These settings configure the network connections for Chromebook devices and include the following settings categories:
Windows 8.1 deployment planning
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Windows 8.1 deployment to PCs
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
BYOD
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Deploying Windows RT 8.1
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Virtual Desktop Infrastructure
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Microsoft Store apps
Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Windows To Go
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
The root node. +The root node. -
Supported operation is Get. +Supported operation is Get. **ApprovedUpdates** -
Node for update approvals and EULA acceptance on behalf of the end-user. +Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -
Supported operations are Get and Add. +Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -
Specifies the update GUID. +Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -
Supported operations are Get and Add. +Supported operations are Get and Add. -
Sample syncml:
+Sample syncml:
```
Specifies the time the update gets approved. +Specifies the time the update gets approved. -
Supported operations are Get and Add. +Supported operations are Get and Add. **FailedUpdates** -
Specifies the approved updates that failed to install on a device. +Specifies the approved updates that failed to install on a device. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -
Supported operation is Get. +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -
The update failure error code. +The update failure error code. -
Supported operation is Get. +Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** -
Specifies the failed update status (for example, download, install). +**FailedUpdates/*Failed Update Guid*/State** +Specifies the failed update state. -
Supported operation is Get. +| Update Status | Integer Value | +| -------------------------- | ------------- | +| UpdateStatusNewUpdate | 1 | +| UpdateStatusReadyToDownload| 2 | +| UpdateStatusDownloading | 4 | +| UpdateStatusDownloadBlocked| 8 | +| UpdateStatusDownloadFailed | 16 | +| UpdateStatusReadyToInstall | 32 | +| UpdateStatusInstalling | 64 | +| UpdateStatusInstallBlocked | 128 | +| UpdateStatusInstallFailed | 256 | +| UpdateStatusRebootRequired | 512 | +| UpdateStatusUpdateCompleted| 1024 | +| UpdateStatusCommitFailed | 2048 | +| UpdateStatusPostReboot | 4096 | + +Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates** -
The updates that are installed on the device. +The updates that are installed on the device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -
UpdateIDs that represent the updates installed on a device. +UpdateIDs that represent the updates installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. +The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -
Update identifiers that represent the updates applicable and not installed on a device. +Update identifiers that represent the updates applicable and not installed on a device. -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -
The UpdateClassification value of the update. Valid values are: +The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -
Supported operation is Get. +Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -
The revision number for the update that must be passed in server to server sync to get the metadata for the update. +The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates** -
The updates that require a reboot to complete the update session. +The updates that require a reboot to complete the update session. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -
Update identifiers for the pending reboot state. +Update identifiers for the pending reboot state. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -
The time the update is installed. +The time the update is installed. -
Supported operation is Get. +Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +Supported operation is Get. **LastSuccessfulScanTime** -
The last successful scan time. +The last successful scan time. -
Supported operation is Get. +Supported operation is Get. **DeferUpgrade** -
Upgrades deferred until the next period. +Upgrades deferred until the next period. -
Supported operation is Get.
+Supported operation is Get.
**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index 99272efc31..3e5e3a5468 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -964,7 +964,7 @@ Determines the level of data encryption required for the connection.
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
@@ -1003,7 +1003,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
@@ -5261,7 +5261,7 @@ Determines the level of data encryption required for the connection.
-Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN.
+Nodes under DeviceCompliance can be used to enable Microsoft Entra ID based Conditional Access for VPN.
@@ -5300,7 +5300,7 @@ Nodes under DeviceCompliance can be used to enable AAD based Conditional Access
-Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Microsoft Entra ID to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Microsoft Entra ID.
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index 2bb3347699..20a3da3401 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 12/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the V
- Windows 10, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
-|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
+|Microsoft Entra ID | While all employees signing into Cortana need a Microsoft Entra account, a Microsoft Entra ID P1 or P2 tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
>[!NOTE]
>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
-## Signing in using Azure AD
+
-Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/)
+## Signing in using Microsoft Entra ID
+
+Your organization must have a Microsoft Entra tenant and your employees' devices must all be Microsoft Entra joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what a Microsoft Entra tenant is, how to get your devices joined, and other Microsoft Entra maintenance info, see [Microsoft Entra documentation.](/azure/active-directory/)
## How is my data processed by Cortana?
@@ -54,7 +56,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later, or Windows 11
-Cortana enterprise services that can be accessed using Azure AD through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
+Cortana enterprise services that can be accessed using Microsoft Entra ID through Cortana meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 8cfe781f37..e0881606c0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -72,7 +72,7 @@ For specific info about how to set, manage, and use each of these MDM policies t
- **AllowMicrosoftAccountConnection**
- **Group policy**: None
- **MDM policy CSP**: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection)
- - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Azure AD account, then disable this setting.
+ - **Description**: Specifies whether to allow users to sign in using a Microsoft account (MSA) from Windows apps. If you only want to allow users to sign in with their Microsoft Entra account, then disable this setting.
- **Allow search and Cortana to use location**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
index 421e8959d9..28baf34fab 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md
@@ -1,5 +1,5 @@
---
-title: Sign into Azure AD, enable the wake word, and try a voice query
+title: Sign into Microsoft Entra ID, enable the wake word, and try a voice query
description: A test scenario walking you through signing in and managing the notebook.
ms.prod: windows-client
ms.collection: tier3
@@ -13,14 +13,14 @@ ms.date: 12/31/2017
ms.topic: article
---
-# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query
+# Test scenario 1 – Sign into Microsoft Entra ID, enable the wake word, and try a voice query
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
>[!NOTE]
>The wake word has been re-enabled in the latest version of Cortana in Windows. If you're on Windows 10, version 2004, be sure that you've updated to build 19041.329 or later to use the wake word with Cortana. For earlier builds, you can still click on the microphone button to use your voice with Cortana.
-1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account.
+1. Select the **Cortana** icon in the task bar and sign in using your Microsoft Entra account.
2. Select the "…" menu and select **Talking to Cortana**.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
index 6a8fa6528d..9260043d11 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md
@@ -19,7 +19,7 @@ ms.technology: itpro-configure
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
+- [Sign into Microsoft Entra ID, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md)
- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md)
- [Set a reminder](cortana-at-work-scenario-3.md)
- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md)
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index 01d6c2db85..b9fd7b9023 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -49,4 +49,4 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization.
## How the Bing Answer policy configuration is applied
-Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
+Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of a Microsoft Entra group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes.
diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md
index 6f3ffd8173..cd72adceb2 100644
--- a/windows/configuration/cortana-at-work/test-scenario-1.md
+++ b/windows/configuration/cortana-at-work/test-scenario-1.md
@@ -16,11 +16,11 @@ ms.technology: itpro-configure
[!INCLUDE [Deprecation of Cortana in Windows](./includes/cortana-deprecation.md)]
-This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook.
+This scenario turns on Microsoft Entra ID and lets your employee use Cortana to manage an entry in the notebook.
## Sign in with your work or school account
-This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account.
+This process helps you to sign out of a Microsoft Account and to sign into a Microsoft Entra account.
1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings.
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index 081ea5877a..206010600b 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -28,7 +28,7 @@ This scenario helps you search for both general upcoming meetings, and specific
This process helps you find your upcoming meetings.
-1. Check to make sure your work calendar is connected and synchronized with your Azure AD account.
+1. Check to make sure your work calendar is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 17a27dc786..f8dfb7cf8e 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -25,7 +25,7 @@ This scenario helps you to send an email to a co-worker listed in your work addr
This process helps you to send a quick message to a co-worker from the work address book.
-1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account.
+1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Microsoft Entra account.
2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar.
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index c7298fc1d3..2173e2ee20 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -10,7 +10,6 @@ ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
---
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 7ef410564c..2e959a035a 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -1,16 +1,9 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
-manager: aaroncz
author: lizgt2000
ms.author: lizlong
ms.reviewer: ericpapa
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier1
-ms.technology: itpro-configure
ms.date: 01/10/2023
ms.topic: article
---
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a38e34c05c..72a4298b7c 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -8,7 +8,6 @@ ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
ms.date: 08/17/2023
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 40b7d5daac..94641458ae 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.reviewer:
manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 0ab80c34f4..6d8d824a07 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -38,13 +38,15 @@
"ms.collection": [
"tier2"
],
+ "zone_pivot_group_filename": "resources/zone-pivot-groups.json",
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure",
"ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
+ "ms.prod": "windows-client",
+ "manager": "aaroncz",
+ "feedback_system": "Standard",
+ "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration",
@@ -60,7 +62,10 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins"
+ "beccarobins",
+ "Stacyrch140",
+ "v-stsavell",
+ "American-Dipper"
],
"searchScope": ["Windows 10"]
},
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index ee9ad89242..5b78101494 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -1,17 +1,10 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer: sybruckm
-manager: aaroncz
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index f1159c1544..95bcd1a788 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,16 +1,10 @@
---
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.reviewer: sybruckm
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 0eace6a656..4bcaa16c51 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -1,7 +1,7 @@
### YamlMime:Landing
title: Configure Windows client # < 60 chars
-summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars
+summary: Find out how to apply custom configurations to Windows client devices. # < 160 chars
metadata:
title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
@@ -9,12 +9,11 @@ metadata:
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
+ ms.date: 12/20/2023
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -23,52 +22,62 @@ landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- - title: Manage Windows client settings
+ - title: Customize the appearance
linkLists:
- - linkListType: overview
+ - linkListType: how-to-guide
links:
- - text: Manage the Windows 10 Start and taskbar layout
- url: windows-10-start-layout-options-and-policies.md
+ - text: Customize the Windows 11 Start menu layout
+ url: customize-start-menu-layout-windows-11.md
+ - text: Customize the Windows 11 taskbar
+ url: customize-taskbar-windows-11.md
- text: Configure Windows Spotlight on the lock screen
url: windows-spotlight.md
- - text: Customize the Windows 10 Start and taskbar with Group Policy
- url: customize-windows-10-start-screens-by-using-group-policy.md
+ - text: Accessibility information for IT pros
+ url: windows-accessibility-for-itpros.md
# Card (optional)
- title: Configure a Windows kiosk
linkLists:
- - linkListType: overview
+ - linkListType: how-to-guide
links:
- - text: Guidelines for choosing an app for assigned access
- url: guidelines-for-assigned-access-app.md
+ - text: Configure kiosks and digital signs
+ url: kiosk-methods.md
- text: Set up a single-app kiosk
url: kiosk-single-app.md
- - text: Set up a multi-app kiosk
- url: lock-down-windows-10-to-specific-apps.md
+ - text: Set up a multi-app kiosk for Windows 11
+ url: lock-down-windows-11-to-specific-apps.md
+ - text: Manage multi-user and guest devices
+ url: shared-devices-concepts.md
# Card (optional)
- - title: Windows client provisioning packages
+ - title: Use provisioning packages
linkLists:
- - linkListType: overview
+ - linkListType: how-to-guide
links:
+ - text: Provisioning packages for Windows
+ url: provisioning-packages/provisioning-packages.md
- text: Install Windows Configuration Designer
url: provisioning-packages/provisioning-install-icd.md
- - text: Provisioning packages for Windows 10
- url: provisioning-packages/provisioning-packages.md
+ - text: Create a provisioning package
+ url: provisioning-packages/provisioning-create-package.md
+ - text: Apply a provisioning package
+ url: provisioning-packages/provisioning-apply-package.md
# Card (optional)
- title: Use Windows Configuration Designer (WCD)
linkLists:
- - linkListType: overview
+ - linkListType: reference
links:
- text: Windows Configuration Designer (WCD) reference
url: wcd/wcd.md
- - text: WCD policies reference
+ - text: Policies
url: wcd/wcd-policies.md
- - text: WCD OOBE reference
- url: wcd/wcd-oobe.md
+ - text: ProvisioningCommands
+ url: wcd/wcd-provisioningcommands.md
+ - text: Accounts
+ url: wcd/wcd-accounts.md
# Card (optional)
- title: Configure Cortana in Windows client
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 0fdc2d15c1..7dc2ae5f02 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -65,7 +65,7 @@ There are several kiosk configuration methods that you can choose from, dependin
- The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
+ The kiosk account can be a local standard user account, a local administrator account, a domain account, or a Microsoft Entra account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
>[!IMPORTANT]
@@ -79,9 +79,9 @@ You can use this method | For this edition | For this kiosk account type
--- | --- | ---
[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user
[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
@@ -89,9 +89,9 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD
-[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD
-[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Azure AD
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
+[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Microsoft Entra ID
+[Shell Launcher](kiosk-shelllauncher.md) v1 and v2 | Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
@@ -99,9 +99,9 @@ You can use this method | For this edition | For this kiosk account type
You can use this method | For this edition | For this kiosk account type
--- | --- | ---
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
-[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD
-[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
+[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Microsoft Entra ID
+[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Microsoft Entra ID
## Summary of kiosk configuration methods
@@ -109,11 +109,11 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk
--- | --- | --- | :---: | :---:
[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | ✔️ |
[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | ✔️ |
-[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ |
-[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ | ✔️
-Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | ✔️ | ✔️
-[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | ✔️ |
-[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | ✔️
+[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
+[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ | ✔️
+Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Microsoft Entra ID | ✔️ | ✔️
+[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | ✔️ |
+[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Microsoft Entra ID | | ✔️
>[!NOTE]
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md
index 7891caf75d..9e599f8790 100644
--- a/windows/configuration/kiosk-policies.md
+++ b/windows/configuration/kiosk-policies.md
@@ -29,7 +29,7 @@ When the assigned access kiosk configuration is applied on the device, certain p
## Group Policy
-The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Azure Active Directory users.
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Microsoft Entra users.
| Setting | Value |
| --- | --- |
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 0443a3047c..05323a4d02 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -216,7 +216,7 @@ Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-exper
You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE]
-> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
+> If you are using a Windows client device restriction CSP to set "Preferred Microsoft Entra tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index fc9e86e27c..4bd3071b0d 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -52,7 +52,7 @@ For sample XML configurations for the different app combinations, see [Samples f
>
>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
-- A domain, Azure Active Directory, or local user account.
+- A domain, Microsoft Entra ID, or local user account.
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index db0f2a955f..0218a198e2 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -2,16 +2,11 @@
title: Set up a single-app kiosk on Windows
description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
ms.reviewer: sybruckm
-manager: aaroncz
ms.author: lizlong
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.topic: article
ms.collection:
- - highpri
- tier1
-ms.technology: itpro-configure
ms.date: 07/12/2023
---
@@ -85,7 +80,7 @@ You have several options for configuring your single-app kiosk.
You can use **Settings** to quickly configure one or a few devices as a kiosk.
-When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+When your kiosk is a local device that isn't managed by Active Directory or Microsoft Entra ID, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
@@ -235,17 +230,17 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
3. Enable account management:
- :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+ :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Microsoft Entra ID, or create a local admin account.":::
If you want to enable account management, select **Account Management**, and configure the following settings:
- **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
- **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
- - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+ - **Microsoft Entra ID**: Before you use a Windows Configuration Designer wizard to configure bulk Microsoft Entra enrollment, [set up Microsoft Entra join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Microsoft Entra tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
- If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+ If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Microsoft Entra ID, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
- You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+ You must run Windows Configuration Designer on Windows client to configure Microsoft Entra enrollment using any of the wizards.
- **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
@@ -323,7 +318,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
>
>Account type:
> - Local standard user
-> - Azure AD
+> - Microsoft Entra ID
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 0df2e63128..a32e707e87 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,26 +1,19 @@
---
title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
-ms.prod: windows-client
-ms.technology: itpro-configure
author: lizgt2000
ms.author: lizlong
-manager: aaroncz
ms.reviewer: sybruckm
-ms.localizationpriority: medium
ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
-ms.date: 12/31/2017
+ms.date: 11/08/2023
+appliesto:
+ - ✅ Windows 10 Pro
+ - ✅ Windows 10 Enterprise
+ - ✅ Windows 10 Education
---
# Set up a multi-app kiosk on Windows 10 devices
-**Applies to**
-
-- Windows 10 Pro, Enterprise, and Education
-
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
@@ -33,13 +26,13 @@ The following table lists changes to multi-app kiosk in recent updates.
| - Configure [a single-app kiosk profile](#profile) in your XML file
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
->[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+> [!WARNING]
+> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
->[!TIP]
->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
+> [!TIP]
+> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
@@ -62,7 +55,7 @@ Process:
Watch how to use a provisioning package to configure a multi-app kiosk.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
@@ -71,8 +64,8 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
->[!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+> [!NOTE]
+> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
@@ -198,7 +191,7 @@ Starting in Windows 10 version 1809, you can explicitly allow some known folders
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
->[!TIP]
+> [!TIP]
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
```xml
@@ -278,8 +271,8 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
```
->[!NOTE]
->If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
+> [!NOTE]
+> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
@@ -299,8 +292,8 @@ The following example hides the taskbar:
+- [Overview of Windows 11](/windows/whats-new/windows-11).
+- [Plan for Windows 11](/windows/whats-new/windows-11-plan).
+- [Prepare for Windows 11](/windows/whats-new/windows-11-prepare).
+- [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
## Deployment tools
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
-New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
-VPN support is added to [Windows Autopilot](#windows-autopilot)
-An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
-The Windows 10 deployment and update [landing page](index.yml) has been redesigned, with more content added and more content coming soon.
+- [SetupDiag](#setupdiag) is included with all currently supported versions of Windows.
+- New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
+- VPN support is added to [Windows Autopilot](#windows-autopilot).
+- An in-place upgrade wizard is available in [Configuration Manager](#microsoft-configuration-manager).
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
+The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has content to help you with large-scale deployment of supported version of Windows and Microsoft 365 Apps for enterprise.
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines:
-- Windows 10
-- Office 365
+- A currently supported version of Windows.
+- Office 365.
- Enterprise Mobility and Security (EMS).
-See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
+See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a [Microsoft 365 Enterprise poster](deploy-m365.md#microsoft-365-enterprise-poster).
