diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 451a64865c..c29fcd0299 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -14,22 +14,21 @@ msreviewer: andredm7 # Windows feature updates -Microsoft provides robust modern device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and fundamental tasks by IT organizations because Windows feature updates provide: +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. -- Fixes for security vulnerabilities and known bugs to keep Windows devices protected against advanced malicious attacks. +- Fixes known bugs to keep Windows devices protected against behavioral issues. - New features to boost end-user productivity. Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. ## Enforcing a minimum Windows OS version -Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has its Windows feature update policy assigned to them. +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. The policies: - Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**. - Set a bare minimum Windows OS version required by the service once devices are registered with the service. -- Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. If a device is registered with Windows Autopatch, and the device is: @@ -50,17 +49,23 @@ If your tenant is enrolled with Windows Autopatch, you can see the following pol > [!IMPORTANT] > If you’re ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatch’s default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy). +> [!NOTE] +> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:

**Modern Workplace DSS Policy [Test]**

**Modern Workplace DSS Policy [First]**

**Modern Workplace DSS Policy [Fast]**

**Modern Workplace DSS Policy [Broad]**

Since the new feature update policies setting the minimum Windows 10 OS version are in place, the policies above can be removed from your tenant.

+ ## Test Windows 11 feature updates -You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: +You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: | Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | | Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | +> [!IMPORTANT] +> Windows Autopatch neither applies its deployment ring distribution, nor configure [Windows Update for Business gradual rollout settings](https://learn.microsoft.com/mem/intune/protect/windows-update-rollout-options) in the Feature update policy **Modern Workplace DSS Policy [Windows 11]**.

Once devices are added into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, they can all apply the Windows 11 22H2 feature update with no gradual rollout or deployment ring capabilities.

+ ## Manage Windows feature update deployments -Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and feature updates. +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality and feature updates](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. @@ -86,7 +91,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym Windows Autopatch doesn’t support the rollback of Windows Feature updates. > [!CAUTION] -> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the feature update. +> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update. ## Contact support