customers? | Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. |
|
||||
|
||||
## Requirements
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What are the prerequisites for Windows Autopatch? | <ul><li>[Supported Windows 10/11 Enterprise edition versions](/windows/release-health/supported-versions-windows-client)</li><li>[Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)</li><li>[Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)</li><li>[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)</li><li>[Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements)</li><li>[Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010)</li><li>[Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune)</li></ul> |
|
||||
| What are the licensing requirements for Windows Autopatch? |<ul><li>Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see More about licenses.</li><li>[Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management)</li><li>[Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management)</li></ul> |
|
||||
| Are there hardware requirements for Windows Autopatch? | No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/windows-11-specifications?r=1). Windows devices must be supported by your hardware OEM. |
|
||||
|
||||
## Device registration
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| Can Autopatch customers individually approve or deny devices? | No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported. |
|
||||
|
||||
## Update management
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What systems does Windows Autopatch update? |<ul><li>Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings.</li><li>Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.</li><li>Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.</li><li>Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.</li> |
|
||||
| What does Windows Autopatch do to ensure updates are done successfully? | For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression.<p><p>This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. |
|
||||
| What happens if there's an issue with an update? | Autopatch relies on the following capabilities to help resolve update issues. <ol><li>Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release).</li><li>Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls).</li></ol>|
|
||||
| Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? | For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. |
|
||||
| Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? | The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. |
|
||||
| Can you customize the scheduling of an update rollout to only install on certain days and times? | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. |
|
||||
| Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? | Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). |
|
||||
| Does Autopatch have two release cadences per update or are there two release cadences per-ring? | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. |
|
||||
|
||||
## Support
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| What support is available for customers who need help with onboarding to Windows Autopatch? | The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../operate/windows-autopatch-support-request.md#microsoft-fasttrack).<p><p>When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team. |
|
||||
|
||||
## Other
|
||||
|
||||
| Question | Answer |
|
||||
| ----- | ----- |
|
||||
| Are there Autopatch specific APIs or PowerShell scripts available? | Programmatic access to Autopatch isn't currently available. |
|
@ -0,0 +1,91 @@
|
||||
---
|
||||
title: What is Windows Autopatch? (preview)
|
||||
description: Details what the service is and shortcuts to articles
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# What is Windows Autopatch? (preview)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch).
|
||||
|
||||
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
|
||||
|
||||
## Unique to Windows Autopatch
|
||||
|
||||
Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today:
|
||||
|
||||
- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices.
|
||||
- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration.
|
||||
- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value.
|
||||
- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.
|
||||
- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started.
|
||||
- **Minimize end user disruption**: By releasing in sequential update rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
|
||||
|
||||
Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks.
|
||||
|
||||
## Update management
|
||||
|
||||
The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, Windows Autopatch takes on several areas of management:
|
||||
|
||||
| Management area | Service level objective |
|
||||
| ----- | ----- |
|
||||
| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
|
||||
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
|
||||
| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
|
||||
| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
|
||||
|
||||
For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
|
||||
|
||||
To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance.
|
||||
|
||||
While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
|
||||
|
||||
## Messages
|
||||
|
||||
To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, navigate to [Microsoft 365 admin center > Message center](https://admin.microsoft.com/adminportal/home#/MessageCenter).
|
||||
|
||||
## Accessibility
|
||||
|
||||
Microsoft remains committed to the security of your data and the [accessibility](https://www.microsoft.com/trust-center/compliance/accessibility) of our services. For more information, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center) and the [Office Accessibility Center](https://support.office.com/article/ecab0fcf-d143-4fe8-a2ff-6cd596bddc6d).
|
||||
|
||||
## Need more details?
|
||||
|
||||
### Prepare
|
||||
|
||||
The following articles describe the mandatory steps to prepare for enrollment, including:
|
||||
|
||||
- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
|
||||
- [Configure your network](../prepare/windows-autopatch-configure-network.md)
|
||||
- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md)
|
||||
- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
|
||||
|
||||
### Deploy
|
||||
|
||||
Once you're ready to enroll, this section includes the following articles:
|
||||
|
||||
- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
|
||||
- [Register your devices](../deploy/windows-autopatch-register-devices.md)
|
||||
|
||||
### Operate
|
||||
|
||||
This section includes the following information about your day-to-day life with the service:
|
||||
|
||||
- [Update management](../operate/windows-autopatch-update-management.md)
|
||||
- [Submit a support request](../operate/windows-autopatch-support-request.md)
|
||||
- [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
|
||||
|
||||
### References
|
||||
|
||||
This section includes the following articles:
|
||||
|
||||
- [Privacy](../references/windows-autopatch-privacy.md)
|
||||
- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
|
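--- a/windows/deployment/windows-autopatch/prepare/index.md
+++ b/windows/deployment/windows-autopatch/prepare/index.md
@@ -0,0 +1,22 @@
+---
+title: Preparing for Windows Autopatch
+description: Landing page for the prepare section
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Preparing for Windows Autopatch
+
+The following articles describe the steps you must take to onboard with Windows Autopatch:
+
+1. [Review the prerequisites](windows-autopatch-prerequisites.md)
+1. [Configure your network](windows-autopatch-configure-network.md)
+1. [Enroll your tenant](windows-autopatch-enroll-tenant.md)
+1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md)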
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: Configure your network
|
||||
description: This article details the network configurations needed for Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Configure your network
|
||||
|
||||
## Proxy configuration
|
||||
|
||||
Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service.
|
||||
|
||||
You can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements.
|
||||
|
||||
## Proxy requirements
|
||||
|
||||
The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection.
|
||||
|
||||
### Required Windows Autopatch endpoints for proxy and firewall rules
|
||||
|
||||
The following URLs must be on the allowed list of your proxy and firewall so that Windows Autopatch devices can communicate with Microsoft services.
|
||||
|
||||
The Windows Autopatch URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network.
|
||||
|
||||
| Microsoft service | URLs required on allowlist |
|
||||
| ----- | ----- |
|
||||
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li></ul>|
|
||||
|
||||
### Required Microsoft product endpoints
|
||||
|
||||
There are URLs from several Microsoft products that must be in the allowed list so that Windows Autopatch devices can communicate with those Microsoft services. Use the links to see the complete list for each product.
|
||||
|
||||
| Microsoft service | URLs required on Allowlist |
|
||||
| ----- | ----- |
|
||||
| Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)<p><p>[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)</p><p>[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)</p><p>[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)</p>|
|
||||
| Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) |
|
||||
| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
|
||||
| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p>
|
||||
| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) |
|
||||
| Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
|
||||
| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p)
|
@ -0,0 +1,108 @@
|
||||
---
|
||||
title: Enroll your tenant
|
||||
description: This article details how to enroll your tenant
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Enroll your tenant
|
||||
|
||||
Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time.
|
||||
|
||||
The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch.
|
||||
|
||||
## Step 1: Review all prerequisites
|
||||
|
||||
To start using the Windows Autopatch service, ensure you meet the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md).
|
||||
|
||||
## Step 2: Run the Readiness assessment tool
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
|
||||
|
||||
The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
|
||||
|
||||
**To access and run the Readiness assessment tool:**
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must be a Global Administrator to enroll your tenant.
|
||||
|
||||
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md).
|
||||
|
||||
A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies).
|
||||
|
||||
The Readiness assessment tool checks the following settings:
|
||||
|
||||
### Microsoft Intune settings
|
||||
|
||||
The following are the Microsoft Intune settings:
|
||||
|
||||
| Check | Description |
|
||||
| ----- | ----- |
|
||||
| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. |
|
||||
| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. |
|
||||
|
||||
### Azure Active Directory settings
|
||||
|
||||
The following are the Azure Active Directory settings:
|
||||
|
||||
| Check | Description |
|
||||
| ----- | ----- |
|
||||
| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.<p><p>Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
|
||||
| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. |
|
||||
| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. |
|
||||
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
|
||||
For each check, the tool will report one of four possible results:
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Ready | No action is required before completing enrollment. |
|
||||
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
|
||||
| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
|
||||
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
|
||||
|
||||
### Seeing issues with your tenant?
|
||||
|
||||
If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate.
|
||||
|
||||
### Delete data collected from the Readiness assessment tool
|
||||
|
||||
Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
|
||||
|
||||
**To delete the data we collect:**
|
||||
|
||||
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
2. Navigate to Windows Autopatch > **Tenant enrollment**.
|
||||
3. Select **Delete all data**.
|
||||
|
||||
## Step 3: Enroll your tenant
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must be a Global Administrator to enroll your tenant.
|
||||
|
||||
Once the Readiness assessment tool provides you with a "Ready" result, you're ready to enroll!
|
||||
|
||||
**To enroll your tenant:**
|
||||
|
||||
Within the Readiness assessment tool, you'll now see the **Enroll** button. By selecting **Enroll**, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following:
|
||||
|
||||
- Consent workflow to manage your tenant.
|
||||
- Provide Windows Autopatch with IT admin contacts.
|
||||
- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.
|
||||
|
||||
Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
|
@ -0,0 +1,85 @@
|
||||
---
|
||||
title: Fix issues found by the Readiness assessment tool
|
||||
description: This article details how to fix issues found by the Readiness assessment tool
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Fix issues found by the Readiness assessment tool
|
||||
|
||||
For each check, the tool will report one of four possible results:
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Ready | No action is required before completing enrollment. |
|
||||
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
|
||||
| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
|
||||
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
|
||||
|
||||
> [!NOTE]
|
||||
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
|
||||
|
||||
## Microsoft Intune settings
|
||||
|
||||
You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
|
||||
### Unlicensed admins
|
||||
|
||||
This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.<p><p>For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
|
||||
|
||||
### Windows 10 update rings
|
||||
|
||||
Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.<p><p>After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p>|
|
||||
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.<p>This advisory appears after enrolling into Autopatch. Check the following:<ol><li>Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li><li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
|
||||
|
||||
## Azure Active Directory settings
|
||||
|
||||
You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
|
||||
|
||||
### Conditional access policies
|
||||
|
||||
Conditional access policies must not prevent Windows Autopatch from connecting to your Intune tenant.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.<p><p>During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.<p><p>For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.</p> |
|
||||
| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:<br><ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul> |
|
||||
|
||||
### Licenses
|
||||
|
||||
Windows Autopatch requires the following licenses:
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, Microsoft Intune and Windows 10/11 Enterprise are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
|
||||
### Windows Autopatch service accounts
|
||||
|
||||
Certain account names could conflict with account names created by Windows Autopatch.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk. |
|
||||
|
||||
### Security defaults
|
||||
|
||||
Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |
|
@ -0,0 +1,49 @@
|
||||
---
|
||||
title: Prerequisites
|
||||
description: This article details the prerequisites needed for Windows Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: conceptual
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Prerequisites
|
||||
|
||||
Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch.
|
||||
|
||||
| Area | Prerequisite details |
|
||||
| ----- | ----- |
|
||||
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
|
||||
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
|
||||
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
|
||||
| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li></ul><p>For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
|
||||
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
|
||||
|
||||
## More about licenses
|
||||
|
||||
Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch:
|
||||
|
||||
- Windows 10/11 Enterprise E3
|
||||
- Windows 10/11 Enterprise E5
|
||||
- Microsoft 365 E3
|
||||
- Microsoft 365 E5
|
||||
|
||||
The following Windows 64-bit editions are required for Windows Autopatch:
|
||||
|
||||
- Windows 10/11 Enterprise
|
||||
|
||||
## Co-management requirements
|
||||
|
||||
Windows Autopatch fully supports co-management. The following co-management requirements apply:
|
||||
|
||||
- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
|
||||
- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview).
|
||||
- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths).
|
||||
- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
|
||||
- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
|
||||
- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
|
@ -0,0 +1,33 @@
|
||||
---
|
||||
title: Windows Autopatch Preview Addendum
|
||||
description: This article explains the Autopatch preview addendum
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: reference
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Windows Autopatch Preview Addendum
|
||||
|
||||
**This Windows Autopatch - Preview Addendum ("Addendum") to the Microsoft Product Terms** (as provided at: <https://www.microsoft.com/licensing/terms> (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
|
||||
|
||||
## Background
|
||||
|
||||
Microsoft desires to preview the Windows Autopatch service it is developing ("**Windows Autopatch Preview**") in order to evaluate it. Customer would like to particulate this Windows Autopatch Preview under the terms of the Product Terms and this Addendum. Windows Autopatch Preview consists of features and services that are in preview, beta, or other pre-release form. Windows Autopatch Preview is subject to the "preview" terms set forth in the Online Service sections of Product Terms.
|
||||
|
||||
For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
|
||||
|
||||
## Agreement
|
||||
|
||||
### Definitions
|
||||
|
||||
Capitalized terms used but not defined herein have the meanings given in the Product Terms.
|
||||
|
||||
### Data Handling
|
||||
|
||||
Windows Autopatch Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Windows Autopatch Preview, only the Product Terms and [DPA provisions)](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Windows Autopatch Preview apply to that data.
|
@ -0,0 +1,120 @@
|
||||
---
|
||||
title: Privacy
|
||||
description: This article provides details about the data platform and privacy compliance for Autopatch
|
||||
ms.date: 05/30/2022
|
||||
ms.prod: w11
|
||||
ms.technology: windows
|
||||
ms.topic: reference
|
||||
ms.localizationpriority: medium
|
||||
author: tiaraquan
|
||||
ms.author: tiaraquan
|
||||
manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Privacy
|
||||
|
||||
Windows Autopatch is a cloud service for enterprise customers designed to keep employees' Windows devices updated. This article provides details about data platform and privacy compliance for Windows Autopatch.
|
||||
|
||||
## Windows Autopatch data sources and purpose
|
||||
|
||||
Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources.
|
||||
|
||||
The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities:
|
||||
|
||||
| Data source | Purpose |
|
||||
| ------ | ------ |
|
||||
| [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
|
||||
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
|
||||
| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
|
||||
| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
|
||||
| [Microsoft 365 Apps for enterprise](/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps. |
|
||||
|
||||
## Windows Autopatch data process and storage
|
||||
|
||||
Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers.
|
||||
|
||||
To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
|
||||
|
||||
Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data.
|
||||
|
||||
## Windows Autopatch data storage and staff location
|
||||
|
||||
Windows Autopatch stores its data in the Azure data centers in the United States.
|
||||
|
||||
Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
|
||||
|
||||
Windows Autopatch Service Engineering Team is in the United States, India and Romania.
|
||||
|
||||
## Microsoft Windows 10/11 diagnostic data
|
||||
|
||||
Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements.
|
||||
|
||||
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
|
||||
|
||||
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
|
||||
|
||||
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
|
||||
|
||||
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
|
||||
|
||||
## Microsoft Windows Update for Business
|
||||
|
||||
Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
|
||||
|
||||
## Microsft Azure Active Directory
|
||||
|
||||
Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
|
||||
|
||||
## Microsoft Intune
|
||||
|
||||
Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect)
|
||||
|
||||
For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data.
|
||||
|
||||
## Microsoft 365 Apps for enterprise
|
||||
|
||||
Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect).
|
||||
|
||||
## Major data change notification
|
||||
|
||||
Windows Autopatch follows a change control process as outlined in our service communication framework.
|
||||
|
||||
We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service.
|
||||
|
||||
Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.
|
||||
|
||||
## Data subject requests
|
||||
|
||||
Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data.
|
||||
|
||||
These rights include:
|
||||
|
||||
- Obtaining copies of personal data
|
||||
- Requesting corrections to it
|
||||
- Restricting the processing of it
|
||||
- Deleting it
|
||||
- Receiving it in an electronic format so it can be moved to another controller
|
||||
|
||||
For more general information about Data Subject Requests (DSRs), see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests).
|
||||
|
||||
To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests:
|
||||
|
||||
| Data subject requests | Description |
|
||||
| ------ | ------ |
|
||||
| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin). <br><br> Provide the following information: <ul><li>Request type: Change request</li><li>Category: Security</li><li>Subcategory: Other</li><li>Description: Provide the relevant device names or user names.</li></ul> |
|
||||
|
||||
For DSRs from other products related to the service, see the following articles:
|
||||
|
||||
- [Windows diagnostic data](/compliance/regulatory/gdpr-dsr-windows)
|
||||
- [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune)
|
||||
- [Azure Active Directory data](/compliance/regulatory/gdpr-dsr-azure)
|
||||
|
||||
## Legal
|
||||
|
||||
The following is Microsoft's privacy notice to end users of products provided by organizational customers.
|
||||
|
||||
The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign into Microsoft products with a work account:
|
||||
|
||||
1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
|
||||
2. Microsoft may collect and process the data to provide the service to the organization and end users.
|
@ -1,44 +0,0 @@
|
||||
{
|
||||
"build": {
|
||||
"content":
|
||||
[
|
||||
{
|
||||
"files": ["**/**.md", "**/**.yml"],
|
||||
"exclude": ["**/obj/**"]
|
||||
}
|
||||
],
|
||||
"resource": [
|
||||
{
|
||||
"files": ["**/images/**", "**/*.pdf", "**/*.bmp"],
|
||||
"exclude": ["**/obj/**"]
|
||||
}
|
||||
],
|
||||
"globalMetadata": {
|
||||
"recommendations": true,
|
||||
"ROBOTS": "INDEX, FOLLOW",
|
||||
"audience": "ITPro",
|
||||
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
|
||||
"uhfHeaderId": "MSDocsHeader-M365-IT",
|
||||
"_op_documentIdPathDepotMapping": {
|
||||
"./": {
|
||||
"depot_name": "Win.windows"
|
||||
}
|
||||
},
|
||||
"contributors_to_exclude": [
|
||||
"rjagiewich",
|
||||
"traya1",
|
||||
"rmca14",
|
||||
"claydetels19",
|
||||
"Kellylorenebaker",
|
||||
"jborsecnik",
|
||||
"tiburd",
|
||||
"garycentric"
|
||||
]
|
||||
},
|
||||
"externalReference": [
|
||||
],
|
||||
"template": "op.html",
|
||||
"dest": "windows",
|
||||
"markdownEngineName": "dfm"
|
||||
}
|
||||
}
|
@ -133,6 +133,9 @@ conceptualContent:
|
||||
- url: /windows/deployment/update/prepare-deploy-windows
|
||||
itemType: deploy
|
||||
text: Prepare to deploy Windows client
|
||||
- url: /windows/deployment/windows-autopatch
|
||||
itemType: deploy
|
||||
text: Windows Autopatch
|
||||
|
||||
# Card
|
||||
- title: App management
|
||||
|