-## Windows 10 servicing and support
+## Windows servicing and support
### Delivery Optimization
-Windows PowerShell cmdlets for Delivery Optimization have been improved:
+Windows PowerShell cmdlets for Delivery Optimization is improved:
-- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
+- **Get-DeliveryOptimizationStatus** has the **-PeerInfo** option for a real-time peek behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
@@ -79,29 +75,36 @@ Other improvements in [Delivery Optimization](./do/waas-delivery-optimization.md
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
-- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background
-- Max Upload Bandwidth (DOMaxUploadBandwidth)
+- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth).
+ - Reason: Replaced with separate policies for foreground and background.
+- Max Upload Bandwidth (DOMaxUploadBandwidth).
- Reason: impacts uploads to internet peers only, which isn't used in enterprises.
-- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: separated to foreground and background
+- Absolute max throttle (DOMaxDownloadBandwidth).
+ - Reason: separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
-- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+- **Intune console updates**: target version is now available allowing you to specify which supported version of Windows you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+
+- **Validation improvements**: To ensure devices and end users stay productive and protected, Microsoft blocks devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, a new policy is available that enables admins to opt devices out of the built-in safeguard holds.
+
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows automatically signs in as the user and locks their device in order to complete the update. This automatic sign-on ensures that when the user returns and unlocks the device, the update is completed.
+
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There's now a single, common start date for phased deployments (no more SAC-T designation). In addition, there's a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
-- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
-- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
-Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the table below.
+- **Pause updates**: The ability to pause updates for both feature and monthly updates is extended. This extension ability is for all currently supported editions of Windows, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, the device needs to update before pausing again.
+
+- **Improved update notifications**: When there's an update requiring you to restart your device, a colored dot appears on the Power button in the Start menu and on the Windows icon in the taskbar.
+
+- **Intelligent active hours**: To further enhance active hours, users now can let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+
+- **Improved update orchestration to improve system responsiveness**: This feature improves system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
+
+Microsoft previously announced that we're [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. These editions include all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there's no change for these editions). These support policies are summarized in the following table:
@@ -111,7 +114,7 @@ Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Mi
Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
-For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md)
+For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
## Deployment solutions and tools
@@ -119,17 +122,17 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Microsoft Entra hybrid join with VPN support.
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios now skip the language, locale, and keyboard pages. In previous versions, these language settings were only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
+- [Windows Autopilot for pre-provisioned deployment](/autopilot/pre-provision) is new in Windows 10, version 1903. Pre-provisioned deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10 onward, version 1903 Autopilot functional and critical updates begin downloading automatically during OOBE.
+- Windows Autopilot sets the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Configuration Manager
@@ -137,25 +140,21 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
### Windows 10 Subscription Activation
-Windows 10 Education support has been added to Windows 10 Subscription Activation.
+Windows 10 Education support is added to Windows 10 Subscription Activation.
With Windows 10, version 1903, you can step up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions - Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
-[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](upgrade/setupdiag.md) is a command-line tool that can help diagnose why an update of Windows failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-In Windows 10, version 2004, SetupDiag is now automatically installed.
-
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+During the upgrade process, Windows Setup extracts all its sources files to the `%SystemDrive%\$Windows.~bt\Sources` directory. **SetupDiag.exe** is also installed to this directory. If there's an issue with the upgrade, SetupDiag automatically runs to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under `%SystemDrive%\Windows.Old` for cleanup.
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Upgrade Readiness helps you ensure that applications and drivers are ready for an upgrade of Windows. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-
-The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+Input from the community heavily influenced the development of Upgrade Readiness and the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following articles:
@@ -164,7 +163,7 @@ For more information about Upgrade Readiness, see the following articles:
### Update Compliance
-Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+Update Compliance helps you to keep supported Windows devices in your organization secure and up-to-date.
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
@@ -172,31 +171,35 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview)
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview).
### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
-There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of supported versions of Windows that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
### Microsoft Deployment Toolkit (MDT)
-MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There's currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
+MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
+> [!IMPORTANT]
+>
+> MDT doesn't support versions of Windows after Windows 10 and Windows Server 2019.
+
### Windows Assessment and Deployment Kit (ADK)
-The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
+IT Pros can use the tools in the Windows Assessment and Deployment Kit (Windows ADK) to deploy Windows.
Download the Windows ADK and Windows PE add-on for Windows 11 [here](/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
+Also see [Windows ADK for Windows scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
@@ -206,19 +209,19 @@ The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual
For more information, see the following guides:
-- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
-- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
-- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md)
+- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md).
+- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md).
+- [Deploy Windows 10 in a test lab using Microsoft Configuration Manager](windows-10-poc-sc-config-mgr.md).
## Troubleshooting guidance
-[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The article provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
+[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) was published in October of 2016 and continues to be updated with new fixes. The article provides a detailed explanation of the Windows upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.
## Related articles
-[Overview of Windows as a service](update/waas-overview.md)
-[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-[Windows 10 release information](/windows/windows-10/release-information)
-[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
-[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+- [Overview of Windows as a service](update/waas-overview.md).
+- [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md).
+- [Windows 10 release information](/windows/windows-10/release-information).
+- [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications).
+- [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md).
+- [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md).
diff --git a/windows/deployment/do/images/assigning-ip-2.png b/windows/deployment/do/images/assigning-ip-2.png
new file mode 100644
index 0000000000..4403b7e68b
Binary files /dev/null and b/windows/deployment/do/images/assigning-ip-2.png differ
diff --git a/windows/deployment/do/images/external-switch-1.jpg b/windows/deployment/do/images/external-switch-1.jpg
new file mode 100644
index 0000000000..7248d30ebe
Binary files /dev/null and b/windows/deployment/do/images/external-switch-1.jpg differ
diff --git a/windows/deployment/do/images/installation-complete-7.png b/windows/deployment/do/images/installation-complete-7.png
new file mode 100644
index 0000000000..8b1517348a
Binary files /dev/null and b/windows/deployment/do/images/installation-complete-7.png differ
diff --git a/windows/deployment/do/images/installation-info-4.png b/windows/deployment/do/images/installation-info-4.png
new file mode 100644
index 0000000000..41c2121e72
Binary files /dev/null and b/windows/deployment/do/images/installation-info-4.png differ
diff --git a/windows/deployment/do/images/memory-storage-5.png b/windows/deployment/do/images/memory-storage-5.png
new file mode 100644
index 0000000000..8e5b56f5c2
Binary files /dev/null and b/windows/deployment/do/images/memory-storage-5.png differ
diff --git a/windows/deployment/do/images/portal-installation-instructions-6.png b/windows/deployment/do/images/portal-installation-instructions-6.png
new file mode 100644
index 0000000000..201a1aa1d6
Binary files /dev/null and b/windows/deployment/do/images/portal-installation-instructions-6.png differ
diff --git a/windows/deployment/do/images/use-custom-dns-3.png b/windows/deployment/do/images/use-custom-dns-3.png
new file mode 100644
index 0000000000..90ef151c05
Binary files /dev/null and b/windows/deployment/do/images/use-custom-dns-3.png differ
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 10f5b9cddf..65d63be915 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 03/10/2023
+ms.date: 11/09/2023
---
# Deploy your cache node
@@ -29,7 +29,7 @@ To deploy MCC to your server:
1. [Create an MCC Node](#create-an-mcc-node-in-azure)
1. [Edit Cache Node Information](#edit-cache-node-information)
1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
-1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
+1. [Verify MCC functionality](#verify-mcc-server-functionality)
1. [Review common Issues](#common-issues) if needed.
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
@@ -194,12 +194,15 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
>
> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
+1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.
+ If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
> [!NOTE]
> Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
- If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
+ If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
+
+ If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi.
:::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
@@ -207,34 +210,46 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
-1. Decide whether you would like to use dynamic or static address for the Eflow VM
+1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
:::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
> [!NOTE]
> Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
-1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
-
-1. Follow the Azure Device Login link and sign into the Azure portal.
-
- :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
-
-1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
+ The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
+ For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
+
+ :::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
+ :::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
+
+ If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
+ :::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
+ If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings.
+
+1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path.
+
+ :::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
+ For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommend values for a Branch Office/Small Enterprise deployment.
+
+ :::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
+
+1. When the installation is complete, you should see the following output (the values below will be your own)
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
-
+
+ :::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
1. Your MCC deployment is now complete.
+ If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
+ - After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
+ - If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
- 1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
- 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
-
-## Verify proper functioning MCC server
+## Verify MCC server functionality
#### Verify client side
@@ -251,14 +266,20 @@ Connect to the EFLOW VM and check if MCC is properly running:
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
+If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
+```bash
+ping www.microsoft.com
+resolvectl query microsoft.com
+```
+See the [common issues](#common-issues) section for more information.
#### Verify server side
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` can only run from Windows PE and is blocked from running in full Windows. This option overrides this block and enables disk conversion while running in the full Windows environment.
**Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 2a900b672d..b3911601ff 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -23,7 +23,7 @@ For many years, organizations have deployed new versions of Windows using a "wip
Windows 10 also introduces two additional scenarios that organizations should consider:
-- **In-place upgrade**, which provides a simple, automated process that leverages the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
+- **In-place upgrade**, which provides a simple, automated process that uses the Windows setup process to automatically upgrade from an earlier version of Windows. This process automatically migrates existing data, settings, drivers, and applications.
- **Dynamic provisioning**, which enables organizations to configure new Windows 10 devices for organization use without having to deploy a new custom organization image to the device.
@@ -33,8 +33,8 @@ Windows 10 also introduces two additional scenarios that organizations should co
| Consider ... | For these scenarios |
|---|---|
-| In-place upgrade | - When you want to keep all (or at least most) existing applications
- When you do not plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- To migrate from Windows 10 to a later Windows 10 release |
-| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
- When you make significant device or operating system configuration changes
- When you "start clean". For example, scenarios where it is not necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- When you migrate from Windows Vista or other previous operating system versions |
+| In-place upgrade | - When you want to keep all (or at least most) existing applications
- When you don't plan to significantly change the device configuration (for example, BIOS to UEFI) or operating system configuration (for example, x86 to x64, language changes, Administrators to non-Administrators, Active Directory domain consolidations)
- To migrate from Windows 10 to a later Windows 10 release |
+| Traditional wipe-and-load | - When you upgrade significant numbers of applications along with the new Windows OS
- When you make significant device or operating system configuration changes
- When you "start clean". For example, scenarios where it isn't necessary to preserve existing apps or data (for example, call centers) or when you move from unmanaged to well-managed PCs
- When you migrate from Windows Vista or other previous operating system versions |
| Dynamic provisioning | - For new devices, especially in "choose your own device" scenarios when simple configuration (not reimaging) is all that is required.
- When used in combination with a management tool (for example, an MDM service like Microsoft Intune) that enables self-service installation of user-specific or role-specific apps |
## Migration from previous Windows versions
@@ -45,19 +45,19 @@ The original Windows 8 release was only supported until January 2016. For device
For PCs running operating systems older than Windows 7, you can perform wipe-and-load (OS refresh) deployments when you use compatible hardware.
-For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be leveraged (with in-place upgrade being the preferred method, as previously discussed).
+For organizations with Software Assurance for Windows, both in-place upgrade or wipe-and-load can be used (with in-place upgrade being the preferred method, as previously discussed).
-For organizations that did not take advantage of the free upgrade offer and are not enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
+For organizations that didn't take advantage of the free upgrade offer and aren't enrolled in Software Assurance for Windows, Windows 10 upgrade licenses are available for purchase through existing Volume License (VL) agreements.
## Setting up new computers
-For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
+For new computers acquired with Windows 10 preinstalled, you can use dynamic provisioning scenarios to transform the device from its initial state into a fully configured organization PC. There are two primary dynamic provisioning scenarios you can use:
-- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+- **User-driven, from the cloud.** By joining a device into Microsoft Entra ID and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Microsoft Entra account and password (called their "work or school account" within Windows 10). The MDM service can then transform the device into a fully configured organization PC. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
-- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
+- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-In either of these scenarios, you can make a variety of configuration changes to the PC:
+In either of these scenarios, you can make various configuration changes to the PC:
- Transform the edition (SKU) of Windows 10 that is in use.
- Apply configuration and settings to the device (for example, security settings, device restrictions, policies, Wi-Fi and VPN profiles, certificates, and so on).
@@ -66,18 +66,18 @@ In either of these scenarios, you can make a variety of configuration changes to
## Stay up to date
-For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using a variety of methods:
+For computers using the [General Availability Channel](../update/waas-overview.md#general-availability-channel), you can deploy these upgrades by using various methods:
- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
-- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they are approved (deploying like an update).
+- Windows Server Update Services (WSUS), for devices configured to pull updates from internal servers after they're approved (deploying like an update).
- Configuration Manager task sequences.
- Configuration Manager software update capabilities (deploying like an update).
-These upgrades (which are installed differently than monthly updates) leverage an in-place upgrade process. Unlike updates, which are relatively small, these upgrades will include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
+These upgrades (which are installed differently than monthly updates) use an in-place upgrade process. Unlike updates, which are relatively small, these upgrades include a full operating system image (around 3 GB for 64-bit operating systems), which requires time (1-2 hours) and disk space (approximately 10 GB) to complete. Ensure that the deployment method you use can support the required network bandwidth and/or disk space requirements.
The upgrade process is also optimized to reduce the overall time and network bandwidth consumed.
-## Related topics
+## Related articles
[Windows 10 compatibility](windows-10-compatibility.md)
-[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
+[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index d20d9c067f..f49339b0fd 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -37,7 +37,7 @@ Save your files to your favorite cloud, like OneDrive or Dropbox, and access the
Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
-Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
+Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Microsoft Entra tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 89a981ff58..f5f57bd6c5 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -18,9 +18,9 @@ ms.date: 12/31/2017
# Create a deployment plan
-A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. Once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows clients are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
@@ -43,10 +43,10 @@ There are no definite rules for exactly how many rings to have for your deployme
## Advancing between rings
-There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
+There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project-based.
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
+- "Red button" (service-based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- "Green button" (project-based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
@@ -60,9 +60,9 @@ The purpose of the Preview ring is to evaluate the new features of the update. I
### Who goes in the Preview ring?
-The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech-savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
-During your plan and prepare phases, you should focus on the following activities:
+During your plan and preparation phases, you should focus on the following activities:
- Work with Windows Insider Preview builds.
- Identify the features and functionality your organization can or wants to use.
@@ -87,7 +87,7 @@ Analytics can help with defining a good Limited ring of representative devices a
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
-During your pilot and validate phases, you should focus on the following activities:
+During your pilot and validation phases, you should focus on the following activities:
- Deploy new innovations.
- Assess and act if issues are encountered.
@@ -104,7 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly.
> [!NOTE]
-> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
+> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices.
During the broad deployment phase, you should focus on the following activities:
diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/update/deployment-service-drivers.md
index 39d270bf63..4373f59f58 100644
--- a/windows/deployment/update/deployment-service-drivers.md
+++ b/windows/deployment/update/deployment-service-drivers.md
@@ -187,7 +187,7 @@ content-type: application/json
Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information:
- An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry)
-- The **Azure AD ID** of the devices it's applicable to
+- The **Microsoft Entra ID** of the devices it's applicable to
- Information describing the update such as the name and version.
To display [applicable content](/graph/api/resources/windowsupdates-applicablecontent), run a query using the **Audience ID**, for example `d39ad1ce-0123-4567-89ab-cdef01234567`:
@@ -197,7 +197,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d
```
The following truncated response displays:
- - An **Azure AD ID** of `01234567-89ab-cdef-0123-456789abcdef`
+ - An **Microsoft Entra ID** of `01234567-89ab-cdef-0123-456789abcdef`
- The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c`
```json
@@ -337,4 +337,4 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c
## Policy considerations for drivers
-[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)]
diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/update/deployment-service-expedited-updates.md
index a7e5e6a58f..9279a5e9d4 100644
--- a/windows/deployment/update/deployment-service-expedited-updates.md
+++ b/windows/deployment/update/deployment-service-expedited-updates.md
@@ -256,7 +256,7 @@ The request returns a 201 Created response code and a [deployment](/graph/api/re
The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be expedited.
-The following example adds two devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds two devices to the deployment audience using the **Microsoft Entra ID** for each device:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
@@ -295,4 +295,4 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e
-[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
\ No newline at end of file
+[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)]
diff --git a/windows/deployment/update/deployment-service-feature-updates.md b/windows/deployment/update/deployment-service-feature-updates.md
index f9ba6dd147..070ecd8914 100644
--- a/windows/deployment/update/deployment-service-feature-updates.md
+++ b/windows/deployment/update/deployment-service-feature-updates.md
@@ -61,7 +61,7 @@ When you enroll devices into feature update management, the deployment service b
As long as a device remains enrolled in feature update management through the deployment service, the device doesn't receive any other feature updates from Windows Update unless explicitly deployed using the deployment service. A device is offered the specified feature update if it hasn't already received the update. For example, if you deploy Windows 11 feature update version 22H2 to a device that's enrolled into feature update management and is currently on an older version of Windows 11, the device updates to version 22H2. If the device is already running version 22H2 or a later version, it stays on its current version.
> [!TIP]
-> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Azure AD ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
+> Windows Update for Business reports has a [workbook](wufb-reports-workbook.md#feature-updates-tab) that displays the current operating system version for devices. In the workbook, go to the **Feature updates** tab and in the **In Service feature update** tile, select the **View details** link to open the details flyout. The OS version and Microsoft Entra ID of devices can easily be exported into a .csv file or opened in [Azure Monitor Logs](/azure/azure-monitor/logs/log-query-overview) to help when creating a deployment audience.
[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)]
@@ -230,7 +230,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e12-
The **Audience ID**, `d39ad1ce-0123-4567-89ab-cdef01234567`, was created when the deployment was created. The **Audience ID** is used to add members to the deployment audience. After the deployment audience is updated, Windows Update starts offering the update to the devices according to the deployment settings. As long as the deployment exists and the device is in the audience, the update will be offered.
-The following example adds three devices to the deployment audience using the **Azure AD ID** for each device:
+The following example adds three devices to the deployment audience using the **Microsoft Entra ID** for each device:
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 58d36aae43..b3fa2680c5 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -27,7 +27,7 @@ Windows Update for Business product family has three elements:
- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
-The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md).
+The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the [Windows Update for Business reports workbook](wufb-reports-workbook.md).
:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
diff --git a/windows/deployment/update/deployment-service-prerequisites.md b/windows/deployment/update/deployment-service-prerequisites.md
index de71ad0223..d4dbc2e5e1 100644
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@@ -21,12 +21,14 @@ ms.date: 02/14/2023
Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
-## Azure and Azure Active Directory
+
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OSrequirements.
- - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/)
+- Devices must be Microsoft Entra joined and meet the below OSrequirements.
+ - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+ - Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
## Licensing
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 2d4052bbba..65a6b7777a 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -27,13 +27,13 @@ This troubleshooting guide addresses the most common issues that IT administrato
- **Feature updates only**: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see [Safeguard holds](safeguard-holds.md) and [Opt out of safeguard holds](safeguard-opt-out.md).
- Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* won't deploy content to devices.
- Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
- **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`.
## The device is receiving an update that I didn't deploy
- Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
-- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
+- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors.
### The device installed a newer update then the expedited update I deployed
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 6a83bab027..9352455d20 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -11,22 +11,22 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/31/2023
---
# Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
-Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
## Device settings
@@ -36,35 +36,35 @@ Make sure your security baseline, administrative templates, and policies have th
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
-- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
-- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
### Configuration updates
-There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
-- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
-- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
+- **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
-- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks
Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
-- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
-- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
-- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
-- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
+- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
diff --git a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
index fda5f5a881..24da4ab44e 100644
--- a/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-audience-graph-explorer.md
@@ -32,7 +32,7 @@ A deployment audience is a collection of devices that you want to deploy updates
```
-1. Add devices, using their **Azure AD ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Azure AD ID** of the device.
+1. Add devices, using their **Microsoft Entra ID**, to the deployment audience so they become audience members. Specify the deployment **Audience ID** in the URL field and the devices to add in the request body. The `id` property specifies the **Microsoft Entra ID** of the device.
```msgraph-interactive
POST https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d39ad1ce-0123-4567-89ab-cdef01234567/updateAudience
diff --git a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
index 0ae067e62f..ed62f731f1 100644
--- a/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-enroll-device-graph-explorer.md
@@ -17,7 +17,7 @@ You enroll devices based on the types of updates you want them to receive. Curre
1. Enter the following request into the URL field:
`https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets`
1. In the **Request body** tab, enter the following JSON, supplying the following information:
- - **Azure AD Device ID** as `id`
+ - **Microsoft Entra Device ID** as `id`
- Either `feature` or `driver` for the updateCategory
```json
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
index b2f438598f..336236ee43 100644
--- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md
@@ -27,7 +27,7 @@ Use the [device](/graph/api/resources/device) resource type to find clients to e
### Add a request header for advanced queries
-For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries).
+For the next requests, set the **ConsistencyLevel** header to `eventual`. For more information about advanced query parameters, see [Advanced query capabilities on Microsoft Entra directory objects](/graph/aad-advanced-queries).
1. In Graph Explorer, select the **Request headers** tab.
1. For **Key** type in `ConsistencyLevel` and for **Value**, type `eventual`.
@@ -49,6 +49,6 @@ For the next requests, set the **ConsistencyLevel** header to `eventual`. For mo
> [!Tip]
> Requests using the [device](/graph/api/resources/device) resource type typically have both an `id` and a `deviceid`:
-> - The `deviceid` is the **Azure AD Device ID** and will be used in this article.
+> - The `deviceid` is the **Microsoft Entra Device ID** and will be used in this article.
> - Later in this article, this `deviceid` will be used as an `id` when you make certain requests such as adding a device to a deployment audience.
-> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Azure AD Object ID, which won't be used in this article.
+> - The `id` from the [device](/graph/api/resources/device) resource type is usually the Microsoft Entra Object ID, which won't be used in this article.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
index 3b19cd934d..8d869d1f69 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-explorer.md
@@ -17,7 +17,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G
> - Requests listed in this article require signing in with a Microsoft 365 account. If needed, a free one month trial is available for [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium).
> - Using a test tenant to learn and verify the deployment process is highly recommended. Graph Explorer is intended to be a learning tool. Ensure you understand [granting consent](/graph/security-authorization) and the [consent type](/graph/api/resources/oauth2permissiongrant#properties) for Graph Explorer before proceeding.
-1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using an Azure Active Directory (Azure AD) user account.
+1. From a browser, go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) and sign in using a Microsoft Entra user account.
1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission:
1. Select the **Modify permissions** tab in Graph Explorer.
1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent.
diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
index f85f158a63..682134eb32 100644
--- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
+++ b/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md
@@ -10,14 +10,14 @@ ms.localizationpriority: medium
---
-When a device no longer needs to be managed by the deployment service, unenroll it. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
+When a device no longer requires management, unenroll it from the deployment service. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers:
- Existing driver deployments from the service won't be offered to the device
-- The device will continue to receive feature updates from the deployment service
+- The device continues to receive feature updates from the deployment service
- Drivers may start being installed from Windows Update depending on the device's configuration
To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify:
-- **Azure AD Device ID** as `id` for the device
+- **Microsoft Entra Device ID** as `id` for the device
- Either `feature` or `driver` for the updateCategory
The following example removes `driver` enrollment for two devices, `01234567-89ab-cdef-0123-456789abcdef` and `01234567-89ab-cdef-0123-456789abcde0`:
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index 342b6d4210..da738e8991 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -11,17 +11,17 @@ ms.localizationpriority: medium
Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
-- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
+- [Microsoft Entra ID](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
-- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
+- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Microsoft Entra roles access to sign in
**Roles that can enroll into Windows Update for Business reports**
To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
-- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
-- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
-- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
+- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Microsoft Entra role
+- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Microsoft Entra role
+- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Microsoft Entra role
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
- Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
@@ -43,4 +43,4 @@ Examples of commonly assigned roles for Windows Update for Business reports user
| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |
> [!NOTE]
-> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
+> The Microsoft Entra roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
diff --git a/windows/deployment/update/includes/wufb-reports-endpoints.md b/windows/deployment/update/includes/wufb-reports-endpoints.md
index 388592c36c..88fd5d146e 100644
--- a/windows/deployment/update/includes/wufb-reports-endpoints.md
+++ b/windows/deployment/update/includes/wufb-reports-endpoints.md
@@ -5,10 +5,11 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
-ms.date: 08/21/2023
+ms.date: 12/15/2023
ms.localizationpriority: medium
---
-
+
+
Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data:
@@ -20,5 +21,5 @@ Devices must be able to contact the following endpoints in order to authenticate
| `settings-win.data.microsoft.com` | Used by Windows components and applications to dynamically update their configuration. Required for Windows Update functionality. |
| `adl.windows.com` | Required for Windows Update functionality. |
| `oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. |
-| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
-| `*.blob.core.windows.net` | Azure blob data storage.|
\ No newline at end of file
+| `login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices aren't visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
+| `ceuswatcab01.blob.core.windows.net`
`ceuswatcab02.blob.core.windows.net`
`eaus2watcab01.blob.core.windows.net`
`eaus2watcab02.blob.core.windows.net`
`weus2watcab01.blob.core.windows.net`
`weus2watcab02.blob.core.windows.net` | Azure blob data storage. |
diff --git a/windows/deployment/update/includes/wufb-reports-script-error-codes.md b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
index a6ca5fedc8..479b5a9eff 100644
--- a/windows/deployment/update/includes/wufb-reports-script-error-codes.md
+++ b/windows/deployment/update/includes/wufb-reports-script-error-codes.md
@@ -44,6 +44,6 @@ ms.localizationpriority: medium
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 67 | Unexpected failure when verifying UTC CSP.|
| 99 | Device isn't Windows 10 or Windows 11.|
-| 100 | Device must be Azure AD joined or hybrid Azure AD joined to use Windows Update for Business reports.|
-| 101 | Check Azure AD join failed with unexpected exception.|
+| 100 | Device must be Microsoft Entra joined or Microsoft Entra hybrid joined to use Windows Update for Business reports.|
+| 101 | Check Microsoft Entra join failed with unexpected exception.|
| 102 | DisableOneSettingsDownloads policy shouldn't be enabled. Please disable this policy.|
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e2f3ab0e3c..baae39d605 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -12,7 +12,8 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 07/17/2023
+- ✅ Windows Server
+ms.date: 12/05/2023
---
# Update Windows installation media with Dynamic Update
@@ -83,24 +84,24 @@ Properly updating the installation media involves a large number of actions oper
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding boot manager from WinPE to the new media (28).
-|Task |WinRE (winre.wim) |WinPE (boot.wim) |Operating system (install.wim) | New media |
-|-----------------------------------|-------------------|------------------|--------------------------------|-----------|
-|Add servicing stack Dynamic Update | 1 | 9 | 18 | |
-|Add language pack | 2 | 10 | 19 | |
-|Add localized optional packages | 3 | 11 | | |
-|Add font support | 4 | 12 | | |
-|Add text-to-speech | 5 | 13 | | |
-|Update Lang.ini | | 14 | | |
-|Add Features on Demand | | | 20 | |
-|Add Safe OS Dynamic Update | 6 | | | |
-|Add Setup Dynamic Update | | | | 26 |
-|Add setup.exe from WinPE | | | | 27 |
-|Add boot manager from WinPE | | | | 28 |
-|Add latest cumulative update | | 15 | 21 | |
-|Clean up the image | 7 | 16 | 22 | |
-|Add Optional Components | | | 23 | |
-|Add .NET and .NET cumulative updates | | | 24 | |
-|Export image | 8 | 17 | 25 | |
+|Task |WinRE (winre.wim) |Operating system (install.wim) | WinPE (boot.wim) | New media |
+|-----------------------------------|-------------------|--------------------------------|------------------|-----------|
+|Add servicing stack Dynamic Update | 1 | 9 | 17 | |
+|Add language pack | 2 | 10 | 18 | |
+|Add localized optional packages | 3 | | 19 | |
+|Add font support | 4 | | 20 | |
+|Add text-to-speech | 5 | | 21 | |
+|Update Lang.ini | | | 22 | |
+|Add Features on Demand | | 11 | | |
+|Add Safe OS Dynamic Update | 6 | | | |
+|Add Setup Dynamic Update | | | | 26 |
+|Add setup.exe from WinPE | | | | 27 |
+|Add boot manager from WinPE | | | | 28 |
+|Add latest cumulative update | | 12 | 23 | |
+|Clean up the image | 7 | 13 | 24 | |
+|Add Optional Components | | 14 | | |
+|Add .NET and .NET cumulative updates | | 15 | | |
+|Export image | 8 | 16 | 25 | |
> [!NOTE]
> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
@@ -110,13 +111,13 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) might contain multiple editions of Windows. It's possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
-You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
+You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what's in your starting image. When you add more languages and features, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
-Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
+Optional Components, along with the .NET feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid the cleanup failure. One option is to skip the image cleanup step, though that results in a larger install.wim. Another option is to install the .NET and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you'll have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
@@ -130,7 +131,7 @@ These examples are for illustration only, and therefore lack error handling. The
### Get started
-The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
+The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there's a script error and it's necessary to start over from a known state. Also, it provides a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they aren't read-only.
```powershell
#Requires -RunAsAdministrator
@@ -194,128 +195,231 @@ Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
-### Update WinRE
+### Update WinRE and each main OS Windows edition
-The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
+The script will update each edition of Windows within the main operating system file (install.wim). For each edition, the main OS image is mounted.
-It finishes by cleaning and exporting the image to reduce the image size.
+For the first image, Winre.wim is copied to the working folder, and mounted. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package. It finishes by cleaning and exporting the image to reduce the image size.
+
+Next, for the mounted OS image, the script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image. You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
+
+This process is repeated for each edition of Windows within the main operating system file. To reduce size, the serviced Winre.wim file from the first image is saved, and used to update each subsequent Windows edition. This reduces the final size of install.wim.
```powershell
-# Mount the main operating system, used throughout the script
-Write-Output "$(Get-TS): Mounting main OS"
-Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-
#
-# update Windows Recovery Environment (WinRE)
+# Update each main OS Windows image including the Windows Recovery Environment (WinRE)
#
-Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
-Write-Output "$(Get-TS): Mounting WinRE"
-Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
-# Add servicing stack update (Step 1 from the table)
+# Get the list of images contained within WinPE
+$WINOS_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim"
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
-# cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
-# Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published separately; the combined
-# cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
-# cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
-# combined cumulative update can be installed.
+Foreach ($IMAGE in $WINOS_IMAGES) {
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+ # first mount the main OS image
+ Write-Output "$(Get-TS): Mounting main OS, image index $($IMAGE.ImageIndex)"
+ Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index $IMAGE.ImageIndex -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
-# Now, attempt the combined cumulative update.
-# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
-# be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
-# packages installed.
+ if ($IMAGE.ImageIndex -eq "1") {
-try
-{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
-}
-Catch
-{
- $theError = $_
- Write-Output "$(Get-TS): $theError"
+ #
+ # update Windows Recovery Environment (WinRE) within this OS image
+ #
+ Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+ Write-Output "$(Get-TS): Mounting WinRE"
+ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
+
+ # Add servicing stack update (Step 1 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined
+ # cumulative update that includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and
+ # Windows 11, version 22H2 are examples. In these cases, the servicing stack update is not published seperately; the combined
+ # cumulative update should be used for this step. However, in hopefully rare cases, there may breaking change in the combined
+ # cumulative update format, that requires a standalone servicing stack update to be published, and installed first before the
+ # combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update.
+ # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. This error should
+ # be caught and ignored, as the last step will be to apply the Safe OS update and thus the image will be left with the correct
+ # packages installed.
+
+ try
+ {
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $LCU_PATH | Out-Null
+ }
+ Catch
+ {
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
- if ($theError.Exception -like "*0x8007007e*") {
- Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
- }
- else {
- throw
- }
-}
-
-# The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-#
-# Optional: Add the language to recovery environment
-#
-# Install lp.cab cab
-Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
-
-# Install language cabs for each optional package installed
-$WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
-Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
-
- if ( ($PACKAGE.PackageState -eq "Installed") `
- -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
- -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
-
- $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
- if ($INDEX -ge 0) {
- $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
- if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
- $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
- Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
}
}
+
+ # The second approach for Step 1 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ #
+ # Optional: Add the language to recovery environment
+ #
+ # Install lp.cab cab
+ Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
+
+ # Install language cabs for each optional package installed
+ $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
+ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
+
+ if ( ($PACKAGE.PackageState -eq "Installed") `
+ -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
+ -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
+
+ $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
+ if ($INDEX -ge 0) {
+ $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
+ if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
+ $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
+ Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
+ }
+ }
+ }
+ }
+
+ # Add font support for the new language
+ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
+ Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
+ }
+
+ # Add TTS support for the new language
+ if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
+ if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
+ }
+ }
+
+ # Add Safe OS
+ Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on WinRE"
+ DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre.wim"
+ Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
+
}
+
+ Copy-Item -Path $WORKING_PATH"\winre2.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
+
+ #
+ # update Main OS
+ #
+
+ # Add servicing stack update (Step 18 from the table)
+
+ # Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
+ # The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
+ # includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
+ # cases, the servicing stack update is not published seperately; the combined cumulative update should be used for this step. However, in hopefully
+ # rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
+ # and installed first before the combined cumulative update can be installed.
+
+ # This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
+
+ # The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
+ # but instead continue to have a seperate servicing stack update published. In this case, we'll install the SSU
+ # update. This second approach is commented out below.
+
+ # Write-Output "$(Get-TS): Adding package $SSU_PATH"
+ # Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
+
+ # Optional: Add language to main OS
+ Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
+
+ # Optional: Add a Features on Demand to the image
+ Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
+ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Note: If I wanted to enable additional Features on Demand, I'd add these here.
+
+ # Add latest cumulative update
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
+
+ # Perform image cleanup
+ Write-Output "$(Get-TS): Performing image cleanup on main OS"
+ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
+
+ #
+ # Note: If I wanted to enable additional Optional Components, I'd add these here.
+ # In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
+ # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
+ #
+
+ Write-Output "$(Get-TS): Adding NetFX3~~~~"
+ Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
+
+ # Add .NET Cumulative Update
+ Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
+ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
+
+ # Dismount
+ Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
+
+ # Export
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+ Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
+
}
-# Add font support for the new language
-if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
- Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
-}
-
-# Add TTS support for the new language
-if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
- if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
-
- Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
- }
-}
-
-# Add Safe OS
-Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on WinRE"
-DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup /ResetBase /Defer | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
-Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
+Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
@@ -459,103 +563,6 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
-### Update the main operating system
-
-For this next phase, there's no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it uses `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
-
-Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
-
-You can install Optional Components, along with the .NET feature, offline, but that requires the device to be restarted. This is why the script installs .NET and Optional Components after cleanup and before export.
-
-```powershell
-#
-# update Main OS
-#
-
-# Add servicing stack update (Step 18 from the table)
-
-# Depending on the Windows release that you are updating, there are 2 different approaches for updating the servicing stack
-# The first approach is to use the combined cumulative update. This is for Windows releases that are shipping a combined cumulative update that
-# includes the servicing stack updates (i.e. SSU + LCU are combined). Windows 11, version 21H2 and Windows 11, version 22H2 are examples. In these
-# cases, the servicing stack update is not published separately; the combined cumulative update should be used for this step. However, in hopefully
-# rare cases, there may breaking change in the combined cumulative update format, that requires a standalone servicing stack update to be published,
-# and installed first before the combined cumulative update can be installed.
