Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
- -When you [start using Autopatch](../prepare/windows-autopatch-feature-activation.md), Windows Autopatch creates the following deployment ring set to organize devices. - -| Deployment ring | Description | -| --- | --- | -| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters. | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | - -> [!CAUTION] -> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Move devices in between deployment rings](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings). - -> [!IMPORTANT] -> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or your Autopatch groups. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. - -During the device registration process, Windows Autopatch assigns each device to a deployment ring so that the service has the proper representation of device diversity across your organization. -The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. - -### Device record and deployment ring assignment - -When you register your devices, Windows Autopatch: - -1. Makes a record of devices in the service. -2. Assign devices to the [deployment ring set](#default-deployment-ring-calculation-logic) and other groups required for software update management. - -### Default deployment ring calculation logic - -The Windows Autopatch deployment ring calculation occurs during the device registration process: - -- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. -- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment is First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - -> [!NOTE] -> You can customize the deployment ring calculation logic by [editing an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). - -| Deployment ring | Default device balancing percentage | Description | -| --- | --- | --- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| N/A | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | - -## Automated deployment ring remediation functions - -Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - -- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process. - -There are two automated deployment ring remediation functions: - -| Function | Description | -| ----- | ----- | -| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). | -| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. | - -> [!IMPORTANT] -> Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:If you choose to use dynamic distribution, the Autopatch service distributes the devices you selected. The service takes a percentage of the devices in the dynamic pool and adds them to the relevant Microsoft Entra groups. Devices that are members of Microsoft Entra groups that are directly assigned aren't included in the dynamic pool.
If you have fewer than 100 devices in an Autopatch group, the distribution might not match your selection.
| +| **Step 5: Post-device registration** | If you deployed the [**Windows Autopatch Client Broker**](../deploy/windows-autopatch-post-reg-readiness-checks.md#install-the-windows-autopatch-client-broker), post-device registration actions occur. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#post-device-registration-readiness-checks-workflow). | +| **Step 6: Review device registration status** | IT admins review the device's Autopatch readiness status. Devices are either **Registered** or **Not registered** in the **[**Autopatch groups membership report**](#autopatch-groups-membership-report)**.[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
+> **The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.**Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md deleted file mode 100644 index 5cf7948782..0000000000 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -title: Customize Windows Update settings Autopatch groups experience -description: How to customize Windows Updates with Autopatch groups -ms.date: 09/16/2024 -ms.service: windows-client -ms.subservice: autopatch -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: rekhanr -ms.collection: - - highpri - - tier1 ---- - -# Customize Windows Update settings - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. However, we recommend that you remain within service defined boundaries to maintain compliance. - -When the deployment cadence is customized, Windows Autopatch overrides our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) might not count towards the Windows Autopatch [Windows quality update service level objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective). - -## Deployment cadence - -### Cadence types - -For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings: - -- [Deadline-driven](#deadline-driven) -- [Scheduled install](#scheduled-install) - -> [!NOTE] -> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update). - -#### Deadline-driven - -With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. - -> [!NOTE] -> The configured grace period will apply to both Windows quality updates and Windows feature updates. - -Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, are applied. - -It's possible for you to change the cadence from the Windows Autopatch groups blade while update deployments are in progress. Windows Autopatch abides by the principle to always respect your preferences over service-defined values. - -However, if an update already started for a particular deployment ring, Windows Autopatch isn't able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle. - -#### Scheduled install - -> [!NOTE] ->If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective). - -While the Windows Autopatch default options meet most the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. - -The **Scheduled install** cadence type minimizes disruptions by preventing forced restarts and interruptions to critical business activities for end users. When you select the **Scheduled install** cadence type, any previously set deadlines and grace periods are removed. Devices will only update and restart according to the time specified. - -If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update completes its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option. - -> [!NOTE] -> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type. - -Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device might have the Windows Update scan and install during active hours. - -##### Scheduled install types - -> [!NOTE] -> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.
- -The Scheduled install cadence has two options: - -| Option | Description | -| ----- | ----- | -| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business scans, install and restart the device.
-| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.
| - -> [!NOTE] -> Changes made in one deployment ring won't impact other rings in your tenant.Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.
- -### User notifications - -In addition to the cadence type, you can also manage the end user notification settings. End users receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: - -- Not configured -- Use the default Windows Update notifications -- Turn off all notifications excluding restart warnings -- Turn off all notifications including restart warnings - -For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings). - -## Customize the Windows Update deployment cadence - -> [!IMPORTANT] -> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
- -**To customize the Windows Update deployment cadence:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. -3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings. -4. Select **Next** to navigate to the Windows update settings page. The page lists the existing settings for each of the deployment rings in the Autopatch group. -5. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings. - 1. Select one of the cadence types for the ring: - 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option enforces forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". - 1. Select **Scheduled install** to opt-out of deadline-based forced restart. - 1. Select either **Active hours** or **Schedule install and restart time**. - 2. Select **Save**. -6. Select **Manage notifications**. A fly-in pane opens. - 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications. - 1. Not configured - 1. Use the default Windows Update notifications - 1. Turn off all notifications excluding restart warnings - 1. Turn off all notifications included restart warnings - 1. Select **Save** once you select the preferred setting. -7. Repeat the same process to customize each of the rings. Once done, select **Next**. -8. In **Review + apply**, you're able to review the selected settings for each of the rings. -9. Select **Apply** to apply the changes to the ring policy. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md index a9fcc86c26..528758638d 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/24/2024 +ms.date: 03/31/2025 --- # Programmatic controls for drivers and firmware updates diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md index 831fe0e8a1..409b518326 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md @@ -1,7 +1,7 @@ --- title: Microsoft Edge description: This article explains how Microsoft Edge updates are managed in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,13 +17,8 @@ ms.collection: # Microsoft Edge -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge. -> [!IMPORTANT] -> To update Microsoft 365 Apps for enterprise, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) first and **Microsoft Edge update setting** must be set to [**Allow**](#allow-or-block-microsoft-edge-updates). For more information on workloads supported by Windows Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads). - ## Device eligibility For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria: @@ -33,44 +28,65 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto - The device must be able to access the required network endpoints to reach the Microsoft Edge update service. - If Microsoft Edge is open, it must restart for the update process to complete. -## Allow or block Microsoft Edge updates +## Microsoft Edge update controls -> [!IMPORTANT] -> You must be an Intune Administrator to make changes to the setting. +With the expanded Autopatch group capabilities, you can choose to enable Microsoft Edge updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -For organizations seeking greater control, you can allow or block Microsoft Edge updates for Windows Autopatch-enrolled devices. +- Tenants that previously turned on Autopatch Microsoft Edge updates, has the Microsoft Edge updates Update Type checkbox selected, and the updated policies applied to each Autopatch group. +- Tenants that previously turned off Autopatch Microsoft Edge updates, or are new to Windows Autopatch, Autopatch Microsoft Edge updates remain turned off. -| Microsoft Edge setting | Description | -| ----- | ----- | -| **Allow** | When set to **Allow**, Windows Autopatch assigns devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel). To manage updates manually, set the Microsoft Edge setting to **Block**. | -| **Block** | When set to **Block**, Windows Autopatch doesn't assign devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). | +If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft Edge updates as a content type, the **Update Type** checkbox is **selected**, with new policies created and any available old policies are removed. If you didn’t select Microsoft Edge updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. -**To allow or block Edge updates:** +### Turn on Microsoft Edge updates + +**To turn on Microsoft Edge updates:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Update settings**. -1. Go to the **Edge updates** section. By default, the Allow/Block toggle is set to **Block**. -1. Turn off the **Allow** toggle (set to Block) to opt out of Microsoft Edge update policies. You see the notification: *Update in process. This setting will be unavailable until the update is complete.* -1. Once the update is complete, you receive the notification: *This setting is updated*. +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group). +1. Next to **Update types**, select **Edit**. +1. Select **Microsoft Edge updates**. +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. +1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. +1. Manually remove the following profiles related to Microsoft Edge + 1. Windows Autopatch - Microsoft Edge Update Channel Beta + 1. Windows Autopatch - Microsoft Edge Update Channel Stable > [!NOTE] -> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:Once you create a custom Windows feature update release, the Autopatch group's deployment rings are unassigned from that group’s feature update policy.
