diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index ec40469278..80e253c59f 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -16,6 +16,7 @@ ms.collection: highpri **Applies to:** +- Windows 11 - Windows 10 Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. @@ -196,6 +197,9 @@ Requirements: - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + + - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) 2. Install the package on the Domain Controller. @@ -216,6 +220,10 @@ Requirements: - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** + + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** + + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index af27a5c840..135a23932a 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -76,6 +76,7 @@ This table shows the correct sequence for applying the various tasks to the file |Add Features on Demand | | | 20 | |Add Safe OS Dynamic Update | 6 | | | |Add Setup Dynamic Update | | | | 26 +|Add setup.exe from WinPE | | | | 27 |Add latest cumulative update | | 15 | 21 | |Clean up the image | 7 | 16 | 22 | |Add Optional Components | | | 23 | @@ -188,7 +189,7 @@ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Pa # # update Windows Recovery Environment (WinRE) # -Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null @@ -299,7 +300,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. ```powershell # @@ -312,7 +313,7 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE - Write-Output "$(Get-TS): Mounting WinPE" + Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update (Step 9 from the table) @@ -415,6 +416,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder + if ($IMAGE.ImageIndex -eq "2") { + Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null + } + # Dismount Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null @@ -496,7 +502,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop # Copy our updated recovery image from earlier into the main OS # Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file # into each edition to enable single instancing -Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null # Perform image cleanup Write-Output "$(Get-TS): Performing image cleanup on main OS" @@ -526,7 +532,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc ### Update remaining media files -This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests. +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE. ```powershell # @@ -536,6 +542,10 @@ This part of the script updates the Setup files. It simply copies the individual # Add Setup DU by copy the files from the package into the newMedia Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null + +# Copy setup.exe from boot.wim, saved earlier. +Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null + ``` ### Finish up diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 5bc21c33d2..718c174a5f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -50,10 +50,12 @@ - name: Windows quality updates href: operate/windows-autopatch-wqu-overview.md items: - - name: Windows quality end user experience + - name: Windows quality update end user experience href: operate/windows-autopatch-wqu-end-user-exp.md - name: Windows quality update signals href: operate/windows-autopatch-wqu-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-wqu-communications.md - name: Windows quality update reports href: operate/windows-autopatch-wqu-reports-overview.md items: @@ -70,10 +72,8 @@ - name: Windows feature updates href: operate/windows-autopatch-fu-overview.md items: - - name: Windows feature end user experience + - name: Windows feature update end user experience href: operate/windows-autopatch-fu-end-user-exp.md - - name: Windows quality and feature update communications - href: operate/windows-autopatch-wqu-communications.md - name: Microsoft 365 Apps for enterprise href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - name: Microsoft Edge diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 47e7d10902..2a1201f79a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -111,12 +111,18 @@ A role defines the set of permissions granted to users assigned to that role. Yo - Azure AD Global Administrator - Intune Service Administrator -- Modern Workplace Intune Administrator For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). -> [!NOTE] -> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles. +If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: + +| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | +| ----- | ----- | ----- | ----- | ----- | ----- | +| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | +| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | + +> [!TIP] +> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.

For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).

## Details about the device registration process diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index dec4bcff3a..65e90a8a96 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md @@ -29,11 +29,11 @@ In this section we'll review what an end user would see in the following three s ### Typical update experience -In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: +In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: -1. Restart immediately to install the updates -1. Schedule the installation, or -1. Snooze (the device will attempt to install outside of active hours.) +1. Restart immediately to install the updates. +2. Schedule the installation. +3. Snooze (the device will attempt to install outside of active hours). In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. @@ -51,7 +51,16 @@ The deadline specified in the update policy is five days. Therefore, once this d In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on. -Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. +The grace period to install the update and restart depends on the deployment ring the device is assigned to: + +| Deployment ring | Grace period (in days) | +| ----- | ----- | +| Test | Zero days | +| First | Two days | +| Fast | Two days | +| Broad | Two days | + +The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification. :::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index ef3dba90f8..64f6442d2d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 07/11/2022 +ms.date: 02/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,98 +9,90 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- # Windows feature updates -## Service level objective +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates: -Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. +- Keep Windows devices protected against behavioral issues. +- Provide new features to boost end-user productivity. -## Device eligibility +Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. -For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria: +## Enforcing a minimum Windows OS version -| Criteria | Description | -| ----- | ----- | -| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. | -| Intune sync | Devices must have checked with Intune within the last five days. | -| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | -| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | -| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | -| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. -## Windows feature update releases +The policies: -When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout. +- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. +- Set a bare minimum Windows OS version required by the service once devices are registered with the service. -The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend. +If a device is registered with Windows Autopatch, and the device is: -| Ring | Timeline | -| ----- | ----- | -| Test | Release start | -| First | Release start + 30 days | -| Fast | Release start + 60 days | -| Broad | Release start + 90 days | +- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria. +- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device. -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: +## Windows feature update policy configuration -## New devices to Windows Autopatch +If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal: -If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria. +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM | -If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device. - -## Feature update configuration - -When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring: - -- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows. -- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates. - -| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | -| ----- | ----- | ----- | ----- | ----- | -| Test | 20H2 | 0 | 5 | 0 | -| First | 20H2 | 0 | 5 | 2 | -| Fast | 20H2 | 0 | 5 | 2 | -| Broad | 20H2 | 0 | 5 | 2 | +> [!IMPORTANT] +> If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). > [!NOTE] -> Customers are not able to select a target version for their tenant. +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings: