mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into rm-storeuploader-7297297
This commit is contained in:
Meghan Stewart
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Understanding ADMX policies
|
||||
description: In Windows 10, you can use ADMX policies for Windows 10 mobile device management (MDM) across Windows 10 devices.
|
||||
description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
|
||||
ms.author: vinpa
|
||||
ms.topic: article
|
||||
ms.prod: windows-client
|
||||
@ -237,7 +237,7 @@ Below is the internal OS mapping of a Group Policy to an MDM area and name. This
|
||||
|
||||
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]/<area>/<policy>`
|
||||
|
||||
The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii)
|
||||
The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii).
|
||||
|
||||
**Snippet of manifest for AppVirtualization area:**
|
||||
|
||||
|
||||
@ -1,15 +1,15 @@
|
||||
---
|
||||
title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
|
||||
title: Add or remove pinned apps on the Start menu in Windows 11
|
||||
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
|
||||
manager: aaroncz
|
||||
author: lizgt2000
|
||||
ms.author: lizlong
|
||||
ms.reviewer: ericpapa
|
||||
ms.prod: windows-client
|
||||
author: lizgt2000
|
||||
ms.localizationpriority: medium
|
||||
ms.collection: highpri
|
||||
ms.technology: itpro-configure
|
||||
ms.date: 12/31/2017
|
||||
ms.date: 01/10/2023
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
@ -31,9 +31,11 @@ This article shows you how to export an existing Start menu layout, and use the
|
||||
|
||||
## Before you begin
|
||||
|
||||
- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout.
|
||||
- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. When a user signs in or Explorer restarts, Windows reapplies the MDM policy. This action restores the specified layout and doesn't retain any user changes.
|
||||
|
||||
- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
|
||||
To prevent users from making any changes to the Start menu layout, see the [NoChangeStartMenu](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-nochangestartmenu) policy.
|
||||
|
||||
- It's recommended to use a mobile device management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. You can use Microsoft Intune. Intune is a family of products that include Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
|
||||
|
||||
In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
|
||||
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 42 KiB After Width: | Height: | Size: 60 KiB |
@ -31,7 +31,7 @@ For a device to be eligible for Windows feature updates as a part of Windows Aut
|
||||
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
|
||||
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
|
||||
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
|
||||
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
|
||||
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). |
|
||||
|
||||
## Windows feature update releases
|
||||
|
||||
@ -101,6 +101,6 @@ Windows Autopatch doesn't support the rollback of feature updates.
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
|
||||
If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
|
||||
|
||||
If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md).
|
||||
|
||||
@ -12,7 +12,7 @@ manager: dougeby
|
||||
msreviewer: hathind
|
||||
---
|
||||
|
||||
# Windows quality update communications
|
||||
# Windows quality and feature update communications
|
||||
|
||||
There are three categories of communication that are sent out during a Windows quality and feature update:
|
||||
|
||||
@ -29,8 +29,8 @@ Communications are posted to Message center, Service health dashboard, and the W
|
||||
| Communication | Location | Timing | Description |
|
||||
| ----- | ----- | ----- | ----- |
|
||||
| Release schedule | <ul><li>Message center</li><li>Messages blade</li><li>Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><ul> | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
|
||||
| Release start | Same as release schedule | The second Tuesday of every month | Notification that the update is now being released into your environment. |
|
||||
| Release summary | Same as release schedule | The fourth Tuesday of every month | Informs you of the percentage of eligible devices that were patched during the release. |
|
||||
| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
|
||||
| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
|
||||
|
||||
## Communications during release
|
||||
|
||||
|
||||
@ -73,7 +73,7 @@ For each [deployment ring](windows-autopatch-update-management.md#windows-autopa
|
||||
|
||||
Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
|
||||
|
||||
When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update as quickly.
|
||||
When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
|
||||
|
||||
| Release type | Group | Deferral | Deadline | Grace period |
|
||||
| ----- | ----- | ----- | ----- | ----- |
|
||||
@ -84,7 +84,7 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
|
||||
|
||||
Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
|
||||
|
||||
By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Microsoft Managed Desktop-enrolled devices using Microsoft Intune.
|
||||
By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune.
|
||||
|
||||
**To turn off service-driven expedited quality updates:**
|
||||
|
||||
@ -116,8 +116,8 @@ There are two statuses associated with paused quality updates, **Service Paused*
|
||||
|
||||
| Status | Description |
|
||||
| ----- | ------ |
|
||||
| Service Paused | If the Microsoft Managed Desktop service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
|
||||
| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Microsoft Managed Desktop service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
|
||||
| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
|
||||
| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
|
||||
|
||||
## Incidents and outages
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@ If there's a scenario that is critical to your business, which isn't monitored b
|
||||
|
||||
Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
|
||||
|
||||
| Text | Text |
|
||||
| Pre-release signal | Description |
|
||||
| ----- | ----- |
|
||||
| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. |
|
||||
| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
|
||||
@ -50,12 +50,12 @@ Autopatch monitors the following reliability signals:
|
||||
|
||||
| Device reliability signal | Description |
|
||||
| ----- | ----- |
|
||||
| Blue screens | These events are highly disruptive to end users so are closely watched. |
|
||||
| Blue screens | These events are highly disruptive to end users. These events are closely monitored. |
|
||||
| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
|
||||
| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
|
||||
| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
|
||||
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
|
||||
|
||||
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch is able to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
|
||||
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
|
||||
|
||||
Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment.
|
||||
|
||||
@ -88,7 +88,7 @@ sections:
|
||||
- Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.
|
||||
- question: What does Windows Autopatch do to ensure updates are done successfully?
|
||||
answer: |
|
||||
For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
|
||||
For Windows quality and feature updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
|
||||
- question: What happens if there's an issue with an update?
|
||||
answer: |
|
||||
Autopatch relies on the following capabilities to help resolve update issues:
|
||||
|
||||
@ -79,7 +79,7 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func
|
||||
| Account name | Usage | Mitigating controls |
|
||||
| ----- | ----- | -----|
|
||||
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions. The account performs operations only through the service.</li></ul> | Audited sign-ins |
|
||||
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer’s tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
|
||||
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer’s tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li></ul> |
|
||||
| MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
|
||||
|
||||
## Microsoft Windows Update for Business
|
||||
|
||||
Reference in New Issue
Block a user