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md index 0cf0c9260b..59e83f707a 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md @@ -1,7 +1,7 @@ --- title: Hotpatch updates description: Use Hotpatch updates to receive security updates without restarting your device -ms.date: 02/03/2025 +ms.date: 04/11/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -15,36 +15,26 @@ ms.collection: - tier1 --- -# Hotpatch updates (public preview) - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - -> [!IMPORTANT] -> This feature is in public preview. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. +# Hotpatch updates Hotpatch updates are designed to reduce downtime and disruptions. Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that install and take effect without requiring you to restart the device. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted. Hotpatch is an extension of Windows Update and requires Autopatch to create and deploy hotpatches to devices enrolled in the Autopatch quality update policy. -> [!NOTE] -> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). - ## Key benefits - Hotpatch updates streamline the installation process and enhance compliance efficiency. - No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies. - The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. -## Release cycles +## Prerequisites -For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). +To benefit from Hotpatch updates, devices must meet the following prerequisites: -| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) | -| ----- | ----- | ----- | -| 1 | January | February and March | -| 2 | April | May and June | -| 3 | July | August and September | -| 4 | October | November and December | +- For licensing requirements, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- Windows 11 Enterprise version 24H2 or later +- Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). +- Microsoft Intune to manage hotpatch update deployment with the [Windows quality update policy with hotpatch turned on](#enroll-devices-to-receive-hotpatch-updates). ## Operating system configuration prerequisites @@ -54,25 +44,30 @@ To prepare a device to receive Hotpatch updates, configure the following operati VBS must be turned on for a device to be offered Hotpatch updates. For information on how to set and detect if VBS is enabled, see [Virtualization-based Security (VBS)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security). +> [!NOTE] +> Devices might be temporarily ineligible because they don’t have VBS enabled or aren’t currently on the latest baseline release. To ensure that all your Windows devices are configured properly to be eligible for hotpatch updates, see [Troubleshoot hotpatch updates](#troubleshoot-hotpatch-updates). + ### Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only) -This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. To disable CHPE, create and/or set the following DWORD registry key: -Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management` -DWORD key value: HotPatchRestrictions=1 +> [!IMPORTANT] +> **Arm 64 devices are in public preview**. It's being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. + +This requirement only applies to Arm 64 CPU devices when using Hotpatch updates. Hotpatch updates aren't compatible with servicing CHPE OS binaries located in the `%SystemRoot%\SyChpe32` folder. + +To ensure all the Hotpatch updates are applied, you must set the CHPE disable flag and restart the device to disable CHPE usage. You only need to set this flag one time. The registry setting remains applied through updates. > [!IMPORTANT] > This setting is required because it forces the operating system to use the emulation x86-only binaries instead of CHPE binaries on Arm 64 devices. CHPE binaries include native Arm 64 code to improve performance, excluding the CHPE binaries might affect performance or compatibility. Be sure to test application compatibility and performance before rolling out Hotpatch updates widely on Arm 64 CPU based devices. +To disable CHPE, create and/or set the following DWORD registry key: +Path: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management` +DWORD key value: HotPatchRestrictions=1 + +> [!NOTE] +> There are no plans to support hotpatch updates on Arm64 devices with CHPE enabled. Disabling CHPE is required only for Arm64 devices. AMD and Intel CPUs don’t have CHPE. + If you choose to no longer use Hotpatch updates, clear the CHPE disable flag (`HotPatchRestrictions=0`) then restart the device to turn on CHPE usage. -## Eligible devices - -To benefit from Hotpatch updates, devices must meet the following prerequisites: - -- Operating System: Devices must be running Windows 11 24H2 or later. -- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates. -- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true). - ## Ineligible devices Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases. @@ -82,6 +77,32 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem > [!NOTE] > If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings. +## Release cycles + +For more information about the release calendar for hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). + +- Baseline: Includes the latest security fixes, cumulative new features, and enhancements. Restart required. +- Hotpatch: Includes security updates. No restarted required. + +| Quarter | Baseline updates (requires restart) | Hotpatch (no restart required) | +| ----- | ----- | ----- | +| 1 | January | February and March | +| 2 | April | May and June | +| 3 | July | August and September | +| 4 | October | November and December | + +## Hotpatch on Windows 11 Enterprise or Windows Server 2025 + +> [!NOTE] +> Hotpatch is also available on Windows Server and Windows 365. For more information, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). + +Hotpatch updates are similar between Windows 11 and Windows Server 2025. + +- Windows Autopatch manages Windows 11 updates +- Azure Update Manager and optional Azure Arc subscription for Windows 2025 Datacenter/Standard Editions (on-premises) manages Windows Server 2025 Datacenter Azure Edition. For more information, on Windows Server and Windows 365, see [Hotpatch for Windows Server Azure Edition](/windows-server/get-started/enable-hotpatch-azure-edition). + +The calendar dates, eight hotpatch months, and four baseline months, planned each year are the same for all the hotpatch-supported operating systems (OS). It’s possible for additional baseline months for one OS (for example, Windows Server 2022), while there are hotpatch months for another OS, such as Server 2025 or Windows 11, version 24H2. Review the release notes from [Windows release health](/windows/release-health/) to keep up to date. + ## Enroll devices to receive Hotpatch updates > [!NOTE] @@ -93,14 +114,14 @@ LCUs requires you to restart the device, but the LCU ensures that the device rem 1. Select **Devices** from the left navigation menu. 1. Under the **Manage updates** section, select **Windows updates**. 1. Go to the **Quality updates** tab. -1. Select **Create**, and select **Windows quality update policy (preview)**. +1. Select **Create**, and select **Windows quality update policy**. 1. Under the **Basics** section, enter a name for your new policy and select Next. 1. Under the **Settings** section, set **"When available, apply without restarting the device ("Hotpatch")** to **Allow**. Then, select **Next**. -1. Select the appropriate Scope tags or leave as Default and select **Next**. +1. Select the appropriate Scope tags or leave as Default. Then, select **Next**. 1. Assign the devices to the policy and select **Next**. 1. Review the policy and select **Create**. -These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU). +These steps ensure that targeted devices, which are [eligible](#prerequisites) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU). > [!NOTE] > Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings still apply. @@ -108,3 +129,48 @@ These steps ensure that targeted devices, which are [eligible](#eligible-devices ## Roll back a hotpatch update Automatic rollback of a Hotpatch update isn’t supported but you can uninstall them. If you experience an unexpected issue with hotpatch updates, you can investigate by uninstalling the hotpatch update and installing the latest standard cumulative update (LCU) and restart. Uninstalling a hotpatch update is quick, however, it does require a device restart. + +## Troubleshoot hotpatch updates + +### Step 1: Verify the device is eligible for hotpatch updates and on a hotpatch baseline before the hotpatch update is installed + +Hotpatching follows the hotpatch release cycle. Review the prerequisites to ensure the device is [eligible](#prerequisites) for hotpatch updates. For information on devices that don’t meet the prerequisites, see [Ineligible devices](#ineligible-devices). + +For the latest release schedule, see the [hotpatch release notes](https://support.microsoft.com/topic/release-notes-for-hotpatch-public-preview-on-windows-11-version-24h2-enterprise-clients-c117ee02-fd35-4612-8ea9-949c5d0ba6d1). For information on Windows update history, see [Windows 11, version 24H2 update history](https://support.microsoft.com/topic/windows-11-version-24h2-update-history-0929c747-1815-4543-8461-0160d16f15e5). + +### Step 2: Verify