-
-# This is the code to handle the rare case that the SSU is published and required for the combined cumulative update
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Now, attempt the combined cumulative update. Unlike WinRE and WinPE, we don't need to check for error 0x8007007e
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH | Out-Null
-
-# The second approach for Step 18 is for Windows releases that have not adopted the combined cumulative update
-# but instead continue to have a separate servicing stack update published. In this case, we'll install the SSU
-# update. This second approach is commented out below.
-
-# Write-Output "$(Get-TS): Adding package $SSU_PATH"
-# Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH | Out-Null
-
-# Optional: Add language to main OS
-Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
-
-# Optional: Add a Features on Demand to the image
-Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
-Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
-Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Note: If I wanted to enable additional Features on Demand, I'd add these here.
-
-# Add latest cumulative update
-Write-Output "$(Get-TS): Adding package $LCU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
-
-# Copy our updated recovery image from earlier into the main OS
-# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
-# into each edition to enable single instancing
-Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -ErrorAction stop | Out-Null
-
-# Perform image cleanup
-Write-Output "$(Get-TS): Performing image cleanup on main OS"
-DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
-
-#
-# Note: If I wanted to enable additional Optional Components, I'd add these here.
-# In addition, we'll add .NET 3.5 here as well. Both .NET and Optional Components might require
-# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
-#
-
-Write-Output "$(Get-TS): Adding NetFX3~~~~"
-Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-
-# Add .NET Cumulative Update
-Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
-Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
-
-# Dismount
-Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
-
-# Export
-Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
-Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
-Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
-```
-
### Update remaining media files
This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE.
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index fd0efc4571..7aa9bf3ff1 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -15,21 +15,22 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Windows Server
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Servicing stack updates
## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically doesn't have updates released every month.
+
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the component-based servicing stack (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. [CBS](https://techcommunity.microsoft.com/t5/ask-the-performance-team/understanding-component-based-servicing/ba-p/373012) is a small component that typically doesn't have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't have the latest servicing stack update installed, there's a risk that your device can't be updated with the latest Microsoft security fixes.
## When are they released?
-Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
+Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions, a servicing stack update might need to be released out of band to address an issue impacting systems installing the monthly security update. New servicing stack updates are classified as `Security` with a severity rating of `Critical`.
## What's the difference between a servicing stack update and a cumulative update?
@@ -38,14 +39,14 @@ Both Windows client and Windows Server use the cumulative update mechanism, in w
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest monthly security update release and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-Microsoft publishes all cumulative updates and SSUs for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in WSUS.
+Microsoft publishes all cumulative updates and servicing stack updates for Windows 10, version 2004 and later together as one cumulative monthly update to the normal release category in Windows Server Update Services (WSUS).
## Is there any special guidance?
-Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-
Typically, the improvements are reliability and performance improvements that don't require any specific special guidance. If there's any significant impact, it will be present in the release notes.
+Most users don't need to install an isolated servicing stack update. In the rare case that you need to install an isolated servicing stack update, Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
+
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
@@ -56,6 +57,6 @@ Typically, the improvements are reliability and performance improvements that do
## Simplifying on-premises deployment of servicing stack updates
-With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update includes the latest servicing stack updates, to provide a single cumulative update payload to both WSUS and the Microsoft Update Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you'll only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update is available on Windows 10, version 2004 and later starting with [KB4601382](https://support.microsoft.com/kb/4601382), released in February of 2021.
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 840ea3d5a7..05c5f63d80 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -9,9 +9,8 @@ ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
-- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/16/2023
---
# Configure BranchCache for Windows client updates
@@ -33,7 +32,10 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](/previous-versions/windows/it-pro/windows-7/dd637820(v=ws.10)) in the [BranchCache Early Adopter's Guide](/previous-versions/windows/it-pro/windows-7/dd637762(v=ws.10)).
-In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows client, set the Delivery Optimization **Download mode** to '100' (Bypass) to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
+
+> [!Note]
+> Setting [Download mode](../do/waas-delivery-optimization-reference.md#download-mode) to '100' (Bypass) is only available in Windows 10, version 1607 and later, not in Windows 11. BranchCache isn't supported for Windows 11.
## Configure servers for BranchCache
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 6af6c31910..2a1baa5255 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -16,7 +16,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/30/2023
---
# Configure Windows Update for Business
@@ -210,7 +210,7 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| MDM for Windows 10, version 1607 and later: ../Vendor/MSFT/Policy/Config/Update/**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
-
+
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
@@ -243,8 +243,8 @@ The following options are available for the policy:
| Policy | Sets registry key under HKLM\Software |
| --- | --- |
-| GPO for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
-| MDM for Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **GPO applies to**:
**GPO location**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > **Enable optional updates**| \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
+| **MDM applies to**:
**MDM location**: ./Device/Vendor/MSFT/Policy/Config/Update/**[AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent)** | \Policies\Microsoft\Windows\WindowsUpdate\AllowOptionalContent |
## Enable features that are behind temporary enterprise feature control
@@ -269,7 +269,7 @@ The following are quick-reference tables of the supported policy values for Wind
| GPO Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updatesOther value or absent: Don't defer feature updates |
@@ -285,7 +285,7 @@ The following are quick-reference tables of the supported policy values for Wind
| MDM Key | Key type | Value |
| --- | --- | --- |
-| AllowOptionalContent *Added in Windows 11, version 22H2*| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
+| AllowOptionalContent *Added in*:
| REG_DWORD | 1: Automatically receive optional updates (including CFRs) 2: Automatically receive optional updates 3: Users can select which optional updates to receive Other value or absent: Don't receive optional updates|
| AllowTemporaryEnterpriseFeatureControl *Added in Windows 11, version 22H2*| REG_DWORD | 1: Allowed. All features in the latest monthly cumulative update are enabled. Other value or absent: Features that are shipped turned off by default will remain off |
| BranchReadinessLevel | REG_DWORD |2: Systems take feature updates for the Windows Insider build - Fast 4: Systems take feature updates for the Windows Insider build - Slow 8: Systems take feature updates for the Release Windows Insider build 32: Systems take feature updates from General Availability Channel Note: Other value or absent: Receive all applicable updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 58343cf36e..070ded3d1e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -13,66 +13,70 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/07/2023
---
# What is Windows Update for Business?
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
+
- Pro, including Pro for Workstations
- Education
- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
-Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.
+Windows Update for Business enables IT administrators to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions, such as Microsoft Intune, to configure the Windows Update for Business settings that control how and when devices are updated.
Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
-Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
+Windows Update for Business enables commercial customers to manage which Windows Updates are received along with the experience a device has when it receives them.
-You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+You can control Windows Update for Business policies by using either MDM tools or Group Policy management, such as local group policy or the Group Policy Management Console (GPMC), and various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud Policy).
+### Manage deployment of Windows Updates
-### Manage deployment of Windows Updates
-By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
+By using Windows Update for Business, you can:
+- Control the types of Windows Updates are offered to devices in your organization
+- Control when updates are applied to the devices
+- Deploy updates to devices in your organization in waves
-### Manage which updates are offered
-Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
+### Manage which updates are offered
+
+Windows Update for Business enables an IT administrator to receive and manage various types of Windows Updates.
## Types of updates managed by Windows Update for Business
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
-- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
-- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
-- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Feature updates:** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
+- **Quality updates:** Quality updates are traditional operating system updates. Typically quality updates are released on the second Tuesday of each month, though they can be released at any time. These include security, critical, and driver updates.
+- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
-
## Offering
-You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
+
+You can control when updates are applied. For example, you can defer when an update is installed on a device or by pausing updates for a certain period.
### Manage when updates are offered
+
You can defer or pause the installation of updates for a set period of time.
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
-- Windows Insider Canary
-- Windows Insider Dev
-- Windows Insider Beta
-- Windows Insider Preview
-- General Availability Channel
+- Windows Insider Canary channel
+- Windows Insider Dev channel
+- Windows Insider Beta channel
+- Windows Insider Release Preview channel
#### Defer an update
-A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
-
+An administrator can defer the installation of both feature and quality updates from deploying to devices within a range of time based on when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
|Category |Maximum deferral period |
|---------|---------|
@@ -85,13 +89,12 @@ A Windows Update for Business administrator can defer the installation of both f
#### Pause an update
-If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
-If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
+If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
Built-in benefits:
-When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device and a check to prevent repeated rollbacks.
### Recommendations
@@ -104,28 +107,38 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
-Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
+Windows Update for Business provides controls to help meet your organization's security standards and provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
-2. Use the default notifications.
-3. Set update deadlines.
+1. Use the default notifications.
+1. Set update deadlines.
-##### Setting deadlines
+##### Setting deadlines
-A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
+A compliance deadline policy enables you to set separate deadlines and grace periods for feature and quality updates.
This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
#### Update Baseline
+> [!NOTE]
+> The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+
The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
->[!NOTE]
->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+## Other Windows Update for Business services
+The following services are part of the Windows Update for Business product family:
+
+- [Windows Update for Business reports](wufb-reports-overview.md) is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the Azure portal. Windows Update for Business reports helps you:
+ - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
+ - Report on devices with update compliance issues
+ - Analyze and display your data in multiple ways
+
+- The [Windows Update for Business deployment service](deployment-service-overview.md) is a cloud service designed to work with your existing Windows Update for Business policies and Windows Update for Business reports. The deployment service provides additional control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices.
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 007852b8af..18b0aa011f 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/10/2023
---
# Manage device restarts after updates
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 3fd3990153..894cb7361b 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -44,8 +44,8 @@ The General Availability Channel is the default servicing channel for all Window
To get started with the Windows Insider Program for Business, follow these steps:
-1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account.
-2. Follow the prompts to register your tenant.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register.
+1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Microsoft Entra account.
+2. Follow the prompts to register your tenant.**Note:** The signed-in user needs to be a **Global Administrator** of the Microsoft Entra domain in order to be able to register.
3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
4. For Windows devices, set policies to manage preview builds and their delivery:
@@ -70,4 +70,3 @@ To prevent devices in your organization from being enrolled in the Insider Progr
>Starting with Windows 10, version 1709, this policy is replaced by **Manage preview builds** policy.
> * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
> * MDM: **Update/ManagePreviewBuilds**
-
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 5ffafc24a9..b370409adb 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -35,7 +35,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
-| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered |
+| | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Microsoft Entra joined or registered |
| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update |
@@ -257,12 +257,12 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
## Display organization name in Windows Update notifications
-When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
+When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
-The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
-- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
-- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
-- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+The organization name appears automatically for Windows 11 clients that are associated with Microsoft Entra ID in any of the following ways:
+- [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join)
+- [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register)
+- [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 3d79d66cd5..cc945db4c2 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 02/28/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -39,7 +39,7 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
@@ -47,19 +47,19 @@ Drivers are automatically enabled because they're beneficial to device systems.
### Set when devices receive feature and quality updates
-#### I want to receive pre-release versions of the next feature update
+#### I want to receive prerelease versions of the next feature update
-1. Ensure that you're enrolled in the Windows Insider Program for Business. This is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
+1. Ensure that you're enrolled in the Windows Insider Program for Business. Windows Insider is a free program available to commercial customers to aid them in their validation of feature updates before they're released. Joining the program enables you to receive updates prior to their release as well as receive emails and content related to what is coming in the next updates.
-1. For any of test devices you want to install pre-release builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set this to **Enable preview builds**.
+1. For any of test devices you want to install prerelease builds, use [Update/ManagePreviewBuilds](/windows/client-management/mdm/policy-csp-update#update-managepreviewbuilds). Set the option to **Enable preview builds**.
-1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using pre-release builds for validation.
+1. Use [Update/BranchReadinessLevel](/windows/client-management/mdm/policy-csp-update#update-branchreadinesslevel) and select one of the preview Builds. Windows Insider Program Slow is the recommended channel for commercial customers who are using prerelease builds for validation.
-1. Additionally, you can defer pre-release feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This ensures that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
+1. Additionally, you can defer prerelease feature updates the same way as released updates, by setting a deferral period up to 14 days by using [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays). If you're testing with Windows Insider Program Slow builds, we recommend that you receive the preview updates to your IT department on day 0, when the update is released, and then have a 7-10 day deferral before rolling out to your group of testers. This schedule helps ensure that if a problem is discovered, you can pause the rollout of the preview update before it reaches your tests.
#### I want to manage which released feature update my devices receive
-A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you won't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
+A Windows Update for Business administrator can defer or pause updates. You can defer feature updates for up to 365 days and defer quality updates for up to 30 days. Deferring simply means that you don't receive the update until it has been released for at least the number of deferral days you specified (offer date = release date + deferral date). You can pause feature or quality updates for up to 35 days from a given start date that you specify.
- To defer a feature update: [Update/DeferFeatureUpdatesPeriodInDays](/windows/client-management/mdm/policy-csp-update#update-deferfeatureupdatesperiodindays)
- To pause a feature update: [Update/PauseFeatureUpdatesStartTime](/windows/client-management/mdm/policy-csp-update#update-pausefeatureupdatesstarttime)
@@ -72,7 +72,7 @@ In this example, there are three rings for quality updates. The first ring ("pil
-When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
+When the quality update is released, it's offered to devices in the pilot ring the next time they scan for updates.
##### Five days later
The devices in the fast ring are offered the quality update the next time they scan for updates.
@@ -80,11 +80,11 @@ The devices in the fast ring are offered the quality update the next time they s
##### Ten days later
-Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
+Ten days after the quality update is released, it's offered to the devices in the slow ring the next time they scan for updates.
-If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
+If no problems occur, all of the devices that scan for updates are offered the quality update within ten days of its release, in three waves.
##### What if a problem occurs with the update?
@@ -109,13 +109,13 @@ If you need a device to stay on a version beyond the point when deferrals on the
#### I want to manage when devices download, install, and restart after updates
-We recommended that you allow to update automatically--this is the default behavior. If you don't set an automatic update policy, the device will attempt to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
+We recommended that you allow to update automatically, which is the default behavior. If you don't set an automatic update policy, the device attempts to download, install, and restart at the best times for the user by using built-in intelligence such as intelligent active hours and smart busy check.
For more granular control, you can set the maximum period of active hours the user can set with [Update/ActiveHoursMaxRange](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange). You could also set specific start and end times for active ours with [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) and [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart).
-It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates are not disabled and provides a better experience when users can set their own active hours.
+It's best to refrain from setting the active hours policy because it's enabled by default when automatic updates aren't disabled and provides a better experience when users can set their own active hours.
-To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To do this, use Option 3, and then set the following policies as appropriate for your plan:
+To update outside of the active hours, use [Update/AllowAutoUpdate](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) with Option 2 (which is the default setting). For even more granular control, consider using automatic updates to schedule the install time, day, or week. To use a schedule, use Option 3, and then set the following policies as appropriate for your plan:
- [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
- [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
@@ -132,14 +132,15 @@ If you don't want to allow any automatic updates prior to the deadline, set [Upd
#### I want to keep devices secure and compliant with update deadlines
-We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. This works by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
+We recommend that you use set specific deadlines for feature and quality updates to ensure that devices stay secure on Windows 10, version 1709 and later. Deadlines work by enabling you to specify the number of days that can elapse after an update is offered to a device before it must be installed. Also you can set the number of days that can elapse after a pending restart before the user is forced to restart. Use these settings:
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
+These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point, the device automatically schedules a restart regardless of active hours.
These notifications are what the user sees depending on the settings you choose:
@@ -171,7 +172,7 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
There are additional settings that affect the notifications.
-We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
+We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you set. If you do have further needs that aren't met by the default notification settings, you can use the [Update/UpdateNotificationLevel](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel) policy with these values:
**0** (default) - Use the default Windows Update notifications
**1** - Turn off all notifications, excluding restart warnings
@@ -180,14 +181,14 @@ We recommend that you use the default notifications as they aim to provide the b
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
-Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto-restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
+Still more options are available in [Update/ScheduleRestartWarning](/windows/client-management/mdm/policy-csp-update#update-schedulerestartwarning). This setting allows you to specify the period for auto restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update. You can also specify the period for auto restart imminent warning notifications with [Update/ScheduleImminentRestartWarning](/windows/client-management/mdm/policy-csp-update#update-scheduleimminentrestartwarning) (15-60 minutes is the default). We recommend using the default notifications.
#### I want to manage the update settings a user can access
-Every Windows device provides users with a variety of controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
+Every Windows device provides users with various controls they can use to manage Windows Updates. They can access these controls by Search to find Windows Updates or by going selecting **Updates and Security** in **Settings**. We provide the ability to disable a variety of these controls that are accessible to users.
Users with access to update pause settings can prevent both feature and quality updates for 7 days. You can prevent users from pausing updates through the Windows Update settings page by using [Update/SetDisablePauseUXAccess](/windows/client-management/mdm/policy-csp-update#update-setdisablepauseuxaccess).
-When you disable this setting, users will see **Some settings are managed by your organization** and the update pause settings are greyed out.
+When you disable this setting, users see **Some settings are managed by your organization** and the update pause settings are greyed out.
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
@@ -204,3 +205,11 @@ The features that are turned off by default from servicing updates will be enabl
- **0** (default): Allowed. All features in the latest monthly cumulative update are enabled.
- When the policy is set to **0**, all features that are currently turned off will turn on when the device next reboots
- **1** - Not allowed. Features that are shipped turned off by default will remain off
+
+#### I want to enable optional updates
+
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
+
+In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using [AllowOptionalContent](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalcontent). For more information about optional content, see [Enable optional updates](waas-configure-wufb.md#enable-optional-updates).
\ No newline at end of file
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7c431a1818..22c937a71a 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 11/30/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
@@ -202,7 +202,9 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
#### I want to enable optional updates
-(*Starting in Windows 11, version 22H2 or later*)
+*Applies to:*
+- Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later
+- Windows 10, version 22H2 with [KB5032278](https://support.microsoft.com/help/5032278), or a later cumulative update installed
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update > Enable optional updates** policy.
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 2279f4318c..b75a881dc0 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -13,7 +13,7 @@ ms.collection:
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 12/08/2023
---
# Windows Update log files
@@ -24,18 +24,20 @@ The following table describes the log files created by Windows Update.
|Log file|Location|Description|When to use |
|-|-|-|-|
-|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
-|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. |
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator Service is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|
|
|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. |
|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.|
-## Generating WindowsUpdate.log
+## Generating WindowsUpdate.log
+
To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](/powershell/module/windowsupdate/get-windowsupdatelog?preserve-view=tru&view=win10-ps).
>[!NOTE]
>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
-### Windows Update log components
+## Windows Update log components
+
The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
- AGENT- Windows Update agent
@@ -54,7 +56,7 @@ The Windows Update engine has different component names. The following are some
- PT- Synchronizes updates information to the local datastore
- REPORT- Collects reporting information
- SERVICE- Startup/shutdown of the Automatic Updates service
-- SETUP- Installs new versions of the Windows Update client when it is available
+- SETUP- Installs new versions of the Windows Update client when it's available
- SHUTDWN- Install at shutdown feature
- WUREDIR- The Windows Update redirector files
- WUWEB- The Windows Update ActiveX control
@@ -68,7 +70,7 @@ The Windows Update engine has different component names. The following are some
>[!NOTE]
>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
-### Windows Update log structure
+## Windows Update log structure
The Windows update log structure is separated into four main identities:
- Time Stamps
@@ -82,7 +84,7 @@ The Windows update log structure is separated into four main identities:
The WindowsUpdate.log structure is discussed in the following sections.
-#### Time stamps
+### Time stamps
The time stamp indicates the time at which the logging occurs.
- Messages are usually in chronological order, but there may be exceptions.
- A pause during a sync can indicate a network problem, even if the scan succeeds.
@@ -90,15 +92,15 @@ The time stamp indicates the time at which the logging occurs.
-#### Process ID and thread ID
+### Process ID and thread ID
The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
-- The first four hex digits are the process ID.
-- The next four hex digits are the thread ID.
+- The first four digits, in hex, are the process ID.
+- The next four digits, in hex, are the thread ID.
- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.
-#### Component name
+### Component name
Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
- ProtocolTalker - Client-server sync
@@ -111,31 +113,36 @@ Search for and identify the components that are associated with the IDs. Differe
-#### Update identifiers
+### Update identifiers
+
+The following items are update identifiers:
+
+#### Update ID and revision number
-##### Update ID and revision number
There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
-- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time
+- Update ID: A GUID (indicated in the previous screenshot) assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
- The update ID and revision number are often shown together as "{GUID}.revision."
-##### Revision ID
-- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service.
-- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID.
+#### Revision ID
+
+- A Revision ID (don't confuse this value with "revision number") is a serial number issued when an update is initially published or revised on a given service.
+- An existing update that is revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that isn't related to the previous ID.
- Revision IDs are unique on a given update source, but not across multiple sources.
- The same update revision might have different revision IDs on Windows Update and WSUS.
- The same revision ID might represent different updates on Windows Update and WSUS.
-##### Local ID
-- Local ID is a serial number issued when an update is received from a service by a given Windows Update client
+#### Local ID
+
+- Local ID is a serial number issued by a given Windows Update client when an update is received from a service.
- Typically seen in debug logs, especially involving the local cache for update info (Datastore)
-- Different client PCs will assign different Local IDs to the same update
+- Different client PCs assign different Local IDs to the same update
- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
-##### Inconsistent terminology
+#### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
- Recognize IDs by form and context:
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index e29c2d0a8e..714ea509f5 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -12,36 +12,60 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 05/12/2023
+ms.date: 10/10/2023
---
# Enforcing compliance deadlines for updates
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
-With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as separate settings:
-- Update/ConfigureDeadlineForFeatureUpdates
-- Update/ConfigureDeadlineForQualityUpdates
-- Update/ConfigureDeadlineGracePeriod
-- Update/ConfigureDeadlineNoAutoReboot
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) (Windows 11, version 22H2 or later)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-## Policy setting overview
+
+## Policy setting overview for clients running Windows 11, version 22H2 and later
+
+|Policy| Description |
+|-|-|
+| Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days before quality and feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
+
+### Suggested configurations for clients running Windows 11, version 22H2 and later
+
+| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
+|-|-|-|-|-|-|
+| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
+
+When **Specify deadlines for automatic updates and restarts** is set:
+
+The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
+
+The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
+
+> [!NOTE]
+> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+
+## Policy setting overview for clients running Windows 11, version 21H2 and earlier
|Policy|Description |
|-|-|
| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
-## Suggested configurations
+### Suggested configurations for clients running Windows 11, version 21H2 and earlier
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 5 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 7 | 2 |
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
-For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.)
+For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.)
-For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.
> [!NOTE]
-> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+> - When using the newer policy that contains **Feature updates grace period in days**, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
+> - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
diff --git a/windows/deployment/update/wufb-reports-configuration-manual.md b/windows/deployment/update/wufb-reports-configuration-manual.md
index 3f3c8c7937..7c76c5ad32 100644
--- a/windows/deployment/update/wufb-reports-configuration-manual.md
+++ b/windows/deployment/update/wufb-reports-configuration-manual.md
@@ -4,7 +4,7 @@ titleSuffix: Windows Update for Business reports
description: How to manually configure devices for Windows Update for Business reports using a PowerShell script.
ms.prod: windows-client
ms.technology: itpro-updates
-ms.topic: conceptual
+ms.topic: how-to
author: mestew
ms.author: mstewart
manager: aaroncz
@@ -12,61 +12,60 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/15/2022
+ms.date: 12/15/2023
---
-# Manually configuring devices for Windows Update for Business reports
+# Manually configure devices for Windows Update for Business reports
-There are a number of requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with newer versions of Windows client. The [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
+There are many requirements to consider when manually configuring devices for Windows Update for Business reports. These requirements can potentially change with later versions of Windows client. When any configuration requirements change, we'll update the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md). If that happens, you only need to redeploy the script.
The requirements are separated into different categories:
1. Ensuring the [**required policies**](#required-policies) for Windows Update for Business reports are correctly configured.
2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Windows Update for Business reports. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints.
-3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It's recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
-
+3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. For proper functionality, leave Windows services set to their out-of-box default configurations.
## Required policies
-Windows Update for Business reports has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Windows Update for Business reports. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+The Windows Update for Business reports service has several policies that you need to configure appropriately. These policies allow Microsoft to process your devices and show them in Windows Update for Business reports. The policies are listed in the following subsections, separated by [mobile device management](/windows/client-management/mdm/) (MDM) or group policy.
-- **Policy** corresponds to the location and name of the policy.
-- **Value** Indicates what value the policy must be set to. Windows Update for Business reports requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
-- **Function** details why the policy is required and what function it serves for Windows Update for Business reports. It will also detail a minimum version the policy is required, if any.
+The following definitions apply for both tables:
-### Mobile Device Management policies
+- **Policy**: The location and name of the policy.
+- **Value**: Set the policy to this value. Windows Update for Business reports requires at least *Required* (previously *Basic*) diagnostic data, but can function with *Enhanced* or *Optional* (previously *Full*).
+- **Function**: Details for why the policy is required and what function it serves for Windows Update for Business reports. It also details a minimum version the policy requires, if any.
-Each MDM Policy links to its documentation in the configuration service provider (CSP) hierarchy, providing its exact location in the hierarchy and more details.
+### MDM policies
-| Policy | Data type | Value | Function | Required or recommended|
+Each MDM policy links to more detailed documentation in the configuration service provider (CSP) hierarchy.
+
+| Policy | Data type | Value | Function | Required or recommended |
|---|---|---|---|---|
-|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | Required |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | Recommended |
-|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended |
-| **System/**[**ConfigureTelemetryOptInChangeNotification**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinchangenotification) | Integer | 1 - Disabled | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
+| **System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#allowtelemetry) | Integer | `1`: Basic (Required) | Configures the device to send the minimum required diagnostic data. | Required |
+| **System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinsettingsux) | Integer | `1`: Disable diagnostic data opt-in settings | Determines whether users of the device can adjust diagnostic data to levels lower than you define by the *AllowTelemetry* policy. Set the recommended value to disable opt-in settings, or users can change the effective diagnostic data level that might not be sufficient. | Recommended |
+| **System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#allowdevicenameindiagnosticdata) | Integer | `1`: Allowed | Allows the device to send its name with Windows diagnostic data. If you don't configure this policy or set it to `0`: Disabled, then the data doesn't include the device name. If the data doesn't include the device name, you can't see the device in Windows Update for Business reports. In this instance, the reports show `#` instead. | Recommended |
+| **System/**[**ConfigureTelemetryOptInChangeNotification**](/windows/client-management/mdm/policy-csp-system#configuretelemetryoptinchangenotification) | Integer | `1`: Disabled | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
### Group policies
-All Group policies that need to be configured for Windows Update for Business reports are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+All group policies that you need to configure for Windows Update for Business reports are under the following path: **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value*.
| Policy | Value | Function | Required or recommended|
|---|---|---|---|
-|**Allow Diagnostic Data** | Send required diagnostic data (minimum) | Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the **Configure diagnostic data opt-in setting user interface**. | Required |
-|**Configure diagnostic data opt-in setting user interface** | Disable diagnostic data opt in settings | Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | Recommended |
-|**Allow device name to be sent in Windows diagnostic data** | Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Windows Update for Business reports, showing `#` instead. | Recommended |
-|**Configure diagnostic data opt-in change notifications** | Disable diagnostic data change notifications | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
+| **Allow Diagnostic Data** | Send required diagnostic data | Configures the device to send the minimum required diagnostic data. | Required |
+| **Configure diagnostic data opt-in setting user interface** | Disable diagnostic data opt-in settings | Determines whether users of the device can adjust diagnostic data to levels lower than you define by the *Allow Diagnostic Data* policy. Set the recommended value to disable opt-in settings, or users can change the effective diagnostic data level that might not be sufficient. | Recommended |
+| **Allow device name to be sent in Windows diagnostic data** | Enabled | Allows the device to send its name with Windows diagnostic data. If you don't configure this policy or set it to *Disabled*, then the data doesn't include the device name. If the data doesn't include the device name, you can't see the device in Windows Update for Business reports. In this instance, the reports show `#` instead. | Recommended |
+| **Configure diagnostic data opt-in change notifications** | Disable diagnostic data change notifications | Disables user notifications that appear for changes to the diagnostic data level. | Recommended |
## Required endpoints
-To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints.
-
[!INCLUDE [Endpoints for Windows Update for Business reports](./includes/wufb-reports-endpoints.md)]
## Required services
-Many Windows and Microsoft services are required to ensure that not only the device can function, but Windows Update for Business reports can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Windows Update for Business reports Configuration Script](wufb-reports-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
+Many Windows services are required for Windows Update for Business reports to see device data. Allow all default services from the out-of-box experience to remain running. Use the [Windows Update for Business reports configuration script](wufb-reports-configuration-script.md) to check whether required services are running or are allowed to run automatically.
## Next steps
diff --git a/windows/deployment/update/wufb-reports-faq.yml b/windows/deployment/update/wufb-reports-faq.yml
index 60f9460966..fe8f250ece 100644
--- a/windows/deployment/update/wufb-reports-faq.yml
+++ b/windows/deployment/update/wufb-reports-faq.yml
@@ -55,7 +55,7 @@ sections:
questions:
- question: What is Windows Update for Business reports?
answer: |
- Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.
+ Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses.
- question: Is Windows Update for Business reports free?
answer: |
Data ingested into your Log Analytics workspace can be retained at no charge for up to first 31 days (or 90 days if [Microsoft Sentinel](/azure/sentinel/overview) is enabled on the workspace). Data ingested into [Application Insights](/azure/azure-monitor/app/app-insights-overview), either classic or workspace-based, is retained for 90 days without any charge.
@@ -180,4 +180,4 @@ sections:
[Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization events.
- question: The report represents the last 28 days of data, why do some queries include >= seven days?
answer: |
- The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
\ No newline at end of file
+ The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past seven day snapshot in log analytics and show the latest snapshot.
diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md
index a4321c74d6..a38066595f 100644
--- a/windows/deployment/update/wufb-reports-overview.md
+++ b/windows/deployment/update/wufb-reports-overview.md
@@ -16,7 +16,7 @@ ms.date: 11/15/2022
# Windows Update for Business reports overview
-Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
+Windows Update for Business reports is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you:
- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
- Report on devices with update compliance issues
@@ -56,7 +56,7 @@ Windows Update for Business reports is a Windows service hosted in Azure that us
## How Windows Update for Business reports works
-You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Azure AD-joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
+You'll set up Windows Update for Business reports by enrolling into the service from the Azure portal. Then you'll configure your Microsoft Entra joined devices to send Windows client diagnostic data to the service. Windows Update for Business reports uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. Windows Update for Business reports collects system data such as:
- Update deployment progress
- Delivery Optimization usage data
diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md
index b418f74af8..c81cd3c96b 100644
--- a/windows/deployment/update/wufb-reports-prerequisites.md
+++ b/windows/deployment/update/wufb-reports-prerequisites.md
@@ -11,21 +11,23 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/30/2023
+ms.date: 12/15/2023
---
# Windows Update for Business reports prerequisites
Before you begin the process of adding Windows Update for Business reports to your Azure subscription, ensure you meet the prerequisites.
-## Azure and Azure Active Directory
+
-- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
-- Devices must be Azure Active Directory-joined and meet the below OS, diagnostic, and endpoint access requirements.
- - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
-- Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business reports.
-- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
-- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
+## Azure and Microsoft Entra ID
+
+- An Azure subscription with [Microsoft Entra ID](/azure/active-directory/).
+- Devices must be Microsoft Entra joined and meet the below OS, diagnostic, and endpoint access requirements.
+ - Devices can be [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) or [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+- Devices that are [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) only (workplace joined) aren't supported with Windows Update for Business reports.
+- The Log Analytics workspace must be in a [supported region](#log-analytics-regions).
+- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md).
## Permissions
@@ -36,7 +38,7 @@ Before you begin the process of adding Windows Update for Business reports to yo
- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions
-Windows Update for Business reports only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
+Windows Update for Business reports only provides data for the standard desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions.
## Windows client servicing channels
@@ -47,27 +49,25 @@ Windows Update for Business reports supports Windows client devices on the follo
### Windows operating system updates
-- For [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended
+For [changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data), installing the January 2023 release preview cumulative update, or a later equivalent update, is recommended.
## Diagnostic data requirements
-At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
+At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what data each diagnostic level includes, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
The following levels are recommended, but not required:
-- The *Enhanced* level for Windows 10 devices
-- The *Optional* level for Windows 11 devices (previously *Full*)
-Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:
+- The *Enhanced* level for Windows 10 devices.
+- The *Optional* level for Windows 11 devices (previously *Full*).
-
- - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
- - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
+Device names don't appear in Windows Update for Business reports unless you individually opt in devices by using a policy. The configuration script does this action for you, but when using other client configuration methods, set one of the following policies to display device names:
+- CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata)
+- Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds**
> [!TIP]
> Windows Update for Business reports uses [services configuration](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#bkmk-svccfg), also called OneSettings. Disabling the services configuration can cause some of the client data to be incorrect or missing in reports. For more information, see the [DisableOneSettingsDownloads](/windows/client-management/mdm/policy-csp-system#disableonesettingsdownloads) policy settings.
-
Microsoft is committed to providing you with effective controls over your data and ongoing transparency into our data handling practices. For more information about data handling and privacy for Windows diagnostic data, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) and [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data).
## Endpoints
diff --git a/windows/deployment/update/wufb-reports-schema-enumerated-types.md b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
new file mode 100644
index 0000000000..af84c4b582
--- /dev/null
+++ b/windows/deployment/update/wufb-reports-schema-enumerated-types.md
@@ -0,0 +1,280 @@
+---
+title: Enumerated types
+titleSuffix: Windows Update for Business reports
+description: Enumerated types for Windows Update for Business reports.
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: reference
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+ms.date: 12/06/2023
+---
+
+# Enumerated types for Windows Update for Business reports
+
+The following enumerated types are used in Windows Update for Business reports:
+
+## OSEdition
+
+SKU of Windows the device is running.
+
+|Value | Description |
+|---|---|
+| **Enterprise** | Windows Enterprise |
+| **Professional** | Windows Professional |
+| **ProfessionalWorkstation** | Windows Professional workstation |
+| **ProfessionalN** | Similar to Windows Professional edition but doesn't include Windows media player. |
+| **Education** | Windows Education |
+
+## OSArchitecture
+
+Architecture of the OS running on the client.
+
+|Value | Description |
+|---|---|
+| **amd64** | OS is 64-bit |
+| **x86** | OS is 32-bit |
+| **Unknown** | The OS architecture is unknown |
+
+## OSFeatureUpdateStatus
+
+Feature updates status
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, sent if client data unavailable. |
+| **InService** | Client is on a version of Windows 10 that is serviced. |
+| **EndOfService** | Client is on a version of Windows 10 that is no longer serviced. |
+
+## OSQualityUpdateStatus
+
+Quality updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest quality update |
+| **NotLatest** | Client isn't on the latest quality update |
+
+## OSSecurityUpdateStatus
+
+Security updates status
+
+|Value | Description |
+|---|---|
+| **Latest** | Client is on the latest security update |
+| **NotLatest** | Client isn't on the latest security update |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+
+## OSFeatureUpdateComplianceStatus, OSSecurityUpdateComplianceStatus, OSQualityUpdateComplianceStatus
+
+Compliance status
+
+|Value | Description |
+|---|---|
+| **Compliant** | The latest deployment from the Windows Update for Business deployment service is installed on the client |
+| **NotCompliant** | The latest deployment from the Windows Update for Business deployment service isn't installed on the client|
+| **NotApplicable** | Client isn't part of any Windows Update for Business deployment service deployments |
+
+## OSServicingChannel
+
+Servicing channel of client
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default, release branch can't be defined. |
+| **SAC** | Semi-annual release channel |
+| **LTSC** | Long-term servicing channel |
+| **WIP-S** | Windows Insider Preview - Slow ring |
+| **WIP-F**| Windows Insider Preview - Fast ring |
+| **Internal** | An identifiable, but internal release ring |
+
+## ServiceState
+
+High-level service state OSServicingChannel
+
+|Value | Description |
+|---|---|
+| **Pending** | Windows Update for Business deployment service isn't targeting this update to this device because the update isn't ready. |
+| **Offering** | Service is offering the update to the device. The update is available for the device to get if it scans Windows Update. |
+| **OnHold** | Service is holding off on offering update to the device indefinitely. Until either the service or admin changes some condition, devices remain in this state. |
+| **Canceled** | Service canceled offering update to the device, and the device is confirmed to not be installing the update. |
+
+## ServiceSubstate
+
+Lower-level service state
+
+| Value | ServiceState |
+|---|---|
+| **Validation** | Update can't be offered to the device because a validation issue with the device and deployment service. |
+| **Scheduled** | Update isn't ready to be offered to the device, but is scheduled for offering at a later date. |
+| **OfferReady** | Update is currently being offered to the device from Windows Update. |
+| **RemovedFromDeployment** | Update offering was canceled because it was removed from the deployment because of an explicit administrator action. |
+| **AdminCancelled** | Update offering was canceled because of an explicit administrator action. |
+| **ServiceCancelled** | Update offering was canceled because of an automatic action by the deployment service. |
+| **AdminPaused** | Update is on hold because the deployment was paused with an explicit administrator action. |
+| **ServicePaused** | Update is on hold because of an automatic action by the deployment service. |
+| **SafeguardHold** | Update isn't offered because an existing safeguard hold on the device. |
+
+## ClientState
+
+High-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## ClientSubstate
+
+Lower-level client state
+
+|Value | Description |
+|---|---|
+| **Unknown** | Default value, if ClientSubstate is unknown (in other words, no client data) |
+| **Offering** | Update is being offered to device |
+| **Installing** | Update is in progress on device |
+| **Uninstalling** | Update is being uninstalled from device |
+| **Installed** | Update has been installed to device |
+| **Uninstalled** | Update has been uninstalled from device |
+| **Canceled** | Update has been canceled from device |
+| **OnHold** | Update has been on Hold |
+
+## UpdateCategory
+
+Type of update.
+
+|Value | Description |
+|---|---|
+| **WindowsQualityUpdate** | Windows feature update |
+| **WindowsFeatureUpdate** | Windows quality update |
+| **DriverUpdate** | Driver update |
+
+## UpdateClassification
+
+Whether this update is an upgrade, security, nonsecurity, or driver
+
+|Value | Description |
+|---|---|
+| **Security** | Update is a quality update containing security fixes |
+| **NonSecurity** | Update is a quality update not containing security fixes |
+| **Upgrade** | Update is a feature update |
+
+## UpdateSource
+
+Source of the update
+
+|Value | Description |
+|---|---|
+| **Inferred** | |
+| **MuV6** | Update through old Windows Update, or via WSUS (uses old protocol) |
+| **UUP** | Update through modern Windows Update |
+
+## ReadinessStatus
+
+Whether the device is capable of taking target OS and version.
+
+|Value | Description |
+|---|---|
+| **Capable** | The device meets all requirements to upgrade to Windows 11. |
+| **Not Capable** | The device doesn't meet the requirements to upgrade to Windows 11. Check Readiness Reason for the reason. |
+| **Unknown** | Microsoft doesn't have enough data points to determine the eligibility status. |
+
+## ReadinessReason
+
+Reason why the device isn't capable of updating to target OS and version.
+
+|Value | Description |
+|---|---|
+| **tpm** | [Trusted Platform Module](/windows/security/hardware-security/tpm/trusted-platform-module-overview) (TPM) version 2.0 is required. If your device doesn't meet the minimum requirements because of TPM, see [Enable TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c) to see if there are any remediation steps you can take. |
+| **cpufms** | CPU not supported. For more information, see [Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) |
+| **sysdrivesize** | 64 GB or larger storage device required. If your PC doesn't have a large enough storage drive, sometimes there are options for upgrading the drive. Consult your PC manufacturer's website or with a retailer to see if there are options to meet the minimum requirements for Windows 11. |
+| **UefiSecureBoot** | UEFI (Unified Extensible Firmware Interface) and Secure Boot capability. If your device doesn't meet the minimum requirements because it's not Secure Boot capable. For more information, see [Windows 11 and Secure Boot](https://support.microsoft.com/topic/a8ff1202-c0d9-42f5-940f-843abef64fad) to see if you're able to enable Secure Boot. Secure Boot can only be enabled with UEFI. |
+
+
+## AlertType
+
+Type of alert.
+
+|Value | Description |
+|---|---|
+| **ServiceUpdateAlert** | Alert is relevant to Windows Update for Business deployment service's offering of the content to the client. |
+| **ClientUpdateAlert** | Alert is relevant to client's ability to progress through the installation of the update content. |
+| **ServiceDeviceAlert** | Alert is relevant to device's status within Windows Update for Business deployment service |
+| **ClientDeviceAlert** | Alert is relevant to device's state |
+| **DeploymentAlert** | Alert is relevant to an entire deployment, or a significant number of devices in the deployment. |
+
+## AlertSubtype
+
+Subtype of alert.
+
+| Value | Description |
+|---|---|
+| **CancelledByUser** | The user canceled the update. |
+| **CertificateIssue** | An expired certificate was encountered. |
+| **DamagedMedia** | The update file appears to be damaged. |
+| **DeviceRegistrationInvalidAzureADJoin** | Device isn't able to register or authenticate properly with the deployment service due to not being device-level Entra ID joined. Devices that are workplace-joined aren't compatible with the deployment service. |
+| **DiskFull** | An operation couldn't be completed because the disk is full. |
+| **DiskIssue** | Windows Update has found disk corruption. |
+| **DownloadCancelled** | The download was canceled. |
+| **DownloadCredentialsIssue** | A proxy server or firewall on your network might require credentials. |
+| **DownloadIssue** | There was a download issue. |
+| **DownloadIssueServiceDisabled** | The service the download depends on is disabled. |
+| **DownloadTimeout** | A timeout occurred. |
+| **EndOfService** | Client OS is no longer being serviced |
+| **EndOfServiceApproaching** | Client OS servicing period completes in less than 60 days |
+| **FileNotFound** | The installer couldn't find a Windows component that it needs. |
+| **InstallAccessDenied** | Access denied. |
+| **InstallCancelled** | Install canceled. |
+| **InstallFileLocked** | Couldn't access the file because it's already in use. |
+| **InstallIssue** | There was an installation issue. |
+| **InstallSetupBlock** | There's an application or driver blocking the upgrade. |
+| **InstallSetupError** | Encountered an error while installing the new version of Windows. |
+| **InstallSetupRestartRequired** | A restart is required. |
+| **InstallSharingViolation** | An application is likely interfering with Windows Update. |
+| **InstallSystemError** | A system error occurred while installing the new version of Windows. |
+| **InsufficientUpdateConnectivity** | Device hasn't had sufficient connectivity to Windows Update to progress through the update process and will experience delays. |
+| **MultipleSecurityUpdatesMissing** | Client is missing multiple security updates |
+| **NetworkIssue** | The server timed out waiting for the requested. |
+| **PathNotFound** | The specified path can't be found. |
+| **RestartIssue** | The restart to apply updates is being blocked by one or more applications. |
+| **SafeguardHold** | Update can't be installed due to a known Safeguard Hold. |
+| **UnexpectedShutdown** | The installation stopped because Windows was shutting down or restarting. |
+| **WindowsComponentCorruption** | This device has a corrupted Windows component |
+| **WUBusy** | Windows Update tried to install an update while another installation process was already running. |
+| **WUComponentMissing** | Windows Update might be missing a component or the update file might be damaged. |
+| **WUDamaged** | The update file might be damaged. |
+| **WUFileCorruption** | Windows Update encountered corrupted files. |
+| **WUIssue** | An unexpected issue was encountered during the installation. |
+| **WUSetupError** | The setup process was suspended. |
+
+
+## AlertStatus
+
+Status of alert
+
+|Value | Description |
+|---|---|
+| **Active** | Alert is active, still requires attention. |
+| **Resolved** | Alert is resolved and no longer requires attention. |
+| **Deleted** | Alert was deleted from the backend system. |
+
+### AlertClassification
+
+Whether this alert is an error, a warning, or informational.
+
+| **Value** | Description |
+|---|---|
+| **Informational** | Alert is informational in nature. |
+| **Warning** | Alert is a warning |
+| **Error** | Alert is an error, or is related to an error. There should be an error code that maps to either something from the client or from the service. |
+| **Recommendation** | Alert is a recommendation, something to optimize. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclient.md b/windows/deployment/update/wufb-reports-schema-ucclient.md
index 6cf7e6e2a8..b5383c4ad8 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclient.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclient.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 08/09/2023
+ms.date: 12/06/2023
---
# UCClient
@@ -19,41 +19,63 @@ ms.date: 08/09/2023
UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative).
## Schema for UCClient
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
-| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
-| **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier |
-| **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
-| **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
-| **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
-| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `22621` | The major build number, in int format, the device is using. |
-| **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition |
-| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
-| **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
-| **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. |
-| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
-| **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. |
-| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. |
-| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
-| **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. |
-| **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. |
-| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the policy setting. |
-| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. |
-| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values > `0` indicate the deadline in days. |
-| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. `-1` indicates not configured, `0` indicates configured but set to `0`. Values greater than `0` indicate the policy setting. |
-| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. `-1` indicates not configured, `0` indicates configured and set to `0`. Values greater than `0` indicate the grace period in days. |
-| **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceID** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **City** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Device city, based on IP address. |
+| **Country** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `US` | The last-reported location of device (country or region), based on IP address. Shown as country code. |
+| **DeviceFamily** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `PC, Phone` | The device family such as PC, Phone. |
+| **DeviceFormFactor** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Notebook, Desktop, Phone.` | Currently, data isn't gathered to populate this field. The device form factor |
+| **DeviceManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Hewlett-Packard.` | Currently, data isn't gathered to populate this field. The device OEM manufacturer |
+| **DeviceModel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `The device's OEM model ` | Currently, data isn't gathered to populate this field. The device OEM model |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier |
+| **IsVirtual** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `Yes, No` | Whether device is a virtual device. |
+| **LastCensusScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. |
+| **LastWUScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. |
+| **NewTest_CF [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. |
+| **OSArchitecture** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `x86` | The architecture of the operating system (not the device) this device is currently on. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22621.1702` | The full operating system build installed on this device, such as Major.Minor.Build.Revision |
+| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `22621` | The major build number, in int format, the device is using. |
+| **OSEdition** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Professional` | The Windows edition |
+| **OSFeatureUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Compliant` | Whether the device is on the latest feature update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSFeatureUpdateEOSTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. |
+| **OSFeatureUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. |
+| **OSFeatureUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `InService;EndOfService` | Whether the device is on the latest available feature update, for its feature update. |
+| **OSQualityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest quality update that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSQualityUpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. |
+| **OSQualityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest` | Whether the device is on the latest available quality update, for its feature update. |
+| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | No | `836` | The revision, in int format, this device is on. |
+| **OSSecurityUpdateComplianceStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `NotCompliant` | Whether the device is on the latest security update (quality update where the Classification=Security) that's offered from the Windows Update for Business deployment service, else NotApplicable. |
+| **OSSecurityUpdateStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether the device is on the latest available security update, for its feature update. |
+| **OSServicingChannel** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `SAC` | The elected Windows 10 servicing channel of the device. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. |
+| **PrimaryDiskFreeCapacityMb** | | No | | Currently, data isn't gathered to populate this field. Free disk capacity of the primary disk in Megabytes. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This field is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClient` | The entity type |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **WUAutomaticUpdates** | | No | | Currently, data isn't gathered to populate this field. Manage automatic update behavior to scan, download, and install updates. |
+| **WUDeadlineNoAutoRestart** | | No | | Currently, data isn't gathered to populate this field. Devices won't automatically restart outside of active hours until the deadline is reached - It's 1 by default and indicates enabled, 0 indicates disabled |
+| **WUDODownloadMode** | | No | | Currently, data isn't gathered to populate this field. The Windows Update DO DownloadMode configuration. |
+| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows Update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | CSP: DeferFeatureUpdates. The Windows Update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the policy setting. |
+| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUFeaturePauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause will end, if activated, else null. |
+| **WUFeaturePauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update feature update pause was activated, if activated, else null. Feature updates are paused for 35 days from the specified start date. |
+| **WUFeaturePauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for feature updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WUNotificationLevel** | | No | | Currently, data isn't gathered to populate this field. This policy allows you to define what Windows Update notifications users see. 0 (default) - Use the default Windows Update notifications. 1 - Turn off all notifications, excluding restart warnings. 2 - Turn off all notifications, including restart warnings |
+| **WUPauseUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to disable the Pause Updates feature. When this policy is enabled, the user can't access the Pause updates' feature. Supported values 0, 1. |
+| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. |
+| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. |
+| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | No | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. |
+| **WUQualityPauseEndTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- will end, if activated, else null. |
+| **WUQualityPauseStartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The time Windows Update quality update pause- was activated; if activated; else null. |
+| **WUQualityPauseState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `NotConfigured` | Indicates pause status of device for quality updates. Possible values are Paused, NotPaused, NotConfigured. |
+| **WURestartNotification** | | No | | Currently, data isn't gathered to populate this field. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. The following list shows the supported values: 1 (default) = Auto Dismissal. 2 - User Dismissal. |
+| **WUServiceURLConfigured**| | No | | Currently, data isn't gathered to populate this field. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. Not configured. The device checks for updates from Microsoft Update. Set to a URL, such as http://abcd-srv:8530. The device checks for updates from the WSUS server at the specified URL. |
+| **WUUXDisabled** | | No | | Currently, data isn't gathered to populate this field. This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. Default is 0. Supported values 0, 1. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
index 2e6bcaa89c..59208c8193 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCClientReadinessStatus
@@ -20,26 +20,29 @@ ms.date: 06/06/2022
UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet.
## Schema for UCClientReadinessStatus
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **OSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. |
-| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. |
-| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
-| **TargetOSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 11` | The name of the operating system being targeted to the device for this readiness record.|
-| **TargetOSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `21H2` | The operating system version being targeted to the device for this readiness record.|
-| **TargetOSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record.|
-| **ReadinessStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update.|
-| **ReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
-| **ReadinessScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed and the assessment was sent.|
-| **ReadinessExpiryTime**| [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the readiness assessment will expire.|
-| **SetupReadinessStatus**| [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup.|
-| **SetupReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
-| **SetupReadinessTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed by setup and the assessment was sent.|
-| **SetupReadinessExpiryTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the setup readiness assessment will expire.|
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 10:26:03.478039` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace.|
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Client-provided device name |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | The global device identifier. |
+| **OSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision |
+| **OSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10` | The operating system name. |
+| **OSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Win10 OS version (such as 19H2, 20H1, 20H2) currently installed on the device. |
+| **ReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the readiness assessment will expire. |
+| **ReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. |
+| **ReadinessScanTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed and the assessment was sent. |
+| **ReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. |
+| **SetupReadinessExpiryTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when the setup readiness assessment will expire. |
+| **SetupReadinessReason** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `CPU;TPM` | Lists which hardware requirements are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. |
+| **SetupReadinessStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup. |
+| **SetupReadinessTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when readiness was assessed by setup and the assessment was sent. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetOSBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record. |
+| **TargetOSName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 11` | The name of the operating system being targeted to the device for this readiness record. |
+| **TargetOSVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `21H2` | The operating system version being targeted to the device for this readiness record. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientReadinessStatus` | The entity type |
diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
index 1373eed6d6..058a649dd6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/05/2023
+ms.date: 12/06/2023
---
# UCClientUpdateStatus
@@ -20,39 +20,47 @@ ms.date: 06/05/2023
Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update.
## Schema for UCClientUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
-| **ClientSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last client substate transition |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Device's given name |
-| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate |
-| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **IsUpdateHealty** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | True: No issues preventing this device from updating to this update have been found. False: There is something that may prevent this device from updating. |
-| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. |
-| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
-| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
-| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. |
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
-
\ No newline at end of file
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Installing` | This field applies to drivers only. Higher-level bucket of ClientSubstate. |
+| **ClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | Last-known state of this update relative to the device, from the client. |
+| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ClientSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time of last client substate transition |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | Device's given name |
+| **EventData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Json to fill with arbitrary K/V pairs. Used to populate contextual data that would otherwise be sparsely populated if elevated to a field always present in the schema. |
+| **FurthestClientSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `DownloadComplete` | Furthest clientSubstate |
+| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `2400` | Ranking of furthest clientSubstate |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Microsoft internal global device identifier |
+| **IsUpdateHealthy** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1` | Currently, data isn't gathered to populate this field. True: No issues preventing this device from updating to this update have been found. False: There's something that may prevent this device from updating. |
+| **OfferReceivedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device last reported entering OfferReceived, else empty. |
+| **RestartRequiredTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
+| **TargetBuildNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363` | Integer of the Major portion of Build. |
+| **TargetKBNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `KB4524570` | KB Article. |
+| **TargetRevisionNumber** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `836` | Integer or the minor (or revision) portion of the build. |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The target operating system version, such as 1909. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCClientUpdateStatus` | The entity type |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateConnectivityLevel** | | Yes | | Currently, data isn't gathered to populate this field. Whether or not this device is maintaining a sufficiently cumulative and continuous connection to Windows Update so the update can progress optimally. |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateHealthGroupL1** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Grouping design to describe the current update installation's "health", L1 (highest-level). |
+| **UpdateHealthGroupL2** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L1 UpdateHealthGroup. |
+| **UpdateHealthGroupL3** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. Second grouping, subset of L1, more detailed. |
+| **UpdateHealthGroupRankL1** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L2 UpdateHealthGroup. |
+| **UpdateHealthGroupRankL2** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Third grouping, subset of L3, more detailed. |
+| **UpdateHealthGroupRankL3** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Integer for ranking the L3 UpdateHealthGroup. |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateInstalledTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | DateTime when event transitioned to UpdateInstalled, else empty. |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020/05/14 09:26:03.478 AM` | The release date of the update |
+| **UpdateSource** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `UUP` | The source of the update such as UUP, MUv6, Media |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
index 435324d2db..e5dfa88144 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdevicealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCDeviceAlert
@@ -19,32 +19,29 @@ ms.date: 06/06/2022
These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered.
## Schema for UCDeviceAlert
-
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else Empty. |
-| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `100` | Rank of ServiceSubstate |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
+
+|Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an Error, a Warning, or Informational |
+| **AlertData** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is Active, Resolved, or Deleted |
+| **AlertSubtype** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert. |
+| **AlertType** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **Description** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. |
+| **DeviceName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The Error Code, if any, that triggered this Alert. In the case of Client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. The symbolic name that maps to the Error Code, if any. Otherwise empty. |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft global identifier, if available. |
+| **Recommendation** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCDeviceAlert` | The entity type |
+| **URL** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | Currently, data isn't gathered to populate this field. An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
index a7012d9409..33540428e2 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdoaggregatedstatus.md
@@ -12,7 +12,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOAggregatedStatus
@@ -24,8 +24,8 @@ UCDOAggregatedStatus is an aggregation of all individual UDDOStatus records acro
|Field |Type |Example |Description |
|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
| **BytesFromCDN** | [long](/azure/kusto/query/scalar-data-types/long) | `11463008693388` | Total number of bytes that were delivered from a Content Delivery Network (CDN). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucdostatus.md b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
index a76acc8512..98e6832a40 100644
--- a/windows/deployment/update/wufb-reports-schema-ucdostatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucdostatus.md
@@ -11,7 +11,7 @@ ms.reviewer: carmenf
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/17/2022
+ms.date: 12/06/2023
---
# UCDOStatus
@@ -22,8 +22,8 @@ UCDOStatus provides information, for a single device, on its bandwidth utilizati
|Field |Type |Example |Description |
|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID |
+| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
| **BWOptPercent28Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 28-day basis.|
| **BWOptPercent7Days** | [real](/azure/kusto/query/scalar-data-types/real) | `10.61` | Bandwidth optimization (as a percentage of savings of total bandwidth otherwise incurred) for this device. A rolling 7-day basis.|
| **BytesFromCache** | [long](/azure/kusto/query/scalar-data-types/long) | `285212672` | Total number of bytes that were delivered from Microsoft Connected Cache (MCC). |
diff --git a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
index 52989b6baf..c78b2c076d 100644
--- a/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
+++ b/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCServiceUpdateStatus
@@ -19,38 +19,41 @@ ms.date: 06/06/2022
Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real time.
## Schema for UCServiceUpdateStatus
-
-| Field | Type | Example | Description |
-|---|---|---|---|
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. |
-|**CatalogId** | [string](/azure/kusto/query/scalar-data-types/string) | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | The update catalog ID |
-| **DeploymentApprovedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time of the update approval |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) |`cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. |
-| **DeploymentName** | [string](/azure/kusto/query/scalar-data-types/string) |`My deployment` | Friendly name of the created deployment |
-| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | `1` | Whether the content is being expedited |
-| **DeploymentRevokeTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time the update was revoked |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier |
-| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
-| **PolicyCreatedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time the policy was created |
-| **PolicyId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | The policy identifier targeting the update to this device |
-| **PolicyName** | [string](/azure/kusto/query/scalar-data-types/string) | `My policy` | Friendly name of the policy |
-| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. |
-| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
-| **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
-| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
-| **TenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `9011c330-1234-5678-9abc-def012345678` | Azure AD tenant ID |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
-| **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
-|**UpdateProvider** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Update provider of drivers and firmware |
-| **UpdateRecommendedTime** |[datetime](/azure/kusto/query/scalar-data-types/datetime) | `2022-05-14 09:26:03.478039` | Date and time when the update was recommended to the device |
-| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
-|**UpdateVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `20.0.19.3` | Update version of drivers or firmware |
-| **UpdateVersionTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Update version date time stamp for drivers and firmware |
+
+| Field |Type | Enumerated type |Example |Description |
+|---|---|---|---|---|
+| **AzureADDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **DeploymentApprovedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time of the update approval |
+| **DeploymentId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID maps to that policy, otherwise it's empty. |
+| **DeploymentIsExpedited** | [bool](/azure/data-explorer/kusto/query/scalar-data-types/bool) | No | `1` | Currently, data isn't gathered to populate this field. It indicated whether the content is being expedited |
+| **DeploymentName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My deployment` | Currently, data isn't gathered to populate this field. Friendly name of the created deployment |
+| **DeploymentRevokeTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the update was revoked |
+| **GlobalDeviceId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:9832741921341` | Currently, data isn't gathered to populate this field. Microsoft internal global device identifier |
+| **OfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. |
+| **PolicyCreatedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time the policy was created |
+| **PolicyId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | This field applies to drivers only. The policy identifier targeting the update to this device |
+| **PolicyName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `My policy` | Currently, data isn't gathered to populate this field. This field applies to drivers only. Friendly name of the policy. |
+| **ProjectedOfferReadyTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Projected time update will be offered to device. If empty, unknown. |
+| **ServiceState** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Offering` | High-level state of update's status relative to device, service-side. |
+| **ServiceSubstate** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | Low-level state of update's status relative to device, service-side. |
+| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | No | | Currently, data isn't gathered to populate this field. Ranking of Substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. |
+| **ServiceSubstateTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. |
+| **SourceSystem** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **TargetBuild** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" |
+| **TargetVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. |
+| **TenantId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9011c330-1234-5678-9abc-def012345678` | Microsoft Entra tenant ID |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. |
+| **Type** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCServiceUpdateStatus` | The entity type |
+| **UdpateIsSystemManifest** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | | Currently, data isn't gathered to populate this field. This field applies to drivers only. |
+| **UpdateCategory** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateDisplayName** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) |
+| **UpdateId** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. Update ID of the targeted update |
+| **UpdateManufacturer** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
+| **UpdateProvider** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Microsoft` | This field applies to drivers only. Update provider of drivers and firmware |
+| **UpdateRecommendedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Date and time when the update was recommended to the device |
+| **UpdateReleaseTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | Currently, data isn't gathered to populate this field. The release date of the update |
+| **UpdateVersion** | [string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `20.0.19.3` | This field applies to drivers only. Update version of drivers or firmware |
+| **UpdateVersionTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | This field applies to drivers only. Update version date time stamp for drivers and firmware |
diff --git a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
index c85d070cc9..588cbd8cb6 100644
--- a/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
+++ b/windows/deployment/update/wufb-reports-schema-ucupdatealert.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 06/06/2022
+ms.date: 12/06/2023
---
# UCUpdateAlert
@@ -20,36 +20,39 @@ Alert for both client and service updates. Contains information that needs atten
## Schema for UCUpdateAlert
-|Field |Type |Example |Description |
-|---|---|---|---|
-| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational |
-| **AlertData** | [string](/azure/kusto/query/scalar-data-types/string) {json} | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
-| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
-| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting |
-| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted |
-| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert |
-| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present |
-| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. |
-| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
-| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
-| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate |
-| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
-| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
-| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name |
-| **ErrorCode** | [string](/azure/kusto/query/scalar-data-types/string) | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
-| **ErrorSymName** | [string](/azure/kusto/query/scalar-data-types/string) | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
-| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
-| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
-| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
-| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. |
-| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
-| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
-| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. |
-| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. |
-| **TenantId** |[string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. |
-| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
-| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. |
-| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
-| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update), or driver |
-| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
-| **UpdateId** | [string](/azure/kusto/query/scalar-data-types/string) | `10e519f0-06ae-4141-8f53-afee63e995f0` |Update ID of the targeted update|
+|Field |Type | ENUM |Example |Description |
+|---|---|---|---|---|
+| **AlertClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Error` | Whether this alert is an error, a warning, or informational |
+| **AlertData** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. |
+| **AlertId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert |
+| **AlertRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `1000` | Integer ranking of alert for prioritization during troubleshooting |
+| **AlertStatus** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Active` | Whether this alert is active, resolved, or deleted |
+| **AlertSubtype** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DiskFull` | The subtype of alert |
+| **AlertType** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields are present. |
+| **AzureADDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Microsoft Entra Device ID |
+| **AzureADTenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID |
+| **CatalogId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `b0f410599615e2ce15e6614ac3fc4ec62d80324020351e172edef89091a64f2f` | This field applies to drivers only. The Catalog ID of the update from Windows Update for Business deployment service. |
+| **ClientSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. |
+| **ClientSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | `2300` | Rank of ClientSubstate |
+| **DeploymentId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. |
+| **Description** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. |
+| **DeviceName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `JohnPC-Contoso` | The given device's name |
+| **ErrorCode** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. |
+| **ErrorSymName** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. |
+| **GlobalDeviceId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `g:1298371934870` | Internal Microsoft Global identifier, if available. |
+| **Recommendation** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. |
+| **ResolvedTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. |
+| **SCCMClientId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration manager client ID of the device, if available. |
+| **ServiceSubstate** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. |
+| **ServiceSubstateRank** |[int](/azure/kusto/query/scalar-data-types/int) | No | | Rank of 'ClientSubstate' |
+| **SourceSystem** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `Azure` | |
+| **StartTime [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time this alert was activated. |
+| **TargetBuild** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `18363.836` | The Windows 10 Major. Revision this 'UpdateAlert' is relative to. |
+| **TargetVersion** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `1909` | The Windows 10 build this UpdateAlert is relative to. |
+| **TenantId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Microsoft Entra tenant ID of the device. |
+| **TimeGenerated [UTC]** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | No | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
+| **Type** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `UCUpdateAlert` | The entity type |
+| **UpdateCategory** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. |
+| **UpdateClassification** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | Yes | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), nonsecurity (quality update), or driver |
+| **UpdateId** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `10e519f0-06ae-4141-8f53-afee63e995f0` | This field applies to drivers only. The Update ID of the targeted update. |
+| **URL** |[string](/azure/data-explorer/kusto/query/scalar-data-types/string) | No | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. |
diff --git a/windows/deployment/update/wufb-reports-schema.md b/windows/deployment/update/wufb-reports-schema.md
index 8a4fc45ecb..75cdcb5587 100644
--- a/windows/deployment/update/wufb-reports-schema.md
+++ b/windows/deployment/update/wufb-reports-schema.md
@@ -11,7 +11,7 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 11/15/2022
+ms.date: 12/06/2023
---
# Windows Update for Business reports schema
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 81fcb592e6..4a534442ee 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -37,7 +37,7 @@ You can use USMT to automate migration during large deployments of the Windows o
> [!IMPORTANT]
>
-> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Azure AD joined devices.
+> USMT only supports devices that are joined to a local Active Directory domain. USMT doesn't support Microsoft Entra joined devices.
## Upgrade and migration considerations
Whether you're upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index b8a8f9f4dc..e32b8c614c 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -248,9 +248,11 @@ You should also note the following items:
Starting in Windows 10, version 1607 the USMT doesn't migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](/troubleshoot/windows-client/deployment/usmt-common-issues#usmt-doesnt-migrate-the-start-layout).
-### User profiles from Active Directory to Azure Active Directory
+
-USMT doesn't support migrating user profiles from Active Directory to Azure Active Directory.
+### User profiles from Active Directory to Microsoft Entra ID
+
+USMT doesn't support migrating user profiles from Active Directory to Microsoft Entra ID.
## Related articles
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index bfd4b4c563..aefcd10aa4 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Configure VDA for Windows subscription activation
@@ -24,14 +24,14 @@ This document describes how to configure virtual machines (VMs) to enable [Windo
Deployment instructions are provided for the following scenarios:
1. [Active Directory-joined VMs](#active-directory-joined-vms)
-2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms)
+2. [Microsoft Entra joined VMs](#azure-active-directory-joined-vms)
3. [Azure Gallery VMs](#azure-gallery-vms)
## Requirements
- VMs must be running a supported version of Windows Pro edition.
-- VMs must be joined to Active Directory or Azure Active Directory (Azure AD).
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be joined to Active Directory or Microsoft Entra ID.
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
## Activation
@@ -40,13 +40,13 @@ Deployment instructions are provided for the following scenarios:
- The VM is running a supported version of Windows.
- The VM is hosted in Azure, an authorized outsourcer, or another Qualified Multitenant Hoster (QMTH).
- When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
+ When a user with VDA rights signs in to the VM using their Microsoft Entra credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
### Scenario 2
- The Hyper-V host and the VM are both running a supported version of Windows.
- [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure AD account.
+ [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using a Microsoft Entra account.
### Scenario 3
@@ -91,7 +91,7 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
6. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details.
> [!NOTE]
- > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms).
+ > This step is different for [Microsoft Entra joined VMs](#azure-active-directory-joined-vms).
7. On the Add applications page, add applications if desired. This step is optional.
@@ -111,16 +111,18 @@ For examples of activation issues, see [Troubleshoot the user experience](./depl
8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image.
-## Azure Active Directory-joined VMs
+
+
+## Microsoft Entra joined VMs
> [!IMPORTANT]
-> Azure AD provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Azure AD-joined and deployed won't need to be recreated.
+> Microsoft Entra provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Microsoft Entra joined and deployed won't need to be recreated.
-For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
+For Microsoft Entra joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions:
- During setup with Windows Configuration Designer, under **Name**, enter a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**.
-- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
+- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials.
- When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg**
@@ -154,7 +156,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
9. On the Set up network page, choose **Off**.
-10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
+10. On the Account Management page, choose **Enroll in Microsoft Entra ID**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials.
11. On the Add applications page, add applications if desired. This step is optional.
@@ -186,7 +188,7 @@ For Azure AD-joined VMs, follow the same instructions as for [Active Directory-j
The values `enablecredsspsupport` and `authentication level` should each appear only once in the file.
-6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM.
+6. Save your changes, and then use this custom RDP file with your Microsoft Entra credentials to connect to the Azure VM.
## Related articles
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 1cc96ae7ed..71a14f511f 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -16,6 +16,7 @@ ms.date: 11/07/2022
**Applies to:**
+- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
@@ -87,8 +88,7 @@ Telephone activation is primarily used in situations where a computer is isolate
- Active Directory-based activation
> [!NOTE]
-> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
-Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
+> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
### Multiple activation key
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 18e44ca25b..c216cfa830 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -44,7 +44,7 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
|Scenario|Description|More information|
|--- |--- |--- |
|[Subscription Activation](#windows-10-subscription-activation)|Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.|[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)|
-|[Azure Active Directory / MDM](#dynamic-provisioning)|The device is automatically joined to Azure Active Directory and configured by MDM.|[Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
+|[Microsoft Entra ID / MDM](#dynamic-provisioning)|The device is automatically joined to Microsoft Entra ID and configured by MDM.|[Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm)|
|[Provisioning packages](#dynamic-provisioning)|Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.|[Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)|
### Traditional
@@ -110,9 +110,11 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on,
Windows 10 Subscription Activation is a dynamic deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
-### Azure Active Directory (Azure AD) join with automatic mobile device management (MDM) enrollment
+
-In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+### Microsoft Entra join with automatic mobile device management (MDM) enrollment
+
+In this scenario, the organization member just needs to provide their work or school user ID and password. The device can then be automatically joined to Microsoft Entra ID and enrolled in a mobile device management (MDM) solution with no other user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Microsoft Entra integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
### Provisioning package configuration
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 241c5344cc..93cf409b93 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -23,9 +23,9 @@ Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel o
Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following prerequisites:
- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
-- Azure Active Directory (Azure AD) available for identity management
+- Microsoft Entra available for identity management
-You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
+You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before with no keys and no reboots. After one of your users enters the Microsoft Entra credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
@@ -183,6 +183,6 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition fe
## Related articles
[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
+[Connect domain-joined devices to Microsoft Entra ID for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 40769fc671..11b304e822 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
> [!IMPORTANT]
> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
- > [!NOTE]
- > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+
If you have a PC available to convert to VM (computer 2):
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 59914650f4..b5fc8eb923 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -39,7 +39,15 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
@@ -48,7 +56,7 @@ Windows Enterprise E3 and E5 are available as online services via subscription.
- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise.
- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions.
-Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Microsoft Entra ID using [Microsoft Entra Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
> [!NOTE]
> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11.
@@ -59,7 +67,7 @@ Subscription activation for Education works the same as the Enterprise edition,
## Inherited activation
-Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM.
+Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses a Microsoft Entra account on a VM.
To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V.
@@ -80,7 +88,7 @@ The following list illustrates how deploying Windows client has evolved with eac
- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Microsoft Entra ID for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Microsoft Entra ID, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled.
@@ -96,7 +104,7 @@ The following list illustrates how deploying Windows client has evolved with eac
### Windows Enterprise requirements
> [!NOTE]
-> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
+> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Microsoft Entra joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems).
> [!IMPORTANT]
> As of October 1, 2022, subscription activation is available for *commercial* and *GCC* tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
@@ -104,8 +112,8 @@ The following list illustrates how deploying Windows client has evolved with eac
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
-- Azure AD available for identity management.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Microsoft Entra available for identity management.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
@@ -114,7 +122,7 @@ For Microsoft customers that don't have EA or MPSA, you can get Windows Enterpri
- A supported version of Windows Pro Education installed on the devices to be upgraded.
- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription.
-- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
+- Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workgroup-joined or Microsoft Entra registered devices aren't supported.
> [!IMPORTANT]
> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
@@ -130,7 +138,7 @@ To compare Windows 10 editions and review pricing, see the following sites:
You can benefit by moving to Windows as an online service in the following ways:
-- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization.
