diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index 161bf41952..0d7e52c210 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -28,7 +28,7 @@ items: - name: Autopatch groups overview href: deploy/windows-autopatch-groups-overview.md - - name: Autopatch group registration overview + - name: Autopatch groups registration overview href: deploy/windows-autopatch-device-registration-overview.md - name: Register devices with Autopatch groups href: deploy/windows-autopatch-register-devices.md diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index 6040e0d206..a5edca8e5b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -62,8 +62,8 @@ An Autopatch group is a function app that is part of the device registration mic | Step | Description | | ----- | ----- | | Step 1: Create an Autopatch group | Create an Autopatch group. Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). | -| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of: | -| Step 3: Intune assigns software update policies | Once Microsoft Entra groups are created in the Microsoft Entra service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. | +| Step 2: Windows Autopatch uses Microsoft Graph to create Microsoft Entra ID and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of: | +| Step 3: Intune assigns software update policies | Once Microsoft Entra groups are created in the Microsoft Entra service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies. | | Step 4: Windows Autopatch responsibilities | Windows Autopatch service is responsible for: | ## Autopatch group deployment rings @@ -135,6 +135,6 @@ Autopatch groups work with the following software update workloads: Windows Autopatch supports up to 300 Autopatch groups in your tenant. Each Autopatch group supports up to 15 deployment rings. > [!NOTE] -> If you reach the maximum number of Autopatch groups supported (50), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade is greyed out. +> If you reach the maximum number of Autopatch groups supported (300), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade is greyed out. To manage your Autopatch groups, see [Manage Windows Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 64c04f55c4..ac9de45be2 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -31,7 +31,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | ----- | ----- | | **Step 1: Assign Entra Groups** | IT admin identifies the Microsoft Entra group they want to assign when they [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group). | | **Step 2: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin from Microsoft Entra groups used with Autopatch groups in **step #1**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
  1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.
| -| **Step 3: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name, and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, and the device's Autopatch readiness status appears as **Not registered** in the [**Autopatch groups membership report**](#autopatch-groups-membership-report). The IT admin can review the reasons the device wasn't registered into Windows Autopatch. The IT admin remediates these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
      2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device checked into Intune in the last 28 days.
  2. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  3. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  4. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and the device's Autopatch readiness status appears as **Not registered** in the **Autopatch groups membership report**.
| +| **Step 3: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name, and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, and the device's Autopatch readiness status appears as **Not registered** in the [**Autopatch groups membership report**](#autopatch-groups-membership-report). The IT admin can review the reasons the device wasn't registered into Windows Autopatch. The IT admin remediates these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
      2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device checked into Intune in the last 28 days.
  2. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  3. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
    4. **Education**
    5. **Pro Education**
  4. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and the device's Autopatch readiness status appears as **Not registered** in the **Autopatch groups membership report**.
| | **Step 4: Calculate dynamic distribution and assign devices** | Microsoft Entra Groups, which are directly assigned to a deployment ring, adds those devices to the Microsoft Entra Group that Autopatch creates for that deployment ring.

If you choose to use dynamic distribution, the Autopatch service distributes the devices you selected. The service takes a percentage of the devices in the dynamic pool and adds them to the relevant Microsoft Entra groups. Devices that are members of Microsoft Entra groups that are directly assigned aren't included in the dynamic pool.

If you have fewer than 100 devices in an Autopatch group, the distribution might not match your selection.

| | **Step 5: Post-device registration** | If you deployed the [**Windows Autopatch Client Broker**](../deploy/windows-autopatch-post-reg-readiness-checks.md#install-the-windows-autopatch-client-broker), post-device registration actions occur. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#post-device-registration-readiness-checks-workflow). | | **Step 6: Review device registration status** | IT admins review the device's Autopatch readiness status. Devices are either **Registered** or **Not registered** in the **[**Autopatch groups membership report**](#autopatch-groups-membership-report)**.
  1. If the device was **successfully registered**, the device's Autopatch readiness status appears as **Registered** in the **Autopatch groups membership report**.
  2. If **not**, the device's Autopatch readiness status appears as **Not registered** in the **Autopatch groups membership report**.
| @@ -45,7 +45,7 @@ As described in **step #3** in the previous [Detailed device registration workfl ## Autopatch groups membership report -Windows Autopatch has an Autopatch groups membership report that allows you to see: +Windows Autopatch has an Autopatch groups membership report provides the following information: - Autopatch group membership (only if the device is added to an Autopatch group) - Update status diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md index 080b40a056..6f2d96bdcb 100644 --- a/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-driver-policy-considerations.md @@ -35,7 +35,7 @@ The following policies define the source for driver updates as either Windows Up - **Group Policy**: `\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates` set to `enabled` with the `Driver Updates` option set to `Windows Update` - **CSP**: [SetPolicyDrivenUpdateSourceForDriverUpdates](/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) set to `0` for Windows Update as the source - **Registry**: `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetPolicyDrivenUpdateSourceForDriverUpdates` set to `0`. Under `\AU`, `UseUpdateClassPolicySource` also needs to be set to `1` - - **Intune**: Not applicable. Intune deploys updates using Windows Update for Business. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update for Business. + - **Intune**: Not applicable. Intune deploys updates using Windows Update client policies. [Co-managed clients from Configuration Manager](/mem/configmgr/comanage/overview?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) with the workload for Windows Update policies set to Intune will also use Windows Update client policies. **Behavior**: Devices with these update source policies that are enrolled for **drivers** and added to an audience: - Will display the applicable driver content diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md index a49bce722c..409b518326 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md @@ -102,4 +102,4 @@ Currently, Windows Autopatch can't pause or resume Microsoft Edge updates. ## Incidents and outages -If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) +If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md index f4712f163c..4646e51661 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-groups-policies.md @@ -42,13 +42,3 @@ To achieve this outcome, the feature update policy is configured for immediate s > [!IMPORTANT] > To safely deploy a new feature update, Autopatch recommends using a custom Windows feature update release. The custom release allows you to choose how and when different deployment rings receive the update. Autopatch doesn't recommend updating the minimum version within an Autopatch group until your rollout is complete. Doing so initiates a rollout which starts immediately for all members of that group.

Once you create a custom Windows feature update release, the Autopatch group's deployment rings are unassigned from that group’s feature update policy.

- -Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values: - -| Policy name |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | -| ----- | ----- | ----- | ----- | ----- | ----- | ----- | -| Autopatch group name - DSS Policy [Test]| Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 | -| Autopatch group name - DSS Policy [Ring1] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 | -| Autopatch group name - DSS Policy [Ring2] | Windows 10 21H2 | Make update available as soon as possible | December 14, 2022 | December 21, 2022 | 1 | June 11, 2024 | -| Autopatch group name - DSS Policy [Ring3] | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024 | -| Autopatch group name - DSS Policy [Last] | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024 | diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md index 6b60b3a9ba..29fc0d54bf 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-autopatch-groups.md @@ -60,10 +60,10 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat 1. The approval method for driver updates 1. The channel for Microsoft Edge updates 1. Select **Next: Release schedules**. In this page, select one of the following release schedule presets from the **Select a release schedule preset** dropdown menu: - 1. Information worker: Single-user devices that are used in most workplaces - 1. Shared device: Devices that are used by multiple users over a period of time - 1. Kiosks and billboards: High uptime devices used to accomplish a specific task that hides notifications and restart at specific times - 1. Reboot-sensitive devices: Devices that can’t be interrupted in the middle of a task and only update at a scheduled time + 1. **Information worker**: Single-user devices that are used in most workplaces + 1. **Shared device**: Devices that are used by multiple users over a period of time + 1. **Kiosks and billboards**: High uptime devices used to accomplish a specific task that hides notifications and restart at specific times + 1. **Reboot-sensitive devices**: Devices that can’t be interrupted in the middle of a task and only update at a scheduled time 1. The Windows update installation, reboot, and notification behavior setting is based on the selected release schedule preset (in step 11). The setting determines how the Windows Update client behaves for all update types that you selected in Step 9. You can: 1. Edit the deferrals, deadlines, grace periods as needed 1. Edit the deployment rings as necessary @@ -98,7 +98,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. > [!CAUTION] -> If a device that was previously added to an Autopatch group uses a Microsoft Entra group (via Assigned groups or Dynamic distribution method) is removed from the Microsoft Entra group, the device is removed and deregistered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device doesn't appear in the Autopatch groups membership report. +> If a device that was previously added to an Autopatch group uses a Microsoft Entra group (via Assigned groups or Dynamic distribution method) is removed from the Microsoft Entra group, the device is removed and deregistered from the Autopatch service. The removed device no longer has any Autopatch service-created policies applied to it and the device doesn't appear in the [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report). ## Rename an Autopatch group @@ -124,7 +124,7 @@ Before you start managing Autopatch groups, ensure you meet the [Windows Autopat Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups. Sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups. -Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. +Since Autopatch groups uses your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. > [!CAUTION] > A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that is already used, an error occurs that prevents you from creating or editing the Autopatch group. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md index 854013fc48..820fd843d4 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-microsoft-365-apps-enterprise.md @@ -74,7 +74,7 @@ To ensure that users are receiving automatic updates, Windows Autopatch prevents With the expanded Autopatch group capabilities, you can choose to turn on Microsoft 365 Apps updates on a per Autopatch group level. Depending on your tenant settings, one of the following scenarios occurs: -- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and have the updated policies applied to each Autopatch group. +- Tenants that previously turned on Autopatch Microsoft 365 Apps update, has the Microsoft 365 Apps updates Update Type checkbox selected and the updated policies applied to each Autopatch group. - Tenants that previously turned off Autopatch Microsoft 365 Apps updates, or are new to Windows Autopatch, Autopatch Microsoft 365 Apps updates remain turned off. If you [created an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) and selected Microsoft 365 apps updates as a content type, the **Update Type** checkbox is **selected**, with new policies created, and any available old policies are removed. If you didn’t select Microsoft 365 apps updates as a content type upon creating an Autopatch group, the **Update Type** checkbox is **unselected**. Any available customized policies are retained and appear in the **Policies** tab. @@ -151,4 +151,4 @@ A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-wi ## Incidents and outages -If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../manage/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities) +If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../manage/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md index 7de0ad34ed..e0eacd5946 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md @@ -17,6 +17,9 @@ ms.collection: # Submit a support request +> [!IMPORTANT] +> You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). + Support requests are triaged and responded to as they're received. **To submit a new support request:** diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md index a0d998ae5b..90b420fa4a 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md @@ -53,4 +53,4 @@ Windows Autopatch can't pause or resume Teams updates. ## Incidents and outages -If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md). +If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md). You can only submit a support request if you have E3+ or F licenses. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index 4a66bee616..be526d3e0b 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -20,11 +20,11 @@ ms.collection: Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). > [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. +> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update client policies and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Multi-phase feature update -Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs. +With multi-phase feature updates, you can create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs. ### Release statuses diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md index 0711c5d7c5..cc33c57b01 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp.md @@ -70,6 +70,6 @@ In the following example: ## Minimize user disruption due to updates -Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached. +Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached. -Windows Autopatch doesn't modify the existing Windows Update notifications. If you wish to modify the end-user update notification experience, see [Use CSPs and MDMs to configure Windows Update for Business](/windows/deployment/update/waas-wufb-csp-mdm). +Windows Autopatch doesn't modify the existing Windows Update notifications. If you wish to modify the end-user update notification experience, see [Use CSPs and MDMs to configure Windows Update client policies](/windows/deployment/update/waas-wufb-csp-mdm). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md index d241191e50..38ab913df0 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md @@ -50,7 +50,7 @@ The service level objective for each of these states is calculated as: > Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service. > [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. +> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update client policies and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Pause and resume a release diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md index d91f9205f3..67ddbea0cc 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md @@ -30,7 +30,6 @@ Windows Autopatch and Windows Updates use Device alerts to provide notifications Windows Autopatch alerts are alerts specific to the Windows Autopatch service. These alerts include: - [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) -- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) ## Windows quality and feature update alerts @@ -53,7 +52,7 @@ Alert resolutions are provided through the Windows Update service and provide th | ----- | ----- | ----- | | `CancelledByUser` | User canceled the update | The Windows Update service reported the update was canceled by the user.

It's recommended to work with the end user to allow updates to execute as scheduled.

| | `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service indicated the update payload might be damaged or corrupt.

It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).

| -| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.

For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service reported that the MSA Service might be disabled preventing Global Device ID assignment.

Check that the MSA Service is running or able to run on device.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service reported a device registration issue.

For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| @@ -81,9 +80,9 @@ Alert resolutions are provided through the Windows Update service and provide th | `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service reported the system doesn't have sufficient system memory to perform the update.

Restart Windows, then try the installation again.

If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefiles. For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).

| | `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.

For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

| | `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service reported an error during installation. Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| -| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| +| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict.

If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

| | `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is false, and the update probably succeeded. | The Windows Update Service reported the update you're trying to install isn't available.

No action is required.

If the update is still available, retry the installation.

| | `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.

For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

| | `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.

For more information about safeguards, see [Windows 10/11 release information for the affected versions](/windows/release-health/release-information).

| diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md index 02548f836e..aacf1432f3 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md @@ -22,10 +22,6 @@ If any of the following items apply to your environment, make the adjustments as > [!NOTE] > If you make changes to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. -## Windows Autopatch configurations - -Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service. Don't make any changes to any of the Windows Autopatch configurations. - ## Windows Autopatch tenant management ### Windows Autopatch tenant actions diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 40e8e3904b..899e555ff1 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -28,7 +28,7 @@ sections: Windows Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not supported. - question: How do I access Windows Autopatch? answer: | - You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-feature-activation.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements. + You can access Windows Autopatch through Intune. For more information, see [Start using Windows Autopatch](../prepare/windows-autopatch-start-using-autopatch.md#use-microsoft-intune-for-windows-autopatch) and [Prerequisites](../prepare/windows-autopatch-prerequisites.md) to ensure you meet the licensing requirements. - name: Requirements questions: - question: What are the licensing requirements for Windows Autopatch? diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md index f83682d76c..7cddd12fef 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -54,7 +54,6 @@ The goal of Windows Autopatch is to deliver software updates to registered devic | [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | | [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.| | [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. | -| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. | | Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. | ### Features included with E3+ and F3 licenses only diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md index 7c74041fa6..7a2f526a80 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md @@ -110,8 +110,6 @@ For Data Subject Requests from other products related to the service, see the fo - [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune) - [Microsoft Entra data](/compliance/regulatory/gdpr-dsr-azure) -### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-data-subjects) - ## Legal The following is Microsoft's privacy notice to end users of products provided by organizational customers. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md index d213b60868..f1b9194cc1 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -30,8 +30,8 @@ There are URLs from several Microsoft products that must be in the allowed list | ----- | ----- | | Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)

[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))

| | Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)

[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

| -| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | -| Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)

[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)

[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)

| +| Windows Update client policies | [Windows Update client policies firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | +| Windows 10/11 Enterprise including Windows Update client policies | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)

[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)

[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)