the device has Virtualization-based security (VBS) turned on + +1. Select **Start**, and enter `System information` in the Search. +1. Select **System information** from the results. +1. Under **System summary**, under the **Item column**, find **Virtualization-based security**. +1. Under the **Value column**, ensure it states **Running**. + +### Step 3: Verify the device is properly configured to turn on hotpatch updates + +1. In Intune, review your configured policies within Autopatch to see which groups of devices are targeted with a hotpatch policy by going to the **Windows Update** > **Quality Updates** page. +1. Ensure the hotpatch update policy is set to **Allow**. +1. On the device, select **Start** > **Settings** > **Windows Update** > **Advanced options** > **Configured update policies** > find **Enable hotpatching when available**. This setting indicates that the device is enrolled in hotpatch updates as configured by Autopatch. + +### Step 4: Disable compiled hybrid PE usage (CHPE) (Arm64 CPU only) + +For more information, see [Arm 64 devices must disable compiled hybrid PE usage (CHPE) (Arm 64 CPU Only)](#arm-64-devices-must-disable-compiled-hybrid-pe-usage-chpe-arm-64-cpu-only). + +### Step 5: Use Event viewer to verify the device has hotpatch updates turned on + +1. Right-click on the **Start** menu, and select **Event viewer**. +1. Search for **AllowRebootlessUpdates** in the filter. If AllowRebootlessUpdates is set to `1`, the device is enrolled in the Autopatch update policy and has hotpatch updates turned on: + +`` +"data": { +"payload": "{\"Orchestrator\":{\"UpdatePolicy\":{\"Update/AllowRebootlessUpdates\":true}}}", +"isEnrolled": 1, +"isCached": 1, +"vbsState": 2, +`` + +### Step 6: Check Windows Logs for any hotpatch errors + +Hotpatch updates provide an inbox monitor service that checks for the health of the updates installed on the device. If the monitor service detects an error, the service logs an event in the Windows Application Logs. If there's a critical error, the device installs the standard (LCU) update to ensure the device is fully secure. + +1. Right-click on the **Start** menu, and select **Event viewer**. +1. Search for **hotpatch** in the filter to view the logs. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md index ffcd082e07..29fc0d54bf 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,21 +17,22 @@ ms.collection: # Manage Windows Autopatch groups -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. -An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). +An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings), [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates), [driver update policies](../manage/windows-autopatch-manage-driver-and-firmware-updates.md), [Microsoft 365 App update policies](../manage/windows-autopatch-microsoft-365-policies.md), and [Microsoft Edge update policies](../manage/windows-autopatch-edge.md). Before you start managing Autopatch groups, ensure you meet the [Windows Autopatch groups prerequisites](../deploy/windows-autopatch-groups-overview.md#prerequisites). +> [!NOTE] +> If you reach the maximum number of Autopatch groups supported (300), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade is greyed out. + ## Create an Autopatch group > [!IMPORTANT] > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. > [!TIP] -> For more information on workloads supported by Windows Autopatch groups, see [Supported software workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
+> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service isn't able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
> [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that is already used, an error occurs that prevents you from creating or editing the Autopatch group. ## Edit an Autopatch group > [!TIP] -> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**" +> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more ongoing Windows feature update release targeted to this Autopatch group.**" > For more information on release and phase statuses, see [Windows feature update](../manage/windows-autopatch-windows-feature-update-overview.md). **To edit an Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. -1. You can only modify the **description** of an Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**. To rename an Autopatch group, see [Rename an Autopatch group](#rename-an-autopatch-group). -1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. -1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. +1. In the **Basics** page, you can only modify the **description** of an Autopatch group. You **can't** modify the name. Once the description is modified, or if you don't need to edit the description, select **Next: Deployment rings**. To rename an Autopatch group, see [Rename an Autopatch group](#rename-an-autopatch-group). +1. In the **Deployment rings** page, edit your deployment rings as necessary or select **Next: Update types**. +1. In the **Update types** page, add or remove update types as necessary, or select **Next: Deployment settings**. +1. In the **Deployment settings** page, edit the deployment settings as necessary, or select **Next: Release schedule**. +1. In the **Release schedule** page, edit the deferral and/or deadline day as necessary. If you need to change the release schedule preset, you must create a new Autopatch group. 1. Select **Review + create** to review all changes made. 1. Once the review is done, select **Save** to finish editing the Autopatch group. @@ -79,7 +98,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. > [!CAUTION] -> If a device that was previously added to an Autopatch group uses an Entra group (via Assigned groups or Dynamic distribution method) is removed from the Entra group, the device is removed and de-registered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device won't appear in the Autopatch devices reports. +> If a device that was previously added to an Autopatch group uses a Microsoft Entra group (via Assigned groups or Dynamic distribution method) is removed from the Microsoft Entra group, the device is removed and deregistered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device doesn't appear in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). ## Rename an Autopatch group @@ -89,7 +108,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then select **Rename group**. > [!IMPORTANT] -> Autopatch supports up to 64 characters for the Autopatch group name. Additionally, when you rename a Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming an Autopatch group all Microsoft Entra groups representing the Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. +> Autopatch supports up to 64 characters for the Autopatch group name. Additionally, when you rename an Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming an Autopatch group all Microsoft Entra groups representing the Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. ## Delete an Autopatch group @@ -99,16 +118,16 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. Select **Yes** to confirm you want to delete the Autopatch group. > [!CAUTION] -> You can't delete an Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete an Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. +> You can't delete an Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete an Autopatch group when the release for either Windows quality or feature updates has either the **Scheduled** or **Paused** statuses. ## Manage device conflict scenarios when using Autopatch groups Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups. Sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups. -Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. +Since Autopatch groups uses your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that is already used, an error occurs that prevents you from creating or editing the Autopatch group. ### Device conflict in deployment rings within an Autopatch group @@ -120,7 +139,7 @@ Autopatch groups use the following logic to solve device conflicts on your behal | Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. | > [!IMPORTANT] -> When a device belongs to a deployment ring that has combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that have combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. +> When a device belongs to a deployment ring that contains combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that contains combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. ### Device conflict across different Autopatch groups @@ -130,7 +149,7 @@ Device conflict across different deployment rings in different Autopatch groups | Conflict scenario | Conflict resolution | | ----- | ----- | -| You, the IT admin at Contoso Ltd., are using several Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade, you notice that the same device is part of different deployment rings across several different Autopatch groups. This device appears as **Not ready**. | You must resolve this conflict.Autopatch groups inform you about the device conflict in the [**Devices report**](../deploy/windows-autopatch-register-devices.md#devices-report). Select the **Not ready** status for the device you want to address. You're required to manually indicate which of the existing Autopatch groups the device should exclusively belong to.
| +| You, the IT admin at Contoso Ltd., are using several Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade, you notice that the same device is part of different deployment rings across several different Autopatch groups. This device appears as **Not ready**. | You must resolve this conflict.Autopatch groups inform you about the device conflict in the [**Autopatch groups membership report**](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). Select the **Not ready** status for the device you want to address. You're required to manually indicate which of the existing Autopatch groups the device should exclusively belong to.
| #### Device conflict before device registration diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md index e968491819..5fb0db6f49 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md @@ -1,7 +1,7 @@ --- title: Manage driver and firmware updates description: This article explains how you can manage driver and firmware updates with Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -21,8 +21,6 @@ You can manage driver and firmware profiles for Windows 10 and later devices. By ## Driver and firmware controls -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - You can manage and control your driver and firmware updates by: - Controlling the flow of all drivers to an Autopatch group or rings within an Autopatch group @@ -33,9 +31,6 @@ You can manage and control your driver and firmware updates by: The Autopatch service creates additional driver profiles on a per-deployment ring and per group basis within your tenant. -> [!NOTE] -> For more information about policies created for Driver updates for Windows 10 and later, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md#driver-updates-for-windows-10-and-later). - Choosing between Automatic and Manual modes can be done per-deployment ring and/or per Autopatch group. For a single Autopatch group, a mix of both Automatic and Manual policies is allowed. If you were previously in Manual mode, we create Manual policies for all your group rings. If Automatic (the default) was previously used, we create Automatic policies instead. > [!IMPORTANT] @@ -55,10 +50,16 @@ Choosing between Automatic and Manual modes can be done per-deployment ring and/ 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Devices** > **Manage Updates** > **Windows Updates** > **Driver Updates** tab. -1. Select the groups you’d like to modify. Find the Driver update settings section, then select Edit. -1. Set the policy to be **Automatic** or **Manual** for each deployment ring within the previously selected group. - 1. If you select **Automatic**, you can choose a **Deferral period** in days from the dropdown menu. - 2. If you select **Manual**, the deferral day setting can’t be set and displays **Not applicable**. +1. Select the groups you’d like to modify. Find the Deployment settings section, then select Edit. +1. Select **Next: Deployment settings**. +1. Choose **Use the same approval method for all deployment rings** or **Use different approval methods for each deployment ring**. + 1. If you select **Use the same approval method for all deployment rings**, you must choose **Automatically approve** or **Manually review and approve**. All deployment rings use this setting. + 1. If you select **Use different approval methods for each deployment ring**, you must choose **Automatically approve** or **Manually review and approve** for each deployment ring. +1. Select **Next: Release schedules**. +1. If you selected **Automatically approve**, under **Quality and driver updates**, you can choose a Driver update deferral for each policy or Driver updates. **Manually review and approve** policies are displayed as *Not applicable*. + 1. Select **Edit** to the right of your deployment ring. + 1. Find **Driver update deferrals** and select **Deferral period in days** from the dropdown menu. + 1. Select **Save**. 1. Select **Review + Save** to review all changes made. 1. Once the review is done, select **Save** to commit your changes. @@ -79,7 +80,7 @@ The deferral period can be set from 0 to 30 days, and it can be different for ea Recommended drivers are the best match for the 'required' driver updates that Windows Update can identify for a device. To be a recommended update, the OEM or driver publisher must mark the update as required and the update must be the most recent update version marked as required. These updates are the same ones available through Windows Update and are almost always the most current update version for a driver. -When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it's moved to the **Other drivers** tab. If the older version was previously approved, it remains approved. +When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it moves to the **Other drivers** tab. If the older version was previously approved, it remains approved. ##### Approve and deploy recommended drivers @@ -102,7 +103,7 @@ Extensions and Plug and play driver updates might not require admin approval. | Driver update | Description | | ----- | ----- | -| Extensions | Windows Autopatch doesn't manage extension drivers. They're easily identified by the term 'extension' in the name. Extensions are typically minor updates to a base driver package that can enhance, modify, or filter the functionality provided by the base driver. They play a crucial role in facilitating effective communication between the operating system and the hardware. If the device hasn't received drivers from Windows Update for some time, the device might have multiple extension drivers offered during the first scan. For more information, see [Why do my devices have driver updates installed that didn't pass through an updates policy?](/mem/intune/protect/windows-driver-updates-overview#why-do-my-devices-have-driver-updates-installed-that-didnt-pass-through-an-updates-policy). | +| Extensions | Windows Autopatch doesn't manage extension drivers. They're easily identified by the term 'extension' in the name. Extensions are typically minor updates to a base driver package that can enhance, modify, or filter the functionality provided by the base driver. They play a crucial role in facilitating effective communication between the operating system and the hardware. If the device doesn't receive drivers from Windows Update for some time, the device might have multiple extension drivers offered during the first scan. For more information, see [Why do my devices have driver updates installed that didn't pass through an updates policy?](/intune/intune-service/protect/windows-driver-updates-overview#why-do-my-devices-have-driver-updates-installed-that-didnt-pass-through-an-updates-policy). | | Plug and play | When Windows detects a hardware or software component (such as, but not limited to, a mouse, keyboard, or webcam) without an existing driver, it automatically downloads and installs the latest driver to ensure the component functions properly to keep the end-user productive. After the initial installation, the driver becomes manageable. Any additional updates require approval before being offered to the device. | ### Other drivers and firmware diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md index 2ba3d40763..820fd843d4 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,13 +17,8 @@ ms.collection: # Microsoft 365 Apps for enterprise -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Service level objective -> [!IMPORTANT] -> To update Microsoft 365 Apps for enterprise, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) first and **Microsoft 365 app update setting** must be set to [**Allow**](#allow-or-block-microsoft-365-app-updates). For more information on workloads supported by Windows Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads). - Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for the: - [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps). The Enterprise Standard Suite includes Access, Excel, OneNote, Outlook, PowerPoint, and Word. @@ -77,58 +72,77 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents ## Microsoft 365 Apps for enterprise update controls -Windows Autopatch doesn't allow you to pause or roll back an update in the Microsoft Intune admin center. +With the expanded Autopatch group capabilities, you can choose to turn on Microsoft 365 Apps updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -[Submit a support request](../manage/windows-autopatch-support-request.md) to the Windows Autopatch Service Engineering Team to pause or roll back an update when needed. +- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and the updated policies applied to each Autopatch group. +- Tenants that previously turned off Autopatch Microsoft 365 Apps updates, or are new to Windows Autopatch, Autopatch Microsoft 365 Apps updates remain turned off. + +If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft 365 apps updates as a content type, the **Update Type** checkbox is **selected**, with new policies created, and any available old policies are removed. If you didn’t select Microsoft 365 apps updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. + +### Turn on Microsoft 365 Apps updates + +**To turn on Microsoft 365 Apps updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group). +1. Next to **Update types**, select **Edit**. +1. Select **Microsoft 365 Apps updates**. +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. +1. We recommend deleting old Autopatch default policies to avoid policy conflict. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. +1. Manually remove the following profiles related to Microsoft 365 Apps: + 1. Windows Autopatch - Office Configuration + 2. Windows Autopatch - Office Update Configuration [Test] + 3. Windows Autopatch - Office Update Configuration [First] + 4. Windows Autopatch - Office Update Configuration [Fast] + 5. Windows Autopatch - Office Update Configuration [Broad] + +> [!NOTE] +> If you previously selected **Microsoft 365 Apps updates** when [creating an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group), but your tenant isn't showing the new updates, there’s a possibility that you previously modified the policy. To ensure there are no disruptions, the Autopatch Service retains that policy. + +### Turn off Microsoft 365 Apps updates + +**To turn off Microsoft 365 Apps updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Select an Autopatch group to modify (repeat these steps for each group). +1. Next to **Update types**, select **Edit**. +1. Unselect **Microsoft 365 Apps updates**. +1. Select **Next: Deployment settings** > **Next: Release schedules** > **Next: Review + save** > **Save** to save these changes. + +### Verify Microsoft 365 Apps updates policies + +**To verify Microsoft 365 Apps updates policies:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant Administration** > **Windows Autopatch** > **Autopatch groups**. +1. Verify each Autopatch group has the **Microsoft 365 Apps Update Type** checkbox **selected**. +1. Navigate to **Devices** > **Manage devices** > **Configuration** > **Policies** tab. +1. The following new policies should be discoverable from the list of profiles: + 1. `"Windows Autopatch Microsoft 365 Update Policy -[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md index 6465a2a404..e0eacd5946 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 09/16/2024 +ms.date: 3/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,25 +17,23 @@ ms.collection: # Submit a support request -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - > [!IMPORTANT] -> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues. - -## Submit a new support request +> You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Support requests are triaged and responded to as they're received. **To submit a new support request:** -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu. -1. In the **Windows Autopatch** section, select **Support requests**. -1. In the **Support requests** section, select **+ New support request**. -1. Enter your questions and/or a description of the problem. -1. Review all the information you provided for accuracy. -1. When you're ready, select **Create**. +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to **Troubleshooting + support**. +1. In the **Troubleshooting + support** section, select **Help and support**. +1. In the **Help and support** section, select **Windows Autopatch**. +1. In the **Help** section, enter your questions and/or a description of the issue. +1. Review the links that are provided to try to help with the issue. +1. If the answers that were given don't help you resolve the issue, select **Contact support** at the bottom of the page. +1. Follow the instructions to file a support request with Windows Autopatch. Make sure you provide the correct primary contact information for this specific support ticket. +1. When you're ready, select **Contact me**. -### Premier and Unified support options +## Premier and Unified support options If you have a **Premier** or **Unified** support contract, when you submit a new request, or edit an active support request, you can: @@ -59,25 +57,11 @@ You can see the summary status of all your support requests. At any time, you ca **To view all your active support requests:** -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Support request**. -1. From this view, you can export the summary view or select any case to view the details. - -## Edit support request details - -You can edit support request details, for example, updating the primary case contact. - -**To edit support request details:** - -1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant Administration** menu. -1. In the **Windows Autopatch** section, select **Support request**. -1. In the **Support requests** section, use the search bar or filters to find the case you want to edit. -1. Select the case to open the request's details. -1. Scroll to the bottom of the request details and select **Edit**. -1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team. -1. Select **Save**. - -Once a support request is mitigated, it can no longer be edited. If a request was mitigated in less than 24 hours, you can reactivate instead of edit. Once reactivated, you can again edit the request. +1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to **Troubleshooting + support**. +1. In the **Troubleshooting + support** section, select **Help and support**. +1. In the **Help and support** section, select **Windows Autopatch**. +1. Under **Windows Autopatch**, select **Support History** to view all filed support requests. +1. Once a support request is mitigated, a survey appears. Using the survey, the primary contact can rate their experience. ## Microsoft FastTrack diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md index e6b32fd7ca..90b420fa4a 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md @@ -1,7 +1,7 @@ --- title: Microsoft Teams description: This article explains how Microsoft Teams updates are managed in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Microsoft Teams -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams. ## Device eligibility @@ -55,4 +53,4 @@ Windows Autopatch can't pause or resume Teams updates. ## Incidents and outages -If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md). +If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md index 62a8d7c8e5..169146d992 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 09/16/2024 +ms.date: 03/31/2025 --- # Troubleshoot programmatic controls diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md index 81669a6614..64e0d1e9f7 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md @@ -1,7 +1,7 @@ --- title: Manage Update rings description: How to manage update rings -ms.date: 12/10/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,52 +17,4 @@ ms.collection: # Manage Update rings -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - You can manage Update rings for Windows 10 and later devices with Windows Autopatch. Using Update rings, you can control when and how updates are installed on your devices. For more information, see [Configure Update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings). - -## Import Update rings for Windows 10 and later - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings. - -Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-register-devices.md#detailed-device-registration-workflow-diagram). - -> [!NOTE] -> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md). - -> [!NOTE] -> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../manage/windows-autopatch-support-request.md). - -### To import Update rings for Windows 10 and later - -**To import Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Manage updates** section, select **Windows updates**. -4. In the **Windows updates** blade, go to the **Update rings** tab. -5. Select **Enroll policies**. **This step only applies if you've gone through [feature activation](../prepare/windows-autopatch-feature-activation.md)**. -6. Select the existing rings you would like to import. -7. Select **Import**. - -### Remove an imported Update ring for Windows 10 and later - -**To remove an Imported Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Manage updates** section, select **Windows updates**. -4. In the **Windows updates** blade, go to the **Update rings**. -5. Select the Update rings for Windows 10 and later you would like to remove. -6. Select the **horizontal ellipses (...)** and select **Remove**. - -### Known limitations - -The following Windows Autopatch features aren't available with imported Intune Update rings: - -- [Autopatch groups](../deploy/windows-autopatch-groups-overview.md) and [features dependent on Autopatch groups](../deploy/windows-autopatch-groups-overview.md#supported-configurations) -- [Moving devices in between deployment rings in devices](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings) -- [Automated deployment ring remediation functions](../deploy/windows-autopatch-device-registration-overview.md#automated-deployment-ring-remediation-functions) -- [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index b5259a8275..6e8f9565bc 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview description: This article explains how Windows feature updates are managed -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -17,16 +17,14 @@ ms.collection: # Windows feature update -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). > [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. +> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update client policies and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Multi-phase feature update -Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs. +With multi-phase feature updates, you can create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs. ### Release statuses @@ -47,7 +45,7 @@ The release statuses are described in the following table: A phase is made of one or more [Autopatch group deployment rings](../deploy/windows-autopatch-groups-overview.md#autopatch-group-deployment-rings). Each phase reports its status to its release. > [!IMPORTANT] -> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are re-used as part of a new release. +> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are reused as part of a new release. | Phase status | Definition | | ----- | ----- | @@ -59,7 +57,21 @@ A phase is made of one or more [Autopatch group deployment rings](../deploy/wind #### Phase policy configuration -For more information about Windows feature update policies that are created for phases within a release, see [Windows feature update policies](../manage/windows-autopatch-windows-feature-update-policies.md). +Windows Autopatch creates one Windows feature update policy per phase using the following naming convention: + +**`Windows Autopatch - DSS policy -[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
- > [!NOTE] -> If you pause an update, the specified release has the **Paused** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. [The **Paused by Service Pause** status **only** applies to Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. +> If you pause an update, the specified release has the **Paused** status. You must select **Resume** to resume the update. 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** from the left navigation menu. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md deleted file mode 100644 index 47810fe194..0000000000 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -title: Windows feature updates policies -description: This article describes Windows feature update policies used in Windows Autopatch -ms.date: 09/16/2024 -ms.service: windows-client -ms.subservice: autopatch -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: andredm7 -ms.collection: - - highpri - - tier1 ---- - -# Windows feature update policies - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -## Windows feature updates for Windows 10 and later - -These policies control the minimum target version of Windows that a device is meant to accept. Throughout the rest of the article, these policies are referred to as DSS policies. There are four of these policies in your tenant with the following naming convention: - -**`Modern Workplace DSS Policy [ring name]`** - -### Windows feature update deployment settings - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | -| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | - -### Windows feature update policy assignments - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad | - -## Default release policy configuration - -You can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): - -| Policy name | Phase mapping | Feature update version | Rollout options | Support end date | -| ----- | ----- | ----- | ----- | ----- | -| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | -| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | -| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | -| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | - -> [!NOTE] -> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). - -## Global release policy configuration - -Windows Autopatch configures the values for its global Windows feature update policy. See the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): - -| Policy name | Feature update version | Rollout options | Support end date | -| ----- | ----- | ----- | ----- | -| Windows Autopatch - Global DSS Policy [Test] | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | - -> [!NOTE] -> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). - -### Difference between the default and global update policies - -> [!IMPORTANT] -> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group's deployment rings behind the scenes. - -The differences in between the global and the default Windows feature update policy values are: - -| Default Windows feature update policy | Global Windows feature update policy | -| ----- | ----- | -|For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. +> +> For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/intune/intune-service/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). **To pause and resume a release:** -> [!IMPORTANT] -> **You can only pause an Autopatch group if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have [activated Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).**[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
+> [!NOTE] +> If you pause an update, the specified release has the **Paused** status. You must select **Resume** to resume the update. 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** from the left navigation menu. @@ -89,15 +72,6 @@ If Windows Autopatch detects a significant issue with a release, we might decide 1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings. 1. Select **Pause or Resume deployment**. -The following statuses are associated with paused quality updates: - -| Status | Description | -| ----- | ------ | -| Paused by Service | If the Windows Autopatch service paused an update, the release has the **Paused by Service** status. The **Paused by Service** status only applies to rings that aren't Paused by the Tenant. | -| Paused by Tenant | If you paused an update, the release has the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. | - ## Remediating Not ready and/or Not up to Date devices -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../monitor/windows-autopatch-device-alerts.md). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md index 2aefa858cc..721d6a1169 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 12/10/2024 +ms.date: 03/31/2025 --- # Programmatic controls for expedited Windows quality updates diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md index 38ee9e58cb..65aded1caa 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md @@ -1,7 +1,7 @@ --- title: Windows quality update policies description: This article explains Windows quality update policies in Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -16,8 +16,6 @@ ms.collection: # Windows quality update policies -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Conflicting and unsupported policies Deploying any of the following policies to a Windows Autopatch device makes that device ineligible for management since the device prevents us from delivering the service as designed. diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png index bf4ba54006..186744f47f 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index 18d4f8c542..4e89a69dea 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md index aed2b1e644..67ddbea0cc 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md @@ -1,7 +1,7 @@ --- title: Device alerts description: Provide notifications and information about the necessary steps to keep your devices up to date. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Device alerts -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information helps you understand: - Microsoft and/or Windows Autopatch performs the actions to keep the device properly updated. @@ -32,7 +30,6 @@ Windows Autopatch and Windows Updates use Device alerts to provide notifications Windows Autopatch alerts are alerts specific to the Windows Autopatch service. These alerts include: - [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) -- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) ## Windows quality and feature update alerts @@ -55,7 +52,7 @@ Alert resolutions are provided through the Windows Update service and provide th | ----- | ----- | ----- | | `CancelledByUser` | User canceled the update | The Windows Update service reported the update was canceled by the user.It's recommended to work with the end user to allow updates to execute as scheduled.
| | `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service indicated the update payload might be damaged or corrupt.It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).
| -| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service reported that the MSA Service might be disabled preventing Global Device ID assignment.Check that the MSA Service is running or able to run on device.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| @@ -83,9 +80,9 @@ Alert resolutions are provided through the Windows Update service and provide th | `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service reported the system doesn't have sufficient system memory to perform the update.Restart Windows, then try the installation again.
If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefiles. For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).
| | `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| | `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service reported an error during installation. Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is false, and the update probably succeeded. | The Windows Update Service reported the update you're trying to install isn't available.No action is required.
If the update is still available, retry the installation.
| | `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| | `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.For more information about safeguards, see [Windows 10/11 release information for the affected versions](/windows/release-health/release-information).
| diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md index afa0dfe072..fa37013aee 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md @@ -1,7 +1,7 @@ --- title: Hotpatch quality update report description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates -ms.date: 11/19/2024 +ms.date: 04/04/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -15,12 +15,7 @@ ms.collection: - tier1 --- -# Hotpatch quality update report (public preview) - -[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] - -> [!IMPORTANT] -> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback. +# Hotpatch quality update report The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md). @@ -29,7 +24,7 @@ The Hotpatch quality update report provides a per policy level view of the curre 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. 1. Select the **Reports** tab. -1. Select **Hotpatch quality updates (preview)**. +1. Select **Hotpatch quality updates**. > [!NOTE] > The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency). @@ -40,9 +35,6 @@ The Hotpatch quality update report provides a visual representation of the updat ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Hotpatch quality update report: | Column name | Description | @@ -55,7 +47,7 @@ The following information is available as default columns in the Hotpatch qualit | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | | % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | ## Report options diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md index 735d7a1414..aacf1432f3 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,16 +17,10 @@ ms.collection: # Maintain the Windows Autopatch environment -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), some management settings might need to be adjusted. If any of the following items apply to your environment, make the adjustments as described. +If any of the following items apply to your environment, make the adjustments as described. > [!NOTE] -> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. - -## Windows Autopatch configurations - -Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service, as described in [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). Don't make any changes to any of the Windows Autopatch configurations. +> If you make changes to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. ## Windows Autopatch tenant management @@ -35,7 +29,7 @@ Windows Autopatch deploys, manages, and maintains all configurations related to The Tenant management blade presents IT admins with any actions that are required to maintain Windows Autopatch service health. The **Tenant management** blade can be found by navigating to **Tenant administration** > **Windows Autopatch** > **Tenant management**. > [!IMPORTANT] -> If you have any critical actions in your tenant, you must take action as soon as possible as the Windows Autopatch service might not be able to manage your tenant. When a critical action is active on your tenant, Windows Autopatch will consider your tenant as **[inactive](#inactive-status)**. +> If you have any critical actions in your tenant, you must take action as soon as possible. When a critical action is active, you might not be able to use Windows Autopatch features, and your tenant may be considered [**inactive**](#inactive-status) by the service. The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed. @@ -43,30 +37,22 @@ The type of banner that appears depends on the severity of the action. Currently | Severity | Description | | ----- | ----- | -| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service might be marked as **inactive**.
To restore service health and return to an active status, all critical pending actions must be resolved.
| +| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.If no action is taken, you might lose access to Windows Autopatch features and your tenant could be marked as [**inactive**](#inactive-status).
To restore service health and return to an active status, all critical pending actions must be resolved.
| ### Critical actions | Action type | Severity | Description | | ----- | ----- | ----- | -| Maintain tenant access | Critical | Required licenses expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| -| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.Reasons for tenant access issues:
Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.
For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).
| +| Maintain tenant access | Critical | Required licenses expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| ### Inactive status > [!NOTE] -> Only the Windows Autopatch sections of your tenant will be marked as **inactive**. +> Only the Windows Autopatch sections of your tenant are marked as **inactive**. -When Windows Autopatch is **inactive**, you're alerted with banners on all Windows Autopatch blades. You only have access to the Tenant management and Support requests blades. All other blades return an error message and redirect you to Tenant management blade. +When Windows Autopatch is **inactive**, you're alerted with banners on all Windows Autopatch blades. You're alerted with banners on all Windows Autopatch blades and have minimal access to Windows Autopatch features. To be taken out of the **inactive** status, you must [resolve any critical actions shown in the Tenant management blade](#critical-actions). > [!NOTE] > Once critical actions are resolved, it can take up to two hours for Windows Autopatch to return to an **active** state. - -#### Impact to your tenant - -| Impact area | Description | -| ----- | ----- | -| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications).
| -| Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index c70e5b8f7a..f99254cf03 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md @@ -1,7 +1,7 @@ --- title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Feature update status report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices. **To view the Feature update status report:** @@ -32,9 +30,6 @@ The Feature update status report provides a per device view of the current Windo ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Feature update status report: | Column name | Description | @@ -42,7 +37,7 @@ The following information is available as default columns in the Feature update | Device name | The name of the device. | | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | | Update status | The current update status for the device. For more information, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | -| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | +| Pause status | The current pause status. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | | Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | | Readiness | The device readiness evaluation status. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | | Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index fe310f106a..cd3667a8a2 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows feature update summary dashboard description: Provides a broader view of the current Windows OS upgrade status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Windows feature update summary dashboard -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices. The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused. @@ -31,9 +29,6 @@ The first part of the Summary dashboard provides you with an all-devices trend r ## Report information -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available in the Summary dashboard: | Column name | Description | @@ -44,7 +39,7 @@ The following information is available in the Summary dashboard: | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | % with the target feature update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the targeted feature update. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md index 7d7c71c4aa..674f5de9cc 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Feature update trending report description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Feature update trending report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. **To view the Feature update trending report:** diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index c678156938..66f0f3e54c 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 03/03/2025 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -17,8 +17,6 @@ ms.collection: # Windows quality and feature update reports overview -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - ## Prerequisites Windows Autopatch requires, and uses Windows diagnostic data to display device update statuses in Autopatch reports. @@ -72,7 +70,9 @@ Users with the following permissions can access the reports: ## About data latency -The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours. +The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) and Microsoft Intune.The data typically uploads from enrolled devices every hour. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours. + + ## Windows quality and feature update statuses @@ -102,7 +102,7 @@ Up to date devices are devices that meet all of the following prerequisites: | Sub status | Description | | ----- | ----- | | In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. | -| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). | +| Paused | Devices that are currently paused due to a customer-initiated pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). | ### Not up to Date devices diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index abde6947cc..e310b53f31 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -1,7 +1,7 @@ --- title: Quality update status report description: Provides a per device view of the current update status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Quality update status report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Quality update status report provides a per device view of the current update status for all Intune devices. **To view the Quality update status report:** @@ -35,9 +33,6 @@ The Quality update status report provides a per device view of the current updat ### Default columns -> [!IMPORTANT] -> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed. - The following information is available as default columns in the Quality update status report: | Column name | Description | @@ -45,7 +40,7 @@ The following information is available as default columns in the Quality update | Device name | The name of the device. | | Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | | Update status | The current update status for the device. For more information, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | -| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). | +| Pause status | The current pause status. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). | | Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | | Readiness | The device readiness evaluation status. For more information, see [Post registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | | Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 52bb8e8d65..0d0528d557 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows quality update summary dashboard description: Provides a summary view of the current update status for all Intune devices. -ms.date: 11/20/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Windows quality update summary dashboard -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Summary dashboard provides a summary view of the current update status for all Intune devices. **To view the current update status for all your enrolled devices:** @@ -43,7 +41,7 @@ The following information is available in the Summary dashboard: | Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). | -| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Paused | Total device count reporting the Paused status. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | | Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | | % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md index 6932c1db07..7ac39cf891 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,6 @@ ms.collection: # Quality update trending report -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days. **To view the Quality update trending report:** diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md deleted file mode 100644 index 9d2fd72bf2..0000000000 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ /dev/null @@ -1,331 +0,0 @@ ---- -title: Windows Autopatch deployment guide -description: This guide explains how to successfully deploy Windows Autopatch in your environment -ms.date: 07/08/2024 -ms.service: windows-client -ms.subservice: autopatch -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: hathind -ms.collection: - - tier2 ---- - -# Windows Autopatch deployment guide - -As organizations move to support hybrid and remote workforces, and continue to adopt cloud-based endpoint management with services such as Intune, managing updates is critical. - -Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. - -A successful Windows Autopatch deployment starts with planning and determining your objectives. Use this deployment guide to plan your move or migration to Windows Autopatch. - -This guide: - -- Helps you plan your deployment and adopt Windows Autopatch -- Lists and describes some common objectives -- Provides a recommended deployment plan -- Provides migration considerations for Windows Update for Business (WUfB) and Microsoft Configuration Manager -- Lists some common general considerations when deploying Windows Autopatch -- Provides suggested business case benefits and communication guidance -- Gives additional guidance and how to join the Autopatch community - -## Determine your objectives - -This section details some common objectives when using Windows Autopatch. - -Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives. - -Use Windows Autopatch to solve the following challenges: - -- Difficulty developing and defending update cadence and general best practices -- Increase visibility and improve issue reporting -- Achieving a consistent update success rate -- Standardize and optimize the configuration for devices, policies, tools and versions across their environment -- Transition to modern update management by configuring Intune and Windows Update for Business -- Make update processes more efficient and less reliant on IT admin resources -- Address vulnerabilities and Windows quality updates as soon as possible to improve security -- Assist with compliance to align with industry standards -- Invest more time on value-add IT projects rather than monthly updates -- Planning and managing Windows feature updates -- Transition to Windows 11 - -## Recommended deployment steps - -The following deployment steps can be used as a guide to help you to create your organization's specific deployment plan to adopt and deploy Windows Autopatch. - -:::image type="content" source="../media/windows-autopatch-deployment-journey.png" alt-text="Windows Autopatch deployment journey" lightbox="../media/windows-autopatch-deployment-journey.png"::: - -### Step one: Prepare - -[Review the prerequisites](../prepare/windows-autopatch-prerequisites.md) and [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) into the Windows Autopatch service. At this stage, your devices aren't affected. You can enroll your tenant and review the service options before registering your devices. - -| Step | Description | -| ----- | ----- | -| **1A: Set up the service** |An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
For more information about workloads supported by Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).
| -| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | In addition to the [Business Premium and A3+ capabilities](#business-premium-and-a3-licenses), Windows Autopatch:[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| | Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
| -| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | - -#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints) - -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - -In addition to the Microsoft Entra ID, Intune and Windows Update for Business endpoints listed in the Business Premium and A3+ licenses section, the following endpoints apply to Windows E3+ and F3 licenses that have [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). There are URLs from several Microsoft products that must be in the allowed list so that devices can communicate with Windows Autopatch. Use the links to see the complete list for each product. - -| Microsoft service | URLs required on Allowlist | -| ----- | ----- | -| Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)
[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)
[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)
| +| Windows Update client policies | [Windows Update client policies firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | +| Windows 10/11 Enterprise including Windows Update client policies | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)
[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)
[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)
| | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | ---- - ### Required Windows Autopatch endpoints for proxy and firewall rules -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. You can optimize your network by sending all trusted Microsoft 365 network requests directly through your firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements. @@ -63,15 +46,10 @@ The following URLs must be on the allowed list of your proxy and firewall so tha | Microsoft service | URLs required on allowlist | | ----- | ----- | -| Windows Autopatch |Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.
At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](../deploy/windows-autopatch-register-devices.md) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| -| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](/windows/deployment/update/deployment-service-drivers), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.When you use [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:
For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).
| +| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).
| ## Windows editions, build version, and architecture -> [!IMPORTANT] -> The following Windows editions, build version, and architecture **applies if you have**:If you’re using **Pilot Intune**, in the **Staging** tab, the device must be in the collections that correspond to the three workloads that Windows Autopatch requires.
**You or your Configuration Manager administrator are responsible for adding your Autopatch devices to these collections. Windows Autopatch doesn’t change or add to these collections.**
For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
| -| Create a Custom client setting |Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
- -- Windows Autopatch - Office Configuration -- Windows Autopatch - Office Update Configuration [Test] -- Windows Autopatch - Office Update Configuration [First] -- Windows Autopatch - Office Update Configuration [Fast] -- Windows Autopatch - Office Update Configuration [Broad] - -| Policy name | Policy description | Properties | Value | -| ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.Assigned to:
Assigned to:
Assigned to:
Assigned to:
To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
- -- Windows Autopatch - Edge Update Channel Stable -- Windows Autopatch - Edge Update Channel Beta - -| Policy name | Policy description | Properties | Value | -| ----- | ----- | ----- | ----- | -| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable ChannelAssigned to:
Assigned to:
To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
- -- Windows Autopatch - Driver Update Policy [Test] -- Windows Autopatch - Driver Update Policy [First] -- Windows Autopatch - Driver Update Policy [Fast] -- Windows Autopatch - Driver Update Policy [Broad] - -## PowerShell scripts - -| Script | Description | -| ----- | ----- | -| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service | diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index a570c117ed..176db43f98 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -1,7 +1,7 @@ --- title: Conflicting configurations description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service. -ms.date: 09/16/2024 +ms.date: 03/31/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -17,8 +17,6 @@ ms.collection: # Conflicting configurations -[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] - During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issues. You can review any device marked as **Not ready** and remediate them to a **Ready** state. Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 285c7754e4..7a603bbfc4 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -27,7 +27,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | -| [Prerequisites](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | Added F SKU licenses to the [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) section. Also see [FAQ](../overview/windows-autopatch-faq.yml)