From 7cb561f7370c18d40afabd4a69e18cfb4e509533 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 15 Dec 2022 11:11:12 -0800 Subject: [PATCH 01/43] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 83136ce4d4..dfb300e76e 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -311,7 +311,7 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE - Write-Output "$(Get-TS): Mounting WinPE" + Write-Output "$(Get-TS): Mounting WinPE, image index $($IMAGE.ImageIndex)" Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update (Step 9 from the table) From 408aee9deac6246589df2b57f53280948eb5ee8c Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 15 Dec 2022 14:08:12 -0800 Subject: [PATCH 02/43] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index dfb300e76e..3b21084493 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -414,6 +414,11 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null + # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder + if ($IMAGE.ImageIndex -eq "2") { + Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -Recurse -ErrorAction stop | Out-Null + } + # Dismount Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null From 4d0fbfdb6018cc791a3ddaa7ba87d1ac6728a2cf Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Thu, 15 Dec 2022 14:18:35 -0800 Subject: [PATCH 03/43] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 3b21084493..568f0cc29b 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -75,6 +75,7 @@ This table shows the correct sequence for applying the various tasks to the file |Add Features on Demand | | | 20 | |Add Safe OS Dynamic Update | 6 | | | |Add Setup Dynamic Update | | | | 26 +|Add setup.exe from WinPE | | | | 27 |Add latest cumulative update | | 15 | 21 | |Clean up the image | 7 | 16 | 22 | |Add Optional Components | | | 23 | 
@@ -298,7 +299,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the main OS \sources version. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. ```powershell # 
@@ -530,7 +531,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc ### Update remaining media files -This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests. +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE. ```powershell # @@ -540,6 +541,10 @@ This part of the script updates the Setup files. It simply copies the individual # Add Setup DU by copy the files from the package into the newMedia Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null + +# Copy setup.exe from boot.wim, saved earlier. +Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -Recurse -ErrorAction stop | Out-Null + ``` ### Finish up From 573b2d396ff0ce450f25b49df2f25379063cf28b Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 23 Jan 2023 10:18:56 -0800 Subject: [PATCH 04/43] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 568f0cc29b..396231cde1 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -188,7 +188,7 @@ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Pa # # update Windows Recovery Environment (WinRE) # -Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null @@ -417,7 +417,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder if ($IMAGE.ImageIndex -eq "2") { - Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -Recurse -ErrorAction stop | Out-Null + Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null } # Dismount @@ -501,7 +501,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop # Copy our updated recovery image from earlier into the main OS # Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file # into each edition to enable single instancing -Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null # Perform image cleanup Write-Output "$(Get-TS): Performing image cleanup on main OS" 
@@ -543,7 +543,7 @@ Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null # Copy setup.exe from boot.wim, saved earlier. -Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null ``` From a82133a236e7a15af674686f2e55acca2f974672 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 23 Jan 2023 10:42:07 -0800 Subject: [PATCH 05/43] Update media-dynamic-update.md --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 396231cde1..12b895af40 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -299,7 +299,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the main OS \sources version. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. ```powershell # 
From 392d1298b911d754bf60b9645cf931c948e1df86 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 30 Jan 2023 23:48:13 +0530 Subject: [PATCH 06/43] added windows 11, windows 11 admx lik as per user #11296, i added windows 11 after verifying with GPO Also I added windows 10 October admx templates link and windows 11 September admx templates link --- ...ndows-10-device-automatically-using-group-policy.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index ec40469278..2208709b0c 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -16,6 +16,7 @@ ms.collection: highpri **Applies to:** +- Windows 11 - Windows 10 Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. @@ -196,6 +197,10 @@ Requirements: - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + + - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) + 2. Install the package on the Domain Controller. 
@@ -216,6 +221,11 @@ Requirements: - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** + + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** + + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** + 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. From 63de8d86692a88d1a8e59830fe6c171fac988f88 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:01:00 +0530 Subject: [PATCH 07/43] Update windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nroll-a-windows-10-device-automatically-using-group-policy.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 2208709b0c..6ea9c7848e 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -201,7 +201,6 @@ Requirements: - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: From 6e788ec8b4643f3adf712f73fbc74efcef445016 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:01:26 +0530 Subject: [PATCH 08/43] Update windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nroll-a-windows-10-device-automatically-using-group-policy.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 6ea9c7848e..80e253c59f 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -225,7 +225,6 @@ Requirements: - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - 4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. 5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. From bcd973f3a800cbf76556c36b1e060919b776125a Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 08:17:20 -0800 Subject: [PATCH 09/43] Changed Incidents and outages section again based on feedback. --- .../operate/windows-autopatch-update-management.md | 3 +-- .../operate/windows-autopatch-wqu-overview.md | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 81dd91dbd5..c250ba4502 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -58,7 +58,6 @@ The Windows Autopatch deployment ring calculation happens during the [device reg - If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. - If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | @@ -84,7 +83,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). -> [!WARNING] +> [!WARNING] > Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. ## Automated deployment ring remediation functions diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index 3b22965f8e..7fdb0ac0d9 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md 
@@ -119,6 +119,6 @@ There are two statuses associated with paused quality updates, **Service Paused* | Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. | | Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. | -## Incidents and outages +## Remediating Ineligible and/or Not up to Date devices -Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) and/or the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance. +To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance. From ef3cc5be8d77955b49b7556212c2ee6c9293f6ab Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 09:33:50 -0800 Subject: [PATCH 10/43] Windows feature update..updates. --- .../operate/windows-autopatch-fu-overview.md | 106 ++++++++---------- .../overview/windows-autopatch-faq.yml | 11 +- .../windows-autopatch-whats-new-2023.md | 3 +- 3 files changed, 53 insertions(+), 67 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index ef3dba90f8..146f1197cc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -14,93 +14,75 @@ msreviewer: hathind # Windows feature updates -## Service level objective +Microsoft provides robust modern device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and fundamental tasks by IT organizations because Windows feature updates provide: -Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. +- Fixes for security vulnerabilities and known bugs to keep Windows devices protected against advanced malicious attacks. +- New features to boost end-user productivity. -## Device eligibility +Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. -For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria: +Windows Autopatch feature update deployment provides: -| Criteria | Description | -| ----- | ----- | -| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. | -| Intune sync | Devices must have checked with Intune within the last five days. | -| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | -| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | -| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). 
| -| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | +- A customer-driven and efficient Windows feature update deployment approach for Windows OS target versions and deployment cadence. +- Proactive insights prior, during and after Windows Feature update deployments. +- Options to [pause or resume Windows](#pausing-and-resuming-a-release) feature updates on behalf of your organization. -## Windows feature update releases +## Enforcing a minimum Windows OS version -When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout. +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has a set of Windows feature update policies assigned to them. -The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend. 
+The policies: -| Ring | Timeline | -| ----- | ----- | -| Test | Release start | -| First | Release start + 30 days | -| Fast | Release start + 60 days | -| Broad | Release start + 90 days | +- Contain the minimum Windows OS version being currently serviced by the Windows servicing channels. The current minimum OS version is **Windows 10 20H2**. +- Set a bare minimum Windows OS version required by the service once devices are registered with the service. +- Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: +If a device is registered with Windows Autopatch, and the device is: -## New devices to Windows Autopatch +- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria. +- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device. -If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria. +## Windows feature update policy configuration -If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device. 
+If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal: -## Feature update configuration +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM | -When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring: +## Test Windows 11 feature updates -- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows. -- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates. +You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. 
There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: -| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | -| ----- | ----- | ----- | ----- | ----- | -| Test | 20H2 | 0 | 5 | 0 | -| First | 20H2 | 0 | 5 | 2 | -| Fast | 20H2 | 0 | 5 | 2 | -| Broad | 20H2 | 0 | 5 | 2 | +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | -> [!NOTE] -> Customers are not able to select a target version for their tenant. +## Manage Windows feature update deployments -During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline. +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and feature updates. -To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices. - -| Policy | Description | -| ----- | ----- | -| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. 
The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. | -| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | -| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. | - -> [!IMPORTANT] -> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management. - -## Windows 11 testing - -To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11. - -> [!IMPORTANT] -> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment. 
+Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. ## Pausing and resuming a release -You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +**To pause or resume a feature update:** + +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, select either **Pause** or **Resume**. ## Rollback -Windows Autopatch doesn't support the rollback of feature updates. +Windows Autopatch doesn’t support the rollback of Windows Feature updates. -## Incidents and outages +> [!CAUTION] +> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the feature update. -If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. +## Contact support -If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md). 
+If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e51bf1f82a..0c377a7e69 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -37,7 +37,7 @@ sections: Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? answer: | - Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. + Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch. - name: Requirements questions: - question: What are the prerequisites for Windows Autopatch? 
@@ -70,14 +70,14 @@ sections: No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? answer: | - Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + Cloud PC displays the model as the license type you've provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - - name: Update Management + - name: Update management questions: - question: What systems does Windows Autopatch update? answer: | 
@@ -94,9 +94,12 @@ sections: Autopatch relies on the following capabilities to help resolve update issues: - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls). + - question: Can I permanently pause a Windows feature update deployment? + answer: | + Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-fu-overview.md#pausing-and-resuming-a-release). - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? answer: | - For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. + For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. 
- question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? answer: | The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index cbc9b52878..966d0c3c43 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 01/09/2023 +ms.date: 01/31/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Windows feature update](../operate/windows-autopatch-fu-overview.md) | Updated Windows feature update information | | [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. | | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section | From b67711e8bcb251e1658a5b5df4da7f29b9bdc449 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 09:36:27 -0800 Subject: [PATCH 11/43] Tweak --- .../operate/windows-autopatch-fu-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 146f1197cc..0714448dcc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 07/11/2022 +ms.date: 01/31/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- # Windows feature updates From a2e02e31b7bd4cfe3b9eff3bad490efdf69e9520 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 31 Jan 2023 13:00:46 -0500 Subject: [PATCH 12/43] Fix AutoPilot to Autopilot Fix AutoPilot to Autopilot --- windows/whats-new/whats-new-windows-10-version-1809.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 776e3fd5fe..5e8d923106 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -68,7 +68,7 @@ This new functionality is an update to the [BitLocker CSP](/windows/client-manag This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE +#### Delivering BitLocker policy to Autopilot devices during OOBE You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. From a9f54bc9d0ba94d76fd336454b6b4b5314a33eac Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 31 Jan 2023 13:25:13 -0500 Subject: [PATCH 13/43] Update metadata & remove video Updated metadata and removed video that is no longer available --- .../whats-new/whats-new-windows-10-version-1809.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 5e8d923106..8fd4016b72 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -3,14 +3,14 @@ title: What's new in Windows 10, version 1809 ms.reviewer: description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. ms.prod: windows-client -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 01/31/2023 --- # What's new in Windows 10, version 1809 for IT Pros 
@@ -19,12 +19,14 @@ ms.date: 12/31/2017 In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. + + ## Deployment ### Windows Autopilot self-deploying mode From 2baba527e6457257065572e4321c5772700d4d63 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 Jan 2023 14:26:02 -0600 Subject: [PATCH 14/43] Last feature update change --- .../operate/windows-autopatch-fu-overview.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 0714448dcc..e891b1534d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -21,12 +21,6 @@ Microsoft provides robust modern device management (MDM) solutions such as Micro Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. -Windows Autopatch feature update deployment provides: - -- A customer-driven and efficient Windows feature update deployment approach for Windows OS target versions and deployment cadence. -- Proactive insights prior, during and after Windows Feature update deployments. -- Options to [pause or resume Windows](#pausing-and-resuming-a-release) feature updates on behalf of your organization. - ## Enforcing a minimum Windows OS version Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has a set of Windows feature update policies assigned to them. From 3c63370a4cb56eec34663be84827e9ec2e49b3d6 Mon Sep 17 00:00:00 2001 
From: Andre Della Monica Date: Tue, 31 Jan 2023 14:38:39 -0600 Subject: [PATCH 15/43] More changes --- .../operate/windows-autopatch-fu-overview.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index e891b1534d..e4120c6a27 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -69,6 +69,11 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 1. Select **Devices** from the left navigation menu. 1. Under the **Windows Autopatch** section, select **Release management**. 1. In the **Release management** blade, select either **Pause** or **Resume**. +2. Choose the type of update you would like to either Pause or Resume. +3. Choose a reason from the drop-down box. +4. When resuming an update you have an option to only resume one or more specific Windows Autopatch deployment rings. +4. Enter description text and click on **Okay**. + ## Rollback From 29504fb4dda83f9a6d0c197b5a2fad46d4ca7dc5 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 12:52:21 -0800 Subject: [PATCH 16/43] Update windows-autopatch-fu-overview.md Reworded/reviewed. --- .../operate/windows-autopatch-fu-overview.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index e4120c6a27..91ef84c244 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -66,14 +66,16 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym **To pause or resume a feature update:** 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** from the left navigation menu. -1. Under the **Windows Autopatch** section, select **Release management**. -1. In the **Release management** blade, select either **Pause** or **Resume**. -2. Choose the type of update you would like to either Pause or Resume. -3. Choose a reason from the drop-down box. -4. When resuming an update you have an option to only resume one or more specific Windows Autopatch deployment rings. -4. Enter description text and click on **Okay**. +2. Select **Devices** from the left navigation menu. +3. Under the **Windows Autopatch** section, select **Release management**. +4. In the **Release management** blade, select either: **Pause** or **Resume**. When resuming an update, you can select one or more deployment rings. +5. Select the update you would like to pause or resume. +6. Select a reason from the dropdown menu. +7. Optional. Enter details about why you're pausing or resuming the selected update. +8. Select **Okay**. +> [!CAUTION] +> Pausing an update can take up to eight hours to deploy to devices. ## Rollback From 4d99444eddb8411a27f24cf74e2211c4ba9a6c6f Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 12:52:58 -0800 Subject: [PATCH 17/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 91ef84c244..363ef7885c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -74,7 +74,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 7. Optional. Enter details about why you're pausing or resuming the selected update. 8. Select **Okay**. -> [!CAUTION] +> [!NOTE] > Pausing an update can take up to eight hours to deploy to devices. ## Rollback From 92d9bdcac54528ef72a9185c502a0b9586c3162a Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 12:54:36 -0800 Subject: [PATCH 18/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 363ef7885c..f6c6ada5d0 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -69,7 +69,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Release management**. 4. In the **Release management** blade, select either: **Pause** or **Resume**. When resuming an update, you can select one or more deployment rings. -5. Select the update you would like to pause or resume. +5. Select the update type you would like to pause or resume. 6. Select a reason from the dropdown menu. 7. Optional. Enter details about why you're pausing or resuming the selected update. 8. Select **Okay**. From ec0935731334a0d62a12b9588e56e77224e28ee7 Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 12:59:39 -0800 Subject: [PATCH 19/43] Update windows-autopatch-fu-overview.md --- .../operate/windows-autopatch-fu-overview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index f6c6ada5d0..b00aad6290 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -68,11 +68,12 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Release management**. -4. In the **Release management** blade, select either: **Pause** or **Resume**. When resuming an update, you can select one or more deployment rings. +4. In the **Release management** blade, select either: **Pause** or **Resume**. 5. Select the update type you would like to pause or resume. 6. Select a reason from the dropdown menu. 7. Optional. Enter details about why you're pausing or resuming the selected update. -8. Select **Okay**. +8. If you're resuming an update, you can select one or more deployment rings. +9. Select **Okay**. > [!NOTE] > Pausing an update can take up to eight hours to deploy to devices. From 694a05ba33e8186d88c406c90c5324540ea633df Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 14:41:28 -0800 Subject: [PATCH 20/43] Feature update tweak. --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 3 +++ .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index b00aad6290..0875a29339 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -47,6 +47,9 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol | Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM | | Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM | +> [!IMPORTANT] +> If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). + ## Test Windows 11 feature updates You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 966d0c3c43..265777e93b 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md 
@@ -25,7 +25,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | | [Windows feature update](../operate/windows-autopatch-fu-overview.md) | Updated Windows feature update information | -| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. | +| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment | | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section | ### January service release From af2b897a4d51f9feaaab6f7078d66896c609d9ec Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 Jan 2023 18:42:01 -0600 Subject: [PATCH 21/43] More changes --- .../operate/windows-autopatch-fu-overview.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 0875a29339..b46ae79d24 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 01/31/2023 +ms.date: 02/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
@@ -23,11 +23,11 @@ Windows Autopatch makes it easier and less expensive for you to keep your Window ## Enforcing a minimum Windows OS version -Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has a set of Windows feature update policies assigned to them. +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has its Windows feature update policy assigned to them. The policies: -- Contain the minimum Windows OS version being currently serviced by the Windows servicing channels. The current minimum OS version is **Windows 10 20H2**. +- Contain the minimum Windows 10 OS version being currently serviced by the [Windows servicing channels](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. - Set a bare minimum Windows OS version required by the service once devices are registered with the service. - Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. @@ -56,7 +56,7 @@ You can test Windows 11 deployments by adding devices either through direct memb | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | -| Windows Autopatch – DSS Policy [Test] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | ## Manage Windows feature update deployments 
@@ -78,8 +78,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 8. If you're resuming an update, you can select one or more deployment rings. 9. Select **Okay**. -> [!NOTE] -> Pausing an update can take up to eight hours to deploy to devices. +> [!TIP] +> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch leverages Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. + > See [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](https://learn.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details. ## Rollback From 0348c52803a345884d743a09fd52bf4363fd0349 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 Jan 2023 18:45:04 -0600 Subject: [PATCH 22/43] More changes --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index b46ae79d24..e901982064 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -27,7 +27,7 @@ Once devices are registered with Windows Autopatch, they’re assigned to deploy The policies: -- Contain the minimum Windows 10 OS version being currently serviced by the [Windows servicing channels](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. +- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. - Set a bare minimum Windows OS version required by the service once devices are registered with the service. - Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. From 1dc5d1f12440efa7056dea145d12a3ac40af1c64 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:10:32 -0800 Subject: [PATCH 23/43] Update windows-autopatch-fu-overview.md --- .../operate/windows-autopatch-fu-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index e901982064..a832ff3449 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -27,7 +27,7 @@ Once devices are registered with Windows Autopatch, they’re assigned to deploy The policies: -- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](https://learn.microsoft.com/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. +- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. - Set a bare minimum Windows OS version required by the service once devices are registered with the service. - Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. @@ -80,7 +80,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > [!TIP] > Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch leverages Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. - > See [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](https://learn.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details. + > See [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details. ## Rollback From f4d666a9e67a0ee5e6e745e5c4fc24fe213e0eb5 Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:15:06 -0800 Subject: [PATCH 24/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index a832ff3449..c18f523c0a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -79,8 +79,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 9. Select **Okay**. > [!TIP] -> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch leverages Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. - > See [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details. +> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch leverages Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details.

## Rollback From 4051d3c31325e8df597d2c66fc7599c3d529e4db Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 17:16:18 -0800 Subject: [PATCH 25/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index c18f523c0a..60d77714ac 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -79,7 +79,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 9. Select **Okay**. > [!TIP] -> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch leverages Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details.

+> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details.

## Rollback From 731ad4f526bca64a351a0ddb419367eaefc4f4ff Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 18:12:17 -0800 Subject: [PATCH 26/43] Tweak toc. --- windows/deployment/windows-autopatch/TOC.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 5bc21c33d2..c16dff950a 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -50,7 +50,7 @@ - name: Windows quality updates href: operate/windows-autopatch-wqu-overview.md items: - - name: Windows quality end user experience + - name: Windows quality update end user experience href: operate/windows-autopatch-wqu-end-user-exp.md - name: Windows quality update signals href: operate/windows-autopatch-wqu-signals.md @@ -70,7 +70,7 @@ - name: Windows feature updates href: operate/windows-autopatch-fu-overview.md items: - - name: Windows feature end user experience + - name: Windows feature update end user experience href: operate/windows-autopatch-fu-end-user-exp.md - name: Windows quality and feature update communications href: operate/windows-autopatch-wqu-communications.md From 7d2d674760474d734763f29676b183f1fcd28483 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 Jan 2023 20:20:49 -0600 Subject: [PATCH 27/43] Device registration updates --- .../deploy/windows-autopatch-register-devices.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 47e7d10902..ba4d431052 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -111,12 +111,19 @@ A role defines the set of permissions granted to users assigned to that role. Yo - Azure AD Global Administrator - Intune Service Administrator -- Modern Workplace Intune Administrator For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). -> [!NOTE] -> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles. +If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the tenant enrollment process: + +| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | +| ----- | ----- | ----- | ----- | ----- | ----- | +| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | +| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | + +> [!TIP] +> If adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's also recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group so these user accounts can add new devices as members of the group for registration purposes. +> See [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for more details. ## Details about the device registration process From eac2d1b8ed10f95284ba722b87ef6cfb32fac79e Mon Sep 17 00:00:00 2001 
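Review bot: in PATCH 27/43, the new table heads its first column "Role", but the sentence introducing it says the two rows are "Azure AD groups created during the tenant enrollment process", and the list just above it is the built-in roles list. Rename the column to "Azure AD group" so readers do not look for these names in the role picker. In the added TIP, the link text "assign an owner of member of a group in Azure AD" should read "owner or member", and the link uses an absolute `https://learn.microsoft.com/...` URL where the other links in this hunk are site-relative. Since the TIP recommends group ownership for less-privileged accounts, it would also help to state in that sentence exactly what ownership of **Windows Autopatch Device Registration** lets those accounts do.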
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:28:01 -0800 Subject: [PATCH 28/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 60d77714ac..1bfeaa20e7 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -79,7 +79,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 9. Select **Okay**. > [!TIP] -> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) for more details.

+> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

## Rollback From 941f432ea03876c520802837f272eb4a4fe00166 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:30:26 -0800 Subject: [PATCH 29/43] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ba4d431052..d79e596da9 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -114,7 +114,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). -If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the tenant enrollment process: +If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md)process: | Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | | ----- | ----- | ----- | ----- | ----- | ----- | 
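Review bot: the added line runs the new link straight into the following word: `(../prepare/windows-autopatch-enroll-tenant.md)process:` needs a space before "process" so the sentence renders as "tenant enrollment process:". Consider also whether the link should cover the whole phrase "tenant enrollment process" rather than stopping one word short.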
@@ -122,8 +122,7 @@ If you want to assign less-privileged user accounts to perform specific tasks in | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | > [!TIP] -> If adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's also recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group so these user accounts can add new devices as members of the group for registration purposes. -> See [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for more details. +> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.

For more information, see [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).

## Details about the device registration process From 4381235b338390d4fe8df16021ebf55a9e7536da Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:31:20 -0800 Subject: [PATCH 30/43] Update windows-autopatch-fu-overview.md --- .../windows-autopatch/operate/windows-autopatch-fu-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 1bfeaa20e7..451a64865c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -78,7 +78,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 8. If you're resuming an update, you can select one or more deployment rings. 9. Select **Okay**. -> [!TIP] +> [!NOTE] > Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

## Rollback From 44ef591d51c2e2ee825a26df57036a123abaef90 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:34:11 -0800 Subject: [PATCH 31/43] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index d79e596da9..28a153cbc5 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -122,7 +122,7 @@ If you want to assign less-privileged user accounts to perform specific tasks in | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | > [!TIP] -> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.

For more information, see [assign an owner of member of a group in Azure AD](https://learn.microsoft.com/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).

+> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.

For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).

## Details about the device registration process From af1b438a7376d5dccdaf01dd32ee977bc2a63b48 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 Jan 2023 19:35:37 -0800 Subject: [PATCH 32/43] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 28a153cbc5..2a1201f79a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -114,7 +114,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). -If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md)process: +If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: | Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | | ----- | ----- | ----- | ----- | ----- | ----- | From 1f6362411232fb947fcd1e2ed69587d7fe265d21 Mon Sep 17 00:00:00 2001 
From: tiaraquan Date: Wed, 1 Feb 2023 06:37:04 -0800 Subject: [PATCH 33/43] Updated with RBAC change --- .../whats-new/windows-autopatch-whats-new-2023.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 265777e93b..9bed5c29cd 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -18,6 +18,14 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## February 2023 + +### February feature releases or updates + +| Article | Description | +| ----- | ----- | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) |
  • Removed Modern Workplace Intune Administrator role from the Built-in roles required for registration section.
  • Added more information about assigning less-privileged user accounts
| + ## January 2023 ### January feature releases or updates From ac116e4791a59d16ad5f4ac0835f0bda26b330fe Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Wed, 1 Feb 2023 06:52:49 -0800 Subject: [PATCH 34/43] Update windows-autopatch-whats-new-2023.md --- .../whats-new/windows-autopatch-whats-new-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 9bed5c29cd..31b0c56041 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -24,7 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Register your devices](../deploy/windows-autopatch-register-devices.md) |
  • Removed Modern Workplace Intune Administrator role from the Built-in roles required for registration section.
  • Added more information about assigning less-privileged user accounts
| +| [Register your devices](../deploy/windows-autopatch-register-devices.md) |
  • Updated the Built-in roles required for registration section.
  • Added more information about assigning less-privileged user accounts
| ## January 2023 From 1b47600fc4509ab30b6a36db1c18e68901073b19 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 1 Feb 2023 09:22:50 -0800 Subject: [PATCH 35/43] Updated Changes made at tenant enrollment to reflect new Feature update policies. --- .../windows-autopatch-fu-end-user-exp.md | 8 ++++---- .../windows-autopatch-changes-to-tenant.md | 18 +++++++++--------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index dec4bcff3a..858f6b8c7a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md 
@@ -29,11 +29,11 @@ In this section we'll review what an end user would see in the following three s ### Typical update experience -In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: +In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either: -1. Restart immediately to install the updates -1. Schedule the installation, or -1. Snooze (the device will attempt to install outside of active hours.) +1. Restart immediately to install the updates. +2. Schedule the installation. +3. Snooze (the device will attempt to install outside of active hours). In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 3b6cc306de..5155521cf1 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md 
@@ -78,18 +78,18 @@ Windows Autopatch will create Azure Active Directory groups that are required to ## Feature update policies -- Modern Workplace DSS Policy [Test] -- Modern Workplace DSS Policy [First] -- Modern Workplace DSS Policy [Fast] -- Modern Workplace DSS Policy [Broad] -- Modern Workplace DSS Policy [Windows 11] +- Windows Autopatch - DSS Policy [Test] +- Windows Autopatch - DSS Policy [First] +- Windows Autopatch - DSS Policy [Fast] +- Windows Autopatch - DSS Policy [Broad] +- Windows Autopatch - DSS Policy [Windows 11] | Policy name | Policy description | Value | | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Test

Exclude from:
  • Modern Workplace - Windows 11 Pre-Release Test Devices
| -| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace - Windows 11 Pre-Release Test Devices
  • | -| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
    • Modern Workplace Devices-Windows Autopatch-Fast

    Exclude from:
    • Modern Workplace - Windows 11 Pre-Release Test Devices
    | -| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
    • Modern Workplace Devices-Windows Autopatch-Broad

    Exclude from:
    • Modern Workplace - Windows 11 Pre-Release Test Devices
    | +| Windows Autopatch - DSS Policy [Test] | DSS policy for Test device group | Assigned to:
    • Modern Workplace Devices-Windows Autopatch-Test

    Exclude from:
    • Modern Workplace - Windows 11 Pre-Release Test Devices
    | +| Windows Autopatch - DSS Policy [First] | DSS policy for First device group | Assigned to:
    • Modern Workplace Devices-Windows Autopatch-First
    • Modern Workplace - Windows 11 Pre-Release Test Devices
    • | +| Windows Autopatch - DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
      • Modern Workplace Devices-Windows Autopatch-Fast

      Exclude from:
      • Modern Workplace - Windows 11 Pre-Release Test Devices
      | +| Windows Autopatch - Policy [Broad] | DSS policy for Broad device group | Assigned to:
      • Modern Workplace Devices-Windows Autopatch-Broad

      Exclude from:
      • Modern Workplace - Windows 11 Pre-Release Test Devices
      | | Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
      • Modern Workplace - Windows 11 Pre-Release Test Devices
      | ## Microsoft Office update policies From c19495ec0e5ab87045eece70af0a6cbfbcbfa163 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 1 Feb 2023 09:26:40 -0800 Subject: [PATCH 36/43] Updated Whats new with new DSS policies --- .../whats-new/windows-autopatch-whats-new-2023.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 31b0c56041..5f09e58ac0 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | | [Register your devices](../deploy/windows-autopatch-register-devices.md) |
      • Updated the Built-in roles required for registration section.
      • Added more information about assigning less-privileged user accounts
      | ## January 2023 From dce7d54d3cd5d7ab17bb57071860b3cc57d03923 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 1 Feb 2023 11:32:51 -0800 Subject: [PATCH 37/43] Tweaks based on feedback --- windows/deployment/windows-autopatch/TOC.yml | 4 ++-- .../operate/windows-autopatch-fu-end-user-exp.md | 11 ++++++++++- .../operate/windows-autopatch-wqu-communications.md | 4 ++-- .../operate/windows-autopatch-wqu-signals.md | 2 +- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c16dff950a..718c174a5f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -54,6 +54,8 @@ href: operate/windows-autopatch-wqu-end-user-exp.md - name: Windows quality update signals href: operate/windows-autopatch-wqu-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-wqu-communications.md - name: Windows quality update reports href: operate/windows-autopatch-wqu-reports-overview.md items: @@ -72,8 +74,6 @@ items: - name: Windows feature update end user experience href: operate/windows-autopatch-fu-end-user-exp.md - - name: Windows quality and feature update communications - href: operate/windows-autopatch-wqu-communications.md - name: Microsoft 365 Apps for enterprise href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - name: Microsoft Edge diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index 858f6b8c7a..65e90a8a96 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md 
@@ -51,7 +51,16 @@ The deadline specified in the update policy is five days. Therefore, once this d In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on. -Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. +The grace period to install the update and restart depends on the deployment ring the device is assigned to: + +| Deployment ring | Grace period (in days) | +| ----- | ----- | +| Test | Zero days | +| First | Two days | +| Fast | Two days | +| Broad | Two days | + +The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification. :::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md index e0b5a5f133..2670ca8b39 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -1,5 +1,5 @@ --- -title: Windows quality and feature update communications +title: Windows quality update communications description: This article explains Windows quality update communications ms.date: 05/30/2022 ms.prod: windows-client 
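Review bot: in the front-matter hunk for windows-autopatch-wqu-communications.md, the `title:` line drops "and feature", but the article's opening sentence, visible as context in the next hunk, still reads "sent out during a Windows quality and feature update". Align that sentence with the new title in the same change, and update `ms.date: 05/30/2022`, which is left untouched although the scope of the page changes.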
@@ -12,7 +12,7 @@ manager: dougeby msreviewer: hathind --- -# Windows quality and feature update communications +# Windows quality update communications There are three categories of communication that are sent out during a Windows quality and feature update: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index b27a0d0447..c715c4e960 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -56,4 +56,4 @@ Autopatch monitors the following reliability signals: | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | -When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. +When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. From fa4d66cc729c873df724278c96e5a4925a2cf88b Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 1 Feb 2023 11:38:40 -0800 Subject: [PATCH 38/43] Tweak. --- .../operate/windows-autopatch-wqu-communications.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md index 2670ca8b39..9fc28bcbbb 100644 
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -20,7 +20,11 @@ There are three categories of communication that are sent out during a Windows q - [Communications during release](#communications-during-release) - [Incident communications](#incident-communications) -Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication. +Communications are posted to, as appropriate for the type of communication, to the: + +- Message center +- Service health dashboard +- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center :::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png"::: 
@@ -42,4 +46,4 @@ For example, new threat intelligence may require us to expedite a release, or we ## Incident communications -Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours. +Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours. From 90a492de59b80a276b30b4759bf67125efdf9224 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Wed, 1 Feb 2023 15:32:55 -0600 Subject: [PATCH 39/43] More updates --- .../operate/windows-autopatch-fu-overview.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 451a64865c..c29fcd0299 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -14,22 +14,21 @@ msreviewer: andredm7 # Windows feature updates -Microsoft provides robust modern device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and fundamental tasks by IT organizations because Windows feature updates provide: +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. -- Fixes for security vulnerabilities and known bugs to keep Windows devices protected against advanced malicious attacks. +- Fixes known bugs to keep Windows devices protected against behavioral issues. - New features to boost end-user productivity. Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. ## Enforcing a minimum Windows OS version -Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has its Windows feature update policy assigned to them. +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. 
The policies: - Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. - Set a bare minimum Windows OS version required by the service once devices are registered with the service. -- Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. If a device is registered with Windows Autopatch, and the device is: @@ -50,17 +49,23 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol > [!IMPORTANT] > If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). +> [!NOTE] +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

      **Modern Workplace DSS Policy [Test]**

      **Modern Workplace DSS Policy [First]**

      **Modern Workplace DSS Policy [Fast]**

      **Modern Workplace DSS Policy [Broad]**

      Since the new feature update policies setting the minimum Windows 10 OS version are in place, the policies above can be removed from your tenant.

      + ## Test Windows 11 feature updates -You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: +You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | | Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | +> [!IMPORTANT] +> Windows Autopatch neither applies its deployment ring distribution, nor configure [Windows Update for Business gradual rollout settings](https://learn.microsoft.com/mem/intune/protect/windows-update-rollout-options) in the Feature update policy **Modern Workplace DSS Policy [Windows 11]**.

      Once devices are added into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, they can all apply the Windows 11 22H2 feature update with no gradual rollout or deployment ring capabilities.

      + ## Manage Windows feature update deployments -Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and feature updates. +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality and feature updates](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. @@ -86,7 +91,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym Windows Autopatch doesn’t support the rollback of Windows Feature updates. > [!CAUTION] -> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the feature update. +> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update. ## Contact support From 0d5112966455ae88d50e37a42ff8ece18c3ae782 Mon Sep 17 00:00:00 2001 
From: Andre Della Monica Date: Wed, 1 Feb 2023 15:46:24 -0600 Subject: [PATCH 40/43] More updates --- .../operate/windows-autopatch-fu-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index c29fcd0299..12c9c732f1 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -50,7 +50,7 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol > If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). > [!NOTE] -> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

      **Modern Workplace DSS Policy [Test]**

      **Modern Workplace DSS Policy [First]**

      **Modern Workplace DSS Policy [Fast]**

      **Modern Workplace DSS Policy [Broad]**

      Since the new feature update policies setting the minimum Windows 10 OS version are in place, the policies above can be removed from your tenant.

      +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

      **Modern Workplace DSS Policy [Test]**

      **Modern Workplace DSS Policy [First]**

      **Modern Workplace DSS Policy [Fast]**

      **Modern Workplace DSS Policy [Broad]**

      Since the new feature update policies setting the minimum Windows 10 OS version are already in place, the policies above can be safely removed from your tenant.

      ## Test Windows 11 feature updates @@ -67,7 +67,7 @@ You can test Windows 11 deployments by adding devices either through direct memb Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality and feature updates](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). -Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. +Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. ## Pausing and resuming a release @@ -84,7 +84,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 9. Select **Okay**. > [!NOTE] -> Pausing an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

      For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

      +> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

      For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

      ## Rollback From 12f09b4ff04b32078eee6485480b9adf1ec3fa36 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Wed, 1 Feb 2023 14:03:50 -0800 Subject: [PATCH 41/43] Update windows-autopatch-fu-overview.md --- .../operate/windows-autopatch-fu-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 12c9c732f1..b8c1b604fe 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -50,7 +50,7 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol > If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). > [!NOTE] -> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

      **Modern Workplace DSS Policy [Test]**

      **Modern Workplace DSS Policy [First]**

      **Modern Workplace DSS Policy [Fast]**

      **Modern Workplace DSS Policy [Broad]**

      Since the new feature update policies setting the minimum Windows 10 OS version are already in place, the policies above can be safely removed from your tenant.

      +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:
      • **Modern Workplace DSS Policy [Test]**
      • **Modern Workplace DSS Policy [First]**
      • **Modern Workplace DSS Policy [Fast]**
      • **Modern Workplace DSS Policy [Broad]**
      • Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.

        ## Test Windows 11 feature updates @@ -61,11 +61,11 @@ You can test Windows 11 deployments by adding devices either through direct memb | Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | > [!IMPORTANT] -> Windows Autopatch neither applies its deployment ring distribution, nor configure [Windows Update for Business gradual rollout settings](https://learn.microsoft.com/mem/intune/protect/windows-update-rollout-options) in the Feature update policy **Modern Workplace DSS Policy [Windows 11]**.

        Once devices are added into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, they can all apply the Windows 11 22H2 feature update with no gradual rollout or deployment ring capabilities.

        +> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.

        Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.

        ## Manage Windows feature update deployments -Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality and feature updates](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. From fd3a80d1d5652335e0c8e3741fe2eb538dd192e1 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Wed, 1 Feb 2023 14:09:03 -0800 Subject: [PATCH 42/43] Update windows-autopatch-fu-overview.md --- .../operate/windows-autopatch-fu-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index b8c1b604fe..64f6442d2d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -14,10 +14,10 @@ msreviewer: andredm7 # Windows feature updates -Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates: -- Fixes known bugs to keep Windows devices protected against behavioral issues. -- New features to boost end-user productivity. +- Keep Windows devices protected against behavioral issues. +- Provide new features to boost end-user productivity. Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. From 88ca572ece1a27f46b1590e7dd81fcdff59dee41 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 1 Feb 2023 14:39:00 -0800 Subject: [PATCH 43/43] Tweak from Harman. --- .../prepare/windows-autopatch-fix-issues.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 8e9d0f1a63..776fb296c0 100644 
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -45,13 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in | ----- | ----- | | Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

        For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | -### Deployment rings for Windows 10 or later +### Windows 10 and later update rings -Your "Windows 10 deployment ring" policy in Intune must not target any Windows Autopatch devices. +Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices. | Result | Meaning | | ----- | ----- | -| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

        To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both.

        To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

        For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | | Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.

        You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).

        | ## Azure Active Directory settings