[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)

| | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | | Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index fdb50b7ebd..e8847397bb 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -21,7 +21,7 @@ ms.collection: Windows Autopatch is available to the following licenses: -- Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing) +- Microsoft 365 Business Premium (for more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/business/compare-all-microsoft-365-business-products-b)) - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) - Windows 10/11 Enterprise E3 or E5 VDA @@ -53,7 +53,6 @@ For more information about feature entitlement, see [Features and capabilities]( | New feature and change management communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | Release schedule and status communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| | Support requests | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| -| Policy health | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| #### Reporting @@ -76,8 +75,10 @@ For more information about feature entitlement, see [Features and capabilities]( ## Windows editions, build version, and architecture -> [!IMPORTANT] -> The following Windows editions, build version, and architecture **applies if you have**: +The following Windows editions, build version, and architecture **applies if you have**: + +- Business Premium, A3+, E3+ or F3 licenses +- [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md) The following Windows 10/11 editions, build version, and architecture are supported when [devices are registered with Windows Autopatch](../deploy/windows-autopatch-register-devices.md): @@ -89,18 +90,20 @@ The following Windows 10/11 editions, build version, and architecture are suppor Windows Autopatch service supports Windows client devices on the **General Availability Channel**. > [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. +> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update client policies and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Configuration Manager co-management requirements -> [!IMPORTANT] -> The following Windows editions, build version, and architecture **applies if you have**: +The following Windows editions, build version, and architecture **applies if you have**: + +- Business Premium, A3+, E3+ or F3 licenses +- [Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md) | Requirement | Description | | --- | --- | | Supported Configuration Manager version | Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). | | Configuration Manager must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) | Must have the following co-management workloads enabled and set to either **Intune** or **Pilot Intune**:

If you’re using **Pilot Intune**, in the **Staging** tab, the device must be in the collections that correspond to the three workloads that Windows Autopatch requires.

**You or your Configuration Manager administrator are responsible for adding your Autopatch devices to these collections. Windows Autopatch doesn’t change or add to these collections.**

For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).

| -| Create a Custom client setting |Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.
  1. Under **Disable Software Updates > Device Settings > Enable software updates on clients**, select **No**.
  2. Under **CoMgmtSettingsProd Properties > Staging tab > Office Click-to-Run apps, set to Co-Management – O365 Workload**.
  3. Under **CoMgmtSettingsProd Properties > Staging tab > Windows Update policies, set to Co-Management – WUfB Workload**.
  4. Ensure the **Disable Software Updates** setting has a lower priority than your default client settings and target your co-management collection.
    1. If the co-management workload is set to Intune, deploy the Client Setting to a collection that includes all co-management devices, for example, Co-management Eligible Devices.
  5. Configuration Manager **disables** the Software Updates agent in the next policy cycle. However, because the Software Updates Scan Cycle is **removed**, Configuration Manager might not remove the Windows Server Update Service (WSUS) registry keys.
    1. Remove the registry values under **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate** because Windows Update for Business (WUfB) policies control the process.
| +| Create a Custom client setting |Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.
  1. Under **Disable Software Updates > Device Settings > Enable software updates on clients**, select **No**.
  2. Under **CoMgmtSettingsProd Properties > Staging tab > Office Click-to-Run apps, set to Co-Management – O365 Workload**.
  3. Under **CoMgmtSettingsProd Properties > Staging tab > Windows Update policies, set to Co-Management – WUfB Workload**.
  4. Ensure the **Disable Software Updates** setting has a lower priority than your default client settings and target your co-management collection.
    1. If the co-management workload is set to Intune, deploy the Client Setting to a collection that includes all co-management devices, for example, Co-management Eligible Devices.
  5. Configuration Manager **disables** the Software Updates agent in the next policy cycle. However, because the Software Updates Scan Cycle is **removed**, Configuration Manager might not remove the Windows Server Update Service (WSUS) registry keys.
    1. Remove the registry values under **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate** because Windows Update client policies control the process.
| ## Required Intune permissions diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 8605d49f4d..7a603bbfc4 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -104,7 +104,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | General Availability | | [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | General Availability | | [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md) | General Availability | -| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | General Availability | ### July service releases @@ -158,7 +157,6 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Windows feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | | [Windows feature update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | | [Windows quality and feature update device alerts](../operate/windows-autopatch-device-alerts.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | -| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview | | [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview | ### May service releases