+- Licenses for Windows Enterprise and Education are checked based on Microsoft Entra credentials. You have a systematic way to assign licenses to end users and groups in your organization.
- User sign-in triggers a silent edition upgrade, with no reboot required.
@@ -145,13 +153,13 @@ You can benefit by moving to Windows as an online service in the following ways:
> [!NOTE]
> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions.
-The device is Azure AD-joined from **Settings** > **Accounts** > **Access work or school**.
+The device is Microsoft Entra joined from **Settings** > **Accounts** > **Access work or school**.
You assign Windows 10 Enterprise to a user:
-When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
+When a licensed user signs in to a device that meets requirements using their Microsoft Entra credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires.
> [!NOTE]
> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel.
@@ -176,7 +184,7 @@ All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a
#### Scenario #2
-You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
+You're using Microsoft Entra joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Microsoft Entra synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Microsoft Entra ID. You then assign that license to all of your Microsoft Entra users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise.
#### Earlier versions of Windows
@@ -196,7 +204,7 @@ The following policies apply to acquisition and renewal of licenses on devices:
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
+When you have the required Microsoft Entra subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
### Existing Enterprise deployments
@@ -213,13 +221,15 @@ If the computer has never been activated with a Pro key, use the following scrip
$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
```
-### Obtaining an Azure AD license
+
+
+### Obtaining a Microsoft Entra ID license
If your organization has an Enterprise Agreement (EA) or Software Assurance (SA):
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Microsoft Entra ID. Ideally, you assign the licenses to groups using the Microsoft Entra ID P1 or P2 feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea).
-- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps.
+- The license administrator can assign seats to Microsoft Entra users with the same process that's used for Microsoft 365 Apps.
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
@@ -237,13 +247,13 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
## Related sites
-Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
+Connect domain-joined devices to Microsoft Entra ID for Windows experiences. For more information, see [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
index 7bb3547dba..f9ce34d2ae 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
@@ -26,12 +26,12 @@ The overall device registration process is as follows:
:::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
-2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
+2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
3. Windows Autopatch then:
1. Performs device readiness prior registration (prerequisite checks).
2. Calculates the deployment ring distribution.
3. Assigns devices to one of the deployment rings based on the previous calculation.
- 4. Assigns devices to other Azure AD groups required for management.
+ 4. Assigns devices to other Microsoft Entra groups required for management.
5. Marks devices as active for management so it can apply its update deployment policies.
4. IT admin then monitors the device registration trends and the update deployment reports.
@@ -46,13 +46,13 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
| Step | Description |
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
-| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.
| +| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don’t have device membership overlaps.
| #### Device conflict post device registration diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md index a706404138..b482faa489 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -21,7 +21,7 @@ As organizations move to a managed-service model where Microsoft manages update ## What are Windows Autopatch groups? -Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). +Autopatch groups is a logical container or unit that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). ## Key benefits @@ -29,9 +29,9 @@ Autopatch groups help Microsoft Cloud-Managed services meet organizations where | Benefit | Description | | ----- | ----- | -| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. | +| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Microsoft Entra group targeting logic. | | Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. | -| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. | +| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Microsoft Entra groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. | | Choosing the deployment cadence | You choose the right software update deployment cadence for your business. | ## High-level architecture diagram overview @@ -43,8 +43,8 @@ Autopatch groups is a function app that is part of the device registration micro | Step | Description | | ----- | ----- | | Step 1: Create an Autopatch group | Create an Autopatch group. | -| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.
| -| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. | +| Dynamic | You can use one or more device-based Microsoft Entra groups, either dynamic query-based or assigned to use in your deployment ring composition.Microsoft Entra groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.
| +| Assigned | You can use one single device-based Microsoft Entra group, either dynamic query-based, or assigned to use in your deployment ring composition. | | Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.
| #### About the Test and Last deployment rings @@ -147,7 +147,7 @@ If you only keep Test and Last deployment rings in your Default Autopatch group, > Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch. > [!TIP] -> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported. +> Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported. #### Service-based versus software update-based deployment rings @@ -160,7 +160,7 @@ Autopatch groups creates two different layers. Each layer contains its own deplo The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service. -The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed: +The following are the Microsoft Entra ID assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed: - Modern Workplace Devices-Windows Autopatch-Test - Modern Workplace Devices-Windows Autopatch-First @@ -168,13 +168,13 @@ The following are the Azure AD assigned groups that represent the service-based - Modern Workplace Devices-Windows Autopatch-Broad > [!CAUTION] -> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
##### Software-based deployment rings The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. -The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed: +The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed: - Windows Autopatch - Test - Windows Autopatch – Ring1 @@ -183,14 +183,14 @@ The following are the Azure AD assigned groups that represent the software updat - Windows Autopatch – Last > [!IMPORTANT] -> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. +> Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. > [!CAUTION] -> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.
+> **Don’t** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
### About device registration -Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service. +Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Microsoft Entra groups instead of the Windows Autopatch Device Registration group provided by the service. ## Common ways to use Autopatch groups diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index eb2f5d26d5..e41d8e60f4 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 09/16/2022 +ms.date: 09/16/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index a2734bb584..4cb39e3d34 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -31,44 +31,48 @@ Windows Autopatch can take over software update management control of devices th ### Windows Autopatch groups device registration -When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. +When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. -If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group. +If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group. For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method. -#### Supported scenarios when nesting other Azure AD groups + -Windows Autopatch also supports the following Azure AD nested group scenarios: +#### Supported scenarios when nesting other Microsoft Entra groups -Azure AD groups synced up from: +Windows Autopatch also supports the following Microsoft Entra nested group scenarios: + +Microsoft Entra groups synced up from: - On-premises Active Directory groups (Windows Server AD) - [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync) > [!WARNING] -> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group. +> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Microsoft Entra group. Use a different Microsoft Entra group when syncing Configuration Manager collections to Microsoft Entra groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Microsoft Entra group. > [!IMPORTANT] -> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups. +> The **Windows Autopatch Device Registration** Microsoft Entra group only supports **one level** of Microsoft Entra nested groups. -### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant + -An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). +### Clean up dual state of Microsoft Entra hybrid joined and Azure registered devices in your Microsoft Entra tenant -In the dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale. +An [Microsoft Entra dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Microsoft Entra ID as an [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Microsoft Entra hybrid join, the same device is connected twice to Microsoft Entra ID but as a [Hybrid Microsoft Entra device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). -It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices). +In the dual state, you end up having two Microsoft Entra device records with different join types for the same device. In this case, the Hybrid Microsoft Entra device record takes precedence over the Microsoft Entra registered device record for any type of authentication in Microsoft Entra ID, which makes the Microsoft Entra registered device record stale. + +It's recommended to detect and clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, see [How To: Manage state devices in Microsoft Entra ID](/azure/active-directory/devices/manage-stale-devices). > [!WARNING] -> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore. +> If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore. ## Prerequisites for device registration To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). -- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). +- Either [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Microsoft Entra joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Intune. - [Already enrolled into Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) and/or [Configuration Manager co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). - Must switch the following Microsoft Configuration Manager [co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Intune (either set to Pilot Intune or Intune): @@ -114,20 +118,20 @@ The following are the possible device readiness statuses in Windows Autopatch: A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices: -- Azure AD Global Administrator +- Microsoft Entra Global Administrator - Intune Service Administrator -For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). +For more information, see [Microsoft Entra built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). -If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: +If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Microsoft Entra groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: -| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | +| Microsoft Entra group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | | ----- | ----- | ----- | ----- | ----- | ----- | | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | > [!TIP] -> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).
+> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Microsoft Entra group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Microsoft Entra group. Owners of the **Windows Autopatch Device Registration** Microsoft Entra group can add new devices as members of the group for registration purposes.For more information, see [assign an owner of member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).
## Details about the device registration process @@ -206,7 +210,7 @@ There's a few more device management lifecycle scenarios to consider when planni If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device. -The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same. +The device will be rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Microsoft Entra device ID record of that device remains the same. ### Device repair and hardware replacement @@ -216,7 +220,7 @@ If you need to repair a device that was previously registered into the Windows A - MAC address (non-removable NICs) - OS hard drive's serial, model, manufacturer information -When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device. +When one of these hardware changes occurs, Microsoft Entra ID creates a new device ID record for that device, even if it's technically the same device. > [!IMPORTANT] -> If a new Azure AD device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** Azure AD group. This process guarantees that the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service. +> If a new Microsoft Entra device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Microsoft Entra device ID must be added either through device direct membership or through nested Microsoft Entra dynamic/assigned group into the **Windows Autopatch Device Registration** Microsoft Entra group. This process guarantees that the newly generated Microsoft Entra device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md index 0f80250e80..563e6370c5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md @@ -54,7 +54,7 @@ Alert resolutions are provided through the Windows Update service and provide th | `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.It's recommended to work with the end user to allow updates to execute as scheduled.
| | `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt.It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).
| | `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.Check that the MSA Service is running or able to run on device.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| | `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md index c41dd12e0c..843b7e8d3c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-exclude-device.md @@ -16,12 +16,12 @@ ms.collection: # Exclude a device -To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. +To avoid end-user disruption, excluding a device in Windows Autopatch only deletes the Windows Autopatch device record itself. Excluding a device can't delete the Microsoft Intune and/or the Microsoft Entra device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. -When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Azure AD group, used with Autopatch groups. +When you exclude a device from the Windows Autopatch service, the device is flagged as **excluded** so Windows Autopatch doesn't try to restore the device into the service again, since the exclusion command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** group, or any other Microsoft Entra group, used with Autopatch groups. > [!IMPORTANT] -> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. +> The Microsoft Entra team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. **To exclude a device:** @@ -32,7 +32,7 @@ When you exclude a device from the Windows Autopatch service, the device is flag 1. Once a device or multiple devices are selected, select **Device actions**. Then, select **Exclude device**. > [!WARNING] -> Excluding devices from the Windows Autopatch Device Registration group, or any other Azure AD group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service. +> Excluding devices from the Windows Autopatch Device Registration group, or any other Microsoft Entra group, used with Autopatch groups doesn't exclude devices from the Windows Autopatch service. ## Only view excluded devices diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md index 12e39f7f30..66164cc373 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md @@ -34,7 +34,7 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey. -Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together. +Autopatch groups is a logical container that groups several [Microsoft Entra groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together. For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md index f2522d91fa..8ffc66a28a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md @@ -64,7 +64,7 @@ Windows Autopatch’s default Windows feature update release is a service-driven > [!TIP] > Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release). -When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. +When devices are registered by manually adding them to the Windows Autopatch Device Registration Microsoft Entra ID assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. The policies: @@ -98,7 +98,7 @@ There are two scenarios that the Global release is used: | Scenario | Description | | ----- | ----- | -| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.
| +| Scenario #1 | You assign Microsoft Entra groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| > [!NOTE] @@ -142,7 +142,7 @@ Feature update policies work with Windows Update rings policies. Windows Update The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases: -| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | +| Policy name | Microsoft Entra group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | | Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | | Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md index da80289277..8fe50bb86f 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md @@ -48,7 +48,7 @@ The following information is available as optional columns in the Feature update | Column name | Description | | ----- | ----- | -| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device | +| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device | | Serial number | The current Intune recorded serial number for the device | | Intune last check in time | The last time the device checked in to Intune | | Service State | The Service State provided from Windows Update | @@ -73,7 +73,7 @@ The following options are available: | Option | Description | | ----- | ----- | -| Search | Use to search by device name, Azure AD device ID or serial number | +| Search | Use to search by device name, Microsoft Entra device ID or serial number | | Sort | Select the **column headings** to sort the report data in ascending and descending order. | | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | | Filter | Select either the **Add filters** or at the top of the report to filter the results. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md index 34a3b93fab..6082093e6d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md @@ -95,7 +95,7 @@ For the deployment rings that have passed quality updates deferral date, the OOB 2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab. > [!NOTE] -> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. +> Announcements and OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. ### Pause and resume a release diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md index 703ee03554..af916925f0 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md @@ -51,7 +51,7 @@ The following information is available as optional columns in the Quality update | Column name | Description | | ----- | ----- | -| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device | +| Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device | | Serial number | The current Intune recorded serial number for the device | | Intune last check in time | The last time the device checked in to Intune | | Service State | The Service State provided from Windows Update | @@ -75,7 +75,7 @@ The following options are available: | Option | Description | | ----- | ----- | -| Search | Use to search by device name, Azure AD device ID or serial number | +| Search | Use to search by device name, Microsoft Entra device ID or serial number | | Sort | Select the **column headings** to sort the report data in ascending and descending order. | | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | | Filter | Select either the **Add filters** or at the top of the report to filter the results. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md index e68ee4d6bd..71b96ec441 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups. -ms.date: 05/01/2023 +ms.date: 09/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index cab93e35da..fe9d6b3321 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 05/15/2023 +ms.date: 09/15/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -23,13 +23,13 @@ After you've completed enrollment in Windows Autopatch, some management settings 1. If any of the items apply to your environment, make the adjustments as described. > [!NOTE] -> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there. +> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there. ## Microsoft Intune settings | Setting | Description | | ----- | ----- | -| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| +| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Microsoft Entra group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Microsoft Entra group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| ## Windows Autopatch configurations @@ -56,7 +56,7 @@ The type of banner that appears depends on the severity of the action. Currently | Action type | Severity | Description | | ----- | ----- | ----- | -| Maintain tenant access | Critical | Required licenses have expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| +| Maintain tenant access | Critical | Required licenses have expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| | Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can’t manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.Reasons for tenant access issues:
Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.
For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).
| ### Inactive status diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 06e2e12c09..3120c809f3 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates -ms.date: 06/23/2023 +ms.date: 10/27/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -81,7 +81,15 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro ## Allow or block Microsoft 365 App updates -For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). +> [!IMPORTANT] +> You must be an Intune Administrator to make changes to the setting. + +For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. + +| Microsoft 365 App setting | Description | +| ----- | ----- | +| **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. | +| **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). | **To allow or block Microsoft 365 App updates:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 690e61a507..20c341551a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 01/06/2023 +ms.date: 09/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md index ecc8f356a9..2c89d2a8ce 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md @@ -25,7 +25,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will: - Remove Windows Autopatch access to your tenant. -- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md). +- Exclude your devices from the Windows Autopatch service. Excluding your devices from Windows Autopatch won't remove your devices from Intune, Microsoft Entra ID or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Exclude a device](../operate/windows-autopatch-exclude-device.md). - Delete all data that we've stored in the Windows Autopatch data storage. > [!NOTE] @@ -36,7 +36,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro | Responsibility | Description | | ----- | ----- | | Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). | -| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | +| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). | ## Your responsibilities after unenrolling your tenant diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index fb1b851773..7fc5bce674 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -66,7 +66,7 @@ The following deployment steps can be used as a guide to help you to create your | ----- | ----- | | **1A: Set up the service** |[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)
[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)
[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)
| | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | -| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| +| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| | Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 3a6e0a1197..95f0ed85fc 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -33,7 +33,7 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop > [!IMPORTANT] > The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. -The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). +The Readiness assessment tool checks the settings in [Microsoft Intune](#microsoft-intune-settings) and [Microsoft Entra ID](#azure-active-directory-settings) (Microsoft Entra ID) to ensure the settings work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements). **To access and run the Readiness assessment tool:** @@ -56,9 +56,11 @@ The following are the Microsoft Intune settings: | ----- | ----- | | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). | -### Azure Active Directory settings + -The following are the Azure Active Directory settings: +### Microsoft Entra settings + +The following are the Microsoft Entra settings: | Check | Description | | ----- | ----- | @@ -74,7 +76,7 @@ For each check, the tool reports one of four possible results: | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.You can complete enrollment, but you must fix these issues before you deploy your first device. | | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | +| Error | The Microsoft Entra role you're using doesn't have sufficient permissions to run this check. | ## Step 3: Fix issues with your tenant @@ -104,7 +106,7 @@ Once these actions are complete, you've now successfully enrolled your tenant. You can choose to delete the data we collect directly within the Readiness assessment tool. -Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a deidentified form. +Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Microsoft Entra organization (tenant). After 12 months, we retain the data in a deidentified form. > [!NOTE] > Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index 6588ea5a13..bc26753af7 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a tenant enrollment support request description: This article details how to submit a tenant enrollment support request -ms.date: 01/13/2023 +ms.date: 09/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index 39f30591e9..f7a2045294 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -1,7 +1,7 @@ --- title: Fix issues found by the Readiness assessment tool description: This article details how to fix issues found by the Readiness assessment tool. -ms.date: 01/12/2023 +ms.date: 09/12/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -31,10 +31,10 @@ For each check, the tool reports one of four possible results: | Ready | No action is required before completing enrollment. | | Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. | | Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | +| Error | The Microsoft Entra role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | > [!NOTE] -> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. +> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. ## Microsoft Intune settings @@ -48,9 +48,11 @@ Your "Update rings for Windows 10 or later" policy in Intune must not target any | ----- | ----- | | Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.
| -## Azure Active Directory settings + -You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/). +## Microsoft Entra settings + +You can access Microsoft Entra settings in the [Azure portal](https://portal.azure.com/). ### Co-management @@ -66,4 +68,4 @@ Windows Autopatch requires the following licenses: | Result | Meaning | | ----- | ----- | -| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | +| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 90e7324a39..f1351f3709 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 04/24/2023 +ms.date: 12/04/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -21,9 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Area | Prerequisite details | | ----- | ----- | -| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | +| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
-| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). | @@ -46,6 +46,10 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a | | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | +| [Microsoft 365 F3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 | +| Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department |6803cf1e-c822-41a1-864e-a31377bcdb7e | +| Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 | +| Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 | The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch: diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index f0c9059f9c..be2b2ce1b9 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 06/23/2023 +ms.date: 12/13/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: reference @@ -32,15 +32,9 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr | ----- | ------ | ----- | | Modern Workplace Management | The Modern Workplace Management application: