mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
Merge branch 'main' into sheshachary-6270627
This commit is contained in:
Shesh
GitHub
@ -263,7 +263,7 @@
|
||||
href: update/update-compliance-schema-waasupdatestatus.md
|
||||
- name: WaaSInsiderStatus
|
||||
href: update/update-compliance-schema-waasinsiderstatus.md
|
||||
- name: WaaSDepoymentStatus
|
||||
- name: WaaSDeploymentStatus
|
||||
href: update/update-compliance-schema-waasdeploymentstatus.md
|
||||
- name: WUDOStatus
|
||||
href: update/update-compliance-schema-wudostatus.md
|
||||
|
||||
@ -50,10 +50,10 @@ sections:
|
||||
- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
|
||||
- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
|
||||
- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
|
||||
- [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
|
||||
- [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
|
||||
- [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
|
||||
- [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
|
||||
- [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html)
|
||||
- [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
|
||||
- [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
|
||||
- [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
|
||||
|
||||
- question: |
|
||||
Where can I find out if an application or device is compatible with Windows 10?
|
||||
@ -125,7 +125,7 @@ sections:
|
||||
answer: |
|
||||
For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
|
||||
|
||||
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
|
||||
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
|
||||
|
||||
To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
|
||||
|
||||
@ -152,4 +152,3 @@ sections:
|
||||
- If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
|
||||
- If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
|
||||
- If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
|
||||
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
|
||||
|
||||
@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on
|
||||
|**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
|
||||
|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. |
|
||||
|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. |
|
||||
|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Canceled**: The update was canceled.<li> **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.|
|
||||
|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:<br><li> **Update completed**: Device has completed the update installation.<li> **In Progress**: Device is in one of the various stages of installing an update, detailed in `DetailedStatus`.<li> **Deferred**: A device's deferral policy is preventing the update from being offered by Windows Update.<li> **Canceled**: The update was canceled.<li> **Blocked**: There's a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update.<li> **Unknown**: Update Compliance generated WaaSDeploymentStatus records for devices as soon as it detects an update newer than the one installed on the device. Devices that haven't sent any deployment data for that update will have the status `Unknown`.<li> **Update paused**: Devices are paused via Windows Update for Business Pause policies, preventing the update from being offered by Windows Update. <li> **Failed**: Device encountered a failure in the update process, preventing it from installing the update. This may result in an automatic retry in the case of Windows Update, unless the `DeploymentError` indicates the issue requires action before the update can continue.<li> **Progress stalled**: The update is in progress, but has not completed over a period of 7 days.|
|
||||
|**DetailedStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Reboot required` |A detailed status for the installation of this update on this device. Possible values are:<br><li> **Not Started**: Update hasn't started because the device isn't targeting the latest 2 builds<li> **Update deferred**: When a device's Windows Update for Business policy dictates the update is deferred.<li> **Update paused**: The device's Windows Update for Business policy dictates the update is paused from being offered.<li> **Update offered**: The device has been offered the update, but hasn't begun downloading it.<li> **Pre-Download tasks passed**: The device has finished all necessary tasks prior to downloading the update.<li> **Compatibility hold**: The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and won't resume the update until the hold has been cleared. For more information, see [Feature Update Status report](update-compliance-feature-update-status.md#safeguard-holds).<li> **Download started**: The update has begun downloading on the device.<li> **Download Succeeded**: The update has successfully completed downloading. <li> **Pre-Install Tasks Passed**: Tasks that must be completed prior to installing the update have been completed.<li> **Install Started**: Installation of the update has begun.<li> **Reboot Required**: The device has finished installing the update, and a reboot is required before the update can be completed.<li> **Reboot Pending**: The device has a scheduled reboot to apply the update.<li> **Reboot Initiated**: The scheduled reboot has been initiated.<li> **Commit**: Changes are being committed post-reboot. This is another step of the installation process.<li> **Update Completed**: The update has successfully installed.|
|
||||
|**ExpectedInstallDate** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/28/2020, 1:00:01.318 PM`|Rather than the expected date this update will be installed, this should be interpreted as the minimum date Windows Update will make the update available for the device. This takes into account Deferrals. |
|
||||
|**LastScan** |[datetime](/azure/kusto/query/scalar-data-types/datetime)|`3/22/2020, 1:00:01.318 PM`|The last point in time that this device sent Update Session data. |
|
||||
|
||||
@ -9,7 +9,7 @@ ms.author: mstewart
|
||||
ms.localizationpriority: medium
|
||||
ms.collection: M365-analytics
|
||||
ms.topic: article
|
||||
ms.date: 06/06/2022
|
||||
ms.date: 08/24/2022
|
||||
---
|
||||
|
||||
# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview)
|
||||
@ -29,48 +29,79 @@ This article is specifically targeted at configuring devices enrolled to [Micros
|
||||
|
||||
## Create a configuration profile
|
||||
|
||||
Take the following steps to create a configuration profile that will set required policies for Update Compliance:
|
||||
Create a configuration profile that will set the required policies for Update Compliance. There are two profile types that can be used to create a configuration profile for Update Compliance:
|
||||
- The [settings catalog](#settings-catalog)
|
||||
- [Template](#custom-oma-uri-based-profile) for a custom OMA URI based profile
|
||||
|
||||
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
|
||||
1. On the **Configuration profiles** view, select **Create a profile**.
|
||||
### Settings catalog
|
||||
|
||||
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
|
||||
1. On the **Configuration profiles** view, select **Create profile**.
|
||||
1. Select **Platform**="Windows 10 and later" and **Profile type**="Settings Catalog", and then select **Create**.
|
||||
1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
|
||||
1. On the **Configuration settings** page, you'll be adding multiple settings from the **System** category. Using the **Settings picker**, select the **System** category, then add the following settings and values:
|
||||
1. Required settings for Update Compliance:
|
||||
- **Setting**: Allow Commercial Data Pipeline
|
||||
- **Value**: Enabled
|
||||
- **Setting**: Allow Telemetry
|
||||
- **Value**: Basic (*Basic is the minimum value, but it can be safely set to a higher value*)
|
||||
- **Setting**: Allow Update Compliance Processing
|
||||
- **Value**: Enabled
|
||||
1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
|
||||
- **Setting**: Configure Telemetry Opt In Change Notification
|
||||
- **Value**: Disable telemetry change notifications
|
||||
- **Setting**: Configure Telemetry Opt In Settings Ux
|
||||
- **Value**: Disable Telemetry opt-in Settings
|
||||
1. (*Recommended, but not required*) Allow device name to be sent in Windows Diagnostic Data. If this policy is disabled, the device name won't be sent and won't be visible in Update Compliance:
|
||||
- **Setting**: Allow device name to be sent in Windows diagnostic data
|
||||
- **Value**: Allowed
|
||||
|
||||
1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
1. Review the settings and then select **Create**.
|
||||
|
||||
### Custom OMA URI based profile
|
||||
|
||||
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices** > **Windows** > **Configuration profiles**.
|
||||
1. On the **Configuration profiles** view, select **Create profile**.
|
||||
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
|
||||
1. For **Template name**, select **Custom**, and then press **Create**.
|
||||
1. For **Template name**, select **Custom**, and then select **Create**.
|
||||
1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
|
||||
1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md).
|
||||
|
||||
|
||||
1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
|
||||
- **Name**: Allow commercial data pipeline
|
||||
- **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
|
||||
- **Name**: Allow Telemetry
|
||||
- **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
|
||||
1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
|
||||
- **Name**: Disable Telemetry opt-in interface
|
||||
- **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
|
||||
- **Name**: Allow device name in Diagnostic Data
|
||||
- **Description**: Allows device name in Diagnostic Data.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
- **Value**: 1 (*1 is the minimum value meaning basic, but it can be safely set to a higher value*).
|
||||
1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
|
||||
- **Name**: Allow Update Compliance Processing
|
||||
- **Description**: Opts device data into Update Compliance processing. Required to see data.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 16
|
||||
1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
|
||||
- **Name**: Allow commercial data pipeline
|
||||
- **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
|
||||
1. (*Recommended, but not required*) Add settings for **disabling devices' Diagnostic Data opt-in settings interface**. If these aren't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance:
|
||||
- **Name**: Disable Telemetry opt-in interface
|
||||
- **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
1. (*Recommended, but not required*) Add a setting to **Allow device name in diagnostic data**; otherwise, the device name won't be in Update Compliance:
|
||||
- **Name**: Allow device name in Diagnostic Data
|
||||
- **Description**: Allows device name in Diagnostic Data.
|
||||
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
|
||||
- **Data type**: Integer
|
||||
- **Value**: 1
|
||||
|
||||
|
||||
1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
|
||||
1. Review and select **Create**.
|
||||
1. Review the settings and then select **Create**.
|
||||
|
||||
## Deploy the configuration script
|
||||
|
||||
|
||||
@ -17,6 +17,8 @@ ms.collection: highpri
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=31806295" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows Update issues</span>
|
||||
|
||||
The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
|
||||
|
||||
## 0x8024402F
|
||||
|
||||
@ -18,6 +18,8 @@ ms.topic: article
|
||||
> This is a 300 level topic (moderately advanced).<br>
|
||||
> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
|
||||
|
||||
<p class="alert is-flex is-primary"><span class="has-padding-left-medium has-padding-top-extra-small"><a class="button is-primary" href="https://vsa.services.microsoft.com/v1.0/?partnerId=7d74cf73-5217-4008-833f-87a1a278f2cb&flowId=DMC&initialQuery=31806293" target='_blank'><b>Try our Virtual Agent</b></a></span><span class="has-padding-small"> - It can help you quickly identify and fix common Windows boot issues</span>
|
||||
|
||||
If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
|
||||
|
||||
> [!IMPORTANT]
|
||||
|
||||
@ -117,8 +117,8 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID
|
||||
**To register devices with Windows Autopatch:**
|
||||
|
||||
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
2. Select **Windows Autopatch** from the left navigation menu.
|
||||
3. Select **Devices**.
|
||||
2. Select **Devices** from the left navigation menu.
|
||||
3. Under the **Windows Autopatch** section, select **Devices**.
|
||||
4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
|
||||
5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
|
||||
|
||||
@ -148,6 +148,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
|
||||
1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
|
||||
|
||||
For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
|
||||
|
||||
### Contact support for device registration-related incidents
|
||||
|
||||
Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.
|
||||
|
||||
@ -26,5 +26,4 @@ After you've completed enrollment in Windows Autopatch, some management settings
|
||||
|
||||
| Setting | Description |
|
||||
| ----- | ----- |
|
||||
| Conditional access policies | If you create any new conditional access or multi-factor authentication policies related to Azure AD, or Microsoft Intune after Windows Autopatch enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Windows Autopatch maintains separate conditional access policies to restrict access to these accounts.<p>**To review the Windows Autopatch conditional access policy (Modern Workplace – Secure Workstation):**</p><p>Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Do **not** modify any Azure AD conditional access policies created by Windows Autopatch that have "**Modern Workplace**" in the name.</p> |
|
||||
| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li> <li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
|
||||
|
||||
@ -41,8 +41,6 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
|
||||
| ----- | ----- |
|
||||
| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
|
||||
| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
|
||||
| Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> |
|
||||
| Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace – Secure Workstation** conditional access policy. |
|
||||
| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
|
||||
|
||||
## Unenroll from Windows Autopatch
|
||||
|
||||
@ -46,7 +46,7 @@ Each deployment ring has a different set of update deployment policies to contro
|
||||
Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
|
||||
> You can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service.
|
||||
|
||||
### Deployment ring calculation logic
|
||||
|
||||
|
||||
@ -4,7 +4,7 @@ metadata:
|
||||
description: Answers to frequently asked questions about Windows Autopatch.
|
||||
ms.prod: w11
|
||||
ms.topic: faq
|
||||
ms.date: 08/08/2022
|
||||
ms.date: 08/26/2022
|
||||
audience: itpro
|
||||
ms.localizationpriority: medium
|
||||
manager: dougeby
|
||||
@ -67,10 +67,10 @@ sections:
|
||||
No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
|
||||
- question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
|
||||
answer: |
|
||||
Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
|
||||
Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
|
||||
- question: Can I run Autopatch on my Windows 365 Business Workloads?
|
||||
answer: |
|
||||
No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
|
||||
No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
|
||||
- name: Update Management
|
||||
questions:
|
||||
- question: What systems does Windows Autopatch update?
|
||||
|
||||
@ -14,7 +14,7 @@ msreviewer: hathind
|
||||
|
||||
# Enroll your tenant
|
||||
|
||||
Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time.
|
||||
Before you enroll in Windows Autopatch, there are settings, and other parameters you must set ahead of time.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must be a Global Administrator to enroll your tenant.
|
||||
@ -30,7 +30,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
|
||||
> [!IMPORTANT]
|
||||
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
|
||||
|
||||
The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
|
||||
The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
|
||||
|
||||
**To access and run the Readiness assessment tool:**
|
||||
|
||||
@ -43,8 +43,6 @@ The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager
|
||||
> [!IMPORTANT]
|
||||
> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses).
|
||||
|
||||
A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies).
|
||||
|
||||
The Readiness assessment tool checks the following settings:
|
||||
|
||||
### Microsoft Intune settings
|
||||
@ -62,9 +60,7 @@ The following are the Azure Active Directory settings:
|
||||
|
||||
| Check | Description |
|
||||
| ----- | ----- |
|
||||
| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.<p><p>Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
|
||||
| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). |
|
||||
| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. |
|
||||
| Co-management | This advisory check only applies if co-management is applied to your tenant. This check ensures that the proper workloads are in place for Windows Autopatch. If co-management doesn't apply to your tenant, this check can be safely disregarded, and won't block device deployment. |
|
||||
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
|
||||
### Check results
|
||||
|
||||
@ -25,7 +25,7 @@ For each check, the tool will report one of four possible results:
|
||||
| Ready | No action is required before completing enrollment. |
|
||||
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
|
||||
| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
|
||||
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant is not properly licensed for Microsoft Intune. |
|
||||
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. |
|
||||
|
||||
> [!NOTE]
|
||||
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
|
||||
@ -55,14 +55,13 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop
|
||||
|
||||
You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/).
|
||||
|
||||
### Conditional access policies
|
||||
### Co-management
|
||||
|
||||
Conditional access policies must not prevent Windows Autopatch from connecting to your tenant.
|
||||
Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.<p><p>During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.<p><p>For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.</p> |
|
||||
| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:<br><ul><li>Security Reader</li><li>Security Administrator</li><li>Conditional Access Administrator</li><li>Global Reader</li><li>Devices Administrator</li></ul> |
|
||||
| Advisory | To successfully enroll devices that are co-managed into Windows Autopatch, it's necessary that the following co-managed workloads are set to **Intune**:<ul><li>Device configuration</li><li>Windows update policies</li><li>Office 365 client apps</li></ul><p>If co-management doesn't apply to your tenant, this check can be safely disregarded, and it won't block device deployment.</p> |
|
||||
|
||||
### Licenses
|
||||
|
||||
@ -71,19 +70,3 @@ Windows Autopatch requires the following licenses:
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
|
||||
|
||||
### Windows Autopatch cloud service accounts
|
||||
|
||||
Certain account names could conflict with account names created by Windows Autopatch.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul><p>You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service. For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access).</p> |
|
||||
|
||||
### Security defaults
|
||||
|
||||
Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices.
|
||||
|
||||
| Result | Meaning |
|
||||
| ----- | ----- |
|
||||
| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). |
|
||||
|
||||
@ -29,7 +29,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
|
||||
|
||||
## More about licenses
|
||||
|
||||
Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch:
|
||||
Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
|
||||
|
||||
| License | ID | GUID number |
|
||||
| ----- | ----- | ------|
|
||||
|
||||
@ -22,7 +22,7 @@ Windows Autopatch will create a service principal in your tenant allowing the se
|
||||
|
||||
## Azure Active Directory groups
|
||||
|
||||
Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts.
|
||||
Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our [first party enterprise applications](#windows-autopatch-enterprise-applications).
|
||||
|
||||
| Group name | Description |
|
||||
| ----- | ----- |
|
||||
@ -37,10 +37,6 @@ Windows Autopatch will create Azure Active Directory groups that are required to
|
||||
| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11<p>Group Rule:<ul><li>`(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`</li><li>`(device.deviceOSVersion -startsWith \"10.0.22000\")`</li></ul><br>Exclusions:<ul><li>Modern Workplace - Telemetry Settings for Windows 10</li></ul> |
|
||||
| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role |
|
||||
| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role |
|
||||
| Modern Workplace Service - Intune Admin All | Group for Intune Admins<p>Assigned to: <ul><li>Modern Workplace Service Accounts</li></ul>|
|
||||
| Modern Workplace Service - Intune Reader All | Group for Intune readers<p>Assigned to: <ul><li>Modern Workplace Service Accounts</li></ul>|
|
||||
| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users<p>Assigned to:<ul><li>Modern Workplace Service Accounts</li></ul>|
|
||||
| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts |
|
||||
| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch |
|
||||
|
||||
## Windows Autopatch enterprise applications
|
||||
@ -56,19 +52,6 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
|
||||
> [!NOTE]
|
||||
> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
|
||||
|
||||
## Windows Autopatch cloud service accounts
|
||||
|
||||
Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls.
|
||||
|
||||
> [!NOTE]
|
||||
> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition.
|
||||
|
||||
| Cloud service account name | Usage | Mitigating controls |
|
||||
| ----- | ----- | ------ |
|
||||
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.</li><li>This account doesn't have interactive sign-in permissions. The account performs operations only through the service.</li></ul> | Audited sign-ins |
|
||||
| MsAdminInt@tenantDomain.onmicrosoft.com | <ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.</li><li>This account is used for interactive sign-in to the customers’ tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).</li> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.</li><li>Audited sign-ins</li></ul> |
|
||||
| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
|
||||
|
||||
## Device configuration policies
|
||||
|
||||
- Modern Workplace - Set MDM to Win Over GPO
|
||||
@ -145,15 +128,6 @@ Windows Autopatch will create three cloud service accounts in your tenant. These
|
||||
| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
|
||||
| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel<p>Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Test </li></ul>| `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled |
|
||||
|
||||
## Conditional access policies
|
||||
|
||||
> [!NOTE]
|
||||
> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition.
|
||||
|
||||
| Conditional access policy | Description |
|
||||
| ----- | ----- |
|
||||
| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. |
|
||||
|
||||
## PowerShell scripts
|
||||
|
||||
| Script | Description |
|
||||
|
||||
Reference in New Issue
Block a user