diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 49135c37f0..e51c5d4efc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20809,6 +20809,11 @@ "source_path": "store-for-business/sign-up-microsoft-store-for-business.md", "redirect_url": "/microsoft-store", "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/index.md", + "redirect_url": "/windows/security/encryption-data-protection", + "redirect_document_id": false } ] } diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 326c71ca59..b587dca55d 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. -ms.date: 04/11/2023 +ms.date: 04/24/2023 ms.topic: how-to appliesto: - ✅ Windows 11 @@ -53,9 +53,11 @@ To use federated sign-in, the devices must have Internet access. This feature wo > - provisioning packages (PPKG) > - Windows Autopilot self-deploying mode -### System requirements +[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)] -Federated sign-in is supported on the following Windows SKUs and versions: +## System requirements + +Federated sign-in is supported on the following Windows editions and versions: - Windows 11 SE, version 22H2 and later - Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1] diff --git a/includes/intune/intune-custom-settings-1.md b/includes/intune/intune-custom-settings-1.md new file mode 100644 index 0000000000..d911751e75 --- /dev/null +++ b/includes/intune/intune-custom-settings-1.md 
@@ -0,0 +1,13 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +To configure devices with Microsoft Intune, use a custom policy: + +1. Go to the Microsoft Intune admin center +2. Select **Devices > Configuration profiles > Create profile** +3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** +4. Select **Create** +5. Specify a **Name** and, optionally, a **Description > Next** +6. Add the following settings: \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-2.md b/includes/intune/intune-custom-settings-2.md new file mode 100644 index 0000000000..1a601acaa7 --- /dev/null +++ b/includes/intune/intune-custom-settings-2.md @@ -0,0 +1,9 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +7. Select **Next** +8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** +9. Under **Applicability Rules**, select **Next** +10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/includes/intune/intune-custom-settings-info.md b/includes/intune/intune-custom-settings-info.md new file mode 100644 index 0000000000..8ff9da4294 --- /dev/null +++ b/includes/intune/intune-custom-settings-info.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md new file mode 100644 index 0000000000..207141f3e5 --- /dev/null +++ b/includes/licensing/_edition-requirements.md 
@@ -0,0 +1,79 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education | +|:---|:---:|:---:|:---:|:---:| +|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes| +|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes| +|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes| +|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes| +|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes| +|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes| +|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes| +|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| +|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes| +|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes| +|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes| +|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|❌|Yes| +|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes| +|**[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes| +|**[Enhanced phishing protection with 
SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes| +|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes| +|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes| +|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes| +|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes| +|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes| +|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes| +|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes| +|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for 
Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes| +|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes| +|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes| +|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes| +|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes| +|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes| +|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes| +|**Privacy Resource Usage**|Yes|Yes|Yes|Yes| +|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes| +|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes| +|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes| +|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes| +|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes| +|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes| +|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes| +|**[Server Message Block Direct (SMB 
Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes| +|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| +|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes| +|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes| +|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes| +|**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes| +|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes| +|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes| +|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes| +|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes| +|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes| +|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes| +|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes| +|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes| +|**[Windows Defender Remote Credential 
Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes| +|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes| +|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes| +|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes| +|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md new file mode 100644 index 0000000000..a27829cbab --- /dev/null +++ b/includes/licensing/_licensing-requirements.md 
@@ -0,0 +1,79 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---|:---:|:---:|:---:|:---:|:---:| +|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes| +|**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes| +|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes| +|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes| +|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes| +|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes| +|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| +|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes| +|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes| +|**[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)**|Yes|Yes|Yes|Yes|Yes| +|**[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)**|❌|Yes|Yes|Yes|Yes| +|**[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)**|Yes|Yes|Yes|Yes|Yes| +|**[Encrypted hard 
drive](/windows/security/information-protection/encrypted-hard-drive)**|Yes|Yes|Yes|Yes|Yes| +|**[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)**|Yes|Yes|Yes|Yes|Yes| +|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes| +|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes| +|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes| +|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes| +|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes| +|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes| +|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes| +|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes| +|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for 
Edge enterprise mode and enterprise management](/deployedge/microsoft-edge-security-windows-defender-application-guard)**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌| +|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes| +|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes| +|**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes| +|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes| +|**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes| +|**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes| +|**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes| +|**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes| +|**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes| +|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes| +|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes| +|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes| +|**[Security 
baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes| +|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes| +|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes| +|**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes| +|**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes| +|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes| +|**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes| +|**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌| +|**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows 
Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes| +|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/access-control-aclsscals.md new file mode 100644 index 0000000000..74b2f49090 --- /dev/null +++ b/includes/licensing/access-control-aclsscals.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Access Control (ACLs/SCALS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Access Control (ACLs/SCALS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md new file mode 100644 index 0000000000..f73aa4228c --- /dev/null +++ b/includes/licensing/account-lockout-policy.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Account Lockout Policy: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Account Lockout Policy license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md new file mode 100644 index 0000000000..74b2333a3d --- /dev/null +++ b/includes/licensing/always-on-vpn-device-tunnel.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Always On VPN (device tunnel): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Always On VPN (device tunnel) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md new file mode 100644 index 0000000000..a2f4b745bb --- /dev/null +++ b/includes/licensing/assigned-access-kiosk-mode.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Assigned Access (kiosk mode): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Assigned Access (kiosk mode) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md new file mode 100644 index 0000000000..666af08c54 --- /dev/null 
+++ b/includes/licensing/attack-surface-reduction-asr.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Attack surface reduction (ASR): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Attack surface reduction (ASR) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md new file mode 100644 index 0000000000..b093cd8faa --- /dev/null +++ b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/bitlocker.md b/includes/licensing/bitlocker.md new file mode 100644 index 0000000000..cf1f80b079 --- /dev/null +++ b/includes/licensing/bitlocker.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support BitLocker: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +BitLocker license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md new file mode 100644 index 0000000000..494fee6609 --- /dev/null +++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Bluetooth pairing and connection protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Bluetooth pairing and connection protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md new file mode 100644 index 0000000000..dbb9d1669a --- /dev/null +++ b/includes/licensing/common-criteria-certifications.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Common Criteria certifications: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Common Criteria certifications license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md new file mode 100644 index 0000000000..855d0cf28f --- /dev/null +++ b/includes/licensing/controlled-folder-access.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Controlled folder access: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Controlled folder access license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md new file mode 100644 index 0000000000..f8fdb1e381 --- /dev/null 
+++ b/includes/licensing/device-health-attestation-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Device health attestation service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Device health attestation service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md new file mode 100644 index 0000000000..f1b2da9ef5 --- /dev/null +++ b/includes/licensing/direct-access.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Direct Access: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Direct Access license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md new file mode 100644 index 0000000000..07e14851b2 --- /dev/null +++ b/includes/licensing/email-encryption-smime.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Email Encryption (S/MIME): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Email Encryption (S/MIME) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md new file mode 100644 index 0000000000..e365c0d71c --- /dev/null +++ b/includes/licensing/encrypted-hard-drive.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Encrypted hard drive: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Encrypted hard drive license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md new file mode 100644 index 0000000000..4f4c059f8b --- /dev/null 
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Enhanced phishing protection with SmartScreen: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Enhanced phishing protection with SmartScreen license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md new file mode 100644 index 0000000000..c774cb4f5e --- /dev/null +++ b/includes/licensing/exploit-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Exploit protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Exploit protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/fast-identity-online-fido2-security-key.md new file mode 100644 index 0000000000..b47385e2f5 --- /dev/null +++ b/includes/licensing/fast-identity-online-fido2-security-key.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Fast Identity Online (FIDO2) security key: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Fast Identity Online (FIDO2) security key license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md new file mode 100644 index 0000000000..ff0563a439 --- /dev/null +++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Federal Information Processing Standard (FIPS) 140 validation: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Federal Information Processing Standard (FIPS) 140 validation license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md new file mode 100644 index 0000000000..5a1a787e06 --- /dev/null +++ b/includes/licensing/federated-sign-in.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Federated sign-in: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|No|Yes|Yes| + +Federated sign-in license entitlements are granted by the following licenses: + +|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|No|No|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md new file mode 100644 index 0000000000..50ae05045a --- /dev/null 
+++ b/includes/licensing/hardware-enforced-stack-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Hardware-enforced stack protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Hardware-enforced stack protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md new file mode 100644 index 0000000000..8f6b16cf28 --- /dev/null +++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Hypervisor-protected Code Integrity (HVCI): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Hypervisor-protected Code Integrity (HVCI) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md new file mode 100644 index 0000000000..7c805915cb --- /dev/null +++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Kernel Direct Memory Access (DMA) protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Kernel Direct Memory Access (DMA) protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md new file mode 100644 index 0000000000..af4fb5b47f --- /dev/null +++ b/includes/licensing/local-security-authority-lsa-protection.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Local Security Authority (LSA) Protection: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Local Security Authority (LSA) Protection license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md new file mode 100644 index 0000000000..7330817deb --- /dev/null +++ b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md new file mode 100644 index 0000000000..39c560d47f --- /dev/null +++ b/includes/licensing/measured-boot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Measured boot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Measured boot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md new file mode 100644 index 0000000000..ba5bb932ea --- /dev/null +++ b/includes/licensing/microsoft-defender-antivirus.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Antivirus: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender Antivirus license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md new file mode 100644 index 0000000000..453b5db930 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md new file mode 100644 index 0000000000..36c1c33234 --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md new file mode 100644 index 0000000000..23bf14013f --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge standalone mode: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md new file mode 100644 index 0000000000..2ccf97f2da --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Microsoft Office: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) for Microsoft Office license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|No|No|No|No| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md new file mode 100644 index 0000000000..bf903c766f --- /dev/null +++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) public APIs: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Microsoft Defender Application Guard (MDAG) public APIs license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md new file mode 100644 index 0000000000..be03daf05e --- /dev/null +++ b/includes/licensing/microsoft-defender-for-endpoint.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender for Endpoint: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender for Endpoint license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|No|Yes|No|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md new file mode 100644 index 0000000000..a946b12155 --- /dev/null +++ b/includes/licensing/microsoft-defender-smartscreen.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Defender SmartScreen: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Defender SmartScreen license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-pluton-security-processor.md b/includes/licensing/microsoft-pluton-security-processor.md new file mode 100644 index 0000000000..2190c8a4ab --- /dev/null +++ b/includes/licensing/microsoft-pluton-security-processor.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Pluton security processor: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Pluton security processor license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md new file mode 100644 index 0000000000..39e258739c 
--- /dev/null +++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md new file mode 100644 index 0000000000..e0203c3e4d --- /dev/null +++ b/includes/licensing/opportunistic-wireless-encryption-owe.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Opportunistic Wireless Encryption (OWE): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Opportunistic Wireless Encryption (OWE) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md new file mode 100644 index 0000000000..3ca149f34f --- /dev/null +++ b/includes/licensing/personal-data-encryption-pde.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Personal data encryption (PDE): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Personal data encryption (PDE) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md new file mode 100644 index 0000000000..054bf054cc --- /dev/null +++ b/includes/licensing/privacy-resource-usage.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Privacy Resource Usage: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Privacy Resource Usage license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md new file mode 100644 index 0000000000..711440f7a5 --- /dev/null +++ b/includes/licensing/privacy-transparency-and-controls.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Privacy Transparency and Controls: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Privacy Transparency and Controls license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md new file mode 100644 index 0000000000..5f5e79eeb6 --- /dev/null +++ b/includes/licensing/remote-wipe.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Remote wipe: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Remote wipe license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md new file mode 100644 index 0000000000..8c60a8b048 --- /dev/null +++ b/includes/licensing/secure-boot-and-trusted-boot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secure Boot and Trusted Boot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secure Boot and Trusted Boot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md new file mode 100644 index 0000000000..9a2f06088b --- /dev/null +++ b/includes/licensing/secured-core-configuration-lock.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secured-core configuration lock: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secured-core configuration lock license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/secured-core-pc.md b/includes/licensing/secured-core-pc.md new file mode 100644 index 0000000000..f22319bbdb --- /dev/null +++ b/includes/licensing/secured-core-pc.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Secured-core PC: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Secured-core PC license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md new file mode 100644 index 0000000000..a615d3af13 --- /dev/null +++ b/includes/licensing/security-baselines.md 
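Review bot: The edition table in secured-core-configuration-lock.md marks Windows Pro Education/SE and Windows Education as "Yes", but the sentence this include replaces in config-lock.md (later in this same patch) limited config lock to "all Windows Professional and Enterprise Editions running on secured-core PCs". Either the Education editions were newly confirmed as supported, in which case that is a content change worth calling out in the PR description, or the two cells should be "No" to match the statement being removed; please confirm before merging, since this include is what the page will render as its requirements.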
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Security baselines: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Security baselines license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md new file mode 100644 index 0000000000..ba99c98579 --- /dev/null +++ b/includes/licensing/server-message-block-direct-smb-direct.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Server Message Block Direct (SMB Direct): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Server Message Block Direct (SMB Direct) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md new file mode 100644 index 0000000000..a271907d88 
--- /dev/null +++ b/includes/licensing/server-message-block-smb-file-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Server Message Block (SMB) file service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Server Message Block (SMB) file service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md new file mode 100644 index 0000000000..ff42750aab --- /dev/null +++ b/includes/licensing/smart-app-control.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Smart App Control: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Smart App Control license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md new file mode 100644 index 0000000000..98f271770f 
--- /dev/null +++ b/includes/licensing/smart-cards-for-windows-service.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Smart Cards for Windows Service: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Smart Cards for Windows Service license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md new file mode 100644 index 0000000000..95a86ec97c --- /dev/null +++ b/includes/licensing/tamper-protection-settings-for-mde.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Tamper protection settings for MDE: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Tamper protection settings for MDE license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
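Review bot: In tamper-protection-settings-for-mde.md the feature name "Tamper protection settings for MDE" leaves MDE unexpanded, unlike the other includes in this patch, which spell out the product and put the acronym in parentheses (for example "Windows Defender Application Control (WDAC)"). Suggest "Tamper protection settings for Microsoft Defender for Endpoint (MDE)" in both the "editions that support" sentence and the "license entitlements" sentence, because the include is rendered standalone inside whichever page consumes it and the reader may not have seen the acronym defined.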
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md new file mode 100644 index 0000000000..9af6799b44 --- /dev/null +++ b/includes/licensing/transport-layer-security-tls.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Transport layer security (TLS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Transport layer security (TLS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/trusted-platform-module-tpm-20.md b/includes/licensing/trusted-platform-module-tpm-20.md new file mode 100644 index 0000000000..b2e593986b --- /dev/null +++ b/includes/licensing/trusted-platform-module-tpm-20.md 
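Review bot: "Transport layer security (TLS)" in transport-layer-security-tls.md is capitalized differently from the sibling includes in this patch ("Trusted Platform Module (TPM) 2.0", "User Account Control (UAC)", "Virtual Private Network (VPN)"); the protocol name is a proper noun, so use "Transport Layer Security (TLS)" in both sentences.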
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md new file mode 100644 index 0000000000..9c6572d61e --- /dev/null +++ b/includes/licensing/universal-print.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Universal Print: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Universal Print license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md new file mode 100644 index 0000000000..9da42619fe --- /dev/null +++ b/includes/licensing/user-account-control-uac.md 
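Review bot: universal-print.md will read as a contradiction: the first table says Windows Pro supports Universal Print ("Yes"), the second says the Windows Pro/Pro Education/SE license grants no entitlement ("No"), and nothing on the page explains the gap. Since the same two-table template is used everywhere else with matching values, consider adding a sentence after the second table stating which additional license a Pro device needs, or a short note distinguishing "the edition can run the feature" from "the license includes the entitlement".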
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support User Account Control (UAC): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +User Account Control (UAC) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md new file mode 100644 index 0000000000..aa184cdbb6 --- /dev/null +++ b/includes/licensing/virtual-private-network-vpn.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Virtual Private Network (VPN): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Virtual Private Network (VPN) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md new file mode 100644 index 0000000000..bab3110e7a --- /dev/null 
+++ b/includes/licensing/virtualization-based-security-vbs.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Virtualization-based security (VBS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Virtualization-based security (VBS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md new file mode 100644 index 0000000000..edb7a92967 --- /dev/null +++ b/includes/licensing/wifi-security.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support WiFi Security: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +WiFi Security license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md new file mode 100644 index 0000000000..85f7df53dc --- /dev/null +++ b/includes/licensing/windows-autopatch.md 
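Review bot: wifi-security.md names the feature "WiFi Security"; the established spelling is "Wi-Fi", and the capital "S" in "Security" is inconsistent with neighbouring includes such as "Virtualization-based security (VBS)". Suggest "Wi-Fi security" in both the "editions that support" and "license entitlements" sentences.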
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Autopatch: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Windows Autopatch license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|No|No| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md new file mode 100644 index 0000000000..e187e7a3fa --- /dev/null +++ b/includes/licensing/windows-autopilot.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Autopilot: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Autopilot license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-containers.md b/includes/licensing/windows-containers.md new file mode 100644 index 0000000000..f3f9962827 --- /dev/null +++ b/includes/licensing/windows-containers.md 
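Review bot: windows-autopatch.md is internally inconsistent: the edition table lists Windows Education as "Yes", but the license table lists both Windows Education A3 and Windows Education A5 as "No", so the page says the Education edition is supported while showing no Education license that grants the entitlement. Either the Windows Education cell should be "No" (matching Windows Pro and Pro Education/SE) or one of the A3/A5 cells should be "Yes"; please check against the Autopatch prerequisites and fix whichever side is wrong.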
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows containers: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows containers license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md new file mode 100644 index 0000000000..66d6ac70dc --- /dev/null +++ b/includes/licensing/windows-defender-application-control-wdac.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender Application Control (WDAC): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Defender Application Control (WDAC) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/windows-defender-credential-guard.md new file mode 100644 index 0000000000..c134726708 
--- /dev/null +++ b/includes/licensing/windows-defender-credential-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender Credential Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|No|Yes|No|Yes| + +Windows Defender Credential Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|No|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/windows-defender-remote-credential-guard.md new file mode 100644 index 0000000000..b638a7c661 --- /dev/null +++ b/includes/licensing/windows-defender-remote-credential-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender Remote Credential Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Defender Remote Credential Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md new file mode 100644 index 0000000000..0c747b64c5 --- /dev/null +++ b/includes/licensing/windows-defender-system-guard.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Defender System Guard: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Defender System Guard license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md new file mode 100644 index 0000000000..2e0754b3ac --- /dev/null +++ b/includes/licensing/windows-firewall.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Firewall: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Firewall license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). 
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md new file mode 100644 index 0000000000..3d0c015bc5 --- /dev/null +++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Hello for Business Enhanced Security Sign-in (ESS): + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Hello for Business Enhanced Security Sign-in (ESS) license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md new file mode 100644 index 0000000000..f48b9316b7 --- /dev/null +++ b/includes/licensing/windows-hello-for-business.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Hello for Business: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Hello for Business license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md new file mode 100644 index 0000000000..d462168228 --- /dev/null +++ b/includes/licensing/windows-laps.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows LAPS: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows LAPS license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md new file mode 100644 index 0000000000..c6cc796c33 --- /dev/null +++ b/includes/licensing/windows-presence-sensing.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows presence sensing: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows presence sensing license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md new file mode 100644 index 0000000000..7ed933449c --- /dev/null +++ b/includes/licensing/windows-sandbox.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Sandbox: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Sandbox license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md new file mode 100644 index 0000000000..270d3267ee --- /dev/null +++ b/includes/licensing/windows-security-policy-settings-and-auditing.md 
@@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support Windows Security policy settings and auditing: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +Windows Security policy settings and auditing license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 2e86f60f6a..d32bed289c 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md 
@@ -26,11 +26,9 @@ To summarize, config lock: ## Configuration Flow -After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). +After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). -## System Requirements - -Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). +[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)] ## Enabling config lock using Microsoft Intune diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 59197ad641..48902df441 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
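Review bot: The rewritten first sentence of "Configuration Flow" reads "After a [secured-core PCs](...) reaches the desktop"; the link text is plural between "a" and "reaches", so it should be "After a [secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop". Separately, the removed "System Requirements" sentence was the only place the hardware prerequisite was stated as a requirement ("running on secured-core PCs"), and the include that replaces it lists only editions and licenses; keep one sentence on the page saying config lock requires a secured-core PC so that requirement isn't lost in the swap.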
@@ -15,20 +15,28 @@ appliesto: # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. -If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: +The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management. + +If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. 
However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. 
This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. + + As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. + + Potential orchestrator providers you could contact include: + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) + - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. - Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution -- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used > [!NOTE] diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index ecc058a048..65a8d393da 100644 
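Review bot: In the esim-enterprise-management hunk, the reflowed bullet introduces a typo: "the capability for MDM providers to manager eSIM profiles" should be "to manage eSIM profiles". Since the orchestrator paragraph is re-added in the same hunk, also untangle "Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding" into something like "Orchestrator providers act as a proxy that handles both MDM onboarding and mobile operator onboarding".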
--- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -56,6 +56,8 @@ For more information about the MDM policies defined in the MDM security baseline For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). +[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)] + ## Frequently Asked Questions ### Can there be more than one MDM server to enroll and manage devices in Windows? diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b34bc4709f..16889b4db0 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -21,6 +21,9 @@ ms.topic: reference > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. 
@@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes: - ./Device/Vendor/MSFT/BitLocker - [AllowStandardUserEncryption](#allowstandarduserencryption) + - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) @@ -149,6 +153,63 @@ To disable this policy, use the following SyncML: + +## AllowSuspensionOfBitLockerProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection +``` + + + + +This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + +> [!WARNING] +> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + +The expected values for this policy are: + +0 = Prevent BitLocker Drive Encryption protection from being suspended. +1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Prevent BitLocker Drive Encryption protection from being suspended. | +| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. | + + + + + + + + ## AllowWarningForOtherDiskEncryption diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index 206cf3acd1..a5b1dd75f5 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
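Review bot: In the AllowSuspensionOfBitLockerProtection hunk of bitlocker-csp.md, the warning "When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally" doesn't say which scenarios need to suspend BitLocker protection, so an admin can't weigh setting 0 (block suspension) against the flows it breaks; list those scenarios or link to where they're documented. Two smaller points: the "1 (Default)" row of the allowed-values table repeats "This is the default, when the policy is not set", so its description could just read "Allows suspending BitLocker Drive Encryption protection."; and the two expected-values lines (`0 = Prevent ...`, `1 = This is the default ...`) have no list markers, so markdown will run them into one paragraph. The same strings appear in the bitlocker-ddf-file.md hunk, so fix both.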
@@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI + + AllowSuspensionOfBitLockerProtection + + + + + + + + 1 + This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled. + Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally. + The format is integer. + The expected values for this policy are: + + 0 = Prevent BitLocker Drive Encryption protection from being suspended. + 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + + + + + + + + + + + + 99.9.99999 + 9.9 + + + + 0 + Prevent BitLocker Drive Encryption protection from being suspended. + + + 1 + This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. + + + + Status diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 7550924275..a94f1eed2e 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Defender CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -63,6 +63,7 @@ The following list shows the Defender configuration service provider nodes: - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [IntelTDTEnabled](#configurationinteltdtenabled) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) + - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [PassiveRemediation](#configurationpassiveremediation) - [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) 
@@ -1808,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not + +### Configuration/OobeEnableRtpAndSigUpdate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate +``` + + + + +This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. | +| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. | + + + + + + + + ### Configuration/PassiveRemediation @@ -2212,6 +2262,8 @@ Tamper protection helps protect important security features from unwanted change +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -2481,7 +2533,7 @@ Information about the current status of the threat. The following list shows the | 7 | Removed | | 8 | Cleaned | | 9 | Allowed | -| 10 | No Status (Cleared) | +| 10 | No Status ( Cleared) | @@ -3676,7 +3728,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher -RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command. +RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. @@ -3828,6 +3880,8 @@ Node that can be used to perform signature updates for Windows Defender. + +[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection 
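Review bot: In the Configuration/OobeEnableRtpAndSigUpdate hunk of defender-csp.md, the description says only that the setting "allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE"; the allowed-values table then shows that the default (0, or not configured) leaves both off for the whole out-of-box experience. State that default and its effect in the description itself, since it's the security-relevant fact a reader scanning the node will otherwise miss. Also, in the 0 row, "real-time protection and Security Intelligence Updates during OOBE is not enabled" has a plural subject: "are not enabled" (or "aren't enabled", matching the contractions used elsewhere in this file). The same description and value strings appear in the defender-ddf.md hunk.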
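Review bot: In the @@ -2212 hunk of defender-csp.md, the added note "Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled" sits below a description beginning "Tamper protection helps protect important security features from unwanted changes" but doesn't name the node it refers to, so it's ambiguous whether it means this node or Defender settings in general. Name the node explicitly (for example "Changes to this node are not applied while tamper protection is enabled") so the sentence still reads correctly when the page is searched or excerpted.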
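Review bot: The @@ -2481 hunk of defender-csp.md is a regression: it changes `| 10 | No Status (Cleared) |` to `| 10 | No Status ( Cleared) |`, introducing a stray space inside the parentheses. Drop this change, or fix the source string the table is generated from, so the row stays `No Status (Cleared)`.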
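Review bot: The @@ -3676 hunk of defender-csp.md replaces the correct possessive "its last known good saved version" with "it's last known good saved version" (a contraction of "it is"). Revert this line; if the text is generated, the fix belongs in the source string for the RollbackEngine action.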
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 4a653a572d..09e0cb692e 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D
+ + OobeEnableRtpAndSigUpdate + + + + + + + + 0 + This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience). + + + + + + + + + + + + + + 10.0.14393 + 1.3 + + + + 1 + If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. + + + 0 + If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. + + + + ThrottleForScheduledScanOnly diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md index e32d2c6c9a..a6be4ec54b 100644 --- a/windows/client-management/mdm/devicepreparation-csp.md +++ b/windows/client-management/mdm/devicepreparation-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no - [ClassID](#bootstrapperagentclassid) - [ExecutionContext](#bootstrapperagentexecutioncontext) - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri) + - [MdmAgentInstalled](#mdmagentinstalled) - [MDMProvider](#mdmprovider) - [Progress](#mdmproviderprogress) - [PageEnabled](#pageenabled) @@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age + +## MdmAgentInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled +``` + + + + +This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Get, Replace | +| Default Value | false | + + + + + + + + ## MDMProvider diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index c2a8a4aa4e..9d1713e298 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D
+ + MdmAgentInstalled + + + + + + false + This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event. + + + + + + + + + + + + + + ``` diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index bdae4f4a67..ff2a647808 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # DMClient CSP +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. 
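Review bot: In the MdmAgentInstalled hunk of devicepreparation-csp.md, the description "When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event" has no subject and leaves the node's lifecycle unstated: Access Type is Get, Replace and the default is false, but the text doesn't say which component is expected to write it, whether writing false again clears the event, or whether the value survives a reboot. Suggest "Indicates whether the MDM agent has been installed. Setting this node to true raises the AUTOPILOT_MDM_AGENT_REGISTERED WNF event." followed by a sentence on who sets it. The same description string is in the devicepreparation-ddf-file.md hunk.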
@@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes: - [Lock](#deviceproviderprovideridconfiglocklock) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [ConfigRefresh](#deviceproviderprovideridconfigrefresh) + - [Cadence](#deviceproviderprovideridconfigrefreshcadence) + - [Enabled](#deviceproviderprovideridconfigrefreshenabled) + - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) @@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s + +#### Device/Provider/{ProviderID}/ConfigRefresh + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh +``` + + + + +Parent node for ConfigRefresh nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence +``` + + + + +This node determines the number of minutes between refreshes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[30-1440]` | +| Default Value | 90 | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled +``` + + + + +This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | ConfigRefresh is enabled. | +| false (Default) | ConfigRefresh is disabled. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod +``` + + + + +This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-1440]` | +| Default Value | 0 | + + + + + + + + #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index b5ef6feff0..4de7f3bf11 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D + + ConfigRefresh + + + + + + + Parent node for ConfigRefresh nodes + + + + + + + + + + + + + + 99.9.99999 + 1.6 + + + + Enabled + + + + + + + + false + This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + + + + + + + + + true + ConfigRefresh is enabled. + + + false + ConfigRefresh is disabled. + + + LastWrite + + + + Cadence + + + + + + + + 90 + This node determines the number of minutes between refreshes. + + + + + + + + + + + + + + [30-1440] + + + + + PausePeriod + + + + + + + + 0 + This node determines the number of minutes ConfigRefresh should be paused for. + + + + + + + + + + + + + + [0-1440] + + + + 
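Review bot: In the ConfigRefresh hunk of dmclient-csp.md, PausePeriod is documented as "the number of minutes ConfigRefresh should be paused for" (range `[0-1440]`, default 0) but not when the pause starts (at the time the value is written?) or whether the node resets to 0 once the period ends; without that, an MDM can't tell whether a stale non-zero value keeps refresh paused indefinitely. Likewise, Enabled says only that "a periodic settings refresh for MDM policies will occur" without saying what a refresh does (re-applies the last synced policy values? reports drift?), which is what an admin needs in order to decide whether to turn it on. Add a sentence to each; the descriptions are duplicated in the dmclient-ddf-file.md hunk, so update both.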
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 726ff88fb1..9d5ec3342a 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # EnterpriseModernAppManagement CSP + The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md). > [!NOTE] @@ -273,6 +274,7 @@ Used to perform app installation. + This is a required node. @@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + This is an optional node. > [!NOTE] @@ -329,6 +332,7 @@ This is an optional node. + **Example**: Here's an example for uninstalling an app: @@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -424,6 +429,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -464,6 +470,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. 
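Review bot: The @@ -17,6 +17,7 hunk of enterprisemodernappmanagement-csp.md only inserts a blank line above the intro paragraph, but that paragraph (shown as context) still reads "how to use this CSP to for reporting apps inventory"; drop the stray "to" while this region is being touched.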
@@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -662,6 +671,7 @@ Used to manage licenses for store apps. + This is a required node. @@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. @@ -741,6 +752,7 @@ Command to add license. + This is a required node. @@ -780,6 +792,7 @@ Command to get license from the store. + This is a required node. @@ -936,6 +949,7 @@ Used for inventory and app management (post-install). + This is a required node. @@ -975,6 +989,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -1016,6 +1031,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -1070,6 +1087,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. 
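Review bot: In the @@ -504 hunk of enterprisemodernappmanagement-csp.md, the context line "An integer the indicates the progress of the app installation" has a typo ("that indicates"); since this hunk already touches the block, fix it here. The same phrase recurs in the @@ -5521 hunk later in this file.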
@@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | 
@@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan. + This is a required node. @@ -2332,6 +2368,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. 
@@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. 
@@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | 
@@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to + NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. @@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev + **Examples**: - Add an app to the nonremovable app policy list @@ -5253,6 +5320,7 @@ Used to start the Windows Update scan. + This is a required node. @@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can + This is a required node. The following list shows the supported deployment options: - ForceApplicationShutdown @@ -5441,6 +5512,7 @@ Last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5481,6 +5553,7 @@ Description of last error relating to the app installation. + > [!NOTE] > This element isn't present after the app is installed. @@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio + > [!NOTE] > This element isn't present after the app is installed. @@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0) + > [!NOTE] > This element isn't present after the app is installed. @@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the + This is an optional node. 
@@ -5758,6 +5834,7 @@ Command to add license. + This is a required node. @@ -5797,6 +5874,7 @@ Command to get license from the store. + This is a required node. @@ -5992,6 +6070,7 @@ Specifies the query for app inventory. + This is a required node. Query parameters: - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are: @@ -6031,6 +6110,7 @@ This is a required node. Query parameters: + **Example**: The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. @@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue + This is a required node. @@ -6085,6 +6166,7 @@ This is a required node. + **Example**: Here's an example of AppInventoryResults operation. @@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation. + This is a required node. Used for managing apps from the Microsoft Store. @@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: Here's an example for uninstalling an app: @@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. 
@@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. Possible values: - 0 = Not Installed @@ -6821,6 +6915,7 @@ Interior node for all managed app setting values. + > [!NOTE] > This node is only supported in the user context. @@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). |Applicability Setting |CSP state |Result | @@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin + > [!NOTE] > ReleaseManagement settings only apply to updates through the Microsoft Store. @@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan. + This is a required node. 
@@ -7349,6 +7450,7 @@ This is a required node. + Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store. @@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + ```xml @@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. @@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. @@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th + Requried. - Not Installed = 0 @@ -8045,6 +8158,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. 
@@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte + The following example sets the value for the 'Server' ```xml @@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -8531,6 +8649,7 @@ Used to remove packages. + Parameters: - Package @@ -8551,6 +8670,7 @@ Parameters: + **Example**: The following example removes a package for all users: @@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration. + Reports apps installed as part of the operating system. @@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + > [!NOTE] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. @@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh + **Example**: ```xml @@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string. + This is a required node. @@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string. + > [!NOTE] > Not applicable to XAP files. @@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1 + > [!NOTE] > Not applicable to XAP files. 
@@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack + The value is 1 if the package is a stub package and 0 (zero) for all other cases. @@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v + > [!NOTE] > Not applicable to XAP files. @@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of + This is a required node. > [!NOTE] @@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta + > [!NOTE] > Not applicable to XAP files. @@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th + This is a required node. - 0 = Not Installed @@ -9328,6 +9460,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -9816,6 +9953,7 @@ Used to start the Windows Update scan. + This is a required node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index c5b31e1372..dd6206ae17 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md 
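Review bot: in enterprisemodernappmanagement-csp.md the example labeling is inconsistent across the parallel AppManagement subtrees. Hunk `@@ -7403,6 +7506,7 @@` adds a blank line in front of a bare xml code fence with no heading, while the equivalent hunk `@@ -6177,6 +6261,7 @@` introduces the same uninstall example with "**Example**: Here's an example for uninstalling an app:"; likewise hunk `@@ -8098,6 +8213,7 @@` leaves "The following example sets the value for the 'Server'" unlabeled where hunks `@@ -6875,6 +6971,7 @@` and `@@ -9381,6 +9515,7 @@` carry "**Examples**:". Since these hunks already touch those lines, add the missing "**Example**:" / "**Examples**:" labels so the duplicated nodes read the same.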
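Review bot: "Requried." in hunk `@@ -7962,6 +8074,7 @@` of enterprisemodernappmanagement-csp.md is a typo, and it is the only copy of this node documented with a one-word fragment: the parallel hunks `@@ -6738,6 +6831,7 @@` and `@@ -9245,6 +9376,7 @@` read "This is a required node." followed by the value list. Change the line to match, for example "This is a required node. Possible values:", and list the values in the same form as the other copies ("- 0 = Not Installed" rather than "- Not Installed = 0").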
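Review bot: several context lines these blank-line hunks in enterprisemodernappmanagement-csp.md sit against carry grammar errors that belong in the same pass rather than another whitespace PR: "Specify whether on a AMD64 device" (hunks `@@ -3078`, `@@ -4814`, `@@ -6981`, `@@ -8202` and `@@ -9487`) should read "on an AMD64 device"; "An integer the indicates the progress" (hunk `@@ -5521,6 +5594,7 @@`) should read "An integer that indicates the progress"; and "Multiple value must be separate by |" (hunk `@@ -5992,6 +6070,7 @@`) should read "Multiple values must be separated by |".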
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,9 +16,6 @@ ms.topic: reference # Firewall CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes: - [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) + - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) 
@@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes: - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - - [HyperVLoopbackRules](#mdmstorehypervloopbackrules) - - [{RuleName}](#mdmstorehypervloopbackrulesrulename) - - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid) - - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled) - - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges) - - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid) - [HyperVVMSettings](#mdmstorehypervvmsettings) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) @@ -1791,7 +1782,7 @@ Specifies the description of the rule. -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - + +Specifies the friendly name of the firewall rule. @@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later | @@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f -Specifies the action for the rule. +Specifies the action the rule enforces: +0 - Block +1 - Allow. @@ -3132,68 +3128,27 @@ Specifies the action for the rule. **Description framework properties**: -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type -``` - - - - -Specifies the action the rule enforces: -0 - Block -1 - Allow. - - - - - - - -**Description framework properties**: - | Property name | Property value | |:--|:--| | Format | int | | Access Type | Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 | Block. | | 1 (Default) | Allow. | - + - + - + - + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction @@ -3212,7 +3167,7 @@ Specifies the action the rule enforces: -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + +Specifies the friendly name of the Hyper-V Firewall rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority @@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the -0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. +This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-255]` | +| Allowed Values | Range: `[0-65535]` | @@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G - -### MdmStore/HyperVLoopbackRules - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules -``` - - - - -A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -#### MdmStore/HyperVLoopbackRules/{RuleName} - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName} -``` - - - - -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Add, Delete, Get, Replace | -| Atomic Required | True | -| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | -| Allowed Values | Regular Expression: `^[^|/]*$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled -``` - - - - -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | bool | -| Access Type | Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 | Enabled. | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges -``` - - - - -Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `^[0-9,-]+$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - ### MdmStore/HyperVVMSettings @@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. -This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. +This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. 
@@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 
@@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | 
@@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. 
@@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. 
@@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 4eb6ee5f96..6fd0b6982d 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall 
@@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. + This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 
@@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. 
@@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3818,7 +3818,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3846,7 +3849,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3878,6 +3884,8 @@ ServiceName String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). @@ -3892,7 +3900,7 @@ ServiceName - 10.0.19043 + 10.0.20348 1.0 
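Review bot: In the two port-range hunks (`@@ -3818,7 +3818,10 @@` and `@@ -3846,7 +3849,10 @@`), the added sentence "When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP)." has a stray comma before "to either"; and since the description line is being rewritten anyway, the pre-existing "for eg. 100-120,200,300-320" should become "for example, 100-120,200,300-320". The matching ICMP constraint added in `@@ -3878,6 +3884,8 @@` ("either 1 (ICMP) or 58 (IPv6-ICMP)") is the right companion check and should carry the same punctuation fix.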
@@ -3909,7 +3917,7 @@ ServiceName - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 99.9.99999 + 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 @@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + Specifies the friendly name of the firewall rule. @@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. 
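Review bot: The new Priority description (`@@ -4457,7 +4466,7 @@`) is ambiguous: "A lower priority rule is evaluated first" can be read as "a rule of lower importance runs first" or "a rule with a lower numeric value runs first". Spell out the numeric sense, for example "A rule with a lower Priority value is evaluated before a rule with a higher value", and state the evaluation order when only some rules set Priority, since the sentence "it is highly recommended to configure the value for ALL rules" implies the mixed case is undefined. The Direction hunks in this region still read "as following"; "as follows" is the correct form.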
@@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - [0-255] + [0-65535]
@@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4577,7 +4586,7 @@ If not specified the detault is OUT. - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa + - Specifies the action for the rule. + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow - + @@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa - + + + + 0 + Block + + + 1 + Allow + + - - Type - - - - - - 1 - Specifies the action the rule enforces: -0 - Block -1 - Allow - - - - - - - - - - - - - - - 0 - Block - - - 1 - Allow - - - - Enabled @@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default. - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + Provides information about the specific version of the rule in deployment for monitoring purposes. 
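Review bot: The Action hunks (`@@ -4695,10 +4704,14 @@` and `@@ -4707,44 +4720,19 @@`) move the enum from a nested `Type` leaf onto `Action` itself, which changes the node path that existing management payloads target. The default (1, Allow) and the values (0 Block, 1 Allow) are preserved, but the path change is not called out anywhere in the patch; add a note in the corresponding reference page that the former `Action/Type` leaf is gone and that `Action` is now the settable leaf, so existing profiles can be migrated. The "verrsion" to "version" fix in `@@ -4785,7 +4773,7 @@` is correct.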
@@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default. - - - - HyperVLoopbackRules - - - - - A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - - - - - - - - - - - - - - - - - - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - - - - RuleName - - - - - - - - ^[^|/]*$ - - - - SourceVMCreatorId + Name @@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default. - This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. + Specifies the friendly name of the Hyper-V Firewall rule. - + @@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default. - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - DestinationVMCreatorId - - - - - - - - This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - - - - - - - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - PortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - - - - ^[0-9,-]+$ - - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - - - - - 0 - Disabled - - - 1 - Enabled - - diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 79728405bf..e172fe94a5 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
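Review bot: These hunks delete the entire `HyperVLoopbackRules` subtree (the rule list, `SourceVMCreatorId`, `DestinationVMCreatorId`, `PortRanges` and `Enabled`, including the GUID and `^[0-9,-]+$` patterns) and add a `Name` leaf described as "Specifies the friendly name of the Hyper-V Firewall rule." Nothing in the patch marks the removed nodes as deprecated or explains the replacement, so confirm that the firewall-csp.md reference page drops the same nodes in this change, and consider stating for `Name` whether it is required and what character restrictions apply, since the rule identifier pattern that used to live next to it was removed along with the subtree.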
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -445,7 +445,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -583,7 +583,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -706,7 +706,7 @@ Minimum PIN length configures the minimum number of characters required for the -Use this policy setting to configure the use of special character in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . +Use this policy setting to configure the use of special characters in the Windows Hello for Business PIN gesture. Valid special characters for Windows Hello for Business PIN gestures include: ! " # $ % & ' ( ) * + , - . / : ; `< = >` ? @ [ \ ] ^ _ ` { | } ~ . A value of 1 corresponds to "Required." If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. 
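Review bot: The two table hunks in passportforwork-csp.md (`@@ -445,7 +445,7 @@` and `@@ -583,7 +583,7 @@`) introduce grammar errors: "at least one digits in PIN" and "at least one lowercase letters in PIN" replace the correct singular forms. Revert those two rows to "Requires the use of at least one digit in PIN." and "Requires the use of at least one lowercase letter in PIN." The change from "special character" to "special characters" in the `@@ -706,7 +706,7 @@` hunk is fine because there the noun is plural in context.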
@@ -791,7 +791,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | @@ -2027,7 +2027,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of digits in PIN. | -| 1 | Requires the use of at least one digit in PIN. | +| 1 | Requires the use of at least one digits in PIN. | | 2 | Does not allow the use of digits in PIN. | @@ -2165,7 +2165,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of lowercase letters in PIN. | -| 1 | Requires the use of at least one lowercase letter in PIN. | +| 1 | Requires the use of at least one lowercase letters in PIN. | | 2 | Does not allow the use of lowercase letters in PIN. | @@ -2317,7 +2317,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of special characters in PIN. | -| 1 | Requires the use of at least one special character in PIN. | +| 1 | Requires the use of at least one special characters in PIN. | | 2 | Does not allow the use of special characters in PIN. | @@ -2373,7 +2373,7 @@ A value of 2 corresponds to "Disallow." If you configure this policy setting to | Value | Description | |:--|:--| | 0 (Default) | Allows the use of uppercase letters in PIN. | -| 1 | Requires the use of at least one uppercase letter in PIN. | +| 1 | Requires the use of at least one uppercase letters in PIN. | | 2 | Does not allow the use of uppercase letters in PIN. | 
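Review bot: The same grammar regression recurs in all five table hunks here: "at least one uppercase letters", "at least one digits", "at least one lowercase letters" and "at least one special characters" are incorrect and should stay singular ("at least one uppercase letter", "one digit", "one lowercase letter", "one special character"). Since these rows read as the authoritative meaning of value 1 for each PIN complexity policy, the wording should match the surrounding rows, which correctly use "digits"/"letters" only after "use of".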
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index b5425cab46..1d5d233812 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P - - ProtectFolders - - - - - - - - - - - - - - - - - - - ProtectDocuments - - - - - - - - Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectDesktop - - - - - - - - Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectPictures - - - - - - - - Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - Status 
@@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P - - FolderProtectionStatus - - - - - This node reports folder protection status for a user. - - - - - - - - - - - - - - - 0 - Protection not started. - - - 1 - Protection is completed with no failures. - - - 2 - Protection in progress. - - - 3 - Protection failed. - - - - - - FoldersProtected - - - - - This node reports all folders (full path to each folder) that have been protected. - - - - - - - - - - - - - - diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 08332c2601..404381b85a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 6aba70d787..f9aa11914a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
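Review bot: Together with the preceding hunk, this removes the whole `ProtectFolders` subtree (`ProtectDocuments`, `ProtectDesktop`, `ProtectPictures`) and the `FolderProtectionStatus` and `FoldersProtected` reporting nodes from the PersonalDataEncryption DDF, with no deprecation marker or pointer to a replacement. Confirm that the companion reference page for this CSP is updated in the same change and that the removal is intentional, because dropping the status nodes also removes the only documented way for an administrator to read back which folders are protected and whether protection failed.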
@@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [ClearTextPassword](policy-csp-devicelock.md) - [PasswordComplexity](policy-csp-devicelock.md) - [PasswordHistorySize](policy-csp-devicelock.md) -- [AccountLockoutThreshold](policy-csp-devicelock.md) -- [AccountLockoutDuration](policy-csp-devicelock.md) -- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md) - [AllowAdministratorLockout](policy-csp-devicelock.md) ## Display @@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) - [DisableControlCenter](policy-csp-start.md) - [ForceStartSize](policy-csp-start.md) @@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [StartLayout](policy-csp-start.md) - [ConfigureStartPins](policy-csp-start.md) - [HideRecommendedSection](policy-csp-start.md) -- [HideRecoPersonalizedSites](policy-csp-start.md) +- [HideRecommendedPersonalizedSites](policy-csp-start.md) - [SimplifyQuickSettings](policy-csp-start.md) - [DisableEditingQuickSettings](policy-csp-start.md) - [HideTaskViewButton](policy-csp-start.md) @@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DenyLogOnAsBatchJob](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md) -- [DenyServiceLogonRight](policy-csp-userrights.md) +- [DenyLogOnAsService](policy-csp-userrights.md) ## VirtualizationBasedTechnology 
@@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [NotifyMalicious](policy-csp-webthreatdefense.md) - [NotifyPasswordReuse](policy-csp-webthreatdefense.md) - [NotifyUnsafeApp](policy-csp-webthreatdefense.md) -- [CaptureThreatWindow](policy-csp-webthreatdefense.md) +- [AutomaticDataCollection](policy-csp-webthreatdefense.md) ## Wifi diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 11a4bb0c2c..e45320b0b7 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md 
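Review bot: The renames in this file (`HideRecoPersonalizedSites` to `HideRecommendedPersonalizedSites` in the two Start hunks, `DenyServiceLogonRight` to `DenyLogOnAsService` in `@@ -884,7 +881,7 @@`, and `CaptureThreatWindow` to `AutomaticDataCollection` here) only change the link text, not the link target, so each linked page must carry a heading with the new name or the links will resolve to the page top. Also, the removal of `AccountLockoutThreshold`, `AccountLockoutDuration` and `ResetAccountLockoutCounterAfter` from the DeviceLock list in `@@ -340,9 +340,6 @@` should be mirrored in policy-csp-devicelock.md if those policies are no longer Group Policy mapped.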
@@ -24,14 +24,15 @@ ms.date: 02/03/2023 - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname) - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode) - [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename) -- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) -- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) -- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) -- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) -- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) +- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) 13 +- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) 13 +- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) 13 +- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) 13 +- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) 13 +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) 13 +- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) 13 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth) +- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices) 12 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection) - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10 
@@ -66,7 +67,6 @@ ms.date: 02/03/2023 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9 -- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12 
@@ -74,14 +74,13 @@ ms.date: 02/03/2023 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9 -- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9 -- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9 -- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9 -- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9 -- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9 -- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9 +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9, 14 +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9, 14 +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9, 14 +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9, 14 +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9, 14 +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9, 14 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization) -- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo) - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps) - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps) 
@@ -99,6 +98,9 @@ ms.date: 02/03/2023 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation) +- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 +- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone) - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8 
@@ -115,10 +117,11 @@ ms.date: 02/03/2023 - [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12 - [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12 - [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12 -- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline) - [System/AllowLocation](policy-csp-system.md#allowlocation) - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard) - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry) +- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) 12 +- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) 12 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9 
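Review bot: the new entries in the @@ -99 and @@ -115 hunks link to the absolute path `/windows/client-management/mdm/policy-csp-privacy` and `/windows/client-management/mdm/policy-csp-system` with no anchor, while every neighbouring entry uses a relative link with a section anchor, for example `policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps`. Use the same form for consistency and so the reader lands on the policy rather than the top of the page, e.g. `[Privacy/LetAppsAccessLocation_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesslocation_forceallowtheseapps) 12` and `[System/DisableDeviceDelete](policy-csp-system.md#disabledevicedelete) 12`, assuming those headings exist on the target pages.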
@@ -160,8 +163,15 @@ Footnotes: - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2) +- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge) +- 14 - Refer to [New Power Policies for Hololens 2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2) - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider). ## Related topics [Policy CSP](policy-configuration-service-provider.md) + +[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support) + + + diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index e17a1d7e53..4be961a69f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac ## Start +- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites) - [StartLayout](policy-csp-start.md#startlayout) ## System 
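Review bot: footnote 14 in the @@ -160 hunk spells the product "Hololens 2" while the rest of the page (and footnote Insider) uses "HoloLens"; change the link text to "New Power Policies for HoloLens 2". The same hunk also appends three empty lines after the new "[Full HoloLens CSP Details]" link at end of file; drop them so the file ends with a single newline. Footnotes 13 and 14 are referenced by the Browser/* and Power/* entries added earlier in this file, so the numbering itself is consistent.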
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1eba8fd662..1fc1424bc4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -4,7 +4,7 @@ description: Learn more about the Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 07eef1894d..8e1f7925f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -115,6 +115,8 @@ Enabling or disabling this policy may lead to unexpected or unsupported behavior +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -244,6 +246,8 @@ Real-time Protection -> Do not enable the "Turn off real-time protection" policy +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -366,6 +370,8 @@ Real-time protection consists of always-on scanning with file and process behavi +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -426,6 +432,8 @@ This policy setting allows you to configure whether Microsoft Defender Antivirus +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. 
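Review bot: the identical two-line `> [!NOTE] > Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled.` block is pasted into more than a dozen sections of policy-csp-admx-microsoftdefenderantivirus.md (and again in policy-csp-defender.md later in this patch). Consider moving the sentence into a shared include snippet and referencing it from each section, so a future wording or link change is made once; the `[TAMPER-1]` reference definition that these notes depend on is added in the @@ -5702 hunk of this file, so the links resolve within this file.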
@@ -482,6 +490,8 @@ This policy setting allows you specify a list of file types that should be exclu +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. @@ -538,6 +548,8 @@ This policy setting allows you to disable scheduled and real-time scanning for f +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. @@ -594,6 +606,8 @@ This policy setting allows you to disable real-time scanning for any file opened +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. @@ -1577,6 +1591,8 @@ This policy setting allows you to configure behavior monitoring. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -1637,6 +1653,8 @@ This policy setting allows you to configure scanning for all downloaded files an +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -1697,6 +1715,8 @@ This policy setting allows you to configure monitoring for file and program acti +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -1817,6 +1837,8 @@ This policy setting allows you to configure process scanning when real-time prot +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -2540,6 +2562,8 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus enha +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. 
@@ -3069,6 +3093,8 @@ This policy setting allows you to configure scans for malicious software and unw +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -5551,6 +5577,8 @@ Use this policy setting to specify if you want Microsoft Defender Antivirus noti +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -5609,6 +5637,8 @@ If you enable this setting AM UI won't show reboot notifications. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -5702,6 +5732,9 @@ If you enable this setting AM UI won't be available to users. + +[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection +[TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index fbc5c518ac..5c5b42532a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 0b01016c5f..19a5889d94 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 04/14/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -843,7 +843,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121697). diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 1f26de308e..3e6b64b062 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
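Review bot: the only change in the @@ -843 hunk of policy-csp-audit.md inserts a space before the colon ("such as the following :"), which is a typo regression rather than a fix; keep the original "such as the following:" and drop this hunk, since the ms.date bump is the only other change to the file.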
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/27/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,6 +46,8 @@ This policy setting allows you to configure scans for malicious software and unw +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -113,6 +115,8 @@ This policy setting allows you to configure behavior monitoring. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -193,6 +197,8 @@ In Windows 10, Basic membership is no longer available, so setting the value to +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -457,6 +463,8 @@ Allows or disallows Windows Defender Intrusion Prevention functionality. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -510,6 +518,8 @@ This policy setting allows you to configure scanning for all downloaded files an +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -577,6 +587,8 @@ This policy setting allows you to configure monitoring for file and program acti +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -640,6 +652,8 @@ Allows or disallows Windows Defender Realtime Monitoring functionality. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -769,6 +783,8 @@ Allows or disallows Windows Defender Script Scanning functionality. +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. 
@@ -1885,12 +1901,14 @@ Same as Disabled. - -This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. @@ -1939,12 +1957,14 @@ This policy setting allows you specify a list of file types that should be exclu - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. 
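Review bot: the delimiter examples in the new ExcludedExtensions and ExcludedPaths descriptions ("lib|obj", "C:\Example|C:\Example1") are plain text, so the `|` and the backslashes are exposed to markdown rendering and are easy to misread; put them in code spans, e.g. `lib|obj` and `C:\Example|C:\Example1`, and write the delimiter itself as `|` rather than "a |". The old text also stated that the value is ignored and should be 0; if the new pipe-separated string replaces that name/value format, the **Description framework properties** table below (not shown in the hunk) should state the `chr` format and the delimiter so the prose and the table agree.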
@@ -1993,12 +2013,17 @@ This policy setting allows you to disable scheduled and real-time scanning for f - -This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe. +> [!NOTE] +> To prevent unauthorized changes to exclusions, apply tamper protection. Tamper protection for exclusions only works when [certain conditions][TAMPER-2] are met. @@ -2790,6 +2815,8 @@ Valid remediation action values are: +> [!NOTE] +> Changes to this setting are not applied when [tamper protection][TAMPER-1] is enabled. @@ -2823,6 +2850,9 @@ Valid remediation action values are: + +[TAMPER-1]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection +[TAMPER-2]: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-about-exclusions diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index b65b65b1e4..c86a89adff 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md 
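Review bot: the new ExcludedProcesses text in the @@ -1993 hunk has a stray space in the example path ("C:\Example. exe" should be `C:\Example.exe`), and the sentence "Each file type must be separated by a |" describes process paths, not file types, so it should read "Each process path must be separated by `|`". The delimiter sentence also sits inside the `[!IMPORTANT]` callout about the process not being excluded; move it up into the description paragraph and keep the callout to its one warning. Two statements from the replaced text were dropped without replacement: that this policy does not apply to scheduled scans and that only executables can be excluded; if both still hold, keep them, because they change how a defender would reason about the coverage gap an exclusion creates.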
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -347,7 +347,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 69a26fb46f..80e5d67f50 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -30,105 +30,44 @@ ms.topic: reference > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -## AccountLockoutDuration + +## AccountLockoutPolicy - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy ``` - + - + -Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. 
Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | int | +| Format | chr (string) | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-99999]` | -| Default Value | 0 | - + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout duration | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - + - + - - - -## AccountLockoutThreshold - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold -``` - - - - -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-10]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout threshold | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - + ## AllowAdministratorLockout @@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-1]` | -| Default Value | 0 | +| Default Value | 1 | 
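Review bot: in the DeviceInstallation scope table (@@ -347 hunk of policy-csp-deviceinstallation.md) removing the word "Unknown" leaves the cell as ":heavy_check_mark: [10.0.20348.256] and later", a bare build number with no product name, which is harder to read than the placeholder it replaces; name the release that build belongs to in the same form as the other cells ("Windows ..., version ... [10.0.20348.256] and later") rather than leaving the number unlabelled.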
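Review bot: the new AccountLockoutPolicy section (@@ -30,105 +30,44 hunk of policy-csp-devicelock.md) never says how the single `chr (string)` value encodes the three settings it replaces: the description pastes the threshold, duration and reset-counter text end to end (including "Default: 0 Account lockout duration - ..." run together on one line) but gives no value syntax, no delimiter and no example, and the per-setting ranges that were removed with the old sections (`[0-10]`, `[0-99999]`, `[1-99999]`) and their defaults are not carried over into an Allowed Values row. Add a short syntax description with one sample value, split the description into three paragraphs, and either restore a **Group policy mapping** table for "Account Lockout Policy" or state that the combined policy has no mapping.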
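Review bot: the @@ -162 hunk flips the AllowAdministratorLockout Default Value from 0 to 1 while the description text and the group policy mapping for the setting are not touched in this diff; since a default of 1 means the built-in Administrator account becomes subject to lockout, please confirm the new default against the current product behaviour and update the surrounding description if it still states the old default.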
@@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created. -Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. +Enforce password history +This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. > [!NOTE] -> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +> By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. 
For information about the minimum password age security policy setting, see Minimum password age. @@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-24]` | -| Default Value | 7 | +| Default Value | 24 | @@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password | Name | Value | |:--|:--| -| Name | Minimum password length | +| Name | Enforce password history | | Path | Windows Settings > Security Settings > Account Policies > Password Policy | @@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se - -## ResetAccountLockoutCounterAfter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter -``` - - - - -Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-99999]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Reset account lockout counter after | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - - ## ScreenTimeoutWhileLocked diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 92fda2c42a..d8938e641c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1428,7 +1428,7 @@ This policy allows the user to go directly to an intranet site for a one-word en | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -2080,7 +2080,7 @@ This policy setting allows you to manage whether Internet Explorer checks for di | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -3403,7 +3403,7 @@ The Home page specified on the General tab of the Internet Options dialog box is | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -3599,7 +3599,7 @@ InPrivate Browsing prevents Internet Explorer from storing data about a user's b | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -4486,7 +4486,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -4552,7 +4552,7 @@ For more information, see | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -7968,7 +7968,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -13390,7 +13390,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -16537,7 +16537,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 870386a6e5..16587b8ce0 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -242,7 +242,6 @@ This policy setting controls hash or checksum algorithms used by the Kerberos cl - "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - If you disable or do not configure this policy, each algorithm will assume the "Default" state. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at< https://go.microsoft.com/fwlink/?linkid=2169037>. Events generated by this configuration: 205, 206, 207, 208. diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 6f83800c56..ad926281b0 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -86,7 +86,7 @@ Steps to use this policy correctly: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -136,7 +136,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -188,7 +188,7 @@ For more information on the Launcher API, see [Launcher Class (Windows.System) - | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -335,7 +335,7 @@ This policy setting controls if pressing the brightness button changes the brigh | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -386,7 +386,7 @@ For more information, see [Moving platform mode on low dynamic motion moving pla | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -491,7 +491,7 @@ The following XML string is an example of the value for this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -687,7 +687,7 @@ This policy configures behavior of HUP to determine, which algorithm to use for | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -786,7 +786,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -856,7 +856,7 @@ The following example XML string shows the value to enable this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -907,7 +907,7 @@ This policy configures whether the device will take the user through the eye tra | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -957,7 +957,7 @@ It skips the training experience of interactions with the hummingbird and Start | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f4fa8a6e6a..507250a860 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2930,7 +2930,7 @@ If an app is open when this Group Policy object is applied on a device, employee | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -2990,7 +2990,7 @@ This policy setting specifies whether Windows apps can access the human presence | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3040,7 +3040,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | @@ -3090,7 +3090,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later | diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 19a927a634..040fb1fed2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1424,6 +1424,68 @@ To validate this policy, do the following steps: + +## HideRecommendedPersonalizedSites + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```User +./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites +``` + + + + +This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Personalized Website Recommendations shown. | +| 1 | Personalized Website Recommendations hidden. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | HideRecommendedPersonalizedSites | +| Path | StartMenu > AT > StartMenu | + + + + + + + + ## HideRecommendedSection @@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio - -## HideRecoPersonalizedSites - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | - - - -```User -./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites -``` - - - - -This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Personalized Website Recommendations shown. | -| 1 | Personalized Website Recommendations hidden. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | HideRecoPersonalizedSites | -| Path | StartMenu > AT > StartMenu | - - - - - - - - ## HideRestart diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md index c977508f6e..d57c186ddb 100644 --- a/windows/client-management/mdm/policy-csp-stickers.md +++ b/windows/client-management/mdm/policy-csp-stickers.md @@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -26,7 +26,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md index babefd000e..96f488a077 100644 --- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md +++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md @@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -31,7 +31,7 @@ ms.topic: reference | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 4d0a66c573..7832fbfb73 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME. -This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app. +This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app. 
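Review bot: the new description in the -949 hunk (TextInput) contradicts the allowed-values table in the -971 hunk that follows it: the description says "By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached", but the table marks 0 "Never" as the default and assigns the no-keyboard behaviour to value 1. One of the two is wrong, so either the default should be 1 or the sentence should describe what value 0 actually does. Also, "This policy corresponds to Show the touch keyboard setting in the Settings app" would be easier to locate if the exact Settings label were quoted or set in bold.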
@@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh | Value | Description | |:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | +| 0 (Default) | Never. | +| 1 | When no keyboard attached. | +| 2 | Always. | diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 8bf785ab2e..a5d3afb700 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -826,12 +826,8 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you - -Enable this policy to specify when to receive Feature Updates. - -Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo - -Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused. + +Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). 
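Review bot: the replacement sentence in the -826 hunk (Feature Updates pause) says "Specifies the date and time" but then gives the value type as "yyyy-mm-dd", which carries no time; either drop "and time" or document the accepted time format. The hunk also deletes the only statements of how long the pause lasts ("35 days from the specified start date or until the field is cleared") and that Quality Updates continue while Feature Updates are paused, which an admin setting this node still needs; suggest keeping one sentence such as "The pause remains in effect for 35 days from the start date or until the value is cleared." If the removed deferral text describes a different node, move it there rather than delete it.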
@@ -955,16 +951,8 @@ If you disable or do not configure this policy, Windows Update will not alter it - -Enable this policy to specify when to receive quality updates. - -You can defer receiving quality updates for up to 30 days. - -To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field. - -To resume receiving Quality Updates which are paused, clear the start date field. - -If you disable or do not configure this policy, Windows Update will not alter its behavior. + +Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28). 
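Review bot: the -955 hunk (Quality Updates pause) has the same mismatch as the -826 hunk, "date and time" against a "yyyy-mm-dd" string, and the removed lines were the only place saying the pause lasts 35 days and how it ends. At least the resume instruction ("To resume receiving Quality Updates which are paused, clear the start date field.") should survive in the new description, since the new sentence tells the reader how to start a pause but not how to stop one.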
@@ -2143,9 +2131,9 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie | Value | Description | |:--|:--| -| 0 | Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | -| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart. | -| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shut down properly on restart. | +| 0 | Notify the user before downloading the update. 
This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. | +| 1 | Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. | +| 2 (Default) | Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. | | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. 
If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. | | 4 | Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. | | 5 | Turn off automatic updates. | @@ -3551,7 +3539,7 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie -This setting allows removal access to "Pause updates" feature. +This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. 
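Review bot: the rewritten rows for values 1 and 2 in the -2143 hunk change "does not shut down properly" to "does not shutdown properly"; "shutdown" is the noun, the verb is "shut down", so the original wording was correct and should be restored in both rows. The other wording change in that hunk (dropping the comma in "With this option users are notified") is harmless.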
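Review bot: the -3551 hunk swaps one ungrammatical sentence for another ("This setting allows to remove access to "Pause updates" feature"). Suggest: "This setting removes access to the "Pause updates" feature. Once enabled, user access to pause updates is removed."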
@@ -4311,7 +4299,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. 
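Review bot: the -4311 hunk drops "be" from "to be automatically executed", leaving "to automatically executed", which is ungrammatical; restore the original phrase "transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period" (the comma before "within" can be dropped at the same time).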
@@ -4381,7 +4369,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. 
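Review bot: the -4381 hunk makes the same regression as the one above it, replacing "to be automatically executed" with "to automatically executed"; keep "to be automatically executed" here as well.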
@@ -4451,7 +4439,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. 
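Review bot: the -4451 hunk, and the identical -4521 hunk that follows it, again replace "to be automatically executed" with "to automatically executed"; all four copies of this paragraph should read "to be automatically executed within the specified period", so fix them together rather than leaving the four sections inconsistent.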
@@ -4521,7 +4509,7 @@ Enable this policy to control the timing before transitioning from Auto restarts You can specify the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days. -You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed, within the specified period. +You can specify the deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. If you do not specify a deadline or if the deadline is set to 0, the PC won't automatically restart and will require the person to schedule it prior to restart. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 113eac5d6c..d901a34a02 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to + +## DenyLogOnAsService + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService +``` + + + + +Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. + +> [!NOTE] +> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | List (Delimiter: `0xF000`) | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | Deny log on as a service | +| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | + + + + + + + + ## DenyRemoteDesktopServicesLogOn @@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on - -## DenyServiceLogonRight - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight -``` - - - - -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. - -> [!NOTE] -> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | List (Delimiter: `0xF000`) | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Deny log on as a service | -| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment | - - - - - - - - ## EnableDelegation diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index 3f32d7c225..d92837b542 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -25,63 +25,63 @@ ms.topic: reference > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category. - -## CaptureThreatWindow + +## AutomaticDataCollection - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow +./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection ``` - + - + -Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis. - +Automatically collect website or app content when additional analysis is needed to help identify security threats. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Default Value | 1 | - +| Default Value | 0 | + - + **Allowed values**: | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | - +| 0 (Default) | Disabled. | +| 1 | Enabled. | + - + **Group policy mapping**: | Name | Value | |:--|:--| -| Name | CaptureThreatWindow | +| Name | AutomaticDataCollection | | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense | - + - + - + - + ## NotifyMalicious diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 5eb3b2dd3e..e538a7928c 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +## AllowWFAQosManagementDSCPToUPMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping +``` + + + + +Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 2 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | DSCP to UP Mapping will be disabled. | +| 1 | DSCP to UP Mapping will be enabled. | +| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. | + + + + + + + + + +## AllowWFAQosManagementMSCS + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS +``` + + + + +Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. | +| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. | + + + + + + + + ## AllowWiFi @@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. -This policy has been deprecated. +Allow or disallow WiFi connection. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 04eabb0246..32c31c0461 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 98866efffa..7771d079d3 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R + + 10.0.22621 + 1.0 + diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 89cac77fc9..0952b72d79 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -19,6 +19,8 @@ ms.topic: reference The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen. Enterprise IT Professionals can update these settings by using the Exchange Server. + +[!INCLUDE [remote-wipe](../../../includes/licensing/remote-wipe.md)] diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 7594de5981..ddfda20a6b 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md 
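Review bot: in the policy-csp-userrights -980 hunk the new DenyLogOnAsService description reads "Deny log on as a service -This security setting determines ...", which glues the Group Policy display name onto the description with a bare hyphen; the removed DenyServiceLogonRight section used just "This security setting determines which service accounts are prevented from registering a process as a service." and the new section should match it, since the display name already appears in the Group policy mapping table below. Separately, this hunk and the -1029 hunk rename the node from ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight to .../DenyLogOnAsService with no mention of the old path; anyone who already deployed a custom policy with the old OMA-URI has no way to learn it was renamed, so add one sentence noting the rename and whether the old name still works.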
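Review bot: the policy-csp-webthreatdefense -25 hunk replaces CaptureThreatWindow (default 1, Enabled) with AutomaticDataCollection (default 0, Disabled). Because the default changes along with the name, say explicitly whether this is a new policy or a renamed one. The new description, "Automatically collect website or app content when additional analysis is needed to help identify security threats", should also state what content is collected and where it is sent; an admin turning on a data-collection policy needs that to judge the privacy impact. The Group policy mapping Path value "WebThreatDefense > AT > WindowsComponents > WebThreatDefense" is unchanged but reads like a generated placeholder rather than an ADMX path; worth checking while the section is being touched.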
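Review bot: in the policy-csp-wifi -228 hunk both new policies, AllowWFAQosManagementDSCPToUPMapping and AllowWFAQosManagementMSCS, have an empty "Applicable OS" cell ("| :heavy_check_mark: Windows SE | |"), while every other scope table in this diff names a version or "Windows Insider Preview"; fill it in before merging. Both descriptions correctly note "This policy requires a reboot to take effect"; in the MSCS description consider writing "Mirrored Stream Classification Service (MSCS)" once so the allowed-values rows, which only say "MSCS", are self-explanatory.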
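Review bot: the policy-csp-wifi -245 hunk changes the AllowWiFi description from "This policy has been deprecated." to "Allow or disallow WiFi connection." with nothing else in that section changing. Un-deprecating a policy is a notable change: if the deprecation line was simply wrong, say so in the change description; if the policy really is deprecated, keep a deprecation note alongside the new sentence.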
@@ -4,7 +4,7 @@ description: Learn more about the SUPL CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -17,6 +17,7 @@ ms.topic: reference # SUPL CSP + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -395,6 +396,7 @@ This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether t + | Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed | |-------------------------|--------------------------------------|------------------------------------| | On | 0 | Yes | diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 16e2b4acd8..5437172618 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/24/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -50,102 +50,6 @@ The following XML file contains the device description framework (DDF) for the S 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; - - AutopilotSelfdeploy - - - - - Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. - - - - - - - - - - - - - - - - - - UserPrincipalName - - - - - - User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - - Password - - - - - - Password for the device account. Get is allowed here, but will always return a blank. - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - DeviceAccount diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ce9204701c..84b7a6c4ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2838,7 +2838,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2876,7 +2876,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2915,7 +2915,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -2953,7 +2953,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -3003,7 +3003,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7063,7 +7063,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7101,7 +7101,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7140,7 +7140,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7178,7 +7178,7 @@ List of inbox VPN protocols in priority order. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7228,7 +7228,7 @@ Inbox VPN protocols type. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later | @@ -7893,7 +7893,7 @@ Boolean value (true or false) for caching credentials. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.19628] and later | diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index a92d9f018f..811d36e770 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -19,6 +19,8 @@ ms.topic: reference The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709. + +[!INCLUDE [microsoft-defender-application-guard-mdag-configure-via-mdm](../../../includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md)] diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index da4d51d70b..8c55c2fd8e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
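Review bot: the surfacehub-ddf-file -50 hunk removes the entire AutopilotSelfdeploy node (UserPrincipalName, Password, FriendlyName) from the Surface Hub DDF, but no matching change to the Surface Hub CSP reference page appears in this diff; confirm that page is updated in the same change, otherwise the reference and the DDF will disagree about which nodes exist. If the node is being removed because it should no longer be used, a short note saying so would help readers who still see it in older copies of the DDF.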
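Review bot: the vpnv2-csp hunks (-2838 through -7893) only drop the word "Unknown", leaving "[10.0.20207] and later" and "[10.0.19628] and later" with no release name, which is still the only place in this diff where an Applicable OS cell carries a bare build number. If these builds correspond to a released version, use the "Windows 11, version 22H2 [10.0.22621] and later" form used elsewhere in the diff; if they are Insider builds, mark them "Windows Insider Preview" as the UserRights and WebThreatDefense tables do.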
@@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod - [ChangeProductKey](#changeproductkey) - [CheckApplicability](#checkapplicability) - [DeviceLicensingService](#devicelicensingservice) - - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [LicenseType](#devicelicensingservicelicensetype) - - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) - [Edition](#edition) - [LicenseKeyType](#licensekeytype) - [SMode](#smode) @@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod - [{SubscriptionId}](#subscriptionssubscriptionid) - [Name](#subscriptionssubscriptionidname) - [Status](#subscriptionssubscriptionidstatus) + - [DisableSubscription](#subscriptionsdisablesubscription) + - [RemoveSubscription](#subscriptionsremovesubscription) + - [SubscriptionLastError](#subscriptionssubscriptionlasterror) + - [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription) + - [SubscriptionStatus](#subscriptionssubscriptionstatus) + - [SubscriptionType](#subscriptionssubscriptiontype) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) @@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - + +Device Based Subscription. @@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - -### DeviceLicensingService/AcquireDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense -``` - - - - -Acquire and Refresh Device License. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ### DeviceLicensingService/DeviceLicensingLastError @@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription. | Property name | Property value | |:--|:--| | Format | int | -| Access Type | Add, Delete, Get, Replace | +| Access Type | Get, Replace | @@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription. - -### DeviceLicensingService/RemoveDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense -``` - - - - -Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ## Edition @@ -1064,6 +991,258 @@ Returns the status of the subscription. + +### Subscriptions/DisableSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription +``` + + + + +Disable or Enable subscription activation on a device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Subscription. | +| 1 | Disable Subscription. It also removes any existing subscription on the device. | + + + + + + + + + +### Subscriptions/RemoveSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription +``` + + + + +Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Subscriptions/SubscriptionLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError +``` + + + + +Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription +``` + + + + +Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus +``` + + + + +Status of last subscription operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType +``` + + + + +Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + ## UpgradeEditionWithLicense diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index ad27537130..b5e14bb5ec 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W
+ + SubscriptionType + + + + + + Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + SubscriptionStatus + + + + + Status of last subscription operation. + + + + + + + + + + + + + + + + SubscriptionLastError + + + + + Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + SubscriptionLastErrorDescription + + + + + Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + + + + + + + + + + DisableSubscription + + + + + Disable or Enable subscription activation on a device + + + + + + + + + + + + + + + 0 + Enable Subscription + + + 1 + Disable Subscription. It also removes any existing subscription on the device. + + + + + + RemoveSubscription + + + + + Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + + + + + + + + SMode @@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W - Insert Description Here + Device Based Subscription @@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W LicenseType - - @@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W - - AcquireDeviceLicense - - - - - Acquire and Refresh Device License. Does not reboot. - - - - - - - - - - - - - - - - RemoveDeviceLicense - - - - - Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - - - - - - - - 
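Review bot: the @@ -189 and @@ -393 hunks of windowslicensing-csp.md drop DeviceLicensingService/AcquireDeviceLicense and DeviceLicensingService/RemoveDeviceLicense from the reference with no deprecation note, although both were documented as Exec nodes applicable to Windows 11, version 22H2 [10.0.22621] and later. An admin whose SyncML already calls `./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense` gets no hint of what replaces it. Since the new Subscriptions/SubscriptionType (value 1 "will automatically acquire the subscription on the device") and Subscriptions/RemoveSubscription ("reset subscription type to User Based Subscription") cover the same operations, add one line under DeviceLicensingService saying the old nodes were removed and pointing at those replacements, if that is the intent.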
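Review bot: in the @@ -1064 hunk of windowslicensing-csp.md, DisableSubscription is Replace-only and value 1 "also removes any existing subscription on the device", so a policy that sets it to 1 deactivates the subscription on every device it is assigned to, and the node itself cannot be read back to confirm the state. Say this plainly in the description and point readers to Subscriptions/SubscriptionStatus and Subscriptions/SubscriptionType for verifying the result. Wording in the same hunk: "Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription." should read "Removes the subscription and uninstalls the subscription license. It also resets the subscription type to User Based Subscription."; and "Value would be empty(0) in absence of error" is ambiguous for an int node, so state "0 when there is no error". Also confirm the Applicable OS of "Windows 10, version 1607 [10.0.14393] and later" on all six new nodes, given that the nodes they replace were scoped to Windows 11, version 22H2.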
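Review bot: in the @@ -322 hunk of windowslicensing-ddf-file.md the DisableSubscription description "Disable or Enable subscription activation on a device" lacks the trailing period that the same sentence has in windowslicensing-csp.md, and the RemoveSubscription description carries the same "Remove subscription uninstall subscription license. It also reset" grammar as the CSP page. Keep the DDF text and the CSP reference text identical so the two copies do not drift.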
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index 194c51ac66..b1f316d46d 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -19,7 +19,7 @@ appliesto: This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows, see [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What's new in MDM for Windows 11, version 22H2 @@ -28,7 +28,7 @@ For details about Microsoft mobile device management protocols for Windows, see | [DeviceStatus](mdm/devicestatus-csp.md) | Added the following node:
  • MDMClientCertAttestation | | [eUUICs](mdm/euiccs-csp.md) | Added the following node:
  • IsDiscoveryServer | | [PersonalDataEncryption](mdm/personaldataencryption-csp.md) | New CSP | -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnabledSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnableSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | | [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:
  • Assessments | | [WindowsAutopilot](mdm/windowsautopilot-csp.md) | Added the following node:
  • HardwareMismatchRemediationData | @@ -93,3 +93,4 @@ For details about Microsoft mobile device management protocols for Windows, see | [WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md) | Added new settings. | | [WindowsLicensing CSP](mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. | | [Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md) | New CSP. | + diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 5b714f4154..9a48d7372f 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -52,6 +52,8 @@ items: href: config-lock.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md + - name: eSIM management + href: esim-enterprise-management.md - name: Diagnose MDM failures expanded: false items: diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index fca2b5ab94..0fdc2d15c1 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -71,6 +71,8 @@ There are several kiosk configuration methods that you can choose from, dependin >[!IMPORTANT] >Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)] + ## Methods for a single-app kiosk running a UWP app You can use this method | For this edition | For this kiosk account type diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 00a55c6d95..e766825729 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md 
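Review bot: the @@ -28 hunk of new-in-windows-mdm-enrollment-management.md correctly renames SharedPC/EnabledSharedPCModeWithOneDriveSync to SharedPC/EnableSharedPCModeWithOneDriveSync; while touching this table, the context row `[eUUICs](mdm/euiccs-csp.md)` looks like a typo for eUICCs (the href is euiccs-csp.md).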
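Review bot: in the @@ -19 hunk, dropping the `\[` escapes is fine for CommonMark (balanced brackets are allowed in link text), but the destination still starts with a stray space in `( https://go.microsoft.com/fwlink/p/?LinkId=619347)`; remove it in the same pass. The @@ -93 hunk only adds a trailing blank line at end of file; drop it.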
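Review bot: the toc.yml hunk at @@ -52 adds an entry with `href: esim-enterprise-management.md`, but this diff neither adds nor renames that file; confirm it exists under windows/client-management, otherwise the new TOC entry is a dead link. The same applies to the kiosk-methods.md hunk at @@ -71, which includes `../../includes/licensing/assigned-access-kiosk-mode.md` without that include appearing in this diff.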
@@ -158,13 +158,14 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### Calling multiple scripts in the package -Your provisioning package can include multiple CommandLines. +Your provisioning package can include multiple **CommandFiles**. -You are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. +You are allowed one **CommandLine** per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the **CommandLine** specified in the package. Here’s a table describing this relationship, using the PowerShell example from above: + |ICD Setting | Value | Description | | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | @@ -194,6 +195,7 @@ In Windows Configuration Designer, that is done by adding files under the `Provi When you are done, [build the package](provisioning-create-package.md#build-package). + ### Remarks 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: 
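Review bot: the @@ -158 hunk fixes the CommandLine/CommandFiles mix-up, but the two adjacent sentences still read as contradicting each other at first glance ("can include multiple **CommandFiles**" followed by "one **CommandLine** per provisioning package"). One sentence stating the relationship would remove the ambiguity, for example "A package has exactly one **CommandLine**, which invokes the orchestrator script, and any number of **CommandFiles** that the orchestrator can call." Minor: "Here’s" uses a curly apostrophe; prefer a straight one.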
@@ -217,7 +219,6 @@ When you are done, [build the package](provisioning-create-package.md#build-pack >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed - ## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) @@ -230,3 +231,5 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 5bcf7b6dbe..4e9dc9cb0c 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -27,10 +27,12 @@ href: delivery-optimization-test.md - name: Microsoft Connected Cache items: - - name: Microsoft Connected Cache overview + - name: What is Microsoft Connected Cache? href: waas-microsoft-connected-cache.md - name: MCC for Enterprise and Education items: + - name: MCC for Enterprise and Education Overview + href: mcc-ent-edu-overview.md - name: Requirements href: mcc-enterprise-prerequisites.md - name: Deploy Microsoft Connected Cache @@ -41,6 +43,8 @@ href: mcc-enterprise-appendix.md - name: MCC for ISPs items: + - name: MCC for ISPs Overview + href: mcc-isp-overview.md - name: How-to guides items: - name: Operator sign up and service onboarding 
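Review bot: the @@ -217 and @@ -230 hunks of provisioning-script-to-install-app.md are whitespace-only and pull in opposite directions: one removes the blank line before "## Related articles", the other adds two blank lines at end of file. Keep the blank line before the heading and end the file with a single newline.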
diff --git a/windows/deployment/do/images/UC_workspace_DO_status.png b/windows/deployment/do/images/UC_workspace_DO_status.png deleted file mode 100644 index fa7550f0f5..0000000000 Binary files a/windows/deployment/do/images/UC_workspace_DO_status.png and /dev/null differ diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png deleted file mode 100644 index ea8db2a08a..0000000000 Binary files a/windows/deployment/do/images/addcachenode.png and /dev/null differ diff --git a/windows/deployment/do/images/backicon.png b/windows/deployment/do/images/backicon.png deleted file mode 100644 index 3007e448b1..0000000000 Binary files a/windows/deployment/do/images/backicon.png and /dev/null differ diff --git a/windows/deployment/do/images/doneicon.png b/windows/deployment/do/images/doneicon.png deleted file mode 100644 index d80389f35b..0000000000 Binary files a/windows/deployment/do/images/doneicon.png and /dev/null differ diff --git a/windows/deployment/do/images/ent-mcc-overview.png b/windows/deployment/do/images/ent-mcc-overview.png deleted file mode 100644 index a4e5a4f0ec..0000000000 Binary files a/windows/deployment/do/images/ent-mcc-overview.png and /dev/null differ diff --git a/windows/deployment/do/images/mcc-isp-bgp-diagram.png b/windows/deployment/do/images/mcc-isp-bgp-diagram.png new file mode 100644 index 0000000000..9db7e0c6f4 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-bgp-diagram.png differ diff --git a/windows/deployment/do/images/mcc-isp-bgp-route.png b/windows/deployment/do/images/mcc-isp-bgp-route.png new file mode 100644 index 0000000000..de0bd88695 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-bgp-route.png differ diff --git a/windows/deployment/do/mcc-ent-edu-overview.md b/windows/deployment/do/mcc-ent-edu-overview.md new file mode 100644 index 0000000000..5702d64fde --- /dev/null +++ b/windows/deployment/do/mcc-ent-edu-overview.md 
@@ -0,0 +1,72 @@ +--- +title: MCC for Enterprise and Education Overview +manager: aaroncz +description: Overview of Microsoft Connected Cache (MCC) for Enterprise and Education. +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 05/09/2023 +ms.technology: itpro-updates +ms.collection: tier3 +--- + +# Microsoft Connected Cache for Enterprise and Education Overview + +**Applies to** + +- Windows 10 +- Windows 11 + +> [!IMPORTANT] +> - Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> - We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup). + +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. + +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. For information about Microsoft Connected Cache in Configuration Manager (generally available, starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache). 
+ +## Supported scenarios + +Connected Cache (early preview) supports the following scenarios: + +- Pre-provisioning of devices using Windows Autopilot +- Cloud-only devices, such as Intune-enrolled devices + +## Supported content types + +When clients download cloud-managed content, they use Delivery Optimization from the cache server installed on a Windows server or VM. Cloud-managed content includes the following types: + +- Windows Update for Business: Windows feature and quality updates +- Office Click-to-Run apps: Microsoft 365 Apps and updates +- Client apps: Microsoft Store apps and updates +- Endpoint protection: Windows Defender definition updates + +For the full list of content endpoints that Microsoft Connected Cache for Enterprise and Education supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md). + +## How it works + +MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It's built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC is a Linux IoT Edge module running on the Windows Host OS. + +1. The Azure Management Portal is used to create MCC nodes. +1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. +1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. +1. Microsoft end-user devices make range requests for content from the MCC node. +1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. +1. 
Subsequent requests from end-user devices for content will now come from cache. +1. If the MCC node is unavailable, the client pulls content from CDN to ensure uninterrupted service for your subscribers. + +The following diagram displays an overview of how MCC functions: + +:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: + +## IoT Edge + +Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: + +1. Installs and updates MCC on your edge device. +1. Maintains Azure IoT Edge security standards on your edge device. +1. Ensures that MCC is always running. +1. Reports MCC health and usage to the cloud for remote monitoring. + +For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index badea53748..d8282ff774 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md 
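Review bot: in the new mcc-ent-edu-overview.md, step 7 under "How it works" says the client falls back to the CDN "to ensure uninterrupted service for your subscribers", which is ISP wording; for the Enterprise and Education audience this should be "your users" or "your devices". Step 4's "Microsoft end-user devices make range requests" should be "Windows end-user devices" or simply "end-user devices". The section also explains that client policy points devices at the cache node by "IP address or FQDN" and that the node "seeds its local cache stored on disk", but says nothing about how a client verifies content that arrives from the cache node rather than from the CDN; one sentence on that would help readers judge how much trust the on-premises node holds.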
@@ -20,6 +20,7 @@ ms.collection: tier3 > [!NOTE] > We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup). + ## Enterprise requirements for MCC 1. **Azure subscription**: MCC management portal is hosted within Azure and is used to create the Connected Cache [Azure resource](/azure/cloud-adoption-framework/govern/resource-consistency/resource-access-management) and IoT Hub resource. Both are free services. diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index ecc4cf8379..d7bf5ee7a4 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: nidos ms.author: nidos ms.topic: article -ms.date: 12/31/2017 +ms.date: 05/09/2023 ms.technology: itpro-updates ms.collection: tier3 --- @@ -18,7 +18,7 @@ ms.collection: tier3 - Windows 10 - Windows 11 -This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node will require downloading an installer script that will be run on your cache server. +This article outlines how to create, provision, and deploy your Microsoft Connected Cache nodes. The creation and provisioning of your cache node takes place in Azure portal. The deployment of your cache node requires downloading an installer script that will be run on your cache server. > [!IMPORTANT] > Before you can create your Microsoft Connected Cache, you will need to complete the [sign up process](mcc-isp-signup.md). You cannot proceed without signing up for our service. 
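Review bot: the @@ -18 hunk of mcc-isp-create-provision-deploy.md changes "will require" to "requires" but leaves "an installer script that will be run on your cache server" in the same sentence; for consistent present tense, "an installer script that you run on your cache server".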
@@ -37,7 +37,7 @@ During the configuration of your cache node, there are many fields for you to co ### Client routing -Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you'll be able to route your clients to your cache node. +Before serving traffic to your customers, client routing configuration is needed. During the configuration of your cache node in Azure portal, you're able to route your clients to your cache node. Microsoft Connected Cache offers two ways for you to route your clients to your cache node. The first method of manual entry involves uploading a comma-separated list of CIDR blocks that represents the clients. The second method of setting BGP (Border Gateway Protocol) is more automatic and dynamic, which is set up by establishing neighborships with other ASNs. All routing methods are set up within Azure portal. 
@@ -53,6 +53,23 @@ You can manually upload a list of your CIDR blocks in Azure portal to enable man BGP (Border Gateway Protocol) routing is another method offered for client routing. BGP dynamically retrieves CIDR ranges by exchanging information with routers to understand reachable networks. For an automatic method of routing traffic, you can choose to configure BGP routing in Azure portal. +Microsoft Connected Cache includes Bird BGP, which enables the cache node to: + - Establish iBGP peering sessions with routers, route servers, or route collectors within operator networks + - Act as a route collector + +The operator starts the iBGP peering session from the Microsoft Connected Cache side using the Azure management portal and then starts the session with the Microsoft Connected Cache node from the router. + +In the example configuration below: +- The operator ASN is 65100 +- The ASN of the Microsoft Connected Cache cache node is 65100 and the IP address is 192.168.8.99 +- iBGP peering sessions are established from the portal for ASNs 65100, 65200, and 65300. + + :::image type="content" source="images/mcc-isp-bgp-route.png" alt-text="Screenshot of a table entitled BGP route information showing how each ASN corresponds to a specific IP address." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + + :::image type="content" source="images/mcc-isp-bgp-diagram.png" alt-text="A diagram that shows the relationship between the cache node and other ASNs/routers when using BGP. BGP routing allows the cache node to route to other network providers with different ASNs." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: + +To set up and enable BGP routing for your cache node, follow the steps below: + 1. Navigate to **Settings** > **Cache nodes**. Select the cache node you wish to provision. 
:::image type="content" source="images/mcc-isp-provision-cache-node-numbered.png" alt-text="Screenshot of the Azure portal depicting the cache node configuration page of a cache node. This screenshot shows all of the fields you can choose to configure the cache node." lightbox="./images/mcc-isp-provision-cache-node-numbered.png"::: @@ -101,6 +118,9 @@ There are five IDs that the device provisioning script takes as input in order t #### Provision your server +> [!IMPORTANT] +> Have you correctly mounted your disk? Your MCC will not be successfully installed without this important step. Before provisioning your server, ensure your disk is correctly mounted by following the instructions here: [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). + :::image type="content" source="images/mcc-isp-deploy-cache-node-numbered.png" alt-text="Screenshot of the server provisioning tab within cache node configuration in Azure portal."::: 1. After completing cache node provisioning, navigate to the **Server provisioning** tab. Select **Download provisioning package** to download the installation package to your server. diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index ddcf91bb1e..375036f62d 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml 
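Review bot: the @@ -53 hunk's example is internally inconsistent: it calls the sessions iBGP, gives both the operator ASN and the cache node ASN as 65100, and then says "iBGP peering sessions are established from the portal for ASNs 65100, 65200, and 65300". iBGP is by definition between peers in the same AS, so sessions to 65200 and 65300 are eBGP; either list 65100 only or describe the others as eBGP sessions. Both new `:::image` blocks also reuse `lightbox="./images/mcc-isp-provision-cache-node-numbered.png"` from the cache-node screenshot instead of the mcc-isp-bgp-route.png and mcc-isp-bgp-diagram.png files this diff adds. Smaller points: "Microsoft Connected Cache cache node" duplicates "cache", and the two list items under "enables the cache node to:" are indented one space while the list that follows is not. Finally, since the prefixes learned over these sessions decide which client ranges the node serves, say whether and how the operator can filter what the Bird BGP session accepts; the section currently only covers establishing the session.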
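Review bot: the @@ -101 IMPORTANT box opens with a rhetorical question ("Have you correctly mounted your disk?"), whereas the other callouts on this page ("Before you can create your Microsoft Connected Cache, you will need to complete...") are statements. "Mount the data disk before provisioning the server; MCC will not install without it. For the steps, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk)." keeps the link and matches the house style.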
@@ -85,6 +85,8 @@ sections: answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. - question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do? answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com". + - question: I noticed I can set up BGP for routing. How does BGP routing work for Microsoft Connected Cache? + answer: BGP routing can be set up as an automatic method of routing traffic. To learn more about how BGP is used with Microsoft Connected Cache, see [BGP Routing](mcc-isp-create-provision-deploy.md#bgp-routing). - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned? answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the early preview and isn't an issue during public preview. 
- question: What do I do if I need more support and have more questions even after reading this FAQ page? diff --git a/windows/deployment/do/mcc-isp-overview.md b/windows/deployment/do/mcc-isp-overview.md new file mode 100644 index 0000000000..9ef0352aab --- /dev/null +++ b/windows/deployment/do/mcc-isp-overview.md 
@@ -0,0 +1,40 @@ +--- +title: MCC for ISPs Overview +manager: aaroncz +description: Overview for Microsoft Connected Cache for ISPs +ms.prod: windows-client +author: amymzhou +ms.author: amyzhou +ms.topic: article +ms.date: 05/09/2023 +ms.technology: itpro-updates +ms.collection: tier3 +--- + +# Microsoft Connected Cache for ISPs Overview + +**Applies to** + +- Windows 10 +- Windows 11 + +Microsoft Connected Cache (MCC) for Internet Service Providers (preview) is a software-only caching solution that delivers Microsoft content. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. + +## Supported scenarios + +Microsoft Connected Cache (preview) supports the following scenarios: + +- Internet service provider that provides content downloads for end customers +- Network service providers that provide transit for other service providers + +## Supported content + +Microsoft Connected Cache uses Delivery Optimization as the backbone for Microsoft content delivery. Microsoft Connected Cache caches the following types: + +- Windows Update for Business: Windows feature and quality updates +- Office Click-to-Run apps: Microsoft 365 Apps and updates +- Client apps: Microsoft Store apps and updates +- Endpoint protection: Windows Defender definition updates +- Xbox: Xbox Game Pass (PC only) + +For the full list of content endpoints that Microsoft Connected Cache for ISPs supports, see [Microsoft Connected Cache content and services endpoints](delivery-optimization-endpoints.md). diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index 960485c7cb..9ae3e9ed19 100644 --- a/windows/deployment/do/mcc-isp-signup.md 
+++ b/windows/deployment/do/mcc-isp-signup.md @@ -21,7 +21,7 @@ ms.collection: tier3 This article details the process of signing up for Microsoft Connected Cache for Internet Service Providers (public preview). > [!NOTE] - > Microsoft Connected Cache is now in public review. Instead of submitting a survey, you can directly onboard by following the instructions in this article. + > Microsoft Connected Cache is now in public preview. Instead of submitting a survey, you can directly onboard by following the instructions in this article. ## Prerequisites diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index dec5e3708d..7b4290c2a6 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -8,11 +8,11 @@ ms.localizationpriority: medium ms.author: carmenf ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 05/09/2023 ms.collection: tier3 --- -# Microsoft Connected Cache overview +# What is Microsoft Connected Cache? **Applies to** 
@@ -31,47 +31,20 @@ Both products are created and managed in the cloud portal. ## Microsoft Connected Cache for ISPs (preview) > [!NOTE] -> Microsoft Connected Cache for Internet Service Providers is now in public preview. Instead of submitting a survey, you can directly onboard by following the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article. +> Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article. -Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md). ## Microsoft Connected Cache for Enterprise and Education (early preview) > [!NOTE] > We're still accepting Enterprise and Education customers to join the early preview. To register your interest, fill out the survey located at [https://aka.ms/MSConnectedCacheSignup](https://aka.ms/MSConnectedCacheSignup). 
-Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. Learn more at [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md). -MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. - -## IoT Edge - -Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. 
The runtime performs several functions important to manage MCC on your edge device: - -1. Installs and updates MCC on your edge device. -1. Maintains Azure IoT Edge security standards on your edge device. -1. Ensures that MCC is always running. -1. Reports MCC health and usage to the cloud for remote monitoring. - -To deploy a functional MCC to your device, you must obtain the necessary keys to provision the Connected Cache instance that communicates with Delivery Optimization services, and enable the device to cache and deliver content. The architecture of MCC is described below. - -For more information on Azure IoT Edge, see the Azure IoT Edge [documentation](/azure/iot-edge/about-iot-edge). - -## How MCC Works - -1. The Azure Management Portal is used to create MCC nodes. -1. The MCC container is deployed and provisioned to the server using the installer provided in the portal. -1. Client policy is set in your management solution to point to the IP address or FQDN of the cache server. -1. Microsoft end-user devices make range requests for content from the MCC node. -1. The MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -1. Subsequent requests from end-user devices for content will now come from cache. -1. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. - -The following diagram displays and overview of how MCC functions: - -:::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a standalone cache for customers moving towards modern management and away from Configuration Manager distribution points. 
For Microsoft Connected Cache in Configuration Manager (generally available starting Configuration Manager version 2111), see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache) ## Next steps -- [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) -- [Microsoft Connected Cache for ISPs](mcc-isp-signup.md) +- [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md) +- [Microsoft Connected Cache for Enterprise and Education Overview](mcc-ent-edu-overview.md) diff --git a/windows/deployment/images/UC-workspace-overview-blade.PNG b/windows/deployment/images/UC-workspace-overview-blade.PNG deleted file mode 100644 index beb04cdc18..0000000000 Binary files a/windows/deployment/images/UC-workspace-overview-blade.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG deleted file mode 100644 index dcdf25d38a..0000000000 Binary files a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG deleted file mode 100644 index dcdf25d38a..0000000000 Binary files a/windows/deployment/images/UC_00_marketplace_search.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG deleted file mode 100644 index 4b34311112..0000000000 Binary files a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG deleted file mode 100644 index 4b34311112..0000000000 Binary files a/windows/deployment/images/UC_01_marketplace_create.PNG and /dev/null differ 
diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG deleted file mode 100644 index ed3eeeebbb..0000000000 Binary files a/windows/deployment/images/UC_02_workspace_create - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG deleted file mode 100644 index ed3eeeebbb..0000000000 Binary files a/windows/deployment/images/UC_02_workspace_create.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG deleted file mode 100644 index d00864b861..0000000000 Binary files a/windows/deployment/images/UC_03_workspace_select - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG deleted file mode 100644 index d00864b861..0000000000 Binary files a/windows/deployment/images/UC_03_workspace_select.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG deleted file mode 100644 index 3ea9f57531..0000000000 Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG deleted file mode 100644 index 3ea9f57531..0000000000 Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG and /dev/null differ 
diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG deleted file mode 100644 index 2709763570..0000000000 Binary files a/windows/deployment/images/UC_tile_assessing - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG deleted file mode 100644 index 2709763570..0000000000 Binary files a/windows/deployment/images/UC_tile_assessing.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG deleted file mode 100644 index f7e1bab284..0000000000 Binary files a/windows/deployment/images/UC_tile_filled - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG deleted file mode 100644 index f7e1bab284..0000000000 Binary files a/windows/deployment/images/UC_tile_filled.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG deleted file mode 100644 index fa7550f0f5..0000000000 Binary files a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG deleted file mode 100644 index fa7550f0f5..0000000000 Binary files a/windows/deployment/images/UC_workspace_DO_status.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG deleted file mode 100644 index 14966b1d8a..0000000000 Binary files a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG and /dev/null differ 
diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG deleted file mode 100644 index 14966b1d8a..0000000000 Binary files a/windows/deployment/images/UC_workspace_FU_status.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG deleted file mode 100644 index 3564c9b6e5..0000000000 Binary files a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG deleted file mode 100644 index 3564c9b6e5..0000000000 Binary files a/windows/deployment/images/UC_workspace_SU_status.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG deleted file mode 100644 index 40dcaef949..0000000000 Binary files a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG deleted file mode 100644 index 40dcaef949..0000000000 Binary files a/windows/deployment/images/UC_workspace_WDAV_status.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG deleted file mode 100644 index 4269eb8c4d..0000000000 Binary files a/windows/deployment/images/UC_workspace_home.PNG and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png deleted file mode 100644 index be8033a9d6..0000000000 Binary files a/windows/deployment/images/UC_workspace_needs_attention - Copy.png and /dev/null differ 
diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png deleted file mode 100644 index be8033a9d6..0000000000 Binary files a/windows/deployment/images/UC_workspace_needs_attention.png and /dev/null differ diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG deleted file mode 100644 index beb04cdc18..0000000000 Binary files a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG and /dev/null differ diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG deleted file mode 100644 index 2a3f8f1b73..0000000000 Binary files a/windows/deployment/images/UR-Azureportal1.PNG and /dev/null differ diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG deleted file mode 100644 index e7db8b3787..0000000000 Binary files a/windows/deployment/images/UR-Azureportal2.PNG and /dev/null differ diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG deleted file mode 100644 index 6645ba95ce..0000000000 Binary files a/windows/deployment/images/UR-Azureportal3.PNG and /dev/null differ diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG deleted file mode 100644 index 3087797a46..0000000000 Binary files a/windows/deployment/images/UR-Azureportal4.PNG and /dev/null differ diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png deleted file mode 100644 index 933b2e2346..0000000000 Binary files a/windows/deployment/images/UR-driver-issue-detail.png and /dev/null differ 
diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png deleted file mode 100644 index 5a05bb54e1..0000000000 Binary files a/windows/deployment/images/UR-example-feedback.png and /dev/null differ diff --git a/windows/deployment/images/UR-lift-report.jpg b/windows/deployment/images/UR-lift-report.jpg deleted file mode 100644 index f76ce5f481..0000000000 Binary files a/windows/deployment/images/UR-lift-report.jpg and /dev/null differ diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png deleted file mode 100644 index 83904d3be2..0000000000 Binary files a/windows/deployment/images/UR-monitor-main.png and /dev/null differ diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png deleted file mode 100644 index 4e619ae27c..0000000000 Binary files a/windows/deployment/images/UR-update-progress-failed-detail.png and /dev/null differ diff --git a/windows/deployment/images/oobe.jpg b/windows/deployment/images/oobe.jpg deleted file mode 100644 index 53a5dab6bf..0000000000 Binary files a/windows/deployment/images/oobe.jpg and /dev/null differ diff --git a/windows/deployment/images/prov.jpg b/windows/deployment/images/prov.jpg deleted file mode 100644 index 1593ccb36b..0000000000 Binary files a/windows/deployment/images/prov.jpg and /dev/null differ diff --git a/windows/deployment/images/setupmsg.jpg b/windows/deployment/images/setupmsg.jpg deleted file mode 100644 index 12935483c5..0000000000 Binary files a/windows/deployment/images/setupmsg.jpg and /dev/null differ diff --git a/windows/deployment/images/ua-cg-01.png b/windows/deployment/images/ua-cg-01.png deleted file mode 100644 index 4b41bd67ba..0000000000 Binary files a/windows/deployment/images/ua-cg-01.png and /dev/null differ 
diff --git a/windows/deployment/images/ua-cg-02.png b/windows/deployment/images/ua-cg-02.png deleted file mode 100644 index 4cbfaf26d8..0000000000 Binary files a/windows/deployment/images/ua-cg-02.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-03.png b/windows/deployment/images/ua-cg-03.png deleted file mode 100644 index cfad7911bb..0000000000 Binary files a/windows/deployment/images/ua-cg-03.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-04.png b/windows/deployment/images/ua-cg-04.png deleted file mode 100644 index c818d15d02..0000000000 Binary files a/windows/deployment/images/ua-cg-04.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-05.png b/windows/deployment/images/ua-cg-05.png deleted file mode 100644 index a8788f0eb9..0000000000 Binary files a/windows/deployment/images/ua-cg-05.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-06.png b/windows/deployment/images/ua-cg-06.png deleted file mode 100644 index ed983c96c8..0000000000 Binary files a/windows/deployment/images/ua-cg-06.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-07.png b/windows/deployment/images/ua-cg-07.png deleted file mode 100644 index 2aba43be53..0000000000 Binary files a/windows/deployment/images/ua-cg-07.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-08.png b/windows/deployment/images/ua-cg-08.png deleted file mode 100644 index f256b2f097..0000000000 Binary files a/windows/deployment/images/ua-cg-08.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-09-old.png b/windows/deployment/images/ua-cg-09-old.png deleted file mode 100644 index b9aa1cea41..0000000000 Binary files a/windows/deployment/images/ua-cg-09-old.png and /dev/null differ 
diff --git a/windows/deployment/images/ua-cg-09.png b/windows/deployment/images/ua-cg-09.png deleted file mode 100644 index 0150a24ee5..0000000000 Binary files a/windows/deployment/images/ua-cg-09.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-10.png b/windows/deployment/images/ua-cg-10.png deleted file mode 100644 index 54e222338d..0000000000 Binary files a/windows/deployment/images/ua-cg-10.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-11.png b/windows/deployment/images/ua-cg-11.png deleted file mode 100644 index 4e930a5905..0000000000 Binary files a/windows/deployment/images/ua-cg-11.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-12.png b/windows/deployment/images/ua-cg-12.png deleted file mode 100644 index 2fbe11b814..0000000000 Binary files a/windows/deployment/images/ua-cg-12.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-13.png b/windows/deployment/images/ua-cg-13.png deleted file mode 100644 index f04252796e..0000000000 Binary files a/windows/deployment/images/ua-cg-13.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-14.png b/windows/deployment/images/ua-cg-14.png deleted file mode 100644 index 6105fdf4d1..0000000000 Binary files a/windows/deployment/images/ua-cg-14.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-15.png b/windows/deployment/images/ua-cg-15.png deleted file mode 100644 index 009315fc4a..0000000000 Binary files a/windows/deployment/images/ua-cg-15.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-16.png b/windows/deployment/images/ua-cg-16.png deleted file mode 100644 index 6d5b8a84b6..0000000000 Binary files a/windows/deployment/images/ua-cg-16.png and /dev/null differ diff --git a/windows/deployment/images/ua-cg-17.png b/windows/deployment/images/ua-cg-17.png deleted file mode 100644 index d66c41917b..0000000000 Binary files a/windows/deployment/images/ua-cg-17.png and /dev/null differ 
diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png deleted file mode 100644 index c86f7a4338..0000000000 Binary files a/windows/deployment/images/ua-step2-blades.png and /dev/null differ diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png deleted file mode 100644 index 6e9daf0233..0000000000 Binary files a/windows/deployment/images/ua-step2-low-risk.png and /dev/null differ diff --git a/windows/deployment/images/update.jpg b/windows/deployment/images/update.jpg deleted file mode 100644 index d5ba862300..0000000000 Binary files a/windows/deployment/images/update.jpg and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-apps-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-known-issues.png deleted file mode 100644 index ec99ac92cf..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-apps-known-issues.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png deleted file mode 100644 index 9fb09ffd65..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-architecture.png b/windows/deployment/images/upgrade-analytics-architecture.png deleted file mode 100644 index 93d3acba0b..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-architecture.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png b/windows/deployment/images/upgrade-analytics-create-iedataoptin.png deleted file mode 100644 index 60f5ccbc90..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png and /dev/null differ 
diff --git a/windows/deployment/images/upgrade-analytics-deploy-eligible.png b/windows/deployment/images/upgrade-analytics-deploy-eligible.png deleted file mode 100644 index 8da91cebc4..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-deploy-eligible.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-drivers-known.png b/windows/deployment/images/upgrade-analytics-drivers-known.png deleted file mode 100644 index 35d61f87c7..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-drivers-known.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-most-active-sites.png b/windows/deployment/images/upgrade-analytics-most-active-sites.png deleted file mode 100644 index 180c5ddced..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-most-active-sites.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG b/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG deleted file mode 100644 index 2041f14fd4..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-overview.png b/windows/deployment/images/upgrade-analytics-overview.png deleted file mode 100644 index ba02ee0a8c..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-overview.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-pilot.png b/windows/deployment/images/upgrade-analytics-pilot.png deleted file mode 100644 index 1c1de328ea..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-pilot.png and /dev/null differ 
diff --git a/windows/deployment/images/upgrade-analytics-prioritize.png b/windows/deployment/images/upgrade-analytics-prioritize.png deleted file mode 100644 index d6227694c1..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-prioritize.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-query-activex-name.png b/windows/deployment/images/upgrade-analytics-query-activex-name.png deleted file mode 100644 index 5068e7d20e..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-query-activex-name.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG deleted file mode 100644 index 4d22cc9353..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG deleted file mode 100644 index c233db2340..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-settings.png b/windows/deployment/images/upgrade-analytics-settings.png deleted file mode 100644 index be51cd3418..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-settings.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png deleted file mode 100644 index d1a46f1791..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png and /dev/null differ 
diff --git a/windows/deployment/images/upgrade-analytics-site-domain-detail.png b/windows/deployment/images/upgrade-analytics-site-domain-detail.png deleted file mode 100644 index 15a7ee20c4..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-site-domain-detail.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-telemetry.png b/windows/deployment/images/upgrade-analytics-telemetry.png deleted file mode 100644 index bf60935616..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-telemetry.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-analytics-unsubscribe.png b/windows/deployment/images/upgrade-analytics-unsubscribe.png deleted file mode 100644 index 402db94d6f..0000000000 Binary files a/windows/deployment/images/upgrade-analytics-unsubscribe.png and /dev/null differ diff --git a/windows/deployment/images/upgrade-process.png b/windows/deployment/images/upgrade-process.png deleted file mode 100644 index b2b77708fc..0000000000 Binary files a/windows/deployment/images/upgrade-process.png and /dev/null differ diff --git a/windows/deployment/images/upgradecfg-fig2-upgrading.png b/windows/deployment/images/upgradecfg-fig2-upgrading.png deleted file mode 100644 index c53de79c29..0000000000 Binary files a/windows/deployment/images/upgradecfg-fig2-upgrading.png and /dev/null differ diff --git a/windows/deployment/images/upgradecfg-fig3-upgrade.png b/windows/deployment/images/upgradecfg-fig3-upgrade.png deleted file mode 100644 index d0c1ceaaf9..0000000000 Binary files a/windows/deployment/images/upgradecfg-fig3-upgrade.png and /dev/null differ diff --git a/windows/deployment/images/upgrademdt-fig2-importedos.png b/windows/deployment/images/upgrademdt-fig2-importedos.png deleted file mode 100644 index 93b92efd93..0000000000 Binary files a/windows/deployment/images/upgrademdt-fig2-importedos.png and /dev/null differ 
diff --git a/windows/deployment/images/upgrademdt-fig3-tasksequence.png b/windows/deployment/images/upgrademdt-fig3-tasksequence.png deleted file mode 100644 index 1ad66c2098..0000000000 Binary files a/windows/deployment/images/upgrademdt-fig3-tasksequence.png and /dev/null differ diff --git a/windows/deployment/images/upgrademdt-fig4-selecttask.png b/windows/deployment/images/upgrademdt-fig4-selecttask.png deleted file mode 100644 index dcbc73871a..0000000000 Binary files a/windows/deployment/images/upgrademdt-fig4-selecttask.png and /dev/null differ diff --git a/windows/deployment/images/ur-arch-diagram.png b/windows/deployment/images/ur-arch-diagram.png deleted file mode 100644 index 9c1da1227c..0000000000 Binary files a/windows/deployment/images/ur-arch-diagram.png and /dev/null differ diff --git a/windows/deployment/images/ur-overview.PNG b/windows/deployment/images/ur-overview.PNG deleted file mode 100644 index cf9563ece5..0000000000 Binary files a/windows/deployment/images/ur-overview.PNG and /dev/null differ diff --git a/windows/deployment/images/ur-settings.PNG b/windows/deployment/images/ur-settings.PNG deleted file mode 100644 index d1724cb821..0000000000 Binary files a/windows/deployment/images/ur-settings.PNG and /dev/null differ diff --git a/windows/deployment/images/ur-target-version.png b/windows/deployment/images/ur-target-version.png deleted file mode 100644 index 43f0c9aa0c..0000000000 Binary files a/windows/deployment/images/ur-target-version.png and /dev/null differ diff --git a/windows/deployment/images/uwp-dependencies.PNG b/windows/deployment/images/uwp-dependencies.PNG deleted file mode 100644 index 4e2563169f..0000000000 Binary files a/windows/deployment/images/uwp-dependencies.PNG and /dev/null differ diff --git a/windows/deployment/images/uwp-family.PNG b/windows/deployment/images/uwp-family.PNG deleted file mode 100644 index bec731eec4..0000000000 Binary files a/windows/deployment/images/uwp-family.PNG and /dev/null differ 
diff --git a/windows/deployment/images/uwp-license.PNG b/windows/deployment/images/uwp-license.PNG deleted file mode 100644 index ccb5cf7cf4..0000000000 Binary files a/windows/deployment/images/uwp-license.PNG and /dev/null differ diff --git a/windows/deployment/images/who-owns-pc.png b/windows/deployment/images/who-owns-pc.png deleted file mode 100644 index d3ce1def8d..0000000000 Binary files a/windows/deployment/images/who-owns-pc.png and /dev/null differ diff --git a/windows/deployment/images/win-security-update-status-by-computer.png b/windows/deployment/images/win-security-update-status-by-computer.png deleted file mode 100644 index 720ae898be..0000000000 Binary files a/windows/deployment/images/win-security-update-status-by-computer.png and /dev/null differ diff --git a/windows/deployment/images/win10-set-up-work-or-school.png b/windows/deployment/images/win10-set-up-work-or-school.png deleted file mode 100644 index 0ca83fb0e1..0000000000 Binary files a/windows/deployment/images/win10-set-up-work-or-school.png and /dev/null differ diff --git a/windows/deployment/images/windowsupgradeadditionaloptions.png b/windows/deployment/images/windowsupgradeadditionaloptions.png deleted file mode 100644 index 4fcdb1dd70..0000000000 Binary files a/windows/deployment/images/windowsupgradeadditionaloptions.png and /dev/null differ diff --git a/windows/deployment/planning/images/branch.png b/windows/deployment/planning/images/branch.png deleted file mode 100644 index a7eefed13c..0000000000 Binary files a/windows/deployment/planning/images/branch.png and /dev/null differ diff --git a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png b/windows/deployment/planning/images/chromebook-fig1-googleadmin.png deleted file mode 100644 index b3d42e5ff2..0000000000 Binary files a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif b/windows/deployment/planning/images/dep-win8-e-act-addissue.gif deleted file mode 100644 index dbe6b657bb..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif b/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif deleted file mode 100644 index 98e6c27ad7..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif b/windows/deployment/planning/images/dep-win8-e-act-categorize.gif deleted file mode 100644 index 23bae141bc..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif b/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif deleted file mode 100644 index 111e79a839..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif deleted file mode 100644 index 7ad0515838..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-delete.gif b/windows/deployment/planning/images/dep-win8-e-act-delete.gif deleted file mode 100644 index 24d6b6cd8f..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-delete.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif b/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif deleted file mode 100644 index 5f07b13d22..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif deleted file mode 100644 index a92e0d9525..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif deleted file mode 100644 index d07dce9b67..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif deleted file mode 100644 index 35fb052076..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif b/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif deleted file mode 100644 index 924efd2a21..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif b/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif deleted file mode 100644 index ebb4547df3..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif deleted file mode 100644 index 909cb95436..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif deleted file mode 100644 index 178095998f..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif deleted file mode 100644 index 824bcd764a..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif deleted file mode 100644 index 2621c7e2b5..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif deleted file mode 100644 index 40b8e61815..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif deleted file mode 100644 index 74c2687b0b..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif deleted file mode 100644 index a69b282a37..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif deleted file mode 100644 index 73626ccdcf..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-help.gif b/windows/deployment/planning/images/dep-win8-e-act-help.gif deleted file mode 100644 index 6ce522acba..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-help.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-home.gif b/windows/deployment/planning/images/dep-win8-e-act-home.gif deleted file mode 100644 index 0555779689..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-home.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif deleted file mode 100644 index b4593fd6d1..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif b/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif deleted file mode 100644 index 6ef158023c..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif deleted file mode 100644 index 8842896029..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png b/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png deleted file mode 100644 index ea4d0588a6..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif b/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif deleted file mode 100644 index 06a357b04e..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-open.gif b/windows/deployment/planning/images/dep-win8-e-act-open.gif deleted file mode 100644 index 430bc23095..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-open.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif b/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif deleted file mode 100644 index 8327888637..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif b/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif deleted file mode 100644 index 4a647114a4..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif b/windows/deployment/planning/images/dep-win8-e-act-refresh.gif deleted file mode 100644 index 1e9cd7e6aa..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif b/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif deleted file mode 100644 index 74c9e784e2..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-save.gif b/windows/deployment/planning/images/dep-win8-e-act-save.gif deleted file mode 100644 index 50691cc5c8..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-save.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif b/windows/deployment/planning/images/dep-win8-e-act-savereport.gif deleted file mode 100644 index 00395ee6dd..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif deleted file mode 100644 index 9272a99a14..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif and /dev/null differ 
diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif deleted file mode 100644 index 7e38cf8108..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg b/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg deleted file mode 100644 index 95f3fdb690..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg b/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg deleted file mode 100644 index fd03081e46..0000000000 Binary files a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure1.png b/windows/deployment/planning/images/deploy-win-10-school-figure1.png deleted file mode 100644 index 66113dcce1..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure1.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure2.png b/windows/deployment/planning/images/deploy-win-10-school-figure2.png deleted file mode 100644 index 0227f8dbaa..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure2.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure3.png b/windows/deployment/planning/images/deploy-win-10-school-figure3.png deleted file mode 100644 index 1b39b5cc14..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure3.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure4.png b/windows/deployment/planning/images/deploy-win-10-school-figure4.png deleted file mode 100644 index 09552a448a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure4.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure5.png b/windows/deployment/planning/images/deploy-win-10-school-figure5.png deleted file mode 100644 index 550386f1ce..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure5.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure6.png b/windows/deployment/planning/images/deploy-win-10-school-figure6.png deleted file mode 100644 index 09552a448a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure6.png and /dev/null differ diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure7.png b/windows/deployment/planning/images/deploy-win-10-school-figure7.png deleted file mode 100644 index 8e7581007a..0000000000 Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure7.png and /dev/null differ diff --git a/windows/deployment/planning/images/fig2-locallyconfig.png b/windows/deployment/planning/images/fig2-locallyconfig.png deleted file mode 100644 index d2fe9820da..0000000000 Binary files a/windows/deployment/planning/images/fig2-locallyconfig.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png b/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png deleted file mode 100644 index 2f684c32ff..0000000000 Binary files a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png b/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png deleted file mode 100644 index 5e43f36403..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png b/windows/deployment/planning/images/wuforbusiness-fig11-intune.png deleted file mode 100644 index 8006085bf1..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png b/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png deleted file mode 100644 index 078d60b745..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png b/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png deleted file mode 100644 index 432e0d8711..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png b/windows/deployment/planning/images/wuforbusiness-fig2-gp.png deleted file mode 100644 index d748cd0dc9..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png b/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png deleted file mode 100644 index 90900dee9d..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png and /dev/null differ 
diff --git a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png b/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png deleted file mode 100644 index 0c6a1a0265..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png b/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png deleted file mode 100644 index 591ba04c8a..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png b/windows/deployment/planning/images/wuforbusiness-fig6-pause.png deleted file mode 100644 index d19ef0e013..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png b/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png deleted file mode 100644 index ebd28fb689..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png b/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png deleted file mode 100644 index ce8a59a910..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png and /dev/null differ diff --git a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg b/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg deleted file mode 100644 index 04c3558d41..0000000000 Binary files a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg and /dev/null differ 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 15954efa93..ba129003a6 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -44,7 +44,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| |Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | |Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | +|Feedback | - This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](/windows-insider/feedback) | ## Validate Insider Preview builds Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits: diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index c73105ae1b..5504be6122 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -1,7 +1,7 @@ --- title: How to check Windows release health description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption. -ms.date: 08/16/2022 +ms.date: 05/03/2023 ms.author: mstewart author: mestew manager: aaroncz 
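Review bot: The unchanged Tasks row of this same table still links to the Windows Insider blog with a trailing fragment `#k3WWwxKCTWHCO82H.97`, which reads like a tracking or stale anchor token and does nothing for the reader; since this hunk is already normalizing the Feedback row's link to the docs-relative `/windows-insider/feedback`, drop that fragment as well so both rows carry clean URLs.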
@@ -13,7 +13,7 @@ ms.technology: itpro-updates # How to check Windows release health -The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization. +The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that impacts Windows devices and that has been identified in a Windows monthly update or feature update. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization. If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant. 
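Review bot: The reworded definition reads better, but the unchanged line that follows it in this hunk calls the same destination the "Microsoft 365 admin portal" while the changed line says "Microsoft 365 admin center"; use one term (the page otherwise uses "Microsoft 365 admin center") so readers do not take them for two different sites.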
@@ -21,7 +21,7 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht ## How to review Windows release health information -1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account. +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an administrator account. > [!NOTE] > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles). 
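Review bot: The comma removal is fine, but the unchanged note under this step names the same role twice with different spellings, "service administrator role" and "Service admin role"; since the note is telling an admin which role to assign before Exchange, SharePoint, and Skype for Business admins can see the page, use one exact role name so they look up the right one.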
@@ -54,6 +54,21 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht ![A screenshot showing issue details.](images/WRH-known-issue-detail.png) +## Sign up for email notifications + +You have the option to sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications: + +1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth). +1. Select **Preferences** > **Email**, then select **Send me email notifications about Windows release health**. +1. Specify the following information: + - Email address for the notifications + - Each admin account can specify up to two email addresses under their email preferences + - Windows versions to be notified about +1. Select **Save** when you're finished specifying email addresses and Windows versions. It may take up to 8 hours for these changes to take effect. + +> [!Note] +> When a single known issue affects multiple versions of Windows, you'll receive only one email notification, even if you've selected notifications for multiple versions. Duplicate emails won't be sent. + ## Status definitions In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows: diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md index 14e8129982..4a20d28511 100644 --- a/windows/deployment/update/eval-infra-tools.md +++ b/windows/deployment/update/eval-infra-tools.md 
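Review bot: Two points on the new "Sign up for email notifications" section. The callout is written as `> [!Note]` while the existing callout earlier in this file uses `> [!NOTE]`; match the existing casing. In the "Specify the following information" list, "Each admin account can specify up to two email addresses under their email preferences" is a qualifier of the "Email address for the notifications" item rather than a separate thing to specify, so indent it as a sub-bullet of that item (or fold it into that sentence), leaving two top-level items: the email address(es) and the Windows versions.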
@@ -45,7 +45,7 @@ Keep security baselines current to help ensure that your environment is secure a There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. -- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593). - **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. diff --git a/windows/deployment/update/images/ActionCenterXML.jpg b/windows/deployment/update/images/ActionCenterXML.jpg deleted file mode 100644 index b9832b2708..0000000000 Binary files a/windows/deployment/update/images/ActionCenterXML.jpg and /dev/null differ 
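Review bot: The new Windows 11, version 22H2 template link replaces a Windows 10, version 1909 link that went stale for the same reason: the example is pinned to a single release. Either phrase it so the version is clearly illustrative ("for example, the templates for Windows 11, version 22H2") and expect to revisit it, or, if a Download Center page listing templates for all supported releases exists, link to that instead so the advice about keeping templates current does not itself drift.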
diff --git a/windows/deployment/update/images/AppsXML.jpg b/windows/deployment/update/images/AppsXML.jpg deleted file mode 100644 index ecc1869bb5..0000000000 Binary files a/windows/deployment/update/images/AppsXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/AppsXML.png b/windows/deployment/update/images/AppsXML.png deleted file mode 100644 index 3981543264..0000000000 Binary files a/windows/deployment/update/images/AppsXML.png and /dev/null differ diff --git a/windows/deployment/update/images/ButtonsXML.jpg b/windows/deployment/update/images/ButtonsXML.jpg deleted file mode 100644 index 238eca7e68..0000000000 Binary files a/windows/deployment/update/images/ButtonsXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/CSPRunnerXML.jpg b/windows/deployment/update/images/CSPRunnerXML.jpg deleted file mode 100644 index 071b316a9e..0000000000 Binary files a/windows/deployment/update/images/CSPRunnerXML.jpg and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png deleted file mode 100644 index 25793516c2..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part2-Create.png b/windows/deployment/update/images/CreateSolution-Part2-Create.png deleted file mode 100644 index ec63f20402..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part2-Create.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png deleted file mode 100644 index 1d74aa39d0..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png and /dev/null differ 
diff --git a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png deleted file mode 100644 index 7a3129f467..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png and /dev/null differ diff --git a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png deleted file mode 100644 index c3cb382097..0000000000 Binary files a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png and /dev/null differ diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png deleted file mode 100644 index a13d5393e6..0000000000 Binary files a/windows/deployment/update/images/DO-absolute-bandwidth.png and /dev/null differ diff --git a/windows/deployment/update/images/ICDstart-option.PNG b/windows/deployment/update/images/ICDstart-option.PNG deleted file mode 100644 index 1ba49bb261..0000000000 Binary files a/windows/deployment/update/images/ICDstart-option.PNG and /dev/null differ diff --git a/windows/deployment/update/images/MenuItemsXML.png b/windows/deployment/update/images/MenuItemsXML.png deleted file mode 100644 index cc681250bb..0000000000 Binary files a/windows/deployment/update/images/MenuItemsXML.png and /dev/null differ diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg deleted file mode 100644 index f3a5d855ff..0000000000 Binary files a/windows/deployment/update/images/OMS-after-adding-solution.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/SAC_vid_crop.jpg b/windows/deployment/update/images/SAC_vid_crop.jpg deleted file mode 100644 index 9d08215fc9..0000000000 Binary files a/windows/deployment/update/images/SAC_vid_crop.jpg and /dev/null differ diff --git a/windows/deployment/update/images/SettingsXML.png b/windows/deployment/update/images/SettingsXML.png deleted file mode 100644 index 98a324bdea..0000000000 Binary files a/windows/deployment/update/images/SettingsXML.png and /dev/null differ diff --git a/windows/deployment/update/images/StartGrid.jpg b/windows/deployment/update/images/StartGrid.jpg deleted file mode 100644 index 36136f3201..0000000000 Binary files a/windows/deployment/update/images/StartGrid.jpg and /dev/null differ diff --git a/windows/deployment/update/images/StartGridPinnedApps.jpg b/windows/deployment/update/images/StartGridPinnedApps.jpg deleted file mode 100644 index fbade52f53..0000000000 Binary files a/windows/deployment/update/images/StartGridPinnedApps.jpg and /dev/null differ diff --git a/windows/deployment/update/images/TilesXML.png b/windows/deployment/update/images/TilesXML.png deleted file mode 100644 index cec52bbbf7..0000000000 Binary files a/windows/deployment/update/images/TilesXML.png and /dev/null differ diff --git a/windows/deployment/update/images/WA-data-flow-v1.png b/windows/deployment/update/images/WA-data-flow-v1.png deleted file mode 100644 index 072502b2c7..0000000000 Binary files a/windows/deployment/update/images/WA-data-flow-v1.png and /dev/null differ diff --git a/windows/deployment/update/images/WA-device-enrollment.png b/windows/deployment/update/images/WA-device-enrollment.png deleted file mode 100644 index 06408def68..0000000000 Binary files a/windows/deployment/update/images/WA-device-enrollment.png and /dev/null differ 
diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png deleted file mode 100644 index 96b0a90280..0000000000 Binary files a/windows/deployment/update/images/WIP-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png deleted file mode 100644 index ee7f30c014..0000000000 Binary files a/windows/deployment/update/images/WIP.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png deleted file mode 100644 index 7cc35cde75..0000000000 Binary files a/windows/deployment/update/images/WIP2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG deleted file mode 100644 index 87255177e0..0000000000 Binary files a/windows/deployment/update/images/WIP2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png deleted file mode 100644 index 37acadde3a..0000000000 Binary files a/windows/deployment/update/images/WIP4Biz_Prompts.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png deleted file mode 100644 index d093eff951..0000000000 Binary files a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG deleted file mode 100644 index 29e14d5411..0000000000 Binary files a/windows/deployment/update/images/WIPNEW1.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png deleted file mode 100644 index 1ee1148c8f..0000000000 Binary files a/windows/deployment/update/images/WIPNEW2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG deleted file mode 100644 index af7a8c84b7..0000000000 Binary files a/windows/deployment/update/images/WIPNEW2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png deleted file mode 100644 index a210aa9ed1..0000000000 Binary files a/windows/deployment/update/images/WIPNEWMAIN-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG deleted file mode 100644 index b56da2b409..0000000000 Binary files a/windows/deployment/update/images/WIPNEWMAIN.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png deleted file mode 100644 index e7b5ae5571..0000000000 Binary files a/windows/deployment/update/images/WIPappID-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG deleted file mode 100644 index 49ea2bc99c..0000000000 Binary files a/windows/deployment/update/images/WIPappID.PNG and /dev/null differ diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG deleted file mode 100644 index adb905255d..0000000000 Binary files a/windows/deployment/update/images/WIPmain.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/WRH-message-history-example.png b/windows/deployment/update/images/WRH-message-history-example.png deleted file mode 100644 index 1aa35aca9b..0000000000 Binary files a/windows/deployment/update/images/WRH-message-history-example.png and /dev/null differ diff --git a/windows/deployment/update/images/WRH-view-message-history.png b/windows/deployment/update/images/WRH-view-message-history.png deleted file mode 100644 index 20b85e33c0..0000000000 Binary files a/windows/deployment/update/images/WRH-view-message-history.png and /dev/null differ diff --git a/windows/deployment/update/images/admin-tools-folder.png b/windows/deployment/update/images/admin-tools-folder.png deleted file mode 100644 index 4831204f73..0000000000 Binary files a/windows/deployment/update/images/admin-tools-folder.png and /dev/null differ diff --git a/windows/deployment/update/images/admin-tools.png b/windows/deployment/update/images/admin-tools.png deleted file mode 100644 index 1470cffdd5..0000000000 Binary files a/windows/deployment/update/images/admin-tools.png and /dev/null differ diff --git a/windows/deployment/update/images/allow-rdp.png b/windows/deployment/update/images/allow-rdp.png deleted file mode 100644 index 55c13b53bc..0000000000 Binary files a/windows/deployment/update/images/allow-rdp.png and /dev/null differ diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png deleted file mode 100644 index 1b537c1c9b..0000000000 Binary files a/windows/deployment/update/images/analytics-architecture.png and /dev/null differ diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png deleted file mode 100644 index c06ced4864..0000000000 Binary files a/windows/deployment/update/images/app-detail.png and /dev/null differ 
diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png deleted file mode 100644 index d8daee44ed..0000000000 Binary files a/windows/deployment/update/images/app-health-dashboard.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-app-OS-version.png b/windows/deployment/update/images/app-reliability-app-OS-version.png deleted file mode 100644 index c281dcc316..0000000000 Binary files a/windows/deployment/update/images/app-reliability-app-OS-version.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-app-detail.png b/windows/deployment/update/images/app-reliability-app-detail.png deleted file mode 100644 index 8c402bb91f..0000000000 Binary files a/windows/deployment/update/images/app-reliability-app-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-event-history.png b/windows/deployment/update/images/app-reliability-event-history.png deleted file mode 100644 index f28ab02908..0000000000 Binary files a/windows/deployment/update/images/app-reliability-event-history.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-main.png b/windows/deployment/update/images/app-reliability-main.png deleted file mode 100644 index abbcc72690..0000000000 Binary files a/windows/deployment/update/images/app-reliability-main.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability-tab.png b/windows/deployment/update/images/app-reliability-tab.png deleted file mode 100644 index 17eae401f4..0000000000 Binary files a/windows/deployment/update/images/app-reliability-tab.png and /dev/null differ 
diff --git a/windows/deployment/update/images/app-reliability-trend-view.png b/windows/deployment/update/images/app-reliability-trend-view.png deleted file mode 100644 index 2d26df93d3..0000000000 Binary files a/windows/deployment/update/images/app-reliability-trend-view.png and /dev/null differ diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png deleted file mode 100644 index 47ecf49431..0000000000 Binary files a/windows/deployment/update/images/app-reliability.png and /dev/null differ diff --git a/windows/deployment/update/images/app-v-in-adk.png b/windows/deployment/update/images/app-v-in-adk.png deleted file mode 100644 index a36ef9f00f..0000000000 Binary files a/windows/deployment/update/images/app-v-in-adk.png and /dev/null differ diff --git a/windows/deployment/update/images/apprule.png b/windows/deployment/update/images/apprule.png deleted file mode 100644 index ec5417849a..0000000000 Binary files a/windows/deployment/update/images/apprule.png and /dev/null differ diff --git a/windows/deployment/update/images/appwarning.png b/windows/deployment/update/images/appwarning.png deleted file mode 100644 index 877d8afebd..0000000000 Binary files a/windows/deployment/update/images/appwarning.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG deleted file mode 100644 index cd44ab666c..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png deleted file mode 100644 index 9308673481..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/azure-portal-LAfav.PNG b/windows/deployment/update/images/azure-portal-LAfav.PNG deleted file mode 100644 index 8ad9f63fd0..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAfav.PNG and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LAfav1.png b/windows/deployment/update/images/azure-portal-LAfav1.png deleted file mode 100644 index 1c01cc7509..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAfav1.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-sterile.png deleted file mode 100644 index 1cdeffa2b7..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAmain-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png deleted file mode 100644 index afdfbb2d21..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LAmain.PNG b/windows/deployment/update/images/azure-portal-LAmain.PNG deleted file mode 100644 index 1cebfa9b8c..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAmain.PNG and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-LAsearch.PNG b/windows/deployment/update/images/azure-portal-LAsearch.PNG deleted file mode 100644 index 1d446241d5..0000000000 Binary files a/windows/deployment/update/images/azure-portal-LAsearch.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png deleted file mode 100644 index 67ace993e8..0000000000 Binary files a/windows/deployment/update/images/azure-portal-UR-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png deleted file mode 100644 index b15bec2265..0000000000 Binary files a/windows/deployment/update/images/azure-portal-create-resource-boxes.png and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal-create-resource.PNG b/windows/deployment/update/images/azure-portal-create-resource.PNG deleted file mode 100644 index 0f1b962e07..0000000000 Binary files a/windows/deployment/update/images/azure-portal-create-resource.PNG and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal1.PNG b/windows/deployment/update/images/azure-portal1.PNG deleted file mode 100644 index f4c2aff38a..0000000000 Binary files a/windows/deployment/update/images/azure-portal1.PNG and /dev/null differ diff --git a/windows/deployment/update/images/azure-portal1_allserv.png b/windows/deployment/update/images/azure-portal1_allserv.png deleted file mode 100644 index 63e1bcbad3..0000000000 Binary files a/windows/deployment/update/images/azure-portal1_allserv.png and /dev/null differ diff --git a/windows/deployment/update/images/backicon.png b/windows/deployment/update/images/backicon.png deleted file mode 100644 index 3007e448b1..0000000000 Binary files a/windows/deployment/update/images/backicon.png and /dev/null differ diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png deleted file mode 100644 index ea719bc251..0000000000 Binary files a/windows/deployment/update/images/champs.png and /dev/null differ 
diff --git a/windows/deployment/update/images/checklistbox.gif b/windows/deployment/update/images/checklistbox.gif deleted file mode 100644 index cbcf4a4f11..0000000000 Binary files a/windows/deployment/update/images/checklistbox.gif and /dev/null differ diff --git a/windows/deployment/update/images/choose-package.png b/windows/deployment/update/images/choose-package.png deleted file mode 100644 index 2bf7a18648..0000000000 Binary files a/windows/deployment/update/images/choose-package.png and /dev/null differ diff --git a/windows/deployment/update/images/config-policy.png b/windows/deployment/update/images/config-policy.png deleted file mode 100644 index b9cba70af6..0000000000 Binary files a/windows/deployment/update/images/config-policy.png and /dev/null differ diff --git a/windows/deployment/update/images/config-source.png b/windows/deployment/update/images/config-source.png deleted file mode 100644 index 58938bacf7..0000000000 Binary files a/windows/deployment/update/images/config-source.png and /dev/null differ diff --git a/windows/deployment/update/images/configconflict.png b/windows/deployment/update/images/configconflict.png deleted file mode 100644 index 011a2d76e7..0000000000 Binary files a/windows/deployment/update/images/configconflict.png and /dev/null differ diff --git a/windows/deployment/update/images/connect-aad.png b/windows/deployment/update/images/connect-aad.png deleted file mode 100644 index 8583866165..0000000000 Binary files a/windows/deployment/update/images/connect-aad.png and /dev/null differ diff --git a/windows/deployment/update/images/copy-to-change.png b/windows/deployment/update/images/copy-to-change.png deleted file mode 100644 index 21aa250c0c..0000000000 Binary files a/windows/deployment/update/images/copy-to-change.png and /dev/null differ 
diff --git a/windows/deployment/update/images/copy-to-path.png b/windows/deployment/update/images/copy-to-path.png deleted file mode 100644 index 1ef00fc86b..0000000000 Binary files a/windows/deployment/update/images/copy-to-path.png and /dev/null differ diff --git a/windows/deployment/update/images/copy-to.PNG b/windows/deployment/update/images/copy-to.PNG deleted file mode 100644 index dad84cedc8..0000000000 Binary files a/windows/deployment/update/images/copy-to.PNG and /dev/null differ diff --git a/windows/deployment/update/images/cortana-about-me.png b/windows/deployment/update/images/cortana-about-me.png deleted file mode 100644 index 32c1ccefab..0000000000 Binary files a/windows/deployment/update/images/cortana-about-me.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-add-reminder.png b/windows/deployment/update/images/cortana-add-reminder.png deleted file mode 100644 index 3f03528e11..0000000000 Binary files a/windows/deployment/update/images/cortana-add-reminder.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-chicago-weather.png b/windows/deployment/update/images/cortana-chicago-weather.png deleted file mode 100644 index 9273bf201b..0000000000 Binary files a/windows/deployment/update/images/cortana-chicago-weather.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png deleted file mode 100644 index 3238c8d31d..0000000000 Binary files a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-connect-crm.png b/windows/deployment/update/images/cortana-connect-crm.png deleted file mode 100644 index c70c42f75e..0000000000 Binary files a/windows/deployment/update/images/cortana-connect-crm.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-connect-o365.png b/windows/deployment/update/images/cortana-connect-o365.png deleted file mode 100644 index df1ffa449b..0000000000 Binary files a/windows/deployment/update/images/cortana-connect-o365.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-connect-uber.png b/windows/deployment/update/images/cortana-connect-uber.png deleted file mode 100644 index 724fecb5b5..0000000000 Binary files a/windows/deployment/update/images/cortana-connect-uber.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-crm-screen.png b/windows/deployment/update/images/cortana-crm-screen.png deleted file mode 100644 index ded5d80a59..0000000000 Binary files a/windows/deployment/update/images/cortana-crm-screen.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-feedback.png b/windows/deployment/update/images/cortana-feedback.png deleted file mode 100644 index 6e14018c98..0000000000 Binary files a/windows/deployment/update/images/cortana-feedback.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-final-reminder.png b/windows/deployment/update/images/cortana-final-reminder.png deleted file mode 100644 index f114e058e5..0000000000 Binary files a/windows/deployment/update/images/cortana-final-reminder.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-meeting-specific-time.png b/windows/deployment/update/images/cortana-meeting-specific-time.png deleted file mode 100644 index a108355133..0000000000 Binary files a/windows/deployment/update/images/cortana-meeting-specific-time.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-meeting-tomorrow.png b/windows/deployment/update/images/cortana-meeting-tomorrow.png deleted file mode 100644 index 13273b6600..0000000000 Binary files a/windows/deployment/update/images/cortana-meeting-tomorrow.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-newyork-weather.png b/windows/deployment/update/images/cortana-newyork-weather.png deleted file mode 100644 index b3879737be..0000000000 Binary files a/windows/deployment/update/images/cortana-newyork-weather.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-o365-screen.png b/windows/deployment/update/images/cortana-o365-screen.png deleted file mode 100644 index ba06dd6de5..0000000000 Binary files a/windows/deployment/update/images/cortana-o365-screen.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-place-reminder.png b/windows/deployment/update/images/cortana-place-reminder.png deleted file mode 100644 index 89ccdab3e3..0000000000 Binary files a/windows/deployment/update/images/cortana-place-reminder.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-create-report.png b/windows/deployment/update/images/cortana-powerbi-create-report.png deleted file mode 100644 index a22789d72a..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-create-report.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-expand-nav.png b/windows/deployment/update/images/cortana-powerbi-expand-nav.png deleted file mode 100644 index c8b47943f9..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-expand-nav.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-field-selection.png b/windows/deployment/update/images/cortana-powerbi-field-selection.png deleted file mode 100644 index 8aef58c23a..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-field-selection.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png b/windows/deployment/update/images/cortana-powerbi-getdata-samples.png deleted file mode 100644 index 3bfa4792df..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-getdata.png b/windows/deployment/update/images/cortana-powerbi-getdata.png deleted file mode 100644 index 55b7b61589..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-getdata.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-myreport.png b/windows/deployment/update/images/cortana-powerbi-myreport.png deleted file mode 100644 index cc04d9c6f0..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-myreport.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-pagesize.png b/windows/deployment/update/images/cortana-powerbi-pagesize.png deleted file mode 100644 index fd1c1ef917..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-pagesize.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-report-qna.png b/windows/deployment/update/images/cortana-powerbi-report-qna.png deleted file mode 100644 index d17949aa8a..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-report-qna.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png deleted file mode 100644 index 5b94a2e2fc..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png deleted file mode 100644 index b2ffec3b70..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png deleted file mode 100644 index e3b61dcaa2..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-search.png b/windows/deployment/update/images/cortana-powerbi-search.png deleted file mode 100644 index 88a8b40296..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-search.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-powerbi-settings.png b/windows/deployment/update/images/cortana-powerbi-settings.png deleted file mode 100644 index 0f51229895..0000000000 Binary files a/windows/deployment/update/images/cortana-powerbi-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-redmond-weather.png b/windows/deployment/update/images/cortana-redmond-weather.png deleted file mode 100644 index 7e8adc1929..0000000000 Binary files a/windows/deployment/update/images/cortana-redmond-weather.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-reminder-edit.png b/windows/deployment/update/images/cortana-reminder-edit.png deleted file mode 100644 index 79cc280947..0000000000 Binary files a/windows/deployment/update/images/cortana-reminder-edit.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-reminder-list.png b/windows/deployment/update/images/cortana-reminder-list.png deleted file mode 100644 index 1f57fc0f05..0000000000 Binary files a/windows/deployment/update/images/cortana-reminder-list.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-reminder-mic.png b/windows/deployment/update/images/cortana-reminder-mic.png deleted file mode 100644 index 46a18e8e0b..0000000000 Binary files a/windows/deployment/update/images/cortana-reminder-mic.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-reminder-pending-mic.png b/windows/deployment/update/images/cortana-reminder-pending-mic.png deleted file mode 100644 index 159d408e0a..0000000000 Binary files a/windows/deployment/update/images/cortana-reminder-pending-mic.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-reminder-pending.png b/windows/deployment/update/images/cortana-reminder-pending.png deleted file mode 100644 index a6b64b5621..0000000000 Binary files a/windows/deployment/update/images/cortana-reminder-pending.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-send-email-coworker-mic.png deleted file mode 100644 index 0cfa8fb731..0000000000 Binary files a/windows/deployment/update/images/cortana-send-email-coworker-mic.png and /dev/null differ diff --git a/windows/deployment/update/images/cortana-send-email-coworker.png b/windows/deployment/update/images/cortana-send-email-coworker.png deleted file mode 100644 index 40ce18bdca..0000000000 Binary files a/windows/deployment/update/images/cortana-send-email-coworker.png and /dev/null differ 
diff --git a/windows/deployment/update/images/cortana-weather-multipanel.png b/windows/deployment/update/images/cortana-weather-multipanel.png deleted file mode 100644 index e8db031744..0000000000 Binary files a/windows/deployment/update/images/cortana-weather-multipanel.png and /dev/null differ diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png deleted file mode 100644 index 3a6447329c..0000000000 Binary files a/windows/deployment/update/images/crash-hang-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/csp-placeholder.png b/windows/deployment/update/images/csp-placeholder.png deleted file mode 100644 index fe6bcf4720..0000000000 Binary files a/windows/deployment/update/images/csp-placeholder.png and /dev/null differ diff --git a/windows/deployment/update/images/cspinicd.png b/windows/deployment/update/images/cspinicd.png deleted file mode 100644 index a60ad9e2bf..0000000000 Binary files a/windows/deployment/update/images/cspinicd.png and /dev/null differ diff --git a/windows/deployment/update/images/csptable.png b/windows/deployment/update/images/csptable.png deleted file mode 100644 index ee210cad69..0000000000 Binary files a/windows/deployment/update/images/csptable.png and /dev/null differ diff --git a/windows/deployment/update/images/deploymentworkflow.png b/windows/deployment/update/images/deploymentworkflow.png deleted file mode 100644 index b665a0bfea..0000000000 Binary files a/windows/deployment/update/images/deploymentworkflow.png and /dev/null differ diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png deleted file mode 100644 index afe19b622e..0000000000 Binary files a/windows/deployment/update/images/dev-health-main-tile-sterile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png deleted file mode 100644 index 850b558512..0000000000 Binary files a/windows/deployment/update/images/dev-health-main-tile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png deleted file mode 100644 index 69f98f1d67..0000000000 Binary files a/windows/deployment/update/images/device-crash-history.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png deleted file mode 100644 index e5a70f2d7d..0000000000 Binary files a/windows/deployment/update/images/device-crash-history2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG deleted file mode 100644 index 646afb4091..0000000000 Binary files a/windows/deployment/update/images/device-crash-history2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png deleted file mode 100644 index 7dd0a2d660..0000000000 Binary files a/windows/deployment/update/images/device-reliability-crash-count.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png deleted file mode 100644 index ba937d49e9..0000000000 Binary files a/windows/deployment/update/images/device-reliability-device-count.png and /dev/null differ 
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png deleted file mode 100644 index 323e0e3878..0000000000 Binary files a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png deleted file mode 100644 index af8bb1d247..0000000000 Binary files a/windows/deployment/update/images/device-reliability.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png deleted file mode 100644 index bff4878fa3..0000000000 Binary files a/windows/deployment/update/images/device-reliability2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG deleted file mode 100644 index 9af6d971b0..0000000000 Binary files a/windows/deployment/update/images/device-reliability2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/doneicon.png b/windows/deployment/update/images/doneicon.png deleted file mode 100644 index d80389f35b..0000000000 Binary files a/windows/deployment/update/images/doneicon.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png deleted file mode 100644 index 0437e555a1..0000000000 Binary files a/windows/deployment/update/images/driver-deeper-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png deleted file mode 100644 index 03551d5783..0000000000 Binary files a/windows/deployment/update/images/driver-detail-1-sterile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG deleted file mode 100644 index deeb998493..0000000000 Binary files a/windows/deployment/update/images/driver-detail-1.PNG and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png deleted file mode 100644 index 66023722b3..0000000000 Binary files a/windows/deployment/update/images/driver-detail-2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG deleted file mode 100644 index 71f16697f5..0000000000 Binary files a/windows/deployment/update/images/driver-detail-2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png deleted file mode 100644 index ab391f5adb..0000000000 Binary files a/windows/deployment/update/images/driver-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png deleted file mode 100644 index e4f4604c2b..0000000000 Binary files a/windows/deployment/update/images/event_1001.png and /dev/null differ diff --git a/windows/deployment/update/images/export-mgt-desktop.png b/windows/deployment/update/images/export-mgt-desktop.png deleted file mode 100644 index 13349c3b4e..0000000000 Binary files a/windows/deployment/update/images/export-mgt-desktop.png and /dev/null differ diff --git a/windows/deployment/update/images/export-mgt-mobile.png b/windows/deployment/update/images/export-mgt-mobile.png deleted file mode 100644 index 6a74c23e59..0000000000 Binary files a/windows/deployment/update/images/export-mgt-mobile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/express-settings.png b/windows/deployment/update/images/express-settings.png deleted file mode 100644 index 99e9c4825a..0000000000 Binary files a/windows/deployment/update/images/express-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/fig1-deferupgrades.png b/windows/deployment/update/images/fig1-deferupgrades.png deleted file mode 100644 index f8c52b943e..0000000000 Binary files a/windows/deployment/update/images/fig1-deferupgrades.png and /dev/null differ diff --git a/windows/deployment/update/images/fig2-deploymenttimeline.png b/windows/deployment/update/images/fig2-deploymenttimeline.png deleted file mode 100644 index a8061d2f15..0000000000 Binary files a/windows/deployment/update/images/fig2-deploymenttimeline.png and /dev/null differ diff --git a/windows/deployment/update/images/fig3-overlaprelease.png b/windows/deployment/update/images/fig3-overlaprelease.png deleted file mode 100644 index 58747a35cf..0000000000 Binary files a/windows/deployment/update/images/fig3-overlaprelease.png and /dev/null differ diff --git a/windows/deployment/update/images/funfacts.png b/windows/deployment/update/images/funfacts.png deleted file mode 100644 index 71355ec370..0000000000 Binary files a/windows/deployment/update/images/funfacts.png and /dev/null differ diff --git a/windows/deployment/update/images/genrule.png b/windows/deployment/update/images/genrule.png deleted file mode 100644 index 1d68f1ad0b..0000000000 Binary files a/windows/deployment/update/images/genrule.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-branch.png b/windows/deployment/update/images/gp-branch.png deleted file mode 100644 index 997bcc830a..0000000000 Binary files a/windows/deployment/update/images/gp-branch.png and /dev/null differ 
diff --git a/windows/deployment/update/images/gp-exclude-drivers.png b/windows/deployment/update/images/gp-exclude-drivers.png deleted file mode 100644 index 0010749139..0000000000 Binary files a/windows/deployment/update/images/gp-exclude-drivers.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-feature.png b/windows/deployment/update/images/gp-feature.png deleted file mode 100644 index b862d545d4..0000000000 Binary files a/windows/deployment/update/images/gp-feature.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-quality.png b/windows/deployment/update/images/gp-quality.png deleted file mode 100644 index d7ff30172d..0000000000 Binary files a/windows/deployment/update/images/gp-quality.png and /dev/null differ diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png deleted file mode 100644 index 906b0a2189..0000000000 Binary files a/windows/deployment/update/images/health-summary.png and /dev/null differ diff --git a/windows/deployment/update/images/icd-adv-shared-pc.PNG b/windows/deployment/update/images/icd-adv-shared-pc.PNG deleted file mode 100644 index a8da5fa78a..0000000000 Binary files a/windows/deployment/update/images/icd-adv-shared-pc.PNG and /dev/null differ diff --git a/windows/deployment/update/images/icd-school.PNG b/windows/deployment/update/images/icd-school.PNG deleted file mode 100644 index e6a944a193..0000000000 Binary files a/windows/deployment/update/images/icd-school.PNG and /dev/null differ diff --git a/windows/deployment/update/images/icd-simple.PNG b/windows/deployment/update/images/icd-simple.PNG deleted file mode 100644 index 7ae8a1728b..0000000000 Binary files a/windows/deployment/update/images/icd-simple.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/icdbrowse.png b/windows/deployment/update/images/icdbrowse.png deleted file mode 100644 index 53c91074c7..0000000000 Binary files a/windows/deployment/update/images/icdbrowse.png and /dev/null differ diff --git a/windows/deployment/update/images/identitychoices.png b/windows/deployment/update/images/identitychoices.png deleted file mode 100644 index 9a69c04f20..0000000000 Binary files a/windows/deployment/update/images/identitychoices.png and /dev/null differ diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg deleted file mode 100644 index 7d0837af47..0000000000 Binary files a/windows/deployment/update/images/ignite-land.jpg and /dev/null differ diff --git a/windows/deployment/update/images/launchicon.png b/windows/deployment/update/images/launchicon.png deleted file mode 100644 index d469c68a2c..0000000000 Binary files a/windows/deployment/update/images/launchicon.png and /dev/null differ diff --git a/windows/deployment/update/images/license-terms.png b/windows/deployment/update/images/license-terms.png deleted file mode 100644 index 8dd34b0a18..0000000000 Binary files a/windows/deployment/update/images/license-terms.png and /dev/null differ diff --git a/windows/deployment/update/images/lockdownapps.png b/windows/deployment/update/images/lockdownapps.png deleted file mode 100644 index ad928d87bc..0000000000 Binary files a/windows/deployment/update/images/lockdownapps.png and /dev/null differ diff --git a/windows/deployment/update/images/lockscreen.png b/windows/deployment/update/images/lockscreen.png deleted file mode 100644 index 68c64e15ec..0000000000 Binary files a/windows/deployment/update/images/lockscreen.png and /dev/null differ 
diff --git a/windows/deployment/update/images/lockscreenpolicy.png b/windows/deployment/update/images/lockscreenpolicy.png deleted file mode 100644 index 30b6a7ae9d..0000000000 Binary files a/windows/deployment/update/images/lockscreenpolicy.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png deleted file mode 100644 index 10b59a01d0..0000000000 Binary files a/windows/deployment/update/images/login-health-detail-faillure.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail-failure.png b/windows/deployment/update/images/login-health-detail-failure.png deleted file mode 100644 index 76865225a1..0000000000 Binary files a/windows/deployment/update/images/login-health-detail-failure.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png deleted file mode 100644 index 45867cefc5..0000000000 Binary files a/windows/deployment/update/images/login-health-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png deleted file mode 100644 index e250351fb5..0000000000 Binary files a/windows/deployment/update/images/login-health.png and /dev/null differ diff --git a/windows/deployment/update/images/mdm-diag-report-powershell.PNG b/windows/deployment/update/images/mdm-diag-report-powershell.PNG deleted file mode 100644 index 86f5b49211..0000000000 Binary files a/windows/deployment/update/images/mdm-diag-report-powershell.PNG and /dev/null differ diff --git a/windows/deployment/update/images/mdm.png b/windows/deployment/update/images/mdm.png deleted file mode 100644 index 8ebcc00526..0000000000 Binary files a/windows/deployment/update/images/mdm.png and /dev/null differ 
diff --git a/windows/deployment/update/images/mobile-start-layout.png b/windows/deployment/update/images/mobile-start-layout.png deleted file mode 100644 index d1055d6c87..0000000000 Binary files a/windows/deployment/update/images/mobile-start-layout.png and /dev/null differ diff --git a/windows/deployment/update/images/oma-uri-shared-pc.png b/windows/deployment/update/images/oma-uri-shared-pc.png deleted file mode 100644 index 68f9fa3b32..0000000000 Binary files a/windows/deployment/update/images/oma-uri-shared-pc.png and /dev/null differ diff --git a/windows/deployment/update/images/oobe.jpg b/windows/deployment/update/images/oobe.jpg deleted file mode 100644 index 53a5dab6bf..0000000000 Binary files a/windows/deployment/update/images/oobe.jpg and /dev/null differ diff --git a/windows/deployment/update/images/outdated_incomplete.png b/windows/deployment/update/images/outdated_incomplete.png deleted file mode 100644 index 61d9343b05..0000000000 Binary files a/windows/deployment/update/images/outdated_incomplete.png and /dev/null differ diff --git a/windows/deployment/update/images/outdated_outdated.png b/windows/deployment/update/images/outdated_outdated.png deleted file mode 100644 index 761d9066c2..0000000000 Binary files a/windows/deployment/update/images/outdated_outdated.png and /dev/null differ diff --git a/windows/deployment/update/images/package.png b/windows/deployment/update/images/package.png deleted file mode 100644 index f5e975e3e9..0000000000 Binary files a/windows/deployment/update/images/package.png and /dev/null differ diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-global.png b/windows/deployment/update/images/packageaddfileandregistrydata-global.png deleted file mode 100644 index 775e290a36..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-global.png and /dev/null differ 
diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png b/windows/deployment/update/images/packageaddfileandregistrydata-stream.png deleted file mode 100644 index 0e1205c62b..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png and /dev/null differ diff --git a/windows/deployment/update/images/packageaddfileandregistrydata.png b/windows/deployment/update/images/packageaddfileandregistrydata.png deleted file mode 100644 index 603420e627..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata.png and /dev/null differ diff --git a/windows/deployment/update/images/phoneprovision.png b/windows/deployment/update/images/phoneprovision.png deleted file mode 100644 index 01ada29ac9..0000000000 Binary files a/windows/deployment/update/images/phoneprovision.png and /dev/null differ diff --git a/windows/deployment/update/images/policytocsp.png b/windows/deployment/update/images/policytocsp.png deleted file mode 100644 index 80ca76cb62..0000000000 Binary files a/windows/deployment/update/images/policytocsp.png and /dev/null differ diff --git a/windows/deployment/update/images/powericon.png b/windows/deployment/update/images/powericon.png deleted file mode 100644 index b497ff859d..0000000000 Binary files a/windows/deployment/update/images/powericon.png and /dev/null differ diff --git a/windows/deployment/update/images/priv-telemetry-levels.png b/windows/deployment/update/images/priv-telemetry-levels.png deleted file mode 100644 index 9581cee54d..0000000000 Binary files a/windows/deployment/update/images/priv-telemetry-levels.png and /dev/null differ diff --git a/windows/deployment/update/images/prov.jpg b/windows/deployment/update/images/prov.jpg deleted file mode 100644 index 1593ccb36b..0000000000 Binary files a/windows/deployment/update/images/prov.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/provisioning-csp-assignedaccess.png b/windows/deployment/update/images/provisioning-csp-assignedaccess.png deleted file mode 100644 index 14d49cdd89..0000000000 Binary files a/windows/deployment/update/images/provisioning-csp-assignedaccess.png and /dev/null differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png deleted file mode 100644 index b088cbbf5b..0000000000 Binary files a/windows/deployment/update/images/rapid-calendar.png and /dev/null differ diff --git a/windows/deployment/update/images/rdp.png b/windows/deployment/update/images/rdp.png deleted file mode 100644 index ac088d0b06..0000000000 Binary files a/windows/deployment/update/images/rdp.png and /dev/null differ diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png deleted file mode 100644 index 58e812dafa..0000000000 Binary files a/windows/deployment/update/images/reliability-perspective.png and /dev/null differ diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG deleted file mode 100644 index 978cacc4f5..0000000000 Binary files a/windows/deployment/update/images/reliability-perspective2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/resetdevice.png b/windows/deployment/update/images/resetdevice.png deleted file mode 100644 index 4e265c3f8d..0000000000 Binary files a/windows/deployment/update/images/resetdevice.png and /dev/null differ diff --git a/windows/deployment/update/images/security-only-update.png b/windows/deployment/update/images/security-only-update.png deleted file mode 100644 index 9ed3d0f791..0000000000 Binary files a/windows/deployment/update/images/security-only-update.png and /dev/null differ 
diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png deleted file mode 100644 index cb79ff70be..0000000000 Binary files a/windows/deployment/update/images/servicing-cadence.png and /dev/null differ diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png deleted file mode 100644 index 0914b555ba..0000000000 Binary files a/windows/deployment/update/images/servicing-previews.png and /dev/null differ diff --git a/windows/deployment/update/images/settings-table.png b/windows/deployment/update/images/settings-table.png deleted file mode 100644 index ada56513fc..0000000000 Binary files a/windows/deployment/update/images/settings-table.png and /dev/null differ diff --git a/windows/deployment/update/images/settingsicon.png b/windows/deployment/update/images/settingsicon.png deleted file mode 100644 index 0ad27fc558..0000000000 Binary files a/windows/deployment/update/images/settingsicon.png and /dev/null differ diff --git a/windows/deployment/update/images/setupmsg.jpg b/windows/deployment/update/images/setupmsg.jpg deleted file mode 100644 index 12935483c5..0000000000 Binary files a/windows/deployment/update/images/setupmsg.jpg and /dev/null differ diff --git a/windows/deployment/update/images/sign-in-prov.png b/windows/deployment/update/images/sign-in-prov.png deleted file mode 100644 index 55c9276203..0000000000 Binary files a/windows/deployment/update/images/sign-in-prov.png and /dev/null differ diff --git a/windows/deployment/update/images/solution-bundle.png b/windows/deployment/update/images/solution-bundle.png deleted file mode 100644 index 70cec8d8f4..0000000000 Binary files a/windows/deployment/update/images/solution-bundle.png and /dev/null differ 
diff --git a/windows/deployment/update/images/spotlight.png b/windows/deployment/update/images/spotlight.png deleted file mode 100644 index 515269740b..0000000000 Binary files a/windows/deployment/update/images/spotlight.png and /dev/null differ diff --git a/windows/deployment/update/images/spotlight2.png b/windows/deployment/update/images/spotlight2.png deleted file mode 100644 index 27401c1a2b..0000000000 Binary files a/windows/deployment/update/images/spotlight2.png and /dev/null differ diff --git a/windows/deployment/update/images/start-pinned-app.png b/windows/deployment/update/images/start-pinned-app.png deleted file mode 100644 index e1e4a24a00..0000000000 Binary files a/windows/deployment/update/images/start-pinned-app.png and /dev/null differ diff --git a/windows/deployment/update/images/startannotated.png b/windows/deployment/update/images/startannotated.png deleted file mode 100644 index d46f3a70c2..0000000000 Binary files a/windows/deployment/update/images/startannotated.png and /dev/null differ diff --git a/windows/deployment/update/images/starticon.png b/windows/deployment/update/images/starticon.png deleted file mode 100644 index fa8cbdff10..0000000000 Binary files a/windows/deployment/update/images/starticon.png and /dev/null differ diff --git a/windows/deployment/update/images/startlayoutpolicy.jpg b/windows/deployment/update/images/startlayoutpolicy.jpg deleted file mode 100644 index d3c8d054fe..0000000000 Binary files a/windows/deployment/update/images/startlayoutpolicy.jpg and /dev/null differ diff --git a/windows/deployment/update/images/starttemplate.jpg b/windows/deployment/update/images/starttemplate.jpg deleted file mode 100644 index 900eed08c5..0000000000 Binary files a/windows/deployment/update/images/starttemplate.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/sysprep-error.png b/windows/deployment/update/images/sysprep-error.png deleted file mode 100644 index aa004efbb6..0000000000 Binary files a/windows/deployment/update/images/sysprep-error.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-blank.png b/windows/deployment/update/images/taskbar-blank.png deleted file mode 100644 index 185027f2fd..0000000000 Binary files a/windows/deployment/update/images/taskbar-blank.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default-plus.png b/windows/deployment/update/images/taskbar-default-plus.png deleted file mode 100644 index 8afcebac09..0000000000 Binary files a/windows/deployment/update/images/taskbar-default-plus.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default-removed.png b/windows/deployment/update/images/taskbar-default-removed.png deleted file mode 100644 index b3ff924e9f..0000000000 Binary files a/windows/deployment/update/images/taskbar-default-removed.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default.png b/windows/deployment/update/images/taskbar-default.png deleted file mode 100644 index 41c6c72258..0000000000 Binary files a/windows/deployment/update/images/taskbar-default.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-generic.png b/windows/deployment/update/images/taskbar-generic.png deleted file mode 100644 index 6d47a6795a..0000000000 Binary files a/windows/deployment/update/images/taskbar-generic.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-region-defr.png b/windows/deployment/update/images/taskbar-region-defr.png deleted file mode 100644 index 6d707b16f4..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-defr.png and /dev/null differ 
diff --git a/windows/deployment/update/images/taskbar-region-other.png b/windows/deployment/update/images/taskbar-region-other.png deleted file mode 100644 index fab367ef7a..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-other.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-region-usuk.png b/windows/deployment/update/images/taskbar-region-usuk.png deleted file mode 100644 index 6bba65ee81..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-usuk.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbarSTARTERBLANK.png b/windows/deployment/update/images/taskbarSTARTERBLANK.png deleted file mode 100644 index e206bdc196..0000000000 Binary files a/windows/deployment/update/images/taskbarSTARTERBLANK.png and /dev/null differ diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png deleted file mode 100644 index 33175c7590..0000000000 Binary files a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png and /dev/null differ diff --git a/windows/deployment/update/images/trust-package.png b/windows/deployment/update/images/trust-package.png deleted file mode 100644 index 8a293ea4da..0000000000 Binary files a/windows/deployment/update/images/trust-package.png and /dev/null differ diff --git a/windows/deployment/update/images/twain.png b/windows/deployment/update/images/twain.png deleted file mode 100644 index 53cd5eadc7..0000000000 Binary files a/windows/deployment/update/images/twain.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-adk-select-uev-feature.png b/windows/deployment/update/images/uev-adk-select-uev-feature.png deleted file mode 100644 index 1556f115c0..0000000000 Binary files a/windows/deployment/update/images/uev-adk-select-uev-feature.png and /dev/null differ 
diff --git a/windows/deployment/update/images/uev-archdiagram.png b/windows/deployment/update/images/uev-archdiagram.png deleted file mode 100644 index eae098e666..0000000000 Binary files a/windows/deployment/update/images/uev-archdiagram.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-checklist-box.gif b/windows/deployment/update/images/uev-checklist-box.gif deleted file mode 100644 index 8af13c51d1..0000000000 Binary files a/windows/deployment/update/images/uev-checklist-box.gif and /dev/null differ diff --git a/windows/deployment/update/images/uev-deployment-preparation.png b/windows/deployment/update/images/uev-deployment-preparation.png deleted file mode 100644 index b665a0bfea..0000000000 Binary files a/windows/deployment/update/images/uev-deployment-preparation.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-generator-process.png b/windows/deployment/update/images/uev-generator-process.png deleted file mode 100644 index e16cedd0a7..0000000000 Binary files a/windows/deployment/update/images/uev-generator-process.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png deleted file mode 100644 index 266c5b7210..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-assessment.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png deleted file mode 100644 index 977478fb74..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-overview.png and /dev/null differ 
diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png deleted file mode 100644 index 2c6c355ca4..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-prot-status.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png deleted file mode 100644 index 733bfb6ae7..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png deleted file mode 100644 index d914960a7a..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png deleted file mode 100644 index 7d8021b02e..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png deleted file mode 100644 index cd500c2cb3..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png deleted file mode 100644 index 30e2e2352f..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-status-log.png and /dev/null differ 
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png deleted file mode 100644 index c7d1a436fe..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-status-query.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png deleted file mode 100644 index ada9c09bbf..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-threat-status.png and /dev/null differ diff --git a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png deleted file mode 100644 index 402db94d6f..0000000000 Binary files a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png and /dev/null differ diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG deleted file mode 100644 index 35317ee027..0000000000 Binary files a/windows/deployment/update/images/video-snip.PNG and /dev/null differ diff --git a/windows/deployment/update/images/w10servicing-f1-branches.png b/windows/deployment/update/images/w10servicing-f1-branches.png deleted file mode 100644 index ac4a549aed..0000000000 Binary files a/windows/deployment/update/images/w10servicing-f1-branches.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-auto-update-policy.PNG b/windows/deployment/update/images/waas-auto-update-policy.PNG deleted file mode 100644 index 52a1629cbf..0000000000 Binary files a/windows/deployment/update/images/waas-auto-update-policy.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-do-fig1.png b/windows/deployment/update/images/waas-do-fig1.png deleted file mode 100644 index 2a2b6872e9..0000000000 Binary files a/windows/deployment/update/images/waas-do-fig1.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-do-fig2.png b/windows/deployment/update/images/waas-do-fig2.png deleted file mode 100644 index cc42b328eb..0000000000 Binary files a/windows/deployment/update/images/waas-do-fig2.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-do-fig3.png b/windows/deployment/update/images/waas-do-fig3.png deleted file mode 100644 index d9182d3b20..0000000000 Binary files a/windows/deployment/update/images/waas-do-fig3.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-do-fig4.png b/windows/deployment/update/images/waas-do-fig4.png deleted file mode 100644 index a66741ed90..0000000000 Binary files a/windows/deployment/update/images/waas-do-fig4.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-mcc-diag-overview.png b/windows/deployment/update/images/waas-mcc-diag-overview.png deleted file mode 100644 index bd5c4ee8d9..0000000000 Binary files a/windows/deployment/update/images/waas-mcc-diag-overview.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-overview-patch.png b/windows/deployment/update/images/waas-overview-patch.png deleted file mode 100644 index 6ac0a03227..0000000000 Binary files a/windows/deployment/update/images/waas-overview-patch.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-restart-policy.PNG b/windows/deployment/update/images/waas-restart-policy.PNG deleted file mode 100644 index 936f9aeb08..0000000000 Binary files a/windows/deployment/update/images/waas-restart-policy.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-rings.png b/windows/deployment/update/images/waas-rings.png deleted file mode 100644 index 041a59ce87..0000000000 Binary files a/windows/deployment/update/images/waas-rings.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig1.png b/windows/deployment/update/images/waas-sccm-fig1.png deleted file mode 100644 index 6bf2b1c621..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig1.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig10.png b/windows/deployment/update/images/waas-sccm-fig10.png deleted file mode 100644 index ad3b5c922f..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig10.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig11.png b/windows/deployment/update/images/waas-sccm-fig11.png deleted file mode 100644 index 6c4f905630..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig11.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig12.png b/windows/deployment/update/images/waas-sccm-fig12.png deleted file mode 100644 index 87464dd5f1..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig12.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig2.png b/windows/deployment/update/images/waas-sccm-fig2.png deleted file mode 100644 index c83e7bc781..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig2.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig3.png b/windows/deployment/update/images/waas-sccm-fig3.png deleted file mode 100644 index dcbc83b8ff..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig3.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-sccm-fig4.png b/windows/deployment/update/images/waas-sccm-fig4.png deleted file mode 100644 index 782c5ca6ef..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig4.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig5.png b/windows/deployment/update/images/waas-sccm-fig5.png deleted file mode 100644 index cb399a6c6f..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig5.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig6.png b/windows/deployment/update/images/waas-sccm-fig6.png deleted file mode 100644 index 77dd02d61e..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig6.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig7.png b/windows/deployment/update/images/waas-sccm-fig7.png deleted file mode 100644 index a74c7c8133..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig7.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig8.png b/windows/deployment/update/images/waas-sccm-fig8.png deleted file mode 100644 index 2dfaf75ddf..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig8.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-sccm-fig9.png b/windows/deployment/update/images/waas-sccm-fig9.png deleted file mode 100644 index 311d79dc94..0000000000 Binary files a/windows/deployment/update/images/waas-sccm-fig9.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-strategy-fig1a.png b/windows/deployment/update/images/waas-strategy-fig1a.png deleted file mode 100644 index 7a924c43bc..0000000000 Binary files a/windows/deployment/update/images/waas-strategy-fig1a.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png b/windows/deployment/update/images/waas-wipfb-aad-classicaad.png deleted file mode 100644 index 424f4bca0a..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png b/windows/deployment/update/images/waas-wipfb-aad-classicenable.png deleted file mode 100644 index 9cc78c2736..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-consent.png b/windows/deployment/update/images/waas-wipfb-aad-consent.png deleted file mode 100644 index aeb78e5ddf..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-consent.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-error.png b/windows/deployment/update/images/waas-wipfb-aad-error.png deleted file mode 100644 index 83e6ca9974..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-error.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-newaad.png b/windows/deployment/update/images/waas-wipfb-aad-newaad.png deleted file mode 100644 index 87a6f5e750..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-newaad.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png deleted file mode 100644 index 9da18db5d1..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newenable.png b/windows/deployment/update/images/waas-wipfb-aad-newenable.png deleted file mode 100644 index f9bbe57b26..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-newenable.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png b/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png deleted file mode 100644 index ab28da5cbc..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-accounts.png b/windows/deployment/update/images/waas-wipfb-accounts.png deleted file mode 100644 index 27387e3e7b..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-accounts.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-change-user.png b/windows/deployment/update/images/waas-wipfb-change-user.png deleted file mode 100644 index bf6fe39beb..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-change-user.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-policy1.png b/windows/deployment/update/images/waas-wipfb-policy1.png deleted file mode 100644 index 1fc89ecd2f..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-policy1.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wipfb-work-account.jpg b/windows/deployment/update/images/waas-wipfb-work-account.jpg deleted file mode 100644 index 4b34385b18..0000000000 Binary files a/windows/deployment/update/images/waas-wipfb-work-account.jpg and /dev/null differ diff --git a/windows/deployment/update/images/waas-wsus-fig1.png b/windows/deployment/update/images/waas-wsus-fig1.png deleted file mode 100644 index 14bf35958a..0000000000 Binary files a/windows/deployment/update/images/waas-wsus-fig1.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wsus-fig2.png b/windows/deployment/update/images/waas-wsus-fig2.png deleted file mode 100644 index 167774a6c9..0000000000 Binary files a/windows/deployment/update/images/waas-wsus-fig2.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-broad.png b/windows/deployment/update/images/waas-wufb-gp-broad.png deleted file mode 100644 index 92b71c8936..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-broad.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png deleted file mode 100644 index ae6ed4d856..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2.png b/windows/deployment/update/images/waas-wufb-gp-cb2.png deleted file mode 100644 index 006a8c02d3..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png deleted file mode 100644 index c9e1029b8b..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png deleted file mode 100644 index e5aff1cc89..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png deleted file mode 100644 index 33a02165c6..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wufb-gp-create.png b/windows/deployment/update/images/waas-wufb-gp-create.png deleted file mode 100644 index d74eec4b2e..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-create.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png b/windows/deployment/update/images/waas-wufb-gp-edit-defer.png deleted file mode 100644 index c697b42ffd..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-edit.png b/windows/deployment/update/images/waas-wufb-gp-edit.png deleted file mode 100644 index 1b8d21a175..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-edit.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png b/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png deleted file mode 100644 index fcacdbea57..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-gp-scope.png b/windows/deployment/update/images/waas-wufb-gp-scope.png deleted file mode 100644 index a04d8194df..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-gp-scope.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-cb2a.png b/windows/deployment/update/images/waas-wufb-intune-cb2a.png deleted file mode 100644 index 3e8c1ce19e..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-cb2a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png b/windows/deployment/update/images/waas-wufb-intune-cbb1a.png deleted file mode 100644 index bc394fe563..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png b/windows/deployment/update/images/waas-wufb-intune-cbb2a.png deleted file mode 100644 index a980e0e43a..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-step11a.png b/windows/deployment/update/images/waas-wufb-intune-step11a.png deleted file mode 100644 index 7291484c93..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-step11a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-step19a.png b/windows/deployment/update/images/waas-wufb-intune-step19a.png deleted file mode 100644 index de132abd28..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-step19a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-step2a.png b/windows/deployment/update/images/waas-wufb-intune-step2a.png deleted file mode 100644 index 9a719b8fda..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-step2a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-intune-step7a.png b/windows/deployment/update/images/waas-wufb-intune-step7a.png deleted file mode 100644 index daa96ba18c..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-intune-step7a.png and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-policy-pause.png b/windows/deployment/update/images/waas-wufb-policy-pause.png deleted file mode 100644 index b8ea2c8df9..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-policy-pause.png and /dev/null differ 
diff --git a/windows/deployment/update/images/waas-wufb-settings-defer.jpg b/windows/deployment/update/images/waas-wufb-settings-defer.jpg deleted file mode 100644 index 5e6c58a101..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-settings-defer.jpg and /dev/null differ diff --git a/windows/deployment/update/images/waas-wufb-update-compliance.png b/windows/deployment/update/images/waas-wufb-update-compliance.png deleted file mode 100644 index 0c1bbaea7c..0000000000 Binary files a/windows/deployment/update/images/waas-wufb-update-compliance.png and /dev/null differ diff --git a/windows/deployment/update/images/who-owns-pc.png b/windows/deployment/update/images/who-owns-pc.png deleted file mode 100644 index d3ce1def8d..0000000000 Binary files a/windows/deployment/update/images/who-owns-pc.png and /dev/null differ diff --git a/windows/deployment/update/images/wifisense-grouppolicy.png b/windows/deployment/update/images/wifisense-grouppolicy.png deleted file mode 100644 index 1142d834bd..0000000000 Binary files a/windows/deployment/update/images/wifisense-grouppolicy.png and /dev/null differ diff --git a/windows/deployment/update/images/wifisense-registry.png b/windows/deployment/update/images/wifisense-registry.png deleted file mode 100644 index cbb1fa8347..0000000000 Binary files a/windows/deployment/update/images/wifisense-registry.png and /dev/null differ diff --git a/windows/deployment/update/images/wifisense-settingscreens.png b/windows/deployment/update/images/wifisense-settingscreens.png deleted file mode 100644 index cbb6903177..0000000000 Binary files a/windows/deployment/update/images/wifisense-settingscreens.png and /dev/null differ diff --git a/windows/deployment/update/images/win10-mobile-mdm-fig1.png b/windows/deployment/update/images/win10-mobile-mdm-fig1.png deleted file mode 100644 index 6ddac1df99..0000000000 Binary files a/windows/deployment/update/images/win10-mobile-mdm-fig1.png and /dev/null differ 
diff --git a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png b/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png deleted file mode 100644 index e4dc76b44f..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png and /dev/null differ diff --git a/windows/deployment/update/images/win10servicing-fig3.png b/windows/deployment/update/images/win10servicing-fig3.png deleted file mode 100644 index 688f92b173..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig3.png and /dev/null differ diff --git a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png b/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png deleted file mode 100644 index 961c8bebe2..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png and /dev/null differ diff --git a/windows/deployment/update/images/win10servicing-fig5.png b/windows/deployment/update/images/win10servicing-fig5.png deleted file mode 100644 index dc4b2fc5b2..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig5.png and /dev/null differ diff --git a/windows/deployment/update/images/win10servicing-fig6.png b/windows/deployment/update/images/win10servicing-fig6.png deleted file mode 100644 index 4cdc5f9c6f..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig6.png and /dev/null differ diff --git a/windows/deployment/update/images/win10servicing-fig7.png b/windows/deployment/update/images/win10servicing-fig7.png deleted file mode 100644 index 0a9a851449..0000000000 Binary files a/windows/deployment/update/images/win10servicing-fig7.png and /dev/null differ 
diff --git a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png b/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png deleted file mode 100644 index 6121e93832..0000000000 Binary files a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png and /dev/null differ diff --git a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png b/windows/deployment/update/images/windows-10-management-gp-intune-flow.png deleted file mode 100644 index c9e3f2ea31..0000000000 Binary files a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png and /dev/null differ diff --git a/windows/deployment/update/images/windows-10-management-range-of-options.png b/windows/deployment/update/images/windows-10-management-range-of-options.png deleted file mode 100644 index e4de546709..0000000000 Binary files a/windows/deployment/update/images/windows-10-management-range-of-options.png and /dev/null differ diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png deleted file mode 100644 index e597eaec2a..0000000000 Binary files a/windows/deployment/update/images/windows-update-workflow.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-distribute.png b/windows/deployment/update/images/wsfb-distribute.png deleted file mode 100644 index d0482f6ebe..0000000000 Binary files a/windows/deployment/update/images/wsfb-distribute.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-firstrun.png b/windows/deployment/update/images/wsfb-firstrun.png deleted file mode 100644 index 2673567a1e..0000000000 Binary files a/windows/deployment/update/images/wsfb-firstrun.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wsfb-inventory-viewlicense.png b/windows/deployment/update/images/wsfb-inventory-viewlicense.png deleted file mode 100644 index 9fafad1aff..0000000000 Binary files a/windows/deployment/update/images/wsfb-inventory-viewlicense.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-inventory.png b/windows/deployment/update/images/wsfb-inventory.png deleted file mode 100644 index b060fb30e4..0000000000 Binary files a/windows/deployment/update/images/wsfb-inventory.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png b/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png deleted file mode 100644 index bb1152e35b..0000000000 Binary files a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-landing.png b/windows/deployment/update/images/wsfb-landing.png deleted file mode 100644 index beae0b52af..0000000000 Binary files a/windows/deployment/update/images/wsfb-landing.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-licenseassign.png b/windows/deployment/update/images/wsfb-licenseassign.png deleted file mode 100644 index 5904abb3b9..0000000000 Binary files a/windows/deployment/update/images/wsfb-licenseassign.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-licensedetails.png b/windows/deployment/update/images/wsfb-licensedetails.png deleted file mode 100644 index 53e0f5c935..0000000000 Binary files a/windows/deployment/update/images/wsfb-licensedetails.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-licensereclaim.png b/windows/deployment/update/images/wsfb-licensereclaim.png deleted file mode 100644 index 9f94cd3600..0000000000 Binary files a/windows/deployment/update/images/wsfb-licensereclaim.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wsfb-manageinventory.png b/windows/deployment/update/images/wsfb-manageinventory.png deleted file mode 100644 index 9a544ddc21..0000000000 Binary files a/windows/deployment/update/images/wsfb-manageinventory.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png b/windows/deployment/update/images/wsfb-offline-distribute-mdm.png deleted file mode 100644 index ec0e77a9a9..0000000000 Binary files a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-onboard-1.png b/windows/deployment/update/images/wsfb-onboard-1.png deleted file mode 100644 index 012e91a845..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-1.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-onboard-2.png b/windows/deployment/update/images/wsfb-onboard-2.png deleted file mode 100644 index 2ff98fb1f7..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-2.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-onboard-3.png b/windows/deployment/update/images/wsfb-onboard-3.png deleted file mode 100644 index ed9a61d353..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-3.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-onboard-4.png b/windows/deployment/update/images/wsfb-onboard-4.png deleted file mode 100644 index d99185ddc6..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-4.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-onboard-5.png b/windows/deployment/update/images/wsfb-onboard-5.png deleted file mode 100644 index 68049f4425..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-5.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wsfb-onboard-7.png b/windows/deployment/update/images/wsfb-onboard-7.png deleted file mode 100644 index 38b7348b21..0000000000 Binary files a/windows/deployment/update/images/wsfb-onboard-7.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-online-distribute-mdm.png b/windows/deployment/update/images/wsfb-online-distribute-mdm.png deleted file mode 100644 index 4b0f7cbf3a..0000000000 Binary files a/windows/deployment/update/images/wsfb-online-distribute-mdm.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-paid-app-temp.png b/windows/deployment/update/images/wsfb-paid-app-temp.png deleted file mode 100644 index 89e3857d07..0000000000 Binary files a/windows/deployment/update/images/wsfb-paid-app-temp.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-permissions-assignrole.png b/windows/deployment/update/images/wsfb-permissions-assignrole.png deleted file mode 100644 index de2e1785ba..0000000000 Binary files a/windows/deployment/update/images/wsfb-permissions-assignrole.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-private-store-gpo.PNG b/windows/deployment/update/images/wsfb-private-store-gpo.PNG deleted file mode 100644 index 5e7fe44ec2..0000000000 Binary files a/windows/deployment/update/images/wsfb-private-store-gpo.PNG and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-privatestore.png b/windows/deployment/update/images/wsfb-privatestore.png deleted file mode 100644 index 74c9f1690d..0000000000 Binary files a/windows/deployment/update/images/wsfb-privatestore.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-privatestoreapps.png b/windows/deployment/update/images/wsfb-privatestoreapps.png deleted file mode 100644 index 1ddb543796..0000000000 Binary files a/windows/deployment/update/images/wsfb-privatestoreapps.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wsfb-renameprivatestore.png b/windows/deployment/update/images/wsfb-renameprivatestore.png deleted file mode 100644 index c6db282581..0000000000 Binary files a/windows/deployment/update/images/wsfb-renameprivatestore.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-settings-mgmt.png b/windows/deployment/update/images/wsfb-settings-mgmt.png deleted file mode 100644 index 2a7b590d19..0000000000 Binary files a/windows/deployment/update/images/wsfb-settings-mgmt.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-settings-permissions.png b/windows/deployment/update/images/wsfb-settings-permissions.png deleted file mode 100644 index 63d04d270b..0000000000 Binary files a/windows/deployment/update/images/wsfb-settings-permissions.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-wsappaddacct.png b/windows/deployment/update/images/wsfb-wsappaddacct.png deleted file mode 100644 index 5c0bd9a4ce..0000000000 Binary files a/windows/deployment/update/images/wsfb-wsappaddacct.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-wsappprivatestore.png b/windows/deployment/update/images/wsfb-wsappprivatestore.png deleted file mode 100644 index 9c29e7604c..0000000000 Binary files a/windows/deployment/update/images/wsfb-wsappprivatestore.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-wsappsignin.png b/windows/deployment/update/images/wsfb-wsappsignin.png deleted file mode 100644 index c2c2631a94..0000000000 Binary files a/windows/deployment/update/images/wsfb-wsappsignin.png and /dev/null differ diff --git a/windows/deployment/update/images/wsfb-wsappworkacct.png b/windows/deployment/update/images/wsfb-wsappworkacct.png deleted file mode 100644 index 5eb9035124..0000000000 Binary files a/windows/deployment/update/images/wsfb-wsappworkacct.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wufb-do.png b/windows/deployment/update/images/wufb-do.png deleted file mode 100644 index 8d6c9d0b8a..0000000000 Binary files a/windows/deployment/update/images/wufb-do.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-feature-engaged-notification.png b/windows/deployment/update/images/wufb-feature-engaged-notification.png deleted file mode 100644 index 0e3bd19e61..0000000000 Binary files a/windows/deployment/update/images/wufb-feature-engaged-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-feature-notification.png b/windows/deployment/update/images/wufb-feature-notification.png deleted file mode 100644 index 0e3bd19e61..0000000000 Binary files a/windows/deployment/update/images/wufb-feature-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png b/windows/deployment/update/images/wufb-feature-update-deadline-notification.png deleted file mode 100644 index 0e3bd19e61..0000000000 Binary files a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png b/windows/deployment/update/images/wufb-feature-update-engaged-notification.png deleted file mode 100644 index 6173803a90..0000000000 Binary files a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-groups.png b/windows/deployment/update/images/wufb-groups.png deleted file mode 100644 index 13cdea04b0..0000000000 Binary files a/windows/deployment/update/images/wufb-groups.png and /dev/null differ 
diff --git a/windows/deployment/update/images/wufb-pause-feature.png b/windows/deployment/update/images/wufb-pause-feature.png deleted file mode 100644 index afeac43e29..0000000000 Binary files a/windows/deployment/update/images/wufb-pause-feature.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-qual.png b/windows/deployment/update/images/wufb-qual.png deleted file mode 100644 index 4a93408522..0000000000 Binary files a/windows/deployment/update/images/wufb-qual.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-quality-engaged-notification.png b/windows/deployment/update/images/wufb-quality-engaged-notification.png deleted file mode 100644 index 432f9f89b7..0000000000 Binary files a/windows/deployment/update/images/wufb-quality-engaged-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-quality-notification.png b/windows/deployment/update/images/wufb-quality-notification.png deleted file mode 100644 index 0e3bd19e61..0000000000 Binary files a/windows/deployment/update/images/wufb-quality-notification.png and /dev/null differ diff --git a/windows/deployment/update/images/wufb-wave-deployment.png b/windows/deployment/update/images/wufb-wave-deployment.png deleted file mode 100644 index 34ff0bf6cf..0000000000 Binary files a/windows/deployment/update/images/wufb-wave-deployment.png and /dev/null differ diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 135a23932a..c1312b6132 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -8,7 +8,7 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 05/09/2023 ms.reviewer: stevedia --- 
@@ -77,6 +77,7 @@ This table shows the correct sequence for applying the various tasks to the file |Add Safe OS Dynamic Update | 6 | | | |Add Setup Dynamic Update | | | | 26 |Add setup.exe from WinPE | | | | 27 +|Add boot manager from WinPE | | | | 28 |Add latest cumulative update | | 15 | 21 | |Clean up the image | 7 | 16 | 22 | |Add Optional Components | | | 23 | 
@@ -300,7 +301,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. 
Finally, the script cleans and exports Boot.wim, and copies it back to the new media. ```powershell # @@ -416,9 +417,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null - # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder if ($IMAGE.ImageIndex -eq "2") { + + # Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null + + # Save serviced boot manager files later copy to the root media. + Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null + Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null + } # Dismount 
@@ -532,7 +539,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc ### Update remaining media files -This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE. +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE. ```powershell # 
@@ -544,8 +551,29 @@ Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null # Copy setup.exe from boot.wim, saved earlier. +Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe" Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null + +# Copy bootmgr files from boot.wim, saved earlier. +$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi + +Foreach ($File in $MEDIA_NEW_FILES){ + if (($File.Name -ieq "bootmgfw.efi") -or ` + ($File.Name -ieq "bootx64.efi") -or ` + ($File.Name -ieq "bootia32.efi") -or ` + ($File.Name -ieq "bootaa64.efi")) + { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)" + Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null + } + elseif ($File.Name -ieq "bootmgr.efi") + { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)" + Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null + } +} + ``` ### Finish up diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png deleted file mode 100644 index ee06527529..0000000000 Binary files a/windows/deployment/update/olympia/images/1-1.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png deleted file mode 100644 index 807e895aa5..0000000000 Binary files a/windows/deployment/update/olympia/images/1-3.png and /dev/null differ 
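Review bot: In the `Foreach ($File in $MEDIA_NEW_FILES)` loop, the one `bootmgfw.efi` saved from WinPE is written over every `bootmgfw.efi`, `bootx64.efi`, `bootia32.efi` or `bootaa64.efi` found anywhere under `$MEDIA_NEW_PATH`; that is only correct when the media carries a single architecture's boot application, so either state that assumption in the comment or match only the file name for the architecture of the boot.wim being serviced, rather than treating the three `boot*.efi` names as interchangeable targets. Two smaller points: `Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi` can be narrowed with `-File` so directory entries are never compared by name, and if nothing matches the loop exits silently, so a `Write-Warning` when no boot manager file was replaced would make a medium whose boot manager was not updated visible in the log alongside the existing `Write-Output "$(Get-TS): Copying ..."` lines.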
diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png deleted file mode 100644 index 3e63d1c078..0000000000 Binary files a/windows/deployment/update/olympia/images/1-4.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png deleted file mode 100644 index 7006da4179..0000000000 Binary files a/windows/deployment/update/olympia/images/2-3.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png deleted file mode 100644 index 677679a000..0000000000 Binary files a/windows/deployment/update/olympia/images/2-4.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png deleted file mode 100644 index cfec6f7ce0..0000000000 Binary files a/windows/deployment/update/olympia/images/2-5.png and /dev/null differ diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 1b6ef429f8..82f1a7f953 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -48,10 +48,10 @@ The General Availability Channel is the default servicing channel for all Window To get started with the Windows Insider Program for Business, follows these steps: -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account. +2. Follow the prompts to register your tenant.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register. 3. Make sure the **Allow Telemetry** setting is set to **2** or higher. -4. For Windows 10, version 1709 or later, set policies to manage preview builds and their delivery: +4. For Windows devices, set policies to manage preview builds and their delivery: The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 2c627d3a6e..3549b7bdb6 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -8,13 +8,13 @@ ms.author: mstewart manager: aaroncz ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 05/12/2023 --- # Enforcing compliance deadlines for updates **Applies to** -- Windows 10 +- Windows 10 - Windows 11 Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. 
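Review bot: In the Windows Insider hunk, the unchanged lead-in "To get started with the Windows Insider Program for Business, follows these steps:" has a typo ("follows" should be "follow"); since the list under it is being rewritten, fix it in the same change. The rewritten steps 1 and 2 both say "register" without making the two actions distinct ("select **Register** to register your organizational Azure AD account" and then "Follow the prompts to register your tenant"); one sentence that says what step 1 registers versus step 2 would help, and the retained Note about needing a **Global Administrator** should stay attached to the step it constrains.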
@@ -43,3 +43,6 @@ When **Specify deadlines for automatic updates and restarts** is set (Windows 10 For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours. + +> [!NOTE] +> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored. diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 69aafe106a..8087bbcab2 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
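Review bot: The added note "download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored" is missing its noun; write "stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) policy are ignored". Because the note states that the deadline policy silently overrides scheduling settings an admin may be relying on, consider saying explicitly that **Specify deadlines for automatic updates and restarts** takes precedence, so the reader does not have to infer which policy wins. The unchanged context line above also has a doubled word in "automatically download and install in in the background".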
@@ -92,7 +92,7 @@ There are several calculated values that appear on the Delivery Optimization rep In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell -$text = "" ; +$text = "" ; $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" ``` diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index ea38090b1d..c3c3acaa55 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -22,7 +22,6 @@ ms.date: 10/28/2022 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. 
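Review bot: The `$text = "" ;` line is identical on its `-` and `+` sides, so this is presumably a trailing-whitespace or line-ending change; please confirm nothing else (such as a non-printing character) was dropped. While here, the snippet hashes `[System.Text.Encoding]::Unicode.GetBytes($text)`, that is UTF-16LE, and the surrounding text says the report shows the GroupID "as an encoded SHA256 hash"; a short comment that the encoding must match what the Delivery Optimization report uses would save readers from hashing UTF-8 and never finding their GroupID in the mapping.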
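Review bot: The edition-upgrades hunk deletes the only pointer to the list of operating systems that qualify for the Windows 10 Pro or Enterprise Upgrade through Volume Licensing without replacing it; if the Windows10-QOS.pdf link is retired, point the sentence at its current location rather than removing the statement, since the rest of the page still assumes the reader knows which editions qualify.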
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 29dfd02ddc..3c213a2a45 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -27,7 +27,7 @@ ms.technology: itpro-fundamentals > [!TIP] > Are you looking for volume licensing information? > -> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) +> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://www.microsoft.com/download/details.aspx?id=11091) > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index ec97a45acf..7abdacbadc 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
@@ -38,52 +38,112 @@ href: deploy/windows-autopatch-device-registration-overview.md - name: Register your devices href: deploy/windows-autopatch-register-devices.md + - name: Windows Autopatch groups experience + href: + items: + - name: Windows Autopatch groups overview + href: deploy/windows-autopatch-groups-overview.md + - name: Manage Windows Autopatch groups + href: deploy/windows-autopatch-groups-manage-autopatch-groups.md - name: Post-device registration readiness checks href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate href: items: - - name: Software update management - href: operate/windows-autopatch-update-management.md + - name: Windows Autopatch groups experience + href: items: - - name: Windows updates - href: + - name: Software update management + href: operate/windows-autopatch-groups-update-management.md items: - - name: Customize Windows Update settings - href: operate/windows-autopatch-windows-update.md - - name: Windows quality updates - href: operate/windows-autopatch-windows-quality-update-overview.md + - name: Windows updates + href: items: - - name: Windows quality update end user experience - href: operate/windows-autopatch-windows-quality-update-end-user-exp.md - - name: Windows quality update signals - href: operate/windows-autopatch-windows-quality-update-signals.md - - name: Windows quality update communications - href: operate/windows-autopatch-windows-quality-update-communications.md - - name: Windows quality update reports - href: operate/windows-autopatch-windows-quality-update-reports-overview.md + - name: Customize Windows Update settings + href: operate/windows-autopatch-groups-windows-update.md + - name: Windows quality updates + href: operate/windows-autopatch-groups-windows-quality-update-overview.md items: - - name: Summary dashboard - href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md - - name: All devices report - href: 
operate/windows-autopatch-windows-quality-update-all-devices-report.md - - name: All devices report—historical - href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md - - name: Eligible devices report—historical - href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md - - name: Ineligible devices report—historical - href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md - - name: Windows feature updates - href: operate/windows-autopatch-windows-feature-update-overview.md + - name: Windows quality update end user experience + href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-groups-windows-quality-update-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-groups-windows-quality-update-communications.md + - name: Windows feature updates + href: operate/windows-autopatch-groups-windows-feature-update-overview.md + items: + - name: Manage Windows feature updates + href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md + - name: Windows quality and feature update reports + href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md + items: + - name: Windows quality update reports + href: items: - - name: Windows feature update end user experience - href: operate/windows-autopatch-windows-feature-update-end-user-exp.md - - name: Microsoft 365 Apps for enterprise - href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - - name: Microsoft Edge - href: operate/windows-autopatch-edge.md - - name: Microsoft Teams - href: operate/windows-autopatch-teams.md + - name: Summary dashboard + href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md + - name: Quality update status report + href: 
operate/windows-autopatch-groups-windows-quality-update-status-report.md + - name: Quality update trending report + href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md + - name: Windows feature update reports + href: + items: + - name: Summary dashboard + href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md + - name: Feature update status report + href: operate/windows-autopatch-groups-windows-feature-update-status-report.md + - name: Feature update trending report + href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md + - name: Windows quality and feature update device alerts + href: operate/windows-autopatch-device-alerts.md + - name: Classic experience + href: + items: + - name: Software update management + href: operate/windows-autopatch-update-management.md + items: + - name: Windows updates + href: + items: + - name: Customize Windows Update settings + href: operate/windows-autopatch-windows-update.md + - name: Windows quality updates + href: operate/windows-autopatch-windows-quality-update-overview.md + items: + - name: Windows quality update end user experience + href: operate/windows-autopatch-windows-quality-update-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-windows-quality-update-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-windows-quality-update-communications.md + - name: Windows quality update reports + href: operate/windows-autopatch-windows-quality-update-reports-overview.md + items: + - name: Summary dashboard + href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md + - name: All devices report + href: operate/windows-autopatch-windows-quality-update-all-devices-report.md + - name: All devices report—historical + href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md + - name: Eligible devices report—historical + 
href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md + - name: Ineligible devices report—historical + href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md + - name: Windows feature updates + href: operate/windows-autopatch-windows-feature-update-overview.md + items: + - name: Windows feature update end user experience + href: operate/windows-autopatch-windows-feature-update-end-user-exp.md + - name: Microsoft 365 Apps for enterprise + href: operate/windows-autopatch-microsoft-365-apps-enterprise.md + - name: Microsoft Edge + href: operate/windows-autopatch-edge.md + - name: Microsoft Teams + href: operate/windows-autopatch-teams.md + - name: Policy health and remediation + href: operate/windows-autopatch-policy-health-and-remediation.md - name: Maintain the Windows Autopatch environment href: operate/windows-autopatch-maintain-environment.md - name: Submit a support request @@ -104,6 +164,8 @@ href: references/windows-autopatch-microsoft-365-policies.md - name: Changes made at tenant enrollment href: references/windows-autopatch-changes-to-tenant.md + - name: Windows Autopatch groups public preview addendum + href: references/windows-autopatch-groups-public-preview-addendum.md - name: What's new href: items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 55898ea671..f511e6481b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md 
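Review bot: Under the new "Windows Autopatch groups experience" subtree, every added href uses the `operate/windows-autopatch-groups-*` naming except "Windows quality and feature update device alerts", which points at `operate/windows-autopatch-device-alerts.md`; confirm this is intended rather than a missed rename. "Policy health and remediation" (`operate/windows-autopatch-policy-health-and-remediation.md`) is added under the Classic experience node at the same level as Microsoft Teams, which hides it from readers following the groups experience if it applies to both. None of the new hrefs are part of this diff, so please check that each resolves before merge.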
@@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides an overview on how to register devices in Autopatch -ms.date: 10/5/2022 +ms.date: 05/08/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
@@ -18,19 +18,21 @@ Windows Autopatch must [register your existing devices](windows-autopatch-regist The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset. -The overall device registration process is: +The overall device registration process is as follows: :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png"::: -1. IT admin reviews [Windows Autopatch device registration pre-requisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch. -2. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group. -1. Windows Autopatch then: +1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch. +2. IT admin identifies devices to be managed by Windows Autopatch through either adding: + 1. The devices into the Windows Autopatch Device Registration (classic) Azure Active Directory (AD) group. + 2. Device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md). +3. Windows Autopatch then: 1. Performs device readiness prior registration (prerequisite checks). - 1. Calculates the deployment ring distribution. - 1. Assigns devices to one of the deployment rings based on the previous calculation. - 1. Assigns devices to other Azure AD groups required for management. - 1. Marks devices as active for management so it can apply its update deployment policies. -1. 
IT admin then monitors the device registration trends and the update deployment reports. + 2. Calculates the deployment ring distribution. + 3. Assigns devices to one of the deployment rings based on the previous calculation. + 4. Assigns devices to other Azure AD groups required for management. + 5. Marks devices as active for management so it can apply its update deployment policies. +4. IT admin then monitors the device registration trends and the update deployment reports. For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process. @@ -43,14 +45,14 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | Step | Description | | ----- | ----- | | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | -| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | -| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | +| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using the:
    • [Classic device registration method](../deploy/windows-autopatch-register-devices.md#classic-device-registration-method), or
    • Adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
    | +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
        1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
        2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
    | | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | -| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    | +| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Azure AD groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    4. Then the second deployment ring set, the software updates-based deployment ring set represented by the following Azure AD groups:
      • **Windows Autopatch - Ring1**
        • The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
      • **Windows Autopatch - Ring2**
      • **Windows Autopatch - Ring3**
    | | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. **Modern Workplace Devices - Virtual Machine**
      1. This group has all **virtual devices** managed by Windows Autopatch.
      | -| **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | -| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
        | +| **Step 8: Post-device registration** | In post-device registration, three actions occur:
        1. Windows Autopatch adds devices to its managed database.
        2. Flags devices as **Active** in the **Registered** tab.
        3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
          1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
          | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.
          1. If the device was **successfully registered**, the device shows up in the **Registered** tab.
          2. If **not**, the device shows up in the **Not registered** tab.
          | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram 
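Review bot: Step 6's software updates-based ring list is incomplete and inconsistent with the "Windows Autopatch deployment rings" section added further down in this same file: here the set is given as Ring1, Ring2 and Ring3 only, while the later table enumerates five groups (Test, Ring1, Ring2, Ring3, Last), and the Test-ring caveat is nested under Ring1 and speaks of "Azure AD groups" in the plural for a single group. Suggest listing all five groups here and moving the "doesn't automatically assign devices to the Test ring" sentence to its own item so it isn't read as a property of Ring1 (the same nesting problem exists in the service-based list above, where the note sits under a ring rather than under Test). Group names also switch between a hyphen (`Windows Autopatch - Test`) in this hunk and an en dash (`Windows Autopatch – Test`) in the later section; admins locate these groups by name and the page warns against touching them, so the spelling should match the objects the service actually creates. Minor: "when certain conditions apply" in Step 7 is vague given that the first group is defined as all managed devices; say what the condition for the Virtual Machine group is. The Ready -> Registered tab rename in Steps 8 and 9 matches the "Registered" tab used by the new content, so that part looks right.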
@@ -58,3 +60,121 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed. :::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png"::: + +## Windows Autopatch deployment rings + +During the tenant enrollment process, Windows Autopatch creates two different deployment ring sets: + +- [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings) +- [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings) + +The following four Azure AD assigned groups are used to organize devices for the service-based deployment ring set: + +| Service-based deployment ring | Description | +| ----- | ----- | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters. 
| +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | + +The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition): + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +| Software updates-based deployment ring | Description | +| ----- | ----- | +| Windows Autopatch - Test | Deployment ring for testing software updates-based deployments prior production rollout. | +| Windows Autopatch - Ring1 | First production deployment ring for early adopters. | +| Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. | +| Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. | +| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it’s well tested with early and general populations in an organization. | + +In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout. + +> [!CAUTION] +> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings). + +> [!IMPORTANT] +> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch – Test and Windows Autopatch – Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. + +During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization. 
+ +The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. + +> [!NOTE] +> You can't create additional deployment rings or use your own rings for devices managed by the Windows Autopatch service. + +## Default deployment ring calculation logic + +The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings): + +- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. + +> [!NOTE] +> You can customize the deployment ring calculation logic by editing the Default Autopatch group. + +| Deployment ring | Default device balancing percentage | Description | +| ----- | ----- | ----- | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
          • **0–500** devices: minimum **one** device.
          • **500–5000** devices: minimum **five** devices.
          • **5000+** devices: minimum **50** devices.
          Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

          This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

          Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

          The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

          | +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| +| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | + +## Software update-based to service-based deployment ring mapping + +There’s a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don’t yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge. + +| If moving a device to | The device also moves to | +| ----- | ----- | +| Windows Autopatch – Test | Modern Workplace Devices-Windows Autopatch-Test | +| Windows Autopatch – Ring1 | Modern Workplace Devices-Windows Autopatch-First | +| Windows Autopatch – Ring2 | Modern Workplace Devices-Windows Autopatch-Fast | +| Windows Autopatch – Ring3 | Modern Workplace Devices-Windows Autopatch-Broad | +| Windows Autopatch – Last | Modern Workplace Devices-Windows Autopatch-Broad | + +If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, ``. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**. + +## Moving devices in between deployment rings + +If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab. 
+ +> [!IMPORTANT] +> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**. + +**To move devices in between deployment rings:** + +> [!NOTE] +> You can only move devices to other deployment rings when they're in an active state in the **Registered** tab. + +1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane. +1. In the **Windows Autopatch** section, select **Devices**. +1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. +1. Select **Device actions** from the menu. +1. Select **Assign ring**. A fly-in opens. +1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending. +1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. + +If you don't see the Ring assigned by column change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. 
To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: + +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process. + +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test and Windows Autopatch – Last** rings). | +| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. 
| + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions don’t assign or remove devices to or from the following deployment rings:
        4. **Modern Workplace Devices-Windows Autopatch-Test**
        5. **Windows Autopatch – Test**
        6. **Windows Autopatch – Last**
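Review bot: The "Default deployment ring calculation logic" table contradicts the bullet list right above it: the bullets give First 5% / Fast 15% / Broad 80% for tenants with ≤ 200 devices and 1% / 9% / 90% above that, but the table's First and Fast rows show only **1%** and **9%** while the Broad row says "Either **80%** or **90%**". Either the First and Fast rows should read "Either **5%** or **1%**" and "Either **15%** or **9%**", or the table should say it describes the >200 case. In "Moving devices in between deployment rings", the follow-up paragraph tells the reader to look for **Pending** "in Step 5", but the step that saves the ring and flips the column to Pending is the sixth step, and the WARNING names the action **Assign device to ring** while the procedure calls it **Assign ring**; align both with the actual UI label. A placeholder survived in the mapping section: "For example, ``. The devices will be moved to..." has an empty code span where the example was meant to go, and the sentence starting "If your Autopatch groups have more than five deployment rings, and you must move devices..." is not a complete sentence. Smaller fixes: "prior production rollout" -> "prior to production rollout" (twice), the Test ring size bands "0–500" and "500–5000" overlap at 500, the quoted error message in the IMPORTANT block is missing its closing quotation mark, and "**Windows Autopatch – Test and Windows Autopatch – Last**" bolds the "and" along with the group names. One caveat worth stating in "Automated deployment ring remediation functions": both remediators change membership *randomly* every hour, so the reader should be told whether an admin-assigned ring (the "Ring assigned by: Admin" state introduced earlier on the page) is honored by the multi-ring remediator, or whether a device the admin moved to Ring1 can be randomly pulled back; as written, the move procedure and the remediation text read as if they can fight each other, and the hourly random assignment also appears to bypass the balancing percentages described above it.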
        7. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md new file mode 100644 index 0000000000..9831d4850d --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -0,0 +1,230 @@ +--- +title: Manage Windows Autopatch groups +description: This article explains how to manage Autopatch groups +ms.date: 05/11/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Manage Windows Autopatch groups (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. + +Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). + +## Autopatch groups prerequisites + +Before you start managing Autopatch groups, ensure you’ve met the following prerequisites: + +- Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization. +- Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant: + - Modern Workplace Update Policy [Test]-[Windows Autopatch] + - Modern Workplace Update Policy [First]-[Windows Autopatch] + - Modern Workplace Update Policy [Fast]-[Windows Autopatch] + - Modern Workplace Update Policy [Broad]-[Windows Autopatch] +- Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant: + - Windows Autopatch – DSS Policy [Test] + - Windows Autopatch – DSS Policy [First] + - Windows Autopatch – DSS Policy [Fast] + - Windows Autopatch – DSS Policy [Broad] +- Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups. 
**Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly. + - Modern Workplace Devices-Windows Autopatch-Test + - Modern Workplace Devices-Windows Autopatch-First + - Modern Workplace Devices-Windows Autopatch-Fast + - Modern Workplace Devices-Windows Autopatch-Broad + - Windows Autopatch – Test + - Windows Autopatch – Ring1 + - Windows Autopatch – Ring2 + - Windows Autopatch – Ring3 + - Windows Autopatch – Last +- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups. + - For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups. +- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to: + - Read device attributes to successfully register devices. + - Manage all configurations related to the operation of the service. +- Make sure that all device-based Azure AD groups you intend to use with Autopatch groups are created prior to using the feature. + - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. 
This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**. +- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly. + +> [!TIP] +> [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies). + +> [!NOTE] +> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available. + +## Create a Custom Autopatch group + +> [!NOTE] +> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +**To create a Custom Autopatch group:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, select **Autopatch groups (preview)**. +1. Only during the public preview: + 1. 
Review the [Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md) and the [Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md). + 1. Select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Autopatch groups. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites). +1. In the **Autopatch groups** blade, select **Create**. +1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**. + 1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created. +1. In **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Custom Autopatch group. +1. Each new deployment ring added must have either an Azure AD device group assigned to it, or an Azure AD group that is dynamically distributed across your deployments rings using defined percentages. + 1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Azure AD groups to be used for Dynamic group distribution. + 1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either: + 1. Enter the percentage of devices that should be added from the Azure AD groups selected in step 9. The percentage calculation for devices must equal to 100%, or + 1. Select **Apply default dynamic group distribution** to use the default values. +1. In the **Assigned group** column, select **Add group to ring** to add an existing Azure AD group to any of the defined deployment rings. 
The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution. +1. Select **Next: Windows Update settings**. +1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../operate/windows-autopatch-windows-update.md). Select **Save**. +1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**. +1. Select **Review + create** to review all changes made. +1. Once the review is done, select **Create** to save your custom Autopatch group. + +> [!CAUTION] +> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom). + +> [!IMPORTANT] +> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. + +## Edit the Default or a Custom Autopatch group + +**To edit either the Default or a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. +1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can’t** modify the name. Once the description is modified, select **Next: Deployment rings**. +1. 
Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. +1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. +1. Select **Review + create** to review all changes made. +1. Once the review is done, select **Save** to finish editing the Autopatch group. + +> [!IMPORTANT] +> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. + +## Delete a Custom Autopatch group + +You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. + +**To delete a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Delete** for the Custom Autopatch group you want to delete. +1. Select **Yes** to confirm you want to delete the Custom Autopatch group. + +> [!CAUTION] +> You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. + +## Manage device conflict scenarios when using Autopatch groups + +> [!IMPORTANT] +> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. +> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). 
+ +Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. + +Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. + +> [!CAUTION] +> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom). + +### Device conflict in deployment rings within an Autopatch group + +Autopatch groups uses the following logic to solve device conflicts on your behalf within an Autopatch group: + +| Step | Description | +| ----- | ----- | +| Step 1: Checks for the deployment ring distribution type (**Assigned** or **Dynamic**) that the device belongs to. | For example, if a device is part of one deployment ring with **Dynamic** distribution (Ring3), and one deployment ring with **Assigned** distribution (Test,) within the same Autopatch group, the deployment ring with **Assigned** distribution (Test) takes precedence over the one with the **Dynamic** distribution type (Ring3). 
| +| Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. | + +> [!IMPORTANT] +> When a device belongs to a deployment ring that has combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that have combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order. + +### Device conflict across different Autopatch groups + +Device conflict across different deployment rings in different Autopatch groups may occur, review the following examples about how the Windows Autopatch services handles the following scenarios: + +#### Default to Custom Autopatch group device conflict + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.

          However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.

          | Autopatch groups automatically resolve this conflict on your behalf.

          In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.

          | + +#### Custom to Custom Autopatch group device conflict + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.

          Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.

          | + +#### Device conflict prior device registration + +When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service. + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.

          Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.

          | + +#### Device conflict post device registration + +Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. + +## Known issues + +This section lists known issues with Autopatch groups during its public preview. + +### Device conflict scenarios when using Autopatch groups + +- **Status: Active** + +The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. + +- Default to Custom Autopatch device conflict detection and resolution. +- Device conflict detection and resolution within an Autopatch group. +- Custom to Custom Autopatch group device conflict detection. + +> [!TIP] +> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: +> +> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. 
+> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. + +### Autopatch group Azure AD group remediator + +- **Status: Active** + +The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available during public preview. + +> [!NOTE] +> The Autopatch group remediator won't remediate the service-based deployment rings: +> +> - Modern Workplace Devices-Windows Autopatch-Test +> - Modern Workplace Devices-Windows Autopatch-First +> - Modern Workplace Devices-Windows Autopatch-Fast +> - Modern Workplace Devices-Windows Autopatch-Broad +> +> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups). + +### Rename an Autopatch group + +- **Status: Active** + +You can't rename an Autopatch group yet. The Autopatch group name is appended to all deployment ring names in the Autopatch group. Windows Autopatch is currently developing the rename feature. 
+ +> [!IMPORTANT] +> During the public preview, if you try to rename either the [Update rings](/mem/intune/protect/windows-10-update-rings) or [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies directly in the Microsoft Intune end-user experience, the policy names are reverted back to the name defined by the Autopatch group end-user experience interface. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md new file mode 100644 index 0000000000..730fc16ec4 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md @@ -0,0 +1,253 @@ +--- +title: Windows Autopatch groups overview +description: This article explains what Autopatch groups are +ms.date: 05/03/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows Autopatch groups overview (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups helps organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions. + +## What are Windows Autopatch groups? + +Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates). + +## Key benefits + +Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. Key benefits include: + +| Benefit | Description | +| ----- | ----- | +| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. | +| Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. | +| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. | +| Choosing the deployment cadence | You choose the right software update deployment cadence for your business. 
| + +## High-level architecture diagram overview + +:::image type="content" source="../media/windows-autopatch-groups-high-level-architecture-diagram.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-groups-high-level-architecture-diagram.png"::: + +Autopatch groups is a function app that is part of the device registration micro service within the Windows Autopatch service. The following table explains the high-level workflow: + +| Step | Description | +| ----- | ----- | +| Step 1: Create an Autopatch group | Create an Autopatch group. | +| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:
          • Azure AD groups
          • Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.
          | +| Step 3: Intune assigns software update policies | Once Azure AD groups are created in the Azure AD service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. | +| Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for:
          • Delivering those update policies
          • Retrieving update deployment statuses back from devices
          • Sending back the status information to Microsoft Intune, and then to the Windows Autopatch service
          | + +## Key concepts + +There are a few key concepts to be familiar with before using Autopatch groups. + +### About the Default Autopatch group + +> [!NOTE] +> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +The Default Autopatch group uses Windows Autopatch’s default update management process recommendation. The Default Autopatch group contains: + +- A set of **[five deployment rings](#default-deployment-ring-composition)** +- A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). + +The Default Autopatch group is intended to serve organizations that are looking to: + +- Enroll into the service +- Align to Windows Autopatch’s default update management process without requiring additional customizations. + +The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it. + +#### Default deployment ring composition + +By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Azure AD assigned groups, are used: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +**Windows Autopatch – Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch – Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types. 
+ +> [!TIP] +> For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions. + +> [!CAUTION] +> These and other Azure AD assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly. + +The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses. + +#### Default update deployment cadences + +The Default Autopatch group provides a default update deployment cadence for its deployment rings except for the **Last** (fifth) deployment ring. + +##### Update rings policy for Windows 10 and later + +Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group. 
See the following default policy values: + +| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | +| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | +| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes | + +##### Feature update policy for Windows 10 and later + +Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values: + +| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring2] | Windows Autopatch - Ring2 | Windows 10 20H2 | Make update available as 
soon as possible | December 14, 2022 | December 21, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring3] | Windows Autopatch - Ring3 | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Last] | Windows Autopatch - Last | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | + +### About Custom Autopatch groups + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +Custom Autopatch groups are intended to help organizations that require a more precise representation of their organization's structures along with their own update deployment cadence in the service. + +By default, a Custom Autopatch group has the Test and Last deployment rings automatically present. For more information, see [Test and Last deployment rings](#about-the-test-and-last-deployment-rings). + +### About deployment rings + +Deployment rings make it possible for an Autopatch group to have software update deployments sequentially delivered in a gradual rollout within the Autopatch group. + +Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups: + +| Deployment ring distribution | Description | +| ----- | ----- | +| Dynamic | You can use one or more device-based Azure AD groups, either dynamic query-based or assigned to use in your deployment ring composition.

          Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.

          | +| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. | +| Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.

          The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.

          | + +#### About the Test and Last deployment rings + +Both the **Test** and **Last** deployment rings are default deployment rings that are automatically present in the Default Autopatch group and Custom Autopatch groups. These default deployment rings provide the recommended minimum number of deployment rings that an Autopatch group should have. + +If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. + +> [!IMPORTANT] +> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch. + +> [!TIP] +> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported. + +#### Service-based versus software update-based deployment rings + +Autopatch groups creates two different layers. Each layer contains its own deployment ring set. + +> [!IMPORTANT] +> Both service-based and software update-based deployment ring sets are, by default, assigned to devices that successfully register with Windows Autopatch. 
+ +##### Service-based deployment rings + +The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service. + +The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups cannot be deleted or renamed: + +- Modern Workplace Devices-Windows Autopatch-Test +- Modern Workplace Devices-Windows Autopatch-First +- Modern Workplace Devices-Windows Autopatch-Fast +- Modern Workplace Devices-Windows Autopatch-Broad + +> [!CAUTION] +> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

          Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

          + +##### Software-based deployment rings + +The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. + +The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups cannot be deleted or renamed: + +- Windows Autopatch - Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +> [!IMPORTANT] +> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. + +> [!CAUTION] +> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

          Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

          + +### About device registration + +Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service. + +## Common ways to use Autopatch groups + +The following are three common uses for using Autopatch groups. + +### Use case #1 + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.

          Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s pre-communicated to your end-users.

          | If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.

          The Default Autopatch group is pre-configured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.

          The following is a visual representation of a gradual rollout for the Default Autopatch group pre-configured and fully managed by the Windows Autopatch service.

          | + +:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: + +### Use case #2 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units, for example, the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and subsequently for the business.

          The following is a visual representation of a gradual rollout for Contoso’s Finance department.

          | + +:::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: + +> [!IMPORTANT] +> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. + +### Use case #3 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.

          The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.

          | + +:::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png"::: + +> [!IMPORTANT] +> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. + +## Supported configurations + +The following configurations are supported when using Autopatch groups. + +### Software update workloads + +Autopatch groups works with the following software update workloads: + +- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) +- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) + +> [!IMPORTANT] +> [Microsoft Edge](../operate/windows-autopatch-edge.md) and [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) are supported through the (classic) service-based deployment rings. Other software update workloads aren’t currently supported. + +### Maximum number of Autopatch groups + +Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings. + +> [!TIP] +> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out. + +To manage your Autopatch groups, see [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 209062f4b0..55ddc49938 100644 
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 04/24/2023 +ms.date: 05/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
@@ -20,14 +20,25 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: -- [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) -- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) -- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) -- [Microsoft Edge updates](../operate/windows-autopatch-edge.md) -- [Microsoft Teams updates](../operate/windows-autopatch-teams.md) +- Windows quality updates + - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md) + - [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) +- Windows feature updates + - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-feature-update-overview.md) + - [Classic experience](../operate/windows-autopatch-windows-feature-update-overview.md) +- The following software update workloads use the Classic experience: + - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) + - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) + - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) ### About the use of an Azure AD group to register devices +Windows Autopatch provides two methods of registering devices with its service, the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method. 
+ +#### Classic device registration method + +This method is intended to help organizations that don’t require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to register devices. + You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: - Direct membership 
@@ -36,17 +47,31 @@ You must choose what devices to manage with Windows Autopatch by adding them to Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. -> [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. +You can also use the **Discover devices** button in either the Registered or Not ready tab to register devices on demand. The **Discover devices** button scans for devices to be registered in the **Windows Autopatch Device Registration** or any other Azure AD group used with either the Default or Custom Autopatch groups. -#### Supported scenarios when nesting other Azure AD groups +#### Windows Autopatch groups device registration method + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +This method is intended to help organizations that require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). + +When you either create/edit a Custom Autopatch group or edit the Default Autopatch group to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. + +If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group. + +For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method. + +##### Supported scenarios when nesting other Azure AD groups Windows Autopatch also supports the following Azure AD nested group scenarios: Azure AD groups synced up from: -- On-premises Active Directory groups (Windows Server AD). -- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). +- On-premises Active Directory groups (Windows Server AD) +- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync) + +The Azure AD groups apply to both the [Classic](#classic-device-registration-method) and the [Autopatch group device registration](#windows-autopatch-groups-device-registration-method) methods. 
> [!WARNING] > It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group. @@ -63,10 +88,13 @@ In the dual state, you end up having two Azure AD device records with different It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices). > [!WARNING] -> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices are not enrolled into the Intune service anymore. +> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore. ## Prerequisites for device registration +> [!IMPORTANT] +> The following prerequisites apply to both the [Classic](#classic-device-registration-method) and the [Autopatch groups device registration](#windows-autopatch-groups-device-registration-method) methods. + To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). 
@@ -88,26 +116,29 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready, Not ready and Not registered tabs +## About the Registered, Not ready and Not registered tabs -Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so IT admin knows where to go to monitor, and fix potential device health issues. +> [!IMPORTANT] +> Devices registered through either the [Classic](#classic-device-registration-method) or the [Autopatch groups device registration method](#windows-autopatch-groups-device-registration-method) can appear in the Registered, Not ready, or Not registered tabs. When devices successfully register with the service, the devices are listed in the Registered tab. However, even if the device(s)is successfully registered, they can be part of Not ready tab. If devices fail to register, the devices are listed in the Not registered tab. + +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so the IT admin knows where to go to monitor, and fix potential device health issues. | Device blade tab | Purpose | Expected device readiness status | | ----- | ----- | ----- | -| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Registered | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | | Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. 
However, these devices aren't ready to have one or more software update workloads managed by the service. | Readiness failed and/or Inactive | -| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Prerequisites failed | ## Device readiness statuses -See all possible device readiness statuses in Windows Autopatch: +The following are the possible device readiness statuses in Windows Autopatch: | Readiness status | Description | Device blade tab | | ----- | ----- | ----- | -| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Registered | | Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | | Inactive | Devices with this status haven't communicated with Microsoft Intune in the last 28 days. 
| Not ready | -| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | +| Prerequisites failed | Devices with this status haven't passed one or more prerequisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -120,7 +151,7 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process: -| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | +| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions | | ----- | ----- | ----- | ----- | ----- | ----- | | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes | | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No | 
@@ -133,30 +164,36 @@ If you want to assign less-privileged user accounts to perform specific tasks in Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. +2. Assign devices to the [two deployment ring sets](../deploy/windows-autopatch-groups-overview.md#about-deployment-rings) and other groups required for software update management. For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). -## Steps to register devices +## Steps to register devices using the classic method + +> [!IMPORTANT] +> For more information, see [Create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [Edit Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) on how to register devices using the Autopatch groups device registration method. + +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. + +For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). 
-Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. -**To register devices with Windows Autopatch:** +**To register devices with Windows Autopatch using the classic method:** 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. -4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Registered** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. 
Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Registered tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Registered** and **Not registered** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. +> You can also use the **Discover Devices** button in either one of the **Registered**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads 
@@ -177,11 +214,14 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). +> [!IMPORTANT] +> Starting in May 2023, Windows 365 Cloud PC devices are assigned to two deployment ring sets, the service-based and the software-based deployment rings. Additionally, once registered with Windows Autopatch, Windows 365 Cloud PC devices are automatically added to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). For more information, see [service-based versus software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings). + ### Windows Autopatch on Azure Virtual Desktop workloads -Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing [device registration process](#steps-to-register-devices). +Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process. -Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. +Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices-using-the-classic-method). 
However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. #### Prerequisites @@ -199,7 +239,7 @@ The following Azure Virtual Desktop features aren’t supported: #### Deploy Autopatch on Azure Virtual Desktop -Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices). For more information, see [Register your devices](#steps-to-register-devices). +Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices-using-the-classic-method). For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the **Name** prefix defined in your session host, but **exclude** any Multi-Session Session Hosts. For example: diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png new file mode 100644 index 0000000000..44580586e9 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png differ diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png new file mode 100644 index 0000000000..73a32e8635 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png differ 
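Review bot: in the new intro under `### About the use of an Azure AD group to register devices`, only one of the two methods is linked: `the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method`. Link the second one to `#windows-autopatch-groups-device-registration-method` (the heading added in the following hunk and already used as an anchor by the prerequisites note) and make it `methods`, so the sentence actually points readers at both sections it introduces.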
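Review bot: the paragraph replacing the removed NOTE says the **Discover devices** button is `in either the Registered or Not ready tab`, but the TIP in the `Steps to register devices using the classic method` hunk lists it in the **Registered**, **Not ready**, or **Not registered** tabs; pick one list and use it in both places, and bold the tab names here as they are everywhere else on the page. In the same hunk, `##### Supported scenarios when nesting other Azure AD groups` is demoted to a sub-heading of `#### Windows Autopatch groups device registration method`, while the sentence added at its end says the nested-group scenarios `apply to both the [Classic] and the [Autopatch group device registration] methods`; keep it at `####` as a sibling of the two method sections so the structure matches that statement.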
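Review bot: the unchanged context line at the top of the `@@ -63,10 +88,13 @@` hunk carries a typo in link text, `[How To: Manage state devices in Azure AD]`; it should read `stale devices`, matching the sentence around it and the target article, and is worth fixing while the WARNING directly below it is being reworded.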
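Review bot: the new IMPORTANT note above the tabs table has a missing space and an awkward clause: `even if the device(s)is successfully registered, they can be part of Not ready tab`. Suggest `even if a device is successfully registered, it can still appear in the Not ready tab`, with the tab names bolded as they are in the table. The rest of the note restates the table's Purpose column; only the registered-but-still-Not-ready point adds information, so consider keeping just that sentence.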
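Review bot: moving the registration paragraph under `## Steps to register devices using the classic method` drops its last sentence, `Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group ...`, so the page now states only the exception for new Cloud PCs and no longer says that existing ones can be added to the group. Restore it (with `Azure group` corrected to `Azure AD group`) unless the removal is intentional. Two smaller points in the same hunk: the `> [!IMPORTANT]` that only cross-references the Autopatch groups articles is a NOTE, not a warning; and the re-added NOTE keeps `when there's no devices registered`, which should be `when there are no devices registered`.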
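Review bot: in the Azure Virtual Desktop section, `using the existing [device registration process](#steps-to-register-devices)` becomes `using the existing device registration process` with the link removed, while the next sentence is re-pointed to `#steps-to-register-devices-using-the-classic-method`. Re-point this link to the same renamed anchor instead of dropping it; otherwise the first mention of the process in that section has no navigation, and the `Deploy Autopatch on Azure Virtual Desktop` hunk shows the same anchor rename done correctly.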
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png new file mode 100644 index 0000000000..259dcafcdf Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png differ diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png new file mode 100644 index 0000000000..fe35744633 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png differ diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png new file mode 100644 index 0000000000..bd2b2ec92c Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png index a2e0785741..f77684b8c4 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ 
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index f5a8284a8c..abd0c884b1 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png new file mode 100644 index 0000000000..1be4b61b37 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png deleted file mode 100644 index 17b51a71f8..0000000000 Binary files a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png and /dev/null differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md new file mode 100644 index 0000000000..fe0551604d --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md 
@@ -0,0 +1,103 @@ +--- +title: Device alerts +description: Provide notifications and information about the necessary steps to keep your devices up to date. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Device alerts (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information will help you understand: + +- The action(s) that have either been performed by Microsoft and/or Windows Autopatch to keep the device properly updated. +- The actions you must perform so the device can properly be updated. + +> [!NOTE] +> At any given point, one or both of these actions can be present in your tenant. + +## Windows Autopatch alerts + +Windows Autopatch alerts are alerts specific to the Windows Autopatch service. These alerts include: + +- [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) +- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) + +## Windows quality and feature update alerts + +These alerts represent data reported to the Windows Update service related to Windows quality and feature updates. These alerts can help identify actions that must be performed if an update doesn't apply as expected. Alerts are only provided by device that actively reports to the Windows Update service. + +## Customer and Microsoft Actions + +Windows Autopatch assigns alerts to either Microsoft Action or Customer Action. These assignments give a clear understanding of who has the responsibility to remediate the alert. + +| Assignment | Description | +| ----- | ----- | +| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. The actions are performed by Windows Autopatch automatically. 
| +| Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. | + +## Alert resolutions + +Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md) + +| Alert message | Description | Windows Autopatch recommendation(s) | +| ----- | ----- | ----- | +| `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.

          It's recommended to work with the end user to allow updates to execute as scheduled.

          | +| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt.

          It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).

          | +| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.

          For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

          Check that the MSA Service is running or able to run on device.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

          For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

          For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

          | +| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

          | +| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

          Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).

          If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

          Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

          For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | +| `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

          For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

          | +| `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

          For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

          | +| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service has reported the client has hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). | +| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Windows Update has reported that the update files couldn't be found, download the update again, and then retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service has reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.

          If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service has reported the update architecture doesn't match the destination architecture, make sure the target operating system architecture matches the host operating system architecture.

          This is **not** typical for Windows Update based environments.

          If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service has reported the servicing channel on the client isn't compatible with the targeted payload.

          We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).

          | +| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations, ensure no other service has a lock or handle on the windows update client folders and retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          | +| `InstalledCancelled` | The installation was canceled. | The Windows Update service has reported the update was canceled by the user.

          It's recommended to work with the end user to allow updates to execute as scheduled.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer might have tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations.

          Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.

          This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `InstallIssue` | There was an issue installing the update. | The Windows Update service has reported the update installation has failed.

          If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. | +| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.

          Restart Windows, then try the installation again.

          If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).

          | +| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | +| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.

          No action is required.

          If the update is still available, retry the installation.

          | +| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don’t** retry the installation until the impact is understood.

          For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

          | +| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.

          For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).

          | +| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.

          No action is necessary the update should retry when windows is available.

          If the alert persists, ensure the device remains on during Windows installation.

          | +| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.

          Confirm whether the device is on the intended version.

          | +| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.

          For more information, see [Windows boot issues – troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).

          | +| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. | +| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

          Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          | +| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

          Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.

          For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

          | +| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service has reported it couldn't decrypt the update payload.

          This alert could be a network transit error and may be resolved on its own. If the alert persists, validate any network Riverbeds, Application or http proxies and retry.

          | +| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service has reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.

          For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).

          | +| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service has reported an issue with the Update payload. This could be a transient alert.

          If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

          | + +## Additional resources + +- [Troubleshoot problems updating Windows](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c) +- [How to use the PC Health Check app](https://support.microsoft.com/windows/how-to-use-the-pc-health-check-app-9c8abd9b-03ba-4e67-81ef-36f37caa7844) +- [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md new file mode 100644 index 0000000000..fab7bbabbc --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -0,0 +1,213 @@ +--- +title: Manage Windows feature update releases +description: This article explains how you can manage Windows feature updates with Autopatch groups +ms.date: 05/05/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Manage Windows feature update releases: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +You can create custom releases for Windows feature update deployments in Windows Autopatch. + +## Before you begin + +Before you start managing custom Windows feature update releases, consider the following: + +- If you’re planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure: + - The Default Autopatch group has all deployment rings and deployment cadences you need. + - You have created all your Custom Autopatch groups prior to creating custom releases. +- Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites). +- Review the [Windows feature updates policy limitations](/mem/intune/protect/windows-10-feature-updates#limitations-for-feature-updates-for-windows-10-and-later-policy). + +## About the auto-populate automation for release phases + +By default, the deployment rings of each Autopatch group will be sequentially assigned to a phase. For example, the first deployment ring of each Autopatch group is assigned to Phase 1, and the second deployment ring of each Autopatch group is assigned to Phase 2, etc. + +The following table explains the auto-populating assignment of your deployments rights if you have two Autopatch groups. One Autopatch group is named Finance and the other is named Marketing; each Autopatch group has four (Finance) and five (Marketing) deployment rings respectively. + +| Phases | Finance | Marketing +| ----- | ----- | ----- | +| Phase 1 | Test | Test | +| Phase 2 | Ring1 | Ring1 | +| Phase 3 | Ring2 | Ring2 | +| Phase 4 | Last | Ring3 | + +If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release. + +If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases. 
+ +### More information about the completion date of a phase + +The goal completion date of a phase is calculated using the following formula: + +` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).` + +This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md). + +> [!IMPORTANT] +> By default, both the **Deadline for feature updates** and the **Grace period** values are set by Windows Autopatch in every [Update rings for Windows 10 and later policy](/mem/intune/protect/windows-10-update-rings) created by Autopatch groups. + +### How to use the Windows feature update blade + +Use the Windows feature update blade to check in the overall status of the [default release](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) and the custom ones you create. + +**To access the Windows feature update blade:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, under the **Release schedule** tab, select **Windows feature updates**. +1. In the **Windows feature updates** blade, you can see all the information about the releases. The columns are described in the following table: + +| Status | Description | +| ----- | ----- | +| Release name | Name of the release | +| Version to deploy | Version to deploy for the applicable release or phase | +| Status | Status of the applicable release or phase:
          • Scheduled
          • Active
          • Inactive
          • Paused
          • Canceled
          | +| First deployment |
          • The date the deployment for the applicable release or phase will begin.
          • Feature update policy for Windows 10 and later is created 24 hours prior to the first deployment date. The service automation runs twice a day at 4:00AM and 4:00PM (UTC).
          • Not all devices within a phase will be offered the feature update on the same date when using gradual rollout.
          | +| Goal completion date | The date the devices within the release or phases are expected to finish updating. The completion date is calculated using the following formula:

          ` + ( - 1) * Days in between groups (7) + Deadline for feature updates (5) + Grace Period (2)`

          | + +#### About release and phase statuses + +##### Release statuses + +A release is made of one or more phases. The release status is based on the calculation and consolidation of each phase status. + +The release statuses are described in the following table: + +| Release status | Definition | Options | +| ----- | ----- | ----- | +| Scheduled | Release is scheduled and not all phases have yet created its Windows feature update policies |
          • Releases with the **Scheduled status** can't be canceled but can have its deployment cadence edited as not all phases have yet created its Windows feature update policies.
          • Autopatch groups and its deployment rings that belong to a **Scheduled** release can't be assigned to another release.
          | +| Active | All phases in the release are active. This means all phases have reached their first deployment date, which created the Windows feature update policies. |
          • Release can be paused but can't be edited or canceled since the Windows feature update policy was already created for its phases.
          • Autopatch groups and their deployment rings can be assigned to another release.
          | +| Inactive | All the Autopatch groups within the release have been assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
          • Release can be viewed as a historical record.
          • Releases can't be deleted, edited, or canceled.
          | +| Paused | All phases in the release are paused. The release will remain paused until you resume it. |
          • Releases with Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.
          • Release can be resumed.
          | + +##### Phase statuses + +A phase is made of one or more Autopatch group deployment rings. Each phase reports its status to its release. + +> [!IMPORTANT] +> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are re-used as part of a new release. + +| Phase status | Definition | +| ----- | ----- | +| Scheduled | The phase is scheduled but hasn’t reached its first deployment date yet. The Windows feature update policy hasn’t been created for the respective phase yet. | +| Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. | +| Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. | +| Paused | Phase is paused. You must resume the phase. | + +#### Details about Windows feature update policies + +Windows Autopatch creates one Windows feature update policy per phase using the following naming convention: + +`Windows Autopatch – DSS policy – – Phase ` + +These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
+ +The following table is an example of the Windows feature update policies that were created for phases within a release: + +| Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy - My feature update release – Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 10, 2024 | +| Windows Autopatch - DSS Policy - My feature update release – Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 10, 2024 | +| Windows Autopatch - DSS Policy - My feature update release – Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 10, 2024 | +| Windows Autopatch - DSS Policy - My feature update release – Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 10, 2024 | +| Windows Autopatch - DSS Policy - My feature update release – Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 10, 2024 | + +## Create a custom release + +**To create a custom release:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, select **Release schedule**, then **Windows feature updates**. +1. In the **Windows feature updates** blade, select **New release**. +1. In the **Basics** page: + 1. Enter a **Name** for the custom release. + 2. Select the **Version** to deploy. + 3. Enter a **Description** for the custom release. + 4. Select **Next**. +1. 
In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next. +1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments. +1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you’re ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned. +1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can’t guarantee that the release will start at the current day given the UTC variance across the globe. + 1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow. + 2. Additionally, the formula for the goal completion date is ` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`. +1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**. + +## Edit a release + +> [!NOTE] +> Only custom releases that have the **Scheduled** status can be edited. A release phase can only be edited prior to reaching its first deployment date. Additionally, you can only edit the deployment dates when editing a release. + +**To edit a custom release:** + +1. 
Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release schedule** tab, select **Windows feature updates**. +1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > Edit to customize your gradual rollout of your feature updates release, then select **Save**. + 1. Only the release schedule can be customized when using the edit function. You can't add or remove Autopatch groups or modify the phase order when editing a release. +1. Select **Review + Create**. +1. Select **Apply** to save your changes. + +## Pause and resume a release + +> [!CAUTION] +> You should only pause and resume [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. + +> [!IMPORTANT] +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +**To pause or resume a release:** + +> [!NOTE] +> If you've paused an update, the specified release will have the **Paused** status. 
The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. The **Paused by Service Pause** status **only** applies to Windows quality updates. Windows Autopatch doesn't pause Windows feature updates on your behalf. + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release schedule** tab, select **Windows feature updates**. +1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Pause** or **Resume** to pause or resume your feature updates release. +1. Select a reason from the dropdown menu. +1. Optional. Enter details about why you're pausing or resuming the selected update. +1. If you're resuming an update, you can select one or more deployment rings. +1. Select **Pause deployment** or **Resume deployment** to save your changes. + +## Cancel a release + +> [!IMPORTANT] +> You can only cancel a release under the Scheduled status. You cannot cancel a release under the **Active**, **Inactive** or **Paused** statuses. + +**To cancel a release:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release schedule** tab, select **Windows feature updates**. +1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Cancel** to cancel your feature updates release. +1. Select a reason for cancellation from the dropdown menu. +1. Optional. Enter details about why you're pausing or resuming the selected update. +1. Select **Cancel deployment** to save your changes. 
+ +## Roll back a release + +> [!CAUTION] +> Do **not** use Microsoft Intune’s end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md). + +Windows Autopatch **doesn’t** support the rollback of Windows feature updates through its end-user experience flows. + +## Contact support + +If you’re experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md new file mode 100644 index 0000000000..e6730c53fb --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md @@ -0,0 +1,61 @@ +--- +title: Software update management for Autopatch groups +description: This article provides an overview of how updates are handled with Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: overview +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Software update management: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

          The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


          **To opt-in to use Windows Autopatch groups:**
          1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
          2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
          3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
          + +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. + +## Software update workloads + +| Software update workload | Description | +| ----- | ----- | +| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see:
          • [Windows Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
          • [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) | +| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see:
            • [Windows Autopatch groups experience](windows-autopatch-groups-windows-feature-update-overview.md)
            • [Classic experience](windows-autopatch-windows-feature-update-overview.md)
            | +| Anti-virus definition | Updated with each scan. | +| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). This software update workload uses the classic experience. | +| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). This software update workload uses the classic experience. | +| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). This software update workload uses the classic experience. | + +## Autopatch groups + +Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey. + +Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together. + +For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md). + +## Windows quality updates + +Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. + +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. For more information, see [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md). + +## Windows feature updates + +You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. 
+ +The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. + +For more information, see [Windows feature updates overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md). + +## Reports + +Using [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md), you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. + +## Policy health and remediation + +Windows Autopatch deploys Intune policies for Windows quality and feature update management. Windows Update policies must remain healthy for devices to receive Windows updates and stay up to date. We continuously monitor the health of the policies and raise alerts and provide remediation actions. For more information, see [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) and [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md new file mode 100644 index 0000000000..b49b0c5ba4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md 
@@ -0,0 +1,169 @@ +--- +title: Windows feature updates overview with Autopatch groups +description: This article explains how Windows feature updates are managed with Autopatch groups +ms.date: 05/03/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows feature updates overview: Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + +Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. + +Windows feature updates consist of: + +- Keeping Windows devices protected against behavioral issues. +- Providing new features to boost end-user productivity. + +Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. + +## Service level objective + +Windows Autopatch’s service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you. + +## Device eligibility criteria + +Windows Autopatch’s device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune’s device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites). + +> [!IMPORTANT] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. 
Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. + +## Key benefits + +- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. +- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version. + - Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization. +- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed. +- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for. +- Allows for scenarios where you can deploy a single release across several Autopatch groups and its deployment rings. + +## Key concepts + +- A release is made of one or more deployment phases and contains the required OS version to be gradually rolled out throughout its deployment phases. +- A phase (deployment phase) is made of one or more Autopatch group deployment rings. A phase: + - Works as an additional layer of deployment cadence settings that can be defined by IT admins (only for Windows feature updates) on top of Autopatch group deployment rings (Windows update rings policies). + - Deploys Windows feature updates across one or more Autopatch groups. 
+- There are three types of releases: + - Default + - Global + - Custom + +### Default release + +Windows Autopatch’s default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). + +> [!TIP] +> Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release). + +When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service. + +The policies: + +- Contain the minimum Windows 10 version currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum Windows OS version is **Windows 10 21H2**. +- Set a bare minimum Windows OS version required by the service once devices are registered with the service. + +If the device is registered with Windows Autopatch, and the device is: + +- Below the service's currently targeted Windows feature update, that device will be automatically upgraded to the service's target version when the device meets the [device eligibility criteria](#device-eligibility-criteria). +- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades available to that device. 
+ +#### Policy configuration for the default release + +If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): + +| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 10, 2024 | +| Windows Autopatch – DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 10, 2024 | + +> [!NOTE] +> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). + +### Global release + +Windows Autopatch’s global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). 
+ +There are two scenarios that the Global release is used: + +| Scenario | Description | +| ----- | ----- | +| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).

            A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.

            | +| Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).

            The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.

            | + +#### Policy configuration values + +See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): + +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 10, 2024 | + +> [!NOTE] +> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). + +### Differences between the default and global Windows feature update policies + +> [!IMPORTANT] +> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group’s deployment rings behind the scenes. + +The differences in between the global and the default Windows feature update policy values are: + +| Default Windows feature update policy | Global Windows feature update policy | +| ----- | ----- | +|
            • Set by default with the Default Autopatch group and assigned to Test, Ring1, Ring2, Ring3. The default policy isn't automatically assigned to the Last ring in the Default Autopatch group.
            • The Windows Autopatch service keeps its minimum Windows OS version updated following the recommendation of minimum Windows OS version [currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
            |
            • Set by default and assigned to all new deployment rings added as part of the Default Autopatch group customization.
            • Set by default and assigned to all deployment rings created as part of Custom Autopatch groups.
            + +### Custom release + +A custom release is the release that you create to tell Windows Autopatch how you want the service to manage Windows OS upgrades on your behalf. + +Custom releases gives you flexibility to do Windows OS upgrades on your pace, but still relying on Windows Autopatch to give you insights of how your OS upgrades are going and additional deployment controls through the Windows feature updates release management experience. + +When a custom release is created and assigned to Autopatch groups, either the default or global releases are unassigned to avoid feature update policy for Windows 10 and later conflicts. + +For more information on how to create a custom release, see [Manage Windows feature update release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release). + +### About Windows Update rings policies + +Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy – `. 
+ +The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases: + +| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | +| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | +| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes | + +> [!IMPORTANT] +> When you create a custom Windows feature update release, new Windows feature update policies are:
            • Created corresponding to the settings you defined while creating the release.
            • Assigned to the Autopatch group’s deployment rings you select to be included in the release.
            + +## Common ways to manage releases + +### Use case #1 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11’s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.
            Phases:
            • Set your organization’s deployment cadence.
            • Work like deployment rings on top of Autopatch group’s deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.

            See the following visual for a representation of Phases with custom releases. | + +:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png"::: + +### Use case #2 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. and your organization isn’t ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.

            However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.

            | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.

            If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).

            See the following visual for a representation of default releases.

            | + +:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png"::: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md new file mode 100644 index 0000000000..fc177682b7 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md @@ -0,0 +1,76 @@ +--- +title: Feature update status report +description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Feature update status report (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + +The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.  + +**To view the Feature update status report:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (preview)**. +1. Select the **Reports** tab. +1. Select **Feature update status**. + +## Report information + +### Default columns + +The following information is available as default columns in the Feature update status report: + +| Column name | Description | +| ----- | ----- | +| Device name | The name of the device. | +| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | +| Update status | The current update status for the device. For more information, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | +| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | +| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | +| Readiness | The device readiness evaluation status. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | +| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). 
| + +### Optional columns + +The following information is available as optional columns in the Feature update status report: + +| Column name | Description | +| ----- | ----- | +| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device | +| Serial number | The current Intune recorded serial number for the device | +| Intune last check in time | The last time the device checked in to Intune | +| Service State | The Service State provided from Windows Update | +| Service Substate | The Service Substate provided from Windows Update | +| Client State | The Client State provided from Windows Update | +| Client Substate | The Client Substate provided from Windows Update | +| Servicing Channel | The Servicing Channel provided from Windows Update | +| User Last Logged On | The last user who logged on as reported from Intune | +| Primary User UPN | The Primary User UPN as reported from Intune | +| Hex Error Code | The hex error provided from Windows Update | + +> [!NOTE] +> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Search | Use to search by device name, Azure AD device ID or serial number | +| Sort | Select the **column headings** to sort the report data in ascending and descending order. | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | +| Filter | Select either the **Add filters** or at the top of the report to filter the results. | +| Columns | Select a column to add or remove the column from the report. | 
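Review bot: the Filter row of the Report options table in windows-autopatch-groups-windows-feature-update-status-report.md is missing a word: "Select either the **Add filters** or at the top of the report to filter the results" names only one alternative after "either". Either name the second control or simplify to "Select **Add filters** at the top of the report to filter the results." Two smaller consistency points in the same file: the NOTE under Optional columns ends without a period ("might not display for all devices"), and the optional-column descriptions lack the terminal periods that the default-column descriptions carry.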
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md new file mode 100644 index 0000000000..63c6483b4d --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md @@ -0,0 +1,52 @@ +--- +title: Windows feature update summary dashboard +description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows feature update summary dashboard (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + +The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch. + +The first part of the summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused. + +**To view a generated summary dashboard for your Windows feature update deployments:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Reports** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Windows feature updates (preview)**. + +## Report information + +The following information is available in the summary dashboard: + +| Column name | Description | +| ----- | ----- | +| Release | The release name and its phases. For more information, see [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). | +| Version to deploy | The version being deployed to the device based on which Windows feature update release the device is assigned. | +| Device count | Total device count per Autopatch group or deployment ring. | +| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | +| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). 
| +| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. | +| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md new file mode 100644 index 0000000000..d6c6955600 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md 
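Review bot: two status links in the Report information table of windows-autopatch-groups-windows-feature-update-summary-dashboard.md point at the wrong anchor. The Paused row reads "see [Up to Date](#up-to-date-devices)" although Paused is a sub status documented under the "Up to Date sub statuses" heading that the In progress row already targets (`#up-to-date-sub-statuses`); the link text should be "Paused" and the anchor that one. The Not ready row links "[Not ready](...#not-up-to-date-devices)", but the reports overview added in this same change defines a separate "Not Ready devices" section, so the anchor should be `#not-ready-devices`. Also, "Total device counts reporting the In progress status" should be singular "count" like the neighbouring rows, and the "Not up to Date" row mixes "Not up to Date" and "Not Up to date" capitalisation within one line.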
@@ -0,0 +1,42 @@ +--- +title: Feature update trending report +description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Feature update trending report (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + +Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. + +**To view the Feature update trending report:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (public preview)**. +1. Select the **Reports** tab. +1. Select **Feature update trending**. + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | +| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. | +| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. | + +For a description of the displayed device status trends, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md new file mode 100644 index 0000000000..8f10b41042 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md 
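Review bot: the navigation step in windows-autopatch-groups-windows-feature-update-trending-report.md names the menu entry **Windows feature updates (public preview)**, whereas the feature update status report and summary dashboard pages in this same change call it **Windows feature updates (preview)**; pick the label that matches the admin center so the three articles agree. The NOTE is also awkwardly phrased ("This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page"); suggest "The time stamp at the top of the page shows when the trend was last generated."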
@@ -0,0 +1,109 @@ +--- +title: Windows quality and feature update reports overview with Windows Autopatch Groups experience +description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + +## Windows quality reports + +The Windows quality reports provide you with information about: + +Quality update device readiness +Device update health +Device update alerts +Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch. + +The Windows quality report types are organized into the following focus areas: + +| Focus area | Description | +| ----- | ----- | +| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.

            The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. | +| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. | + +## Windows feature update reports + +The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets. + +If update deployments aren’t successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue. + +The Windows feature update report types are organized into the following focus areas: + +| Focus area | Description | +| ----- | ----- | +| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. | +| Operational | The [Feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) provides a per device view of the current Windows OS update status for all devices registered with Windows Autopatch. | +| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. | + +## Who can access the reports? 
+ +Users with the following permissions can access the reports: + +- Global Administrator +- Intune Service Administrator +- Global Reader +- Services Support Administrator + +## About data latency + +The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours. + +## Windows quality and feature update statuses + +The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices: + +- [Up to Date devices](#up-to-date-devices) +- [Not up to Date devices](#not-up-to-date-devices) +- [Not Ready devices](#not-ready-devices) + +Each status has its own set of sub statuses to further describe the status. + +### Up to Date devices + +Up to date devices are devices that meet all of the following prerequisites: + +- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) +- [Windows quality and feature update device readiness](../deploy/windows-autopatch-post-reg-readiness-checks.md) +- [Post-device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) +- Have applied the current monthly cumulative updates + +> [!NOTE] +> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device’s status will change to [Not up to Date](#not-up-to-date-devices). 
+ +#### Up to Date sub statuses + +| Sub status | Description | +| ----- | ----- | +| In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. | +| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release management pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | + +### Not up to Date devices + +Not Up to Date means a device isn’t up to date when the: + +- Quality or feature update is out of date, or the device is on the previous update. +- Device is more than 21 days overdue from the last release. +- Device has an [alert](../operate/windows-autopatch-device-alerts.md) resulting in an error and action must be taken. + +### Not Ready devices + +Not Ready refers to the responsibility of the designated IT administrator to carry out the appropriate action to resolve the reported device sub status. + +Within each 24-hour reporting period, devices that are Not Ready are reevaluated using the [Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). + +## Data export + +Select **Export devices** to export data for each report type. Only selected columns will be exported. 
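Review bot: two Markdown structures in windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md will not render as intended. Under "The Windows quality reports provide you with information about:", the three items (Quality update device readiness, Device update health, Device update alerts) carry no list markers, so they collapse into one run-on paragraph together with the "Together, these reports ..." sentence; prefix each with "- " and leave a blank line after the list. In the quality reports focus-area table, the Organizational cell breaks onto a new line between the Summary dashboard sentence and the Quality update status report sentence, which terminates the table row; the feature update table further down uses separate Organizational and Operational rows, so the status report sentence most likely belongs in its own "| Operational |" row, and "provide the current update status summary" should read "provides". In the feature update table, the Device trends link text says "Quality update trending report" but targets windows-autopatch-groups-windows-feature-update-trending-report.md; it should read "Feature update trending report". Finally, the statuses intro says the statuses describe "the quality update status for devices" although the heading and the feature update reports use them as well; "quality and feature update status" matches the section title.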
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md new file mode 100644 index 0000000000..cd1653f964 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md @@ -0,0 +1,69 @@ +--- +title: Windows quality update communications for Autopatch groups +description: This article explains Windows quality update communications for Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: hathind +--- + +# Windows quality update communications: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            + + +There are three categories of communication that are sent out during a Windows quality and feature update: + +- [Standard communications](#standard-communications) +- [Communications during release](#communications-during-release) +- [Incident communications](#incident-communications) + +Communications are posted to, as appropriate for the type of communication, to the: + +- Message center +- Service health dashboard +- Windows Autopatch messages section of the Microsoft Intune admin center + +:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png"::: + +## Standard communications + +| Communication | Location | Timing | Description | +| ----- | ----- | ----- | ----- | +| Release schedule |
            • Messages blade
            • Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
              • | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. | +| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. | +| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. | + +### Opt out of receiving emails for standard communications + +> [!IMPORTANT] +> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback. + +If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out. + +**To opt out of receiving emails for standard communications:** + +1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**. +2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**. +3. Select the admin contact you want to opt out for. +4. Select **Edit Contact**. +5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane. +6. Select **Save** to apply the changes. + +## Communications during release + +The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information. + +There are some circumstances where Autopatch will need to change the release schedule based on new information. + +For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. 
If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information. + +## Incident communications + +Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md new file mode 100644 index 0000000000..25705531f4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md @@ -0,0 +1,69 @@ +--- +title: Windows quality update end user experience for Autopatch groups +description: This article explains the Windows quality update end user experience using the Autopatch groups exp +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Windows quality update end user experience: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.
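Review bot: the Release schedule row of the Standard communications table in windows-autopatch-groups-windows-quality-update-communications.md spreads its Location value over several lines ("• Messages blade", "• Email sent to your specified admin contacts", and a third, empty "•"), which breaks the Markdown table row and leaves a stray bullet; put both items in one cell separated by `<br>` (or as a single sentence) and drop the empty bullet. In the intro of the same file, "Communications are posted to, as appropriate for the type of communication, to the:" repeats "to"; drop the first occurrence.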

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +## User notifications + +In this section we'll review what an end user would see in the following three scenarios: + +1. Typical update experience +2. Quality update deadline forces an update +3. Quality update grace period + +> [!NOTE] +> The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification. + +### Typical update experience + +The Windows quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update. + +Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either: + +- Restart immediately to install the updates +- Schedule the installation, or +- Snooze the device will attempt to install outside of [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart). + +In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. + +:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png"::: + +### Quality update deadline forces an update + +In the following example, the user: + +- Ignores the notification and selects snooze. +- Further notifications are received, which the user ignores. +- The device is unable to install the updates outside of active hours. + +The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) and force a restart to complete the update installation. 
The user will receive a 15-minute warning, after which, the device will install the update and restart. + +:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png"::: + +### Quality update grace period + +In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on. + +Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. + +:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png"::: + +## Minimize user disruption due to updates + +Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached. + +Windows Autopatch understands the importance of not disrupting critical devices but also updating the devices quickly. If you wish to configure a specific installation time or [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart), use the [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md), and select the [**ScheduledInstall**](../operate/windows-autopatch-groups-windows-update.md#scheduled-install) option. 
Using this option removes the deadline enforced for a device restart. Devices with this configuration will also **not** be counted towards the [service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md new file mode 100644 index 0000000000..559e317784 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md @@ -0,0 +1,133 @@ +--- +title: Windows quality updates overview with Autopatch groups experience +description: This article explains how Windows quality updates are managed with Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows quality updates: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.
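Review bot: in windows-autopatch-groups-windows-quality-update-end-user-exp.md, the third option of the Typical update experience list, "Snooze the device will attempt to install outside of active hours", lacks punctuation between the action and its consequence; suggest "Snooze; the device will then attempt to install the update outside of active hours." In the deadline scenario, the lead-in "In the following example, the user:" is followed by items that are not user actions ("Further notifications are received", "The device is unable to install the updates"), so the list does not read grammatically; change the lead-in to "In the following example:" and make each item a full sentence. The two paragraphs under Minimize user disruption both open with "Windows Autopatch understands the importance of not disrupting ..."; the second can start directly with "If you wish to configure a specific installation time ...".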

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. + +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: + +| Policy | Description | +| ----- | ----- | +| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. | +| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | +| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. 
| + +For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md). + +> [!IMPORTANT] +> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). + +## Service level objective + +Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Note that devices that have cadence type set to Schedule install won't be eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence). 
+ +> [!IMPORTANT] +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. + +## Release management + +> [!NOTE] +> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). + +In the Release management blade, you can: + +- Track the [Windows quality update schedule](#release-schedule). +- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases). +- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases). + +### Release schedule + +For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains: + +- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf. +- The date the update is available. 
+- The target completion date of the update. +- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release. + +### Expedited releases + +Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release. + +When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly. + +| Release type | Group | Deferral | Deadline | Grace period | +| ----- | ----- | ----- | ----- | ----- | +| Expedited release | All devices | 0 | 1 | 1 | + +#### Turn off service-driven expedited quality update releases + +Windows Autopatch provides the option to turn off of service-driven expedited quality updates. + +By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune. + +**To turn off service-driven expedited quality updates:** + +1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. +2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting. + +> [!NOTE] +> Windows Autopatch doesn't allow customers to request expedited releases. 
+ +### Out of Band releases + +Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. + +For the deployment rings that have passed quality updates deferral date, the OOB release schedule will be expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs will be released as per the set deferral dates. + +**To view deployed Out of Band quality updates:** + +1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**. +2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab. + +> [!NOTE] +> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. + +### Pause and resume a release + +> [!CAUTION] +> You should only pause and resume [Windows quality](#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. + +The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. + +If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we may decide to pause that release. 
+ +> [!IMPORTANT] +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                + +**To pause or resume a Windows quality update:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, got to the **Release schedule** tab and select **Windows quality updates**. +1. Select the Autopatch group that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu. +1. Select a reason from the dropdown menu. +1. Optional. Enter details about why you're pausing or resuming the selected update. +1. If you're resuming an update, you can select one or more deployment rings. +1. Select **Okay**. + +The three following statuses are associated with paused quality updates: + +| Status | Description | +| ----- | ------ | +| Paused by Service | If the Windows Autopatch service has paused an update, the release will have the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. | +| Paused by Tenant | If you've paused an update, the release will have the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. | + +## Remediating Not ready and/or Not up to Date devices + +To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../operate/windows-autopatch-device-alerts.md). 
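Review bot: The paused-status table is introduced with "The three following statuses are associated with paused quality updates" but only two rows follow (Paused by Service, Paused by Tenant); either add the missing row or change the lead-in to "two". Several typos in this file: "got to the **Release schedule** tab" (go to), "Announcements abd OOB update schedules" (and), "turn off of service-driven expedited quality updates" (drop "of"), and "knowledge based articles" (knowledge base). The IMPORTANT note on conflicting deferral, deadline and grace period policies is one long run-on; split it after "ineligible for management". In "Turn off service-driven expedited quality update releases", state the trade-off the toggle implies: with expedited releases off, a security-critical update follows the ring's normal deferral and deadline cadence instead of the 0/1/1 schedule in the table above, so the tenant has to monitor those releases itself. Finally, the LTSC note links to ../operate/windows-autopatch-windows-quality-update-overview.md (the non-groups page) from inside the groups page; check whether it should point at this article instead.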
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md new file mode 100644 index 0000000000..556a292eb3 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md @@ -0,0 +1,62 @@ +--- +title: Windows quality update release signals with Autopatch groups +description: This article explains the Windows quality update release signals with Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: hathind +--- + +# Windows quality update signals: Windows Autopatch groups experience (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows. + +If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release. + +## Pre-release signals + +Before being released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences. + +| Pre-release signal | Description | +| ----- | ----- | +| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-groups-windows-quality-update-communications.md#communications-during-release) will be sent out. | +| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. | +| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. | + +## Early signals + +The update is released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) on the second Tuesday of the month. 
Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several Microsoft internal signals that are monitored throughout the release. + +| Device reliability signal | Description | Microsoft will | +| ----- | ----- | ----- | +| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |
                • Consider expediting the release
                • Update customers with a risk profile
                +| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. |
                • Determine if a customer advisory is necessary
                • Pause the release if there's significant user impact
                | +| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary | + +## Device reliability signals + +Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. + +The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version. + +As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update. + +Autopatch monitors the following reliability signals: + +| Device reliability signal | Description | +| ----- | ----- | +| Blue screens | These events are highly disruptive to end users. These events are closely monitored. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | +| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | +| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | + +When the update is released to the First ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. 
At this point in the release, we'll decide if we need to expedite the release schedule or pause for all customers. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md new file mode 100644 index 0000000000..4cd9aa18af --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md @@ -0,0 +1,79 @@ +--- +title: Quality update status report +description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Quality update status report (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.
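Review bot: In the signals file above, the "Early signals" table is headed "Device reliability signal" although it lists release signals (Security Risk Profile, B-Release internal and social signals) and a second table with the same heading follows under "Device reliability signals"; rename the first header to "Early signal". The bulleted items in the "Microsoft will" column ("Consider expediting the release", "Update customers with a risk profile", "Determine if a customer advisory is necessary", "Pause the release if there's significant user impact") span several source lines; Markdown table cells cannot, so join them with `<br>` if that is not already the case. "significant differences between the two Windows versions" has no antecedent for "the two"; say "between devices on the previous build and devices on the new update". Minor wording: "are seldom occurrences" reads better as "are rare".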

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices. + +**To view the Quality update status report:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. +1. Select the **Reports** tab. +1. Select **Quality update status**. + +> [!NOTE] +> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). + +## Report information + +### Default columns + +The following information is available as default columns in the Quality update status report: + +| Column name | Description | +| ----- | ----- | +| Device name | The name of the device. | +| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. | +| Update status | The current update status for the device. For more information, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). | +| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). | +| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). | +| Readiness | The device readiness evaluation status. 
For more information, see [Post registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). | +| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). | + +### Optional columns + +The following information is available as optional columns in the Quality update status report: + +| Column name | Description | +| ----- | ----- | +| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device | +| Serial number | The current Intune recorded serial number for the device | +| Intune last check in time | The last time the device checked in to Intune | +| Service State | The Service State provided from Windows Update | +| Service Substate | The Service Substate provided from Windows Update | +| Client State | The Client State provided from Windows Update | +| Client Substate | The Client Substate provided from Windows Update | +| Servicing Channel | The Servicing Channel provided from Windows Update | +| User Last Logged On | The last user who logged on as reported from Intune | +| Primary User UPN | The Primary User UPN as reported from Intune | +| Hex Error Code | The hex error provided from Windows Update | + +> [!NOTE] +> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Search | Use to search by device name, Azure AD device ID or serial number | +| Sort | Select the **column headings** to sort the report data in ascending and descending order. | +| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. 
| +| Filter | Select either the **Add filters** or at the top of the report to filter the results. | +| Columns | Select a column to add or remove the column from the report. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md new file mode 100644 index 0000000000..31ca5e6fac --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md @@ -0,0 +1,51 @@ +--- +title: Windows quality update summary dashboard +description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Windows quality update summary dashboard (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.
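Review bot: In the status report options table, the Filter row reads "Select either the **Add filters** or at the top of the report to filter the results", which is missing its second alternative; either name it or reduce to "Select **Add filters** at the top of the report". The NOTE after the optional columns table ends without a period ("might not display for all devices"). Since the optional columns include Azure AD device ID, serial number, User Last Logged On and Primary User UPN, the Export row should mention that the exported CSV contains device and user identity data and should be stored accordingly. The Hex Error Code description ("The hex error provided from Windows Update") would be more useful as "The Windows Update result code, in hex, for the last failed operation" so readers know what to look up.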

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch. + +**To view the current update status for all your enrolled devices:** + +1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**. + +> [!NOTE] +> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency). + +## Report information + +The following information is available in the summary dashboard: + +| Column name | Description | +| ----- | ----- | +| Autopatch group | The Autopatch group and deployment ring. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). | +| Device count | Total device count per Autopatch group or deployment ring. | +| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | +| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). 
| +| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). | +| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). | + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. | +| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md new file mode 100644 index 0000000000..935bb616af --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md 
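Review bot: In the summary dashboard "Report information" table, the Paused row says "For more information, see [Up to Date](...#up-to-date-devices)" and the Not ready row says "see [Not ready](...#not-up-to-date-devices)"; the link text and anchors do not match the status each row describes, so point them at the sections of the reports overview that actually cover the Paused and Not ready statuses. Also "Sign into the Microsoft Intune admin center" should be "Sign in to", and "Total device counts reporting the In progress status" should be singular "count" to match the other rows.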
@@ -0,0 +1,42 @@ +--- +title: Quality update trending report +description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups. +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: adnich +--- + +# Quality update trending report (public preview) + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days. + +**To view the Quality update trending report:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Quality update trending**. + +> [!NOTE] +> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. + +## Report options + +The following options are available: + +| Option | Description | +| ----- | ----- | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | +| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. | +| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. | + +For a description of the displayed device status trends, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md new file mode 100644 index 0000000000..7d03bd8c1e --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md 
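Review bot: The closing cross-reference in windows-autopatch-groups-windows-quality-update-trending-report.md is labelled "Windows quality update statuses" but its anchor is `#windows-quality-and-feature-update-statuses`; either align the link text with the target heading or confirm the heading exists under that exact slug, otherwise the link breaks silently. The [!NOTE] "This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page" has a dangling subject; suggest "The time stamp at the top of the page shows when the trend was last generated." In the Report options table, "Filter" says to select the filters "at the top of the report" and then "Generate trend", but the By percentage / By device count rows don't say whether they require regenerating the trend; one clause on that would save admins a round trip.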
@@ -0,0 +1,125 @@ +--- +title: Customize Windows Update settings Autopatch groups experience +description: How to customize Windows Updates with Autopatch groups +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: rekhanr +--- + +# Customize Windows Update settings: Autopatch groups experience (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback. + +> [!IMPORTANT] +> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                **To opt-in to use Windows Autopatch groups:**
                1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                + +You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance. + +When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). + +## Deployment cadence + +### Cadence types + +For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings: + +- [Deadline-driven](#deadline-driven) +- [Scheduled install](#scheduled-install) + +> [!NOTE] +> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update). + +#### Deadline-driven + +With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. 
+ +There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance. + +| Boundary | Description | +| ----- | ----- | +| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. | +| Grace period | The permitted customization range is zero to seven days. | + +> [!NOTE] +> The configured grace period will apply to both Windows quality updates and Windows feature updates. + +Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied. + +It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values. + +However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle. + +#### Scheduled install + +> [!NOTE] +>If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). + +While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. 
The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified. + +If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option. + +> [!NOTE] +> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type. + +Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours. + +##### Scheduled install types + +> [!NOTE] +> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.

                For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.

                + +The Scheduled install cadence has two options: + +| Option | Description | +| ----- | ----- | +| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.

                The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.

                +| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:
                • Weekly
                • Bi-weekly
                • Monthly

                Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.

                | + +> [!NOTE] +> Changes made in one deployment ring won't impact other rings in your tenant.

                Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.

                + +### User notifications + +In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: + +- Not configured +- Use the default Windows Update notifications +- Turn off all notifications excluding restart warnings +- Turn off all notifications including restart warnings + +For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings). + +## Customize the Windows Update deployment cadence + +> [!IMPORTANT] +> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                + +**To customize the Windows Update deployment cadence:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. +3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings. +4. Select **Next** to navigate to the Windows update settings page. The page lists the existing settings for each of the deployment rings in the Autopatch group. +5. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings. + 1. Select one of the cadence types for the ring: + 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". + 1. Select **Scheduled install** to opt-out of deadline-based forced restart. + 1. Select either **Active hours** or **Schedule install and restart time**. + 2. Select **Save**. +6. Select **Manage notifications**. A fly-in pane opens. + 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications. + 1. Not configured + 1. Use the default Windows Update notifications + 1. Turn off all notifications excluding restart warnings + 1. Turn off all notifications included restart warnings + 1. Select **Save** once you select the preferred setting. +7. Repeat the same process to customize each of the rings. Once done, select **Next**. +8. 
In **Review + apply**, you’ll be able to review the selected settings for each of the rings. +9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md new file mode 100644 index 0000000000..8e4b4794f4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md 
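Review bot: In the "Manage notifications" steps of windows-autopatch-groups-windows-update.md, the fourth option reads "Turn off all notifications included restart warnings" while the User notifications list earlier in the file says "including restart warnings"; the steps should use the exact option names so admins can match them in the UI. In the same file, "deadline-drive cadence type" under Deadline-driven should be "deadline-driven", the sub-step under Scheduled install refers to "Schedule install and restart time" while the table names the option "Schedule install and restart", and the [!NOTE] above that section says "Schedule install cadence type" instead of "Scheduled install". Step 2 is missing a separator before "select **Autopatch groups**". The two consecutive [!IMPORTANT] blocks at the top both state that the feature is in public preview; consolidate them into one. One documentation suggestion for the Deadline-driven boundaries table: since deferral plus deadline is capped at 14 days and the grace period at 7, state explicitly that a device can go at most 21 days before a forced restart, which ties the boundaries to the 21-day goal that the quality update overview in this same patch refers to.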
@@ -0,0 +1,106 @@ +--- +title: policy health and remediation +description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: rekhanr +--- + +# Policy health and remediation (public preview) + +> [!IMPORTANT] +> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback. + +Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service. + +> [!IMPORTANT] +> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + +When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch will raise alerts and detailed recommended actions to ensure healthy operation of the service. + +IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service. + +With this feature, IT admins can: + +- View alerts, in line with the features you commonly use: + - Windows Update related alerts in the Release management blade. + - Device configuration alerts in the **Tenant management** > **Alert actions** tab. +- Initiate action for the Autopatch service to restore policies without having to raise an incident. 
+- Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident. + +> [!NOTE] +> You can rename your policies to meet your organization’s requirements. Do **not** rename the underlying Autopatch deployment groups. + +## Check policy health + +Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring may continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts. + +## Built-in roles required for remediation actions + +The minimum role required to restore configurations is **Intune Service Administrator**. You can also perform these actions in the Global administrator role. + +## Restore device configuration policy + +**To initiate remediation action for device configuration alerts:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant administration** > **Tenant management** > **Actions**. +1. Select **Restore missing policy** to launch the workflow. +1. Review the message and select **Restore policy**. +1. If the **Change modified policy alert** appears, select this alert to launch the workflow. +1. Select **Submit changes** to restore to service required values. + +There will be an alert for each policy that is missing or has deviated from the service defined values. + +## Restore Windows update policies + +**To initiate remediation actions for Windows quality update policies:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. 
Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows quality updates** > **Status**. +1. Select **Policy Error** to launch the Policy error workflow. +1. Review the message: + 1. If this is a missing policy error, select **Restore policy** to complete the workflow. + 2. If this is a modified policy, select **Submit changes** to restore to service required values. + +**To initiate remediation actions for Windows feature update policies:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows feature updates** > **Status**. +1. Select **Policy Error** to launch the Policy error workflow. +1. Review the message. + 1. If this is a missing policy error, select **Restore policy** to complete the workflow. + 2. If this is a modified policy, select **Submit changes** to restore to service required values. + +## Restore deployment groups + +**To initiate remediation action for missing groups:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant administration** > **Tenant management** > **Actions**. +1. Select **Restore missing group** to launch the workflow. +1. Review the message and select **Restore group**. + +When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed. + +> [!NOTE] +> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.

                Alerts will remain active until an IT admin completes the action to restore them to a healthy state.

                + +There are no Autopatch reports for policy alerts and actions at this time. + +## Use audit logs to track actions in Microsoft Intune + +You can review audit logs in Intune to review the activities completed on the tenant. + +**To review audit logs in Intune:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Tenant administration** > **Audit logs**. + +The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index 10b2232d41..95b3391bd5 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 02/17/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
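Review bot: The description metadata in windows-autopatch-policy-health-and-remediation.md is missing a word ("Describes what Autopatch does it detects policies"); it should read "does when it detects", and the title "policy health and remediation" should be capitalized to match the H1. The sentence "When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service" is ungrammatical; suggest "When Windows Autopatch detects that policies in the tenant are missing, or have been modified in a way that affects the service". The [!IMPORTANT] says not to "change, edit, add to, or remove" any Autopatch policies, while the later [!NOTE] permits renaming them; say in the IMPORTANT block that renaming is the one permitted change so the two don't read as contradictory. Under "Built-in roles required for remediation actions", "You can also perform these actions in the Global administrator role" invites using a broader role than needed; phrase Intune Service Administrator as the least-privileged role that can restore configurations and leave Global administrator as a fallback only. In the final [!NOTE], "restore them to a healthy state" is ambiguous about whether "them" means the alerts or the policies; say "restore the affected policies or groups".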
@@ -85,7 +85,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym > You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                **To pause or resume a Windows feature update:** diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index 943537d1bc..f12b686427 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 04/24/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days | Standard release | Test

                First

                Fast

                Broad | 0

                1

                6

                9 | 0

                2

                2

                5 | 0

                2

                2

                2 | | Expedited release | All devices | 0 | 1 | 1 | +> [!IMPORTANT] +> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates). + #### Turn off service-driven expedited quality update releases Windows Autopatch provides the option to turn off of service-driven expedited quality updates. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md index 9f3d420192..50453deea1 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md @@ -1,7 +1,7 @@ --- title: Customize Windows Update settings description: This article explains how to customize Windows Updates in Windows Autopatch -ms.date: 03/08/2023 +ms.date: 05/02/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to @@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co - [Deadline-driven](#deadline-driven) - [Scheduled install](#scheduled-install) +> [!NOTE] +> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update). + #### Deadline-driven With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. 
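Review bot: The added [!IMPORTANT] in windows-autopatch-windows-quality-update-overview.md (hunk @@ -86,6 +86,9) says expedited updates don't work with Windows 10 LTSC devices but doesn't say what happens to those devices during an expedited release, that is, whether they stay on the standard release schedule shown in the table directly above or receive nothing until the next cycle; one sentence on that would let admins judge the exposure window for their LTSC devices and whether a manual action is needed for them.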
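Review bot: The added [!NOTE] in windows-autopatch-windows-update.md (hunk @@ -30,6 +30,9) links "Update rings policy for Windows 10 and later" twice in two consecutive sentences to the same target; link it once and use plain text for the second mention. The unchanged context line directly below the note still contains the "deadline-drive cadence type" typo; since this hunk touches the adjacent lines, fixing it to "deadline-driven" here would keep the page consistent, and the same typo should be fixed in the new groups variant of this article added in this patch.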
@@ -92,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up ## Customize the Windows Update deployment cadence +> [!IMPORTANT] +> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                + **To customize the Windows Update deployment cadence:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 0b990ea9b6..7eaead607a 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 02/28/2023 + ms.date: 05/04/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -77,6 +77,9 @@ sections: - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). + - question: How can I represent our organizational structure with our own deployment cadence? + answer: | + [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md) helps you manage updates in a way that makes sense for your businesses. For more information, see [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) and [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). - name: Update management questions: - question: What systems does Windows Autopatch update? 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index d185fe21d6..3525a20488 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
@@ -45,8 +45,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: | | [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: | | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: | -| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | -| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | +| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: | +| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | 
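Review bot: The two rows changed in windows-autopatch-roles-responsibilities.md point to renamed anchors (`#steps-to-register-devices-using-the-classic-method` and `#about-the-registered-not-ready-and-not-registered-tabs`) in windows-autopatch-register-devices.md, but the corresponding heading changes in that file aren't part of this diff; confirm those headings already exist with exactly those slugs, otherwise both links break. The unchanged row "Remediate devices displayed in the **Not ready** tab" still links to `#about-the-three-tabs-in-the-devices-blade` in a different article; if the tabs were renamed to Registered, Not ready and Not registered, that link text and anchor may need the same update.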
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 7e202554d2..4ca771cece 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -52,7 +52,6 @@ The following are the Microsoft Intune settings: | Check | Description | | ----- | ----- | | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). | -| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). | ### Azure Active Directory settings diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index a180a874ec..413d997112 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md 
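Review bot: Dropping the "Unlicensed admin" row from the Intune settings table in windows-autopatch-enroll-tenant.md leaves the documented readiness checks out of sync with the tenant enrollment tool if the tool still evaluates "Allow access to unlicensed admins"; confirm the check was retired from the service in the same release, and if it was not, keep the row, because a "lack of permissions" error during enrollment is otherwise undiagnosable from the docs. Either way the removal is more than a typo-level correction and should be called out in the What's new article rather than disappearing silently.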
@@ -37,14 +37,6 @@ For each check, the tool will report one of four possible results: You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -### Unlicensed admins - -This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. - -| Result | Meaning | -| ----- | ----- | -| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

                For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | - ### Update rings for Windows 10 or later Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md new file mode 100644 index 0000000000..29795eceb9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md 
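Review bot: Removing the "### Unlicensed admins" section from windows-autopatch-fix-issues.md also removes its heading anchor, so any remaining links to `windows-autopatch-fix-issues.md#unlicensed-admins` (from the enrollment readiness tables, the TOC, or other articles) will break; grep the repo for that fragment before merging. The deleted "Not ready" row also told administrators the setting could be enabled "without worrying about security implications"; if the guidance is being withdrawn because that advice was wrong rather than because the check was retired, this article should say what permissions the service actually needs instead of dropping the topic without a replacement.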
@@ -0,0 +1,29 @@ +--- +title: Autopatch groups Public Preview Addendum +description: Addendum for Windows Autopatch groups public preview +ms.date: 05/01/2023 +ms.prod: windows-client +ms.technology: itpro-updates +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +ms.reviewer: andredm7 +--- + +# Windows Autopatch groups Public Preview Addendum + +**This is the Autopatch groups Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**"). + +For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows: + +Microsoft desires to preview the Autopatch groups service it is developing ("**Autopatch groups Preview**”) in order to evaluate it. Customer would like to particulate this Autopatch groups Preview under the Product Terms and this Addendum. Autopatch groups Preview consists of features and services that are in preview, beta, or other pre-release form. Autopatch groups Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services. + +## Definitions + +Capitalized terms used but not defined herein have the meanings given in the Product Terms. + +## Data Handling + +Autopatch groups Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). 
Once Customer Data from Windows Autopatch Input Services is integrated into Autopatch groups Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Autopatch groups Preview apply to that data. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 9c2e3531ae..a279da8f47 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 04/18/2023 +ms.date: 05/01/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new 
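Review bot: Typo in the third paragraph of the new addendum: "Customer would like to particulate this Autopatch groups Preview" should read "participate in this Autopatch groups Preview". The same paragraph mixes straight and curly quotation marks (`("**Autopatch groups Preview**”)` opens with `"` and closes with `”`), and the `[DPA provisions]` link resolves to the Product Terms glossary page rather than to the Data Protection Addendum itself; confirm that is the intended target. Finally, `ms.topic: how-to` does not fit a licensing addendum that contains no procedure; `reference` or `conceptual` would be more appropriate.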
@@ -18,6 +18,35 @@ This article lists new and updated feature releases, and service releases, with Minor corrections such as typos, style, or formatting issues aren't listed. +## May 2023 + +### May 2023 feature release + +| Article | Description | +| ----- | ----- | +| [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview | +| [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Software update management](../operate/windows-autopatch-groups-update-management.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md) | New article for the Windows Autopatch groups experience. 
Windows Autopatch groups is in public preview | +| [Windows quality update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Manage Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) | New article for the Windows Autopatch groups experience. 
Windows Autopatch groups is in public preview | +| [Windows feature update summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows feature update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Windows quality and feature update device alerts](../operate/windows-autopatch-device-alerts.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview | +| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview | +| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview | + ## April 2023 ### April feature releases or updates diff --git a/windows/deployment/windows-autopilot/images/all-groups.png b/windows/deployment/windows-autopilot/images/all-groups.png deleted file mode 100644 index 6ae904ed62..0000000000 Binary files a/windows/deployment/windows-autopilot/images/all-groups.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png b/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png deleted file mode 100644 index 0f458e9306..0000000000 Binary files a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png and /dev/null differ 
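Review bot: The May 2023 table in windows-autopatch-whats-new-2023.md links a large set of new `windows-autopatch-groups-*` articles; every one of those paths must exist in this same change or link validation will fail, so cross-check the list against the added files rather than assuming they all landed. Two smaller points: the "Policy health and remediation" row says "Add new ... feature" where the other rows use past tense ("Added", "Updated"), and the description "New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview" is repeated verbatim across every new-article row; a single sentence above the table stating that all Autopatch groups articles are in public preview would read better. The removal of the "Unlicensed admin" readiness check elsewhere in this change is not listed here.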
diff --git a/windows/deployment/windows-autopilot/images/ap-ts-1.png b/windows/deployment/windows-autopilot/images/ap-ts-1.png deleted file mode 100644 index 5f4c33fd51..0000000000 Binary files a/windows/deployment/windows-autopilot/images/ap-ts-1.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/ap-ts.png b/windows/deployment/windows-autopilot/images/ap-ts.png deleted file mode 100644 index 7c343176d0..0000000000 Binary files a/windows/deployment/windows-autopilot/images/ap-ts.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg deleted file mode 100644 index 3a16c0f219..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg deleted file mode 100644 index 3a8f1578cb..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png deleted file mode 100644 index 1533f68c7c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg deleted file mode 100644 index 137b6ca431..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg deleted file mode 100644 index bc4bed8920..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg deleted file mode 100644 index 7604382113..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg deleted file mode 100644 index c3c5307ce4..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg deleted file mode 100644 index a2717c68be..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg b/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg deleted file mode 100644 index bb2d641155..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png deleted file mode 100644 index d86cb57895..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png deleted file mode 100644 index f6fa6d3467..0000000000 Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png deleted file mode 100644 index 96e2d94fb3..0000000000 Binary files a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/choice.png b/windows/deployment/windows-autopilot/images/choice.png deleted file mode 100644 index 881744eec5..0000000000 Binary files a/windows/deployment/windows-autopilot/images/choice.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png deleted file mode 100644 index 2d8abb5785..0000000000 Binary files a/windows/deployment/windows-autopilot/images/connector-fail.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp1.png b/windows/deployment/windows-autopilot/images/csp1.png deleted file mode 100644 index 81e59080c8..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp1.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png deleted file mode 100644 index 06cc80fe95..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp3.png b/windows/deployment/windows-autopilot/images/csp3.png deleted file mode 100644 index 8b0647e4b4..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp3.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/csp3a.png b/windows/deployment/windows-autopilot/images/csp3a.png deleted file mode 100644 index 3fb1291370..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp3a.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp3b.png b/windows/deployment/windows-autopilot/images/csp3b.png deleted file mode 100644 index c2034c1ebc..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp3b.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png deleted file mode 100644 index ddada725b2..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp4.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp5.png b/windows/deployment/windows-autopilot/images/csp5.png deleted file mode 100644 index f43097c62b..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp5.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp6.png b/windows/deployment/windows-autopilot/images/csp6.png deleted file mode 100644 index 8b0647e4b4..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp6.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/csp7.png b/windows/deployment/windows-autopilot/images/csp7.png deleted file mode 100644 index 608128e5ab..0000000000 Binary files a/windows/deployment/windows-autopilot/images/csp7.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/delete-device3.png b/windows/deployment/windows-autopilot/images/delete-device3.png deleted file mode 100644 index a2daa1c39a..0000000000 Binary files a/windows/deployment/windows-autopilot/images/delete-device3.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/delete-device4.png b/windows/deployment/windows-autopilot/images/delete-device4.png deleted file mode 100644 index c0119fbc39..0000000000 Binary files a/windows/deployment/windows-autopilot/images/delete-device4.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/delete-device5.png b/windows/deployment/windows-autopilot/images/delete-device5.png deleted file mode 100644 index 33b539d33c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/delete-device5.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/delete-device6.png b/windows/deployment/windows-autopilot/images/delete-device6.png deleted file mode 100644 index 23cbcb7c44..0000000000 Binary files a/windows/deployment/windows-autopilot/images/delete-device6.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/delete-device7.png b/windows/deployment/windows-autopilot/images/delete-device7.png deleted file mode 100644 index dcdeee5205..0000000000 Binary files a/windows/deployment/windows-autopilot/images/delete-device7.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles.png b/windows/deployment/windows-autopilot/images/deployment-profiles.png deleted file mode 100644 index 7888da55d1..0000000000 Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles2.png b/windows/deployment/windows-autopilot/images/deployment-profiles2.png deleted file mode 100644 index 6ff9fbb89e..0000000000 Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles2.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/device-import.png b/windows/deployment/windows-autopilot/images/device-import.png deleted file mode 100644 index 3be4cff996..0000000000 Binary files a/windows/deployment/windows-autopilot/images/device-import.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/device2.png b/windows/deployment/windows-autopilot/images/device2.png deleted file mode 100644 index 6f7d1a5df0..0000000000 Binary files a/windows/deployment/windows-autopilot/images/device2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/device3.png b/windows/deployment/windows-autopilot/images/device3.png deleted file mode 100644 index adf9c7a875..0000000000 Binary files a/windows/deployment/windows-autopilot/images/device3.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/devices.png b/windows/deployment/windows-autopilot/images/devices.png deleted file mode 100644 index a5b0dd1899..0000000000 Binary files a/windows/deployment/windows-autopilot/images/devices.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/dfci.png b/windows/deployment/windows-autopilot/images/dfci.png deleted file mode 100644 index 6c68ed8b80..0000000000 Binary files a/windows/deployment/windows-autopilot/images/dfci.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/enabled-device.png b/windows/deployment/windows-autopilot/images/enabled-device.png deleted file mode 100644 index 96dc935309..0000000000 Binary files a/windows/deployment/windows-autopilot/images/enabled-device.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/enrollment-status-page.png b/windows/deployment/windows-autopilot/images/enrollment-status-page.png deleted file mode 100644 index 9bb550c20b..0000000000 Binary files a/windows/deployment/windows-autopilot/images/enrollment-status-page.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/esp-config.png b/windows/deployment/windows-autopilot/images/esp-config.png deleted file mode 100644 index eb9f94661f..0000000000 Binary files a/windows/deployment/windows-autopilot/images/esp-config.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png deleted file mode 100644 index df0fe655e9..0000000000 Binary files a/windows/deployment/windows-autopilot/images/esp-settings.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/hh.png b/windows/deployment/windows-autopilot/images/hh.png deleted file mode 100644 index 98fbc3cd7b..0000000000 Binary files a/windows/deployment/windows-autopilot/images/hh.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/hwid-csv.png b/windows/deployment/windows-autopilot/images/hwid-csv.png deleted file mode 100644 index ac177e0b5a..0000000000 Binary files a/windows/deployment/windows-autopilot/images/hwid-csv.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/image1.png b/windows/deployment/windows-autopilot/images/image1.png deleted file mode 100644 index e5bd9e3cba..0000000000 Binary files a/windows/deployment/windows-autopilot/images/image1.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/image2.png b/windows/deployment/windows-autopilot/images/image2.png deleted file mode 100644 index 9790d50b35..0000000000 Binary files a/windows/deployment/windows-autopilot/images/image2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/import-vm.png b/windows/deployment/windows-autopilot/images/import-vm.png deleted file mode 100644 index 5fb97cda5d..0000000000 Binary files a/windows/deployment/windows-autopilot/images/import-vm.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/include-group.png b/windows/deployment/windows-autopilot/images/include-group.png deleted file mode 100644 index fb7bca7efa..0000000000 Binary files a/windows/deployment/windows-autopilot/images/include-group.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/include-group2.png b/windows/deployment/windows-autopilot/images/include-group2.png deleted file mode 100644 index 585d006bac..0000000000 Binary files a/windows/deployment/windows-autopilot/images/include-group2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/intune-devices.png b/windows/deployment/windows-autopilot/images/intune-devices.png deleted file mode 100644 index bc29c76511..0000000000 Binary files a/windows/deployment/windows-autopilot/images/intune-devices.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/landing.png b/windows/deployment/windows-autopilot/images/landing.png deleted file mode 100644 index 13dea20b07..0000000000 Binary files a/windows/deployment/windows-autopilot/images/landing.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/mdm-config.png b/windows/deployment/windows-autopilot/images/mdm-config.png deleted file mode 100644 index 0b2dd14a53..0000000000 Binary files a/windows/deployment/windows-autopilot/images/mdm-config.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/mdm-intune.png b/windows/deployment/windows-autopilot/images/mdm-intune.png deleted file mode 100644 index db9b144fad..0000000000 Binary files a/windows/deployment/windows-autopilot/images/mdm-intune.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage2.png b/windows/deployment/windows-autopilot/images/msfb-manage2.png deleted file mode 100644 index 406aaf5948..0000000000 Binary files a/windows/deployment/windows-autopilot/images/msfb-manage2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/msfb-manage3.png b/windows/deployment/windows-autopilot/images/msfb-manage3.png deleted file mode 100644 index bf5fb1ccf9..0000000000 Binary files a/windows/deployment/windows-autopilot/images/msfb-manage3.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/new-group.png b/windows/deployment/windows-autopilot/images/new-group.png deleted file mode 100644 index c18c1865f6..0000000000 Binary files a/windows/deployment/windows-autopilot/images/new-group.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/notepad.png b/windows/deployment/windows-autopilot/images/notepad.png deleted file mode 100644 index 0f243f95d6..0000000000 Binary files a/windows/deployment/windows-autopilot/images/notepad.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/pc-01a.png b/windows/deployment/windows-autopilot/images/pc-01a.png deleted file mode 100644 index a3d0f4cdea..0000000000 Binary files a/windows/deployment/windows-autopilot/images/pc-01a.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/pc-01b.png b/windows/deployment/windows-autopilot/images/pc-01b.png deleted file mode 100644 index 07eda6e4bb..0000000000 Binary files a/windows/deployment/windows-autopilot/images/pc-01b.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/pwd.png b/windows/deployment/windows-autopilot/images/pwd.png deleted file mode 100644 index c9b0e7837c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/pwd.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/reset.png b/windows/deployment/windows-autopilot/images/reset.png deleted file mode 100644 index 0619b7fa03..0000000000 Binary files a/windows/deployment/windows-autopilot/images/reset.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/sc.png b/windows/deployment/windows-autopilot/images/sc.png deleted file mode 100644 index bb326e6406..0000000000 Binary files a/windows/deployment/windows-autopilot/images/sc.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/sc1.png b/windows/deployment/windows-autopilot/images/sc1.png deleted file mode 100644 index 380887a45c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/sc1.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png deleted file mode 100644 index 3ab1e4b304..0000000000 Binary files a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/up-1.PNG b/windows/deployment/windows-autopilot/images/up-1.PNG deleted file mode 100644 index c1284c53d2..0000000000 Binary files a/windows/deployment/windows-autopilot/images/up-1.PNG and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/up-2.PNG b/windows/deployment/windows-autopilot/images/up-2.PNG deleted file mode 100644 index 4891a3873a..0000000000 Binary files a/windows/deployment/windows-autopilot/images/up-2.PNG and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/up-3.PNG b/windows/deployment/windows-autopilot/images/up-3.PNG deleted file mode 100644 index 8b1e356f92..0000000000 Binary files a/windows/deployment/windows-autopilot/images/up-3.PNG and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/update-flow.png b/windows/deployment/windows-autopilot/images/update-flow.png deleted file mode 100644 index c90f54e96c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/update-flow.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/update1.png b/windows/deployment/windows-autopilot/images/update1.png deleted file mode 100644 index 83d98a29b5..0000000000 Binary files a/windows/deployment/windows-autopilot/images/update1.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/update2.png b/windows/deployment/windows-autopilot/images/update2.png deleted file mode 100644 index 04dbcaddc1..0000000000 Binary files a/windows/deployment/windows-autopilot/images/update2.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/update3.png b/windows/deployment/windows-autopilot/images/update3.png deleted file mode 100644 index 851adb58ec..0000000000 Binary files a/windows/deployment/windows-autopilot/images/update3.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg01.png b/windows/deployment/windows-autopilot/images/wg01.png deleted file mode 100644 index fa08be3f48..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg01.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg02.png b/windows/deployment/windows-autopilot/images/wg02.png deleted file mode 100644 index 5de01d6803..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg02.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg03.png b/windows/deployment/windows-autopilot/images/wg03.png deleted file mode 100644 index 89ac12747c..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg03.png and /dev/null differ 
diff --git a/windows/deployment/windows-autopilot/images/wg04.png b/windows/deployment/windows-autopilot/images/wg04.png deleted file mode 100644 index a59ea766b7..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg04.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg05.png b/windows/deployment/windows-autopilot/images/wg05.png deleted file mode 100644 index cea36fb6bd..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg05.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg06.png b/windows/deployment/windows-autopilot/images/wg06.png deleted file mode 100644 index 68cd29c24d..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg06.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/wg07.png b/windows/deployment/windows-autopilot/images/wg07.png deleted file mode 100644 index bc5a81bb3f..0000000000 Binary files a/windows/deployment/windows-autopilot/images/wg07.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/white-glove-result.png b/windows/deployment/windows-autopilot/images/white-glove-result.png deleted file mode 100644 index de3701e76d..0000000000 Binary files a/windows/deployment/windows-autopilot/images/white-glove-result.png and /dev/null differ diff --git a/windows/deployment/windows-autopilot/images/windows_glyph.png b/windows/deployment/windows-autopilot/images/windows_glyph.png deleted file mode 100644 index 3a41d4dfb1..0000000000 Binary files a/windows/deployment/windows-autopilot/images/windows_glyph.png and /dev/null differ diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 63adeb04ea..0c78b4dfbe 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -1,448 +1,28 @@ - name: Windows security href: index.yml -- name: Zero Trust and Windows - href: zero-trust-windows-device-health.md expanded: true +- name: Introduction + items: + - name: Windows security overview + href: introduction/index.md + - name: Zero Trust and Windows + href: zero-trust-windows-device-health.md + - name: Security features and edition requirements + href: introduction/security-features-edition-requirements.md + - name: Security features and licensing requirements + href: introduction/security-features-licensing-requirements.md - name: Hardware security - items: - - name: Overview - href: hardware.md - - name: Microsoft Pluton security processor - items: - - name: Microsoft Pluton overview - href: information-protection/pluton/microsoft-pluton-security-processor.md - - name: Microsoft Pluton as TPM - href: information-protection/pluton/pluton-as-tpm.md - - name: Trusted Platform Module - href: information-protection/tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module overview - href: information-protection/tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: information-protection/tpm/tpm-fundamentals.md - - name: How Windows uses the TPM - href: information-protection/tpm/how-windows-uses-the-tpm.md - - name: Manage TPM commands - href: information-protection/tpm/manage-tpm-commands.md - - name: Manager TPM Lockout - href: information-protection/tpm/manage-tpm-lockout.md - - name: Change the TPM password - href: information-protection/tpm/change-the-tpm-owner-password.md - - name: TPM Group Policy settings - href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: 
Understanding PCR banks on TPM 2.0 devices - href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: information-protection/tpm/tpm-recommendations.md - - - name: Hardware-based root of trust - href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md - - name: System Guard Secure Launch and SMM protection - href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: Enable virtualization-based protection of code integrity - href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - - name: Kernel DMA Protection - href: information-protection/kernel-dma-protection-for-thunderbolt.md - - name: Windows secured-core devices - href: /windows-hardware/design/device-experiences/oem-highly-secure + href: hardware-security/toc.yml - name: Operating system security - items: - - name: Overview - href: operating-system.md - - name: System security - items: - - name: Secure the Windows boot process - href: information-protection/secure-the-windows-10-boot-process.md - - name: Trusted Boot - href: trusted-boot.md - - name: Cryptography and certificate management - href: cryptography-certificate-mgmt.md - - name: The Windows Security app - href: threat-protection/windows-defender-security-center/windows-defender-security-center.md - items: - - name: Virus & threat protection - href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md - - name: Account protection - href: threat-protection\windows-defender-security-center\wdsc-account-protection.md - - name: Firewall & network protection - href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md - - name: App & browser control - href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md - - name: Device security - href: 
threat-protection\windows-defender-security-center\wdsc-device-security.md - - name: Device performance & health - href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md - - name: Family options - href: threat-protection\windows-defender-security-center\wdsc-family-options.md - - name: Security policy settings - href: threat-protection/security-policy-settings/security-policy-settings.md - - name: Security auditing - href: threat-protection/auditing/security-auditing-overview.md - - name: Encryption and data protection - href: encryption-data-protection.md - items: - - name: Encrypted Hard Drive - href: information-protection/encrypted-hard-drive.md - - name: BitLocker - href: information-protection/bitlocker/bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows - href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: information-protection/bitlocker/bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: information-protection/bitlocker/bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: information-protection/bitlocker/bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: information-protection/bitlocker/bitlocker-and-adds-faq.yml - - name: Security - href: information-protection/bitlocker/bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml - - name: General - href: 
information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: information-protection/bitlocker/bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: information-protection/bitlocker/bitlocker-basic-deployment.md - - name: Deploy BitLocker on Windows Server 2012 and later - href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md - - name: BitLocker management for enterprises - href: information-protection/bitlocker/bitlocker-management-for-enterprises.md - - name: Enable Network Unlock with BitLocker - href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md - - name: Use BitLocker Drive Encryption Tools to manage BitLocker - href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: Use BitLocker Recovery Password Viewer - href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: information-protection/bitlocker/bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: information-protection/bitlocker/bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: information-protection/bitlocker/bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: 
/troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting - - name: "BitLocker cannot encrypt a drive: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues - - name: "BitLocker Network Unlock: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues - - name: "BitLocker recovery: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues - - name: "BitLocker configuration: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues - - name: "BitLocker and TPM: other known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - - name: Decode Measured Boot logs to track PCR changes - href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes - - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - items: - - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Enable Personal Data Encryption (PDE) - href: 
information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md - - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE - href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md - - name: Disable kernel-mode crash dumps and live dumps for PDE - href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md - - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md - - name: Disable hibernation for PDE - href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md - - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE - href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md - - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md - - name: Network security - items: - - name: VPN technical guide - href: identity-protection/vpn/vpn-guide.md - items: - - name: VPN connection types - href: identity-protection/vpn/vpn-connection-type.md - - name: VPN routing decisions - href: identity-protection/vpn/vpn-routing.md - - name: VPN authentication options - href: identity-protection/vpn/vpn-authentication.md - - name: VPN and conditional access - href: identity-protection/vpn/vpn-conditional-access.md - - name: VPN name resolution - href: identity-protection/vpn/vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: identity-protection/vpn/vpn-auto-trigger-profile.md - - name: VPN security features - href: identity-protection/vpn/vpn-security-features.md - - name: VPN profile options - href: identity-protection/vpn/vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: 
identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows VPN client - href: identity-protection/vpn/vpn-office-365-optimization.md - - name: Windows Defender Firewall - href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - - name: Windows security baselines - href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA) - href: threat-protection/mbsa-removal-and-guidance.md - - name: Virus & threat protection - items: - - name: Overview - href: threat-protection/index.md - - name: Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - - name: Attack surface reduction rules - href: /microsoft-365/security/defender-endpoint/attack-surface-reduction - - name: Tamper protection - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Network protection - href: /microsoft-365/security/defender-endpoint/network-protection - - name: Controlled folder access - href: /microsoft-365/security/defender-endpoint/controlled-folders - - name: Exploit protection - href: /microsoft-365/security/defender-endpoint/exploit-protection - - name: Microsoft Defender for Endpoint - href: /microsoft-365/security/defender-endpoint - - name: More Windows security - items: - - name: Override Process 
Mitigation Options to help enforce app-related security policies - href: threat-protection/override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: threat-protection/block-untrusted-fonts-in-enterprise.md - - name: Windows Information Protection (WIP) - href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: information-protection/windows-information-protection/overview-create-wip-policy.md - items: - - name: Create a WIP policy in Microsoft Intune - href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy in Microsoft Intune - href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP in Microsoft Intune - href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the enterprise context of an app running in WIP - href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Configuration Manager - href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy in Configuration Manager - href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - 
href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the enterprise context of an app running in WIP - href: information-protection/windows-information-protection/wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: information-protection/windows-information-protection/mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: information-protection/windows-information-protection/testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: information-protection/windows-information-protection/limitations-with-wip.md - - name: How to collect WIP audit event logs - href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: information-protection/windows-information-protection/app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: information-protection/windows-information-protection/using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: information-protection/windows-information-protection/wip-learning.md - - name: Disable WIP - href: information-protection/windows-information-protection/how-to-disable-wip.md + href: operating-system-security/toc.yml - name: Application security - items: - - name: Overview - href: apps.md - - name: Windows Defender Application Control and 
virtualization-based protection of code integrity - href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Defender Application Control - href: threat-protection\windows-defender-application-control\windows-defender-application-control.md - - name: Microsoft Defender Application Guard - href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md - - name: Windows Sandbox - href: threat-protection/windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: threat-protection/windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: Microsoft Defender SmartScreen overview - href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: - - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen - href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md - - name: Configure S/MIME for Windows - href: identity-protection\configure-s-mime.md - - name: Windows Credential Theft Mitigation Guide Abstract - href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md -- name: User security and secured identity - items: - - name: Overview - href: identity.md - - name: Windows credential theft mitigation guide - href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md - - name: Passwordless - items: - - name: Windows Hello for Business ⇒ - href: identity-protection/hello-for-business/index.yml - - name: FIDO 2 security keys - href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key?context=/windows/security/context/context - - name: Local Administrator Password Solution (LAPS) - href: 
/windows-server/identity/laps/laps-overview?context=/windows/security/context/context - - name: Enterprise Certificate Pinning - href: identity-protection/enterprise-certificate-pinning.md - - name: Credential Guard - items: - - name: Protect derived domain credentials with Credential Guard - href: identity-protection/credential-guard/credential-guard.md - - name: How Credential Guard works - href: identity-protection/credential-guard/credential-guard-how-it-works.md - - name: Requirements - href: identity-protection/credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: identity-protection/credential-guard/credential-guard-manage.md - - name: Credential Guard protection limits - href: identity-protection/credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: identity-protection/credential-guard/credential-guard-considerations.md - - name: Additional mitigations - href: identity-protection/credential-guard/additional-mitigations.md - - name: Known issues - href: identity-protection/credential-guard/credential-guard-known-issues.md - - name: Remote Credential Guard - href: identity-protection/remote-credential-guard.md - - name: Configuring LSA Protection - href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - - name: Technical support policy for lost or forgotten passwords - href: identity-protection/password-support-policy.md - - name: Access Control - items: - - name: Overview - href: identity-protection/access-control/access-control.md - - name: Local Accounts - href: identity-protection/access-control/local-accounts.md - - name: User Account Control (UAC) - items: - - name: Overview - href: identity-protection/user-account-control/user-account-control-overview.md - - name: How User Account Control works - href: 
identity-protection/user-account-control/how-user-account-control-works.md - - name: User Account Control security policy settings - href: identity-protection/user-account-control/user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md - - name: Smart Cards - href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: identity-protection/smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: identity-protection/smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: identity-protection/smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: identity-protection/smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: identity-protection/smart-cards/smart-card-events.md - - name: Virtual smart cards - href: 
identity-protection/virtual-smart-cards/virtual-smart-card-overview.md - items: - - name: Understand and evaluate virtual smart cards - href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md - items: - - name: Get started with virtual smart cards - href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md - - name: Use virtual smart cards - href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy virtual smart cards - href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate virtual smart card security - href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md -- name: Cloud services - items: - - name: Overview - href: cloud.md - - name: Mobile device management - href: /windows/client-management/mdm/ - - name: Windows 365 Cloud PCs - href: /windows-365/overview - - name: Azure Virtual Desktop - href: /azure/virtual-desktop/ + href: application-security/toc.yml +- name: Identity protection + href: identity-protection/toc.yml +- name: Windows Privacy 🔗 + href: /windows/privacy - name: Security foundations - items: - - name: Overview - href: security-foundations.md - - name: Microsoft Security Development Lifecycle - href: threat-protection/msft-security-dev-lifecycle.md - - name: FIPS 140-2 Validation - href: threat-protection/fips-140-validation.md - - name: Common Criteria Certifications - href: threat-protection/windows-platform-common-criteria.md -- name: Windows Privacy - href: /windows/privacy/windows-10-and-privacy-compliance + href: security-foundations/toc.yml +- name: Cloud security + href: cloud-security/toc.yml \ No newline at end of file 
diff --git a/windows/security/application-security/application-control/toc.yml b/windows/security/application-security/application-control/toc.yml new file mode 100644 index 0000000000..5cea979d61 --- /dev/null +++ b/windows/security/application-security/application-control/toc.yml @@ -0,0 +1,17 @@ +items: +- name: User Account Control (UAC) + items: + - name: Overview + href: ../../identity-protection/user-account-control/user-account-control-overview.md + - name: How User Account Control works + href: ../../identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: ../../identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: ../../identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +- name: Windows Defender Application Control and virtualization-based protection of code integrity + href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +- name: Windows Defender Application Control + href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md +- name: Smart App Control + href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml new file mode 100644 index 0000000000..8c17971749 --- /dev/null +++ b/windows/security/application-security/application-isolation/toc.yml 
@@ -0,0 +1,20 @@ +items: +- name: Microsoft Defender Application Guard (MDAG) + href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md +- name: MDAG for Edge standalone mode + href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +- name: MDAG for Edge enterprise mode and enterprise management 🔗 + href: /deployedge/microsoft-edge-security-windows-defender-application-guard +- name: MDAG for Microsoft Office + href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46 +- name: MDAG configure via MDM 🔗 + href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp +- name: Windows containers 🔗 + href: /virtualization/windowscontainers/about +- name: Windows Sandbox + href: ../../threat-protection/windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: ../../threat-protection/windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: ../../threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md \ No newline at end of file diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml new file mode 100644 index 0000000000..5e2bd70284 --- /dev/null +++ b/windows/security/application-security/toc.yml @@ -0,0 +1,8 @@ +items: +- name: Overview + href: ../apps.md +- name: Application Control + href: application-control/toc.yml +- name: Application Isolation + href: application-isolation/toc.yml + diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml new file mode 100644 index 0000000000..a927cf5384 --- /dev/null +++ b/windows/security/cloud-security/toc.yml 
@@ -0,0 +1,18 @@ +items: +- name: Overview + href: ../cloud.md +- name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗 + href: /azure/active-directory/devices/concept-azure-ad-join +- name: Security baselines with Intune 🔗 + href: /mem/intune/protect/security-baselines +- name: Remote wipe (Autopilot reset) 🔗 + href: /windows/client-management/mdm/remotewipe-csp +- name: Mobile Device Management (MDM) 🔗 + href: /windows/client-management/mdm/ +- name: Universal Print 🔗 + href: /universal-print +- name: Windows Autopatch 🔗 + href: /windows/deployment/windows-autopatch +- name: Windows Autopilot 🔗 + href: /windows/deployment/windows-autopilot + diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml new file mode 100644 index 0000000000..6cd5d10c39 --- /dev/null +++ b/windows/security/hardware-security/toc.yml 
@@ -0,0 +1,54 @@ +items: + - name: Overview + href: ../hardware.md + - name: Hardware root of trust + items: + - name: Windows Defender System Guard + href: ../threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: Trusted Platform Module + href: ../information-protection/tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module overview + href: ../information-protection/tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: ../information-protection/tpm/tpm-fundamentals.md + - name: How Windows uses the TPM + href: ../information-protection/tpm/how-windows-uses-the-tpm.md + - name: Manage TPM commands + href: ../information-protection/tpm/manage-tpm-commands.md + - name: Manager TPM Lockout + href: ../information-protection/tpm/manage-tpm-lockout.md + - name: Change the TPM password + href: ../information-protection/tpm/change-the-tpm-owner-password.md + - name: TPM Group Policy settings + href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: ../information-protection/tpm/tpm-recommendations.md + - name: Microsoft Pluton security processor + items: + - name: Microsoft Pluton overview + href: ../information-protection/pluton/microsoft-pluton-security-processor.md + - name: Microsoft Pluton as TPM + href: ../information-protection/pluton/pluton-as-tpm.md + - name: Silicon assisted security + items: + - name: Virtualization-based security (VBS) + href: 
/windows-hardware/design/device-experiences/oem-vbs + - name: Memory integrity (HVCI) + href: ../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Memory integrity and VBS enablement 🔗 + href: /windows-hardware/design/device-experiences/oem-hvci-enablement + - name: Hardware-enforced stack protection + href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815 + - name: Secured-core PC 🔗 + href: /windows-hardware/design/device-experiences/oem-highly-secure-11 + - name: Kernel Direct Memory Access (DMA) protection + href: ../information-protection/kernel-dma-protection-for-thunderbolt.md + - name: System Guard Secure Launch + href: ../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 6bec9ee14c..b1ca0e2e0f 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -39,6 +39,8 @@ This content set contains: - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts) - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups) +[!INCLUDE [access-control-aclsscals](../../../../includes/licensing/access-control-aclsscals.md)] + ## Practical applications Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security: diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 317ef89a50..510e690593 100644 --- a/windows/security/identity-protection/configure-s-mime.md 
+++ b/windows/security/identity-protection/configure-s-mime.md @@ -20,6 +20,8 @@ Encrypted messages can be read only by recipients who have a certificate. If you A digitally signed message reassures the recipient that the message hasn't been tampered with and verifies the identity of the sender. Recipients can only verify the digital signature if they're using an email client that supports S/MIME. +[!INCLUDE [email-encryption-smime](../../../includes/licensing/email-encryption-smime.md)] + ## Prerequisites - [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can't use S/MIME signing and encryption with a personal account such as Outlook.com. diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index ca9c7acd52..32967fd8b7 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md 
@@ -18,7 +18,6 @@ Credential theft attacks allow the attacker to steal secrets from one device and Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - - Users need to be in domains that are running Windows Server 2012 R2 or higher - All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. - All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index ea7bf02bae..2afb9f4a6a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md 
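Review bot: in the additional-mitigations.md hunk, the unchanged context sentence "Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering" is a run-on that this paragraph-level edit could fix at the same time, for example "signed KDC errors; this mitigates tampering which can result in downgrade attacks". Deleting the blank line between the bold lead-in **To enable Kerberos armoring for restricting domain users to specific domain-joined devices** and the bullet list relies on the list interrupting that paragraph; the other procedures touched in this change (the registry steps in remote-credential-guard.md) keep a blank line before a nested list, so keep it here for consistency.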
@@ -66,6 +66,8 @@ Applications may cause performance issues when they attempt to hook the isolated Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. +[!INCLUDE [windows-defender-credential-guard](../../../../includes/licensing/windows-defender-credential-guard.md)] + ## Security considerations All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. @@ -96,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve |Protections for Improved Security|Description| |---|---| |Hardware: **IOMMU** (input/output memory management unit)|**Requirement**:
                - VT-D or AMD Vi IOMMU

                **Security benefits**:
                - An IOMMU can enhance system resiliency against memory attacks. For more information, see [Advanced Configuration and Power Interface (ACPI) description tables](/windows-hardware/drivers/bringup/acpi-system-description-tables)| -|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
                - BIOS password or stronger authentication must be supported.
                - In the BIOS configuration, BIOS authentication must be set.
                - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.| +|Firmware: **Securing Boot Configuration and Management**|**Requirements**:
                - BIOS password or stronger authentication must be supported.
                - In the BIOS configuration, BIOS authentication must be set.
                - There must be support for protected BIOS option to configure list of permitted boot devices (for example, "Boot only from internal hard drive") and boot device order, overriding BOOTORDER modification made by operating system.
                - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.| |Firmware: **Secure MOR, revision 2 implementation**|**Requirement**:
                - Secure MOR, revision 2 implementation| ### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 diff --git a/windows/security/identity-protection/credential-guard/toc.yml b/windows/security/identity-protection/credential-guard/toc.yml new file mode 100644 index 0000000000..3661af7b0e --- /dev/null +++ b/windows/security/identity-protection/credential-guard/toc.yml @@ -0,0 +1,17 @@ +items: +- name: Protect derived domain credentials with Credential Guard + href: credential-guard.md +- name: How Credential Guard works + href: credential-guard-how-it-works.md +- name: Requirements + href: credential-guard-requirements.md +- name: Manage Credential Guard + href: credential-guard-manage.md +- name: Credential Guard protection limits + href: credential-guard-protection-limits.md +- name: Considerations when using Credential Guard + href: credential-guard-considerations.md +- name: Additional mitigations + href: additional-mitigations.md +- name: Known issues + href: credential-guard-known-issues.md \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c4e5d43423..cf9c8484b0 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -29,6 +29,9 @@ The policy setting has three components: ## Configure unlock factors +> [!CAUTION] +> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock. + The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include: @@ -40,8 +43,8 @@ Supported credential providers include: |Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| |Trusted Signal
                (Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| ->[!NOTE] ->Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. +> [!NOTE] +> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 629d9c561e..934a3f70de 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -139,7 +139,7 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) -1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available +1. Under *Enable to certificate for on-premises resources*, select **YES** 1. Select **Next** 1. Optionally, add *scope tags* > **Next** 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 
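Review bot: in the hello-hybrid-cert-whfb-provision.md hunk at @@ -139, `select **YES**` should be `select **Yes**`, matching the casing used for the TPM setting two lines above ("configure *Enable to use a Trusted Platform Module (TPM)* to **Yes**") and the sibling cloud Kerberos trust page edited in this same change.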
@@ -195,4 +195,4 @@ The certificate authority validates the certificate was signed by the registrati [MEM-3]: /mem/intune/configuration/custom-settings-configure [MEM-4]: /windows/client-management/mdm/passportforwork-csp [MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy -[MEM-6]: /mem/intune/protect/identity-protection-configure \ No newline at end of file +[MEM-6]: /mem/intune/protect/identity-protection-configure diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 1367cb8301..9cd071eac6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -67,7 +67,7 @@ To configure Windows Hello for Business using an account protection policy: 1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). -1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available. +1. Under **Enable to certificate for on-premises resources**, select **Not configured** 1. Select **Next**. 1. Optionally, add **scope tags** and select **Next**. 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**. 
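Review bot: the rewritten step `1. Under **Enable to certificate for on-premises resources**, select **Not configured**` in hello-hybrid-cloud-kerberos-trust-provision.md drops the trailing period that every other step in this list keeps (`1. Select **Next**.`, `1. Optionally, add **scope tags** and select **Next**.`); add the period so the list stays uniform.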
@@ -138,7 +138,7 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group --- > [!IMPORTANT] -> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**. +> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**. ## Provision Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 005fb6c685..84acf6b19c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -1,11 +1,11 @@ --- -title: Windows Hello for Business Overview (Windows) -description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11. +title: Windows Hello for Business Overview +description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices. ms.collection: - highpri - tier1 ms.topic: conceptual -ms.date: 12/31/2017 +ms.date: 04/24/2023 --- # Windows Hello for Business Overview 
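Review bot: the IMPORTANT note at @@ -138 now permits only **not configured** and drops **disabled**, but the first clause still reads "If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence", which by itself does not explain why Disabled is no longer acceptable. Either state what Disabled does to cloud Kerberos trust or keep Disabled in the list; as written, a reader whose devices already have the policy set to Disabled cannot tell whether they must change it.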
@@ -65,6 +65,8 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. +[!INCLUDE [windows-hello-for-business](../../../../includes/licensing/windows-hello-for-business.md)] + ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 64e9869d2a..c492d78079 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md 
@@ -20,9 +20,7 @@ Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. > [!IMPORTANT] -> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#helpdesk) in this article. - - +> For information on Remote Desktop connection scenarios involving helpdesk support, see [Remote Desktop connections and helpdesk support scenarios](#remote-desktop-connections-and-helpdesk-support-scenarios) in this article. ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options @@ -30,43 +28,28 @@ The following diagram helps you to understand how a standard Remote Desktop sess ![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) -
                - The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: ![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) -
                As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. -
                -
                Use the following table to compare different Remote Desktop connection security options: -
                -
                - - | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode | -|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | -| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | -| **Helps prevent**                    |      N/A          |

                • Pass-the-Hash
                • Use of a credential after disconnection
                |
                • Pass-the-Hash
                • Use of domain identity during connection
                | -| **Credentials supported from the remote desktop client device** |
                • Signed on credentials
                • Supplied credentials
                • Saved credentials
                |
                • Signed on credentials only |
                  • Signed on credentials
                  • Supplied credentials
                  • Saved credentials
                  | -| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | -| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. | -| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | -| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | - -
                  +|--|--|--|--| +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server | +| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                  For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). | +| **Helps prevent**                    |      N/A          |
                  • Pass-the-Hash
                  • Use of a credential after disconnection
                  |
                  • Pass-the-Hash
                  • Use of domain identity during connection
                  | +| **Credentials supported from the remote desktop client device** |
                  • Signed on credentials
                  • Supplied credentials
                  • Saved credentials
                  |
                  • Signed on credentials only |
                    • Signed on credentials
                    • Supplied credentials
                    • Saved credentials
                    | +| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | +| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host's identity**. | +| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | +| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol) and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)). -
                    - - - ## Remote Desktop connections and helpdesk support scenarios For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects. @@ -77,8 +60,7 @@ To further harden security, we also recommend that you implement Local Administr For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx). - - +[!INCLUDE [windows-defender-remote-credential-guard](../../../includes/licensing/windows-defender-remote-credential-guard.md)] ## Remote Credential Guard requirements 
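Review bot: the rewritten comparison table at @@ -30 in remote-credential-guard.md carries over the old rows' inconsistent punctuation: `Any negotiable protocol.` in the Remote Desktop column versus `Any negotiable protocol` in the Restricted Admin column, and the two Multi-hop cells differ only by a trailing period. Since every row is re-emitted anyway, normalise the cells (all with or all without a final period). The in-cell line breaks in the Restricted Admin "Version support" cell and in both "Helps prevent" and "Credentials supported" cells survive the rewrite; confirm they still render as bullet-style breaks after the blank lines around the table were removed.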
@@ -86,20 +68,17 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine. - -- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host. - -- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - -- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. +- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine +- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host +- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard +- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. 
Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk The Remote Desktop remote host: -- Must be running at least Windows 10, version 1607 or Windows Server 2016. -- Must allow Restricted Admin connections. -- Must allow the client's domain user to access Remote Desktop connections. -- Must allow delegation of non-exportable credentials. +- Must be running at least Windows 10, version 1607 or Windows Server 2016. +- Must allow Restricted Admin connections. +- Must allow the client's domain user to access Remote Desktop connections. +- Must allow delegation of non-exportable credentials. There are no hardware requirements for Windows Defender Remote Credential Guard. 
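Review bot: at @@ -86 the client-device bullets lose their trailing periods while the remote-host bullets rewritten in the same hunk keep theirs (`+- Must allow Restricted Admin connections.`); pick one convention for both lists. The first client bullet also carries a grammar slip into the new line, `to be able to supply credentials, which is sent to the remote device`; since the line is already being rewritten, make it `which are sent`.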
@@ -109,31 +88,26 @@ There are no hardware requirements for Windows Defender Remote Credential Guard. > GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials. - For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication. - - The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. - - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard. ## Enable Windows Defender Remote Credential Guard You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry. -1. Open Registry Editor on the remote host. +1. Open Registry Editor on the remote host +1. Enable Restricted Admin and Windows Defender Remote Credential Guard: -2. Enable Restricted Admin and Windows Defender Remote Credential Guard: + - Go to `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` + - Add a new DWORD value named **DisableRestrictedAdmin** + - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 - - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - - - Add a new DWORD value named **DisableRestrictedAdmin**. - - - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0. - -3. Close Registry Editor. +1. 
Close Registry Editor You can add this by running the following command from an elevated command prompt: -```console -reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD +```cmd +reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD ``` ## Using Windows Defender Remote Credential Guard 
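Review bot: at @@ -109 the command `reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD` has no `/f`, so on a host where the value already exists (for example set to 1 by an earlier hardening baseline) reg.exe stops to ask whether to overwrite it, which breaks a scripted rollout; either add `/f` or say in the text that the prompt may appear. The step list spells the key as `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` while the command uses `HKLM\SYSTEM\...`; both name the same key, but using one spelling avoids readers assuming they differ.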
@@ -142,36 +116,28 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C ### Turn on Windows Defender Remote Credential Guard by using Group Policy -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**. - -2. Double-click **Restrict delegation of credentials to remote servers**. - +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation** +1. Double-click **Restrict delegation of credentials to remote servers** ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) - -3. Under **Use the following restricted mode**: - - - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. +1. Under **Use the following restricted mode**: + - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used > [!NOTE] > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. 
- > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. + > When **Restrict Credential Delegation** is enabled, the /restrictedAdmin switch will be ignored. Windows will enforce the policy configuration instead and will use Windows Defender Remote Credential Guard. - - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. - - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. - -4. Click **OK**. - -5. Close the Group Policy Management Console. - -6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied. + - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#remote-credential-guard-requirements) listed earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. +1. Click **OK** +1. Close the Group Policy Management Console +1. 
From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied ### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. -```console +```cmd mstsc.exe /remoteGuard ``` 
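Review bot: In the remote-credential-guard.md hunk that reworks the Group Policy steps, the image line `![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)` now sits directly after the second `1.` item with no blank line and, as shown, no indentation; a bare image at column 0 ends the list, so the `1.` auto-numbering restarts for "Under **Use the following restricted mode**" and the later steps. Indent the image (and the `> [!NOTE]` block that follows the first nested bullet) under its parent item and keep a blank line before it. The retargeted anchors `#remote-credential-guard-requirements` and `#comparing-windows-defender-remote-credential-guard-with-other-remote-desktop-connection-options` are not visible in this diff, so confirm they match the headings of the current file. The `-`/`+` pair for the "/restrictedAdmin switch will be ignored" line shows no textual change; if it is a whitespace fix, say so in the commit message, otherwise drop it. "Click **OK**" is the only remaining "Click" in the list; "Select **OK**" matches the rest of the rewritten steps.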
@@ -180,12 +146,8 @@ mstsc.exe /remoteGuard ## Considerations when using Windows Defender Remote Credential Guard -- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied. - -- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. - -- Remote Desktop Credential Guard only works with the RDP protocol. - -- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. - -- The server and client must authenticate using Kerberos. +- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied +- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory +- Remote Desktop Credential Guard only works with the RDP protocol +- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own +- The server and client must authenticate using Kerberos diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index a44e2533fc..5d498cb152 100644 
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -21,3 +21,5 @@ This topic for IT professional provides links to resources about the implementat - [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer. - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card. + +[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)] \ No newline at end of file diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml new file mode 100644 index 0000000000..0d82f8c3a7 --- /dev/null +++ b/windows/security/identity-protection/smart-cards/toc.yml 
@@ -0,0 +1,28 @@ +items: +- name: Smart Card Technical Reference + href: smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: smart-card-events.md \ No newline at end of file diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml new file mode 100644 index 0000000000..c90f5b2316 --- /dev/null +++ b/windows/security/identity-protection/toc.yml 
@@ -0,0 +1,49 @@ +items: + - name: Overview + href: ../identity.md + - name: Windows credential theft mitigation guide + href: windows-credential-theft-mitigation-guide-abstract.md + - name: Passwordless sign-in + items: + - name: Windows Hello for Business 🔗 + href: hello-for-business/index.yml + - name: Windows presence sensing + href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb + - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗 + href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security + - name: FIDO 2 security key 🔗 + href: /azure/active-directory/authentication/howto-authentication-passwordless-security-key + - name: Federated sign-in 🔗 + href: /education/windows/federated-sign-in + - name: Smart Cards + href: smart-cards/toc.yml + - name: Virtual smart cards + href: virtual-smart-cards/toc.yml + displayName: VSC + - name: Enterprise Certificate Pinning + href: enterprise-certificate-pinning.md + - name: Advanced credential protection + items: + - name: Account Lockout Policy 🔗 + href: ../threat-protection/security-policy-settings/account-lockout-policy.md + - name: Technical support policy for lost or forgotten passwords + href: password-support-policy.md + - name: Windows LAPS (Local Administrator Password Solution) 🔗 + displayName: LAPS + href: /windows-server/identity/laps/laps-overview + - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen + href: ../threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md + displayName: EPP + - name: Access Control + items: + - name: Overview + href: access-control/access-control.md + displayName: ACL + - name: Local Accounts + href: access-control/local-accounts.md + - name: Security policy settings 🔗 + href: ../threat-protection/security-policy-settings/security-policy-settings.md + - name: Windows Defender Credential Guard + href: 
credential-guard/toc.yml + - name: Windows Defender Remote Credential Guard + href: remote-credential-guard.md \ No newline at end of file diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index e85aae3ab9..ad89a60ec7 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -18,6 +18,8 @@ Other apps, especially those that were not specifically designed with security s When an app needs to run with more than standard user rights, UAC allows users to run apps with their administrator token (with administrative groups and privileges) instead of their default, standard user access token. Users continue to operate in the standard user security context, while enabling certain apps to run with elevated privileges, if needed. +[!INCLUDE [user-account-control-uac](../../../../includes/licensing/user-account-control-uac.md)] + ## Practical applications Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process. diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml new file mode 100644 index 0000000000..68842b6001 --- /dev/null +++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml 
@@ -0,0 +1,17 @@ +items: +- name: Virtual Smart Card overview + href: virtual-smart-card-overview.md + items: + - name: Understand and evaluate virtual smart cards + href: virtual-smart-card-understanding-and-evaluating.md + items: + - name: Get started with virtual smart cards + href: virtual-smart-card-get-started.md + - name: Use virtual smart cards + href: virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy virtual smart cards + href: virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate virtual smart card security + href: virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: virtual-smart-card-tpmvscmgr.md \ No newline at end of file diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 15f788082b..8a775eea81 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -14,6 +14,8 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win > [!NOTE] > This guide does not explain server deployment. +[!INCLUDE [virtual-private-network-vpn](../../../../includes/licensing/virtual-private-network-vpn.md)] + ## In this guide | Article | Description | diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index a3b7a72ca1..d6c02185e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -52,6 +52,8 @@ BitLocker control panel, and they're appropriate to be used for automated deploy To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker). +[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker.md)] + ## System requirements BitLocker has the following hardware requirements: diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 4523cd4552..035d511240 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -48,6 +48,8 @@ Encrypted hard drives are supported natively in the operating system through the If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). +[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)] + ## System Requirements To use encrypted hard drives, the following system requirements apply: diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md deleted file mode 100644 index f84702dd1c..0000000000 --- a/windows/security/information-protection/index.md +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: Information protection (Windows 10) -description: Learn more about how to protect sensitive data across your organization. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: conceptual -ms.date: 03/09/2023 -ms.technology: itpro-security ---- - -# Information protection - -Learn more about how to secure documents and other data across your organization. - -| Section | Description | -|-|-| -| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. | -| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. | -| [Kernel DMA Protection](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to PCI accessible ports, such as Thunderbolt™ 3 ports. | -| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| -| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. | -| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. | 
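Review bot: Deleting windows/security/information-protection/index.md removes a landing page that, per the table in this hunk, covered six areas (BitLocker, Encrypted Hard Drive, Kernel DMA Protection, Windows Information Protection, the Windows 10 boot process, and TPM), so the PR needs a redirect entry for this path in .openpublishing.redirection.json and the redirect target should be a page that still reaches all six topics, not only the encryption ones. Also check for inbound links to this index.md (TOC entries and "Related topics" sections) and update them, since a deleted file with a redirect still produces build warnings for relative links.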
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index eb8db70020..f0503ef3a9 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -41,6 +41,8 @@ When Kernel DMA Protection is enabled: - Peripherals with DMA Remapping-compatible device drivers will be automatically enumerated and started - Peripherals with DMA Remapping-incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. The peripheral will continue to function normally if the user locks the screen or signs out of the system. +[!INCLUDE [kernel-direct-memory-access-dma-protection](../../../includes/licensing/kernel-direct-memory-access-dma-protection.md)] + ## System compatibility Kernel DMA Protection requires UEFI firmware support, and Virtualization-based Security (VBS) isn't required. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index a88c9d276a..c7efa3d342 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -23,6 +23,8 @@ ms.date: 03/13/2023 [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] +[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)] + ## Prerequisites ### Required 
diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md index 5274334565..d2d8321257 100644 --- a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md +++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md @@ -18,7 +18,7 @@ ms.technology: itpro-security Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. -Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. +Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. ## What is Microsoft Pluton? @@ -46,6 +46,8 @@ When the system boots, Pluton hardware initialization is performed by loading th ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png) +[!INCLUDE [microsoft-pluton-security-processor](../../../../includes/licensing/microsoft-pluton-security-processor.md)] + ## Related topics [Microsoft Pluton as TPM](pluton-as-tpm.md) 
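Review bot: In the first microsoft-pluton-security-processor.md hunk, the `-`/`+` pair for "Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors" shows no visible difference, so this is a whitespace or non-printing-character change; either note that in the commit message or drop the hunk so the diff stays limited to the licensing include. The include path `../../../../includes/licensing/microsoft-pluton-security-processor.md` resolves correctly from windows/security/information-protection/pluton/.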
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 2c2f23d5cb..d3a0a6e2b7 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -50,6 +50,8 @@ Anti-malware software can use the boot measurements of the operating system star The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). +[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm-20.md)] + ## New and changed functionality For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module) diff --git a/windows/security/introduction/index.md b/windows/security/introduction/index.md new file mode 100644 index 0000000000..f051acac9f --- /dev/null +++ b/windows/security/introduction/index.md 
@@ -0,0 +1,57 @@ +--- +title: Introduction to Windows security +description: System security book. +ms.date: 04/24/2023 +ms.topic: tutorial +ms.author: paoloma +ms.custom: ai-gen-docs +author: paolomatarazzo +appliesto: + - ✅ Windows 11 +--- + +# Introduction to Windows security + +The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks. + +Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../threat-protection/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud. + +## How Windows 11 enables Zero Trust protection + +A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles: + +1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception +1. When verified, give people and devices access to only necessary resources for the necessary amount of time +1. Use continuous analytics to drive threat detection and improve defenses + +For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md). 
IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. + +### Security, by default + +Windows 11 is a natural evolution of its predecessor, Windows 10. We have collaborated with our manufacturer and silicon partners to incorporate extra hardware security measures that address the increasingly complex security threats of today. These measures not only enable the hybrid work and learning that many organizations now embrace but also help bolster our already strong foundation and resilience against attacks. + +### Enhanced hardware and operating system security + +With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering. + +In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../trusted-boot.md) built-in and enabled by default to contain and limit malware exploits. + +### Robust application security and privacy controls + +To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. 
This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. + +In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/device-experiences/oem-app-guard) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone. + +### Secured identities + +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/hello-overview.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. + +### Connecting to cloud services + +Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. 
You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Azure Active Directory and Microsoft Azure Attestation to control access to applications and data through the cloud. + +## Next steps + +To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook). + +[!INCLUDE [ai-disclaimer-generic](../../../includes/ai-disclaimer-generic.md)] \ No newline at end of file diff --git a/windows/security/introduction/security-features-edition-requirements.md b/windows/security/introduction/security-features-edition-requirements.md new file mode 100644 index 0000000000..0cffb54f8f --- /dev/null +++ b/windows/security/introduction/security-features-edition-requirements.md @@ -0,0 +1,26 @@ +--- +title: Windows security features and edition requirements +description: Learn about Windows edition requirements for the feature included in Windows. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 05/04/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows security features and edition requirements + +This article lists the security features that are available in Windows, and the Windows editions that support them. + +> [!NOTE] +> The **Windows edition** requirements listed in the following table may be different from the **licensing** requirements. If you're looking for licensing requirements, see [Windows security features and licensing requirements](security-features-licensing-requirements.md). + +[!INCLUDE [_edition-requirements](../../../includes/licensing/_edition-requirements.md)] + +For more information about Windows licensing, see [Windows Commercial Licensing overview](/windows/whats-new/windows-licensing). 
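Review bot: In the new security-features-edition-requirements.md, the metadata `description: Learn about Windows edition requirements for the feature included in Windows.` should read "for the features included in Windows" (plural); the same wording appears in the body sentence "This article lists the security features that are available in Windows", so the description is the odd one out. The `ms.date: 05/04/2023` also differs from the 04/24/2023 used by the other new files in this change; align them if they were authored together.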
diff --git a/windows/security/introduction/security-features-licensing-requirements.md b/windows/security/introduction/security-features-licensing-requirements.md new file mode 100644 index 0000000000..df7e5bdcec --- /dev/null +++ b/windows/security/introduction/security-features-licensing-requirements.md @@ -0,0 +1,26 @@ +--- +title: Windows security features and licensing requirements +description: Learn about Windows features and licensing requirements for the feature included in Windows. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier3 +ms.topic: conceptual +ms.date: 04/24/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows security features and licensing requirements + +This article lists the security features that are available in Windows, and the licensing requirements to use them. + +> [!NOTE] +> The **licensing** requirements listed in the following table may be different from the **Windows edition** requirements. If you're looking for Windows edition requirements, see [Windows security features and edition requirements](security-features-edition-requirements.md). + +[!INCLUDE [_licensing-requirements](../../../includes/licensing/_licensing-requirements.md)] + +For more information about Windows licensing, see [Windows Commercial Licensing overview](/windows/whats-new/windows-licensing). diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml new file mode 100644 index 0000000000..56500215a0 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/toc.yml 
@@ -0,0 +1,152 @@ +items: +- name: Overview + href: ../../encryption-data-protection.md +- name: BitLocker + href: ../../information-protection/bitlocker/bitlocker-overview.md + items: + - name: Overview of BitLocker Device Encryption in Windows + href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: ../../information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: 
../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: ../../information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting + - name: "BitLocker cannot encrypt a drive: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues + - name: "BitLocker Network Unlock: known issues" + href: 
/troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues + - name: "BitLocker recovery: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues + - name: "BitLocker configuration: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues + - name: "BitLocker and TPM: other known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues + - name: Decode Measured Boot logs to track PCR changes + href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes +- name: Encrypted Hard Drive + href: ../../information-protection/encrypted-hard-drive.md +- name: Personal Data Encryption (PDE) + items: + - name: Personal Data Encryption (PDE) overview + href: ../../information-protection/personal-data-encryption/overview-pde.md + - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) + href: ../../information-protection/personal-data-encryption/faq-pde.yml + - name: Configure Personal Data Encryption (PDE) in Intune + items: + - name: Configure Personal Data Encryption (PDE) in Intune + href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Enable Personal Data Encryption (PDE) + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md + - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md + - name: Disable kernel-mode crash dumps and live dumps for PDE + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
+ - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md + - name: Disable hibernation for PDE + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md + - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE + href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +- name: Configure S/MIME for Windows + href: ../../identity-protection/configure-s-mime.md +- name: Windows Information Protection (WIP) + href: ../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: ../../information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy in Microsoft Intune + href: ../../information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy in Microsoft Intune + href: ../../information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP in Microsoft Intune + href: ../../information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: ../../information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the enterprise context of an app running in WIP + href: ../../information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Configuration Manager + href: 
../../information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy in Configuration Manager + href: ../../information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: ../../information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the enterprise context of an app running in WIP + href: ../../information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: ../../information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: ../../information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: ../../information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: ../../information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: ../../information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: ../../information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: ../../information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: ../../information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: 
../../information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: ../../information-protection/windows-information-protection/wip-learning.md + - name: Disable WIP + href: ../../information-protection/windows-information-protection/how-to-disable-wip.md \ No newline at end of file diff --git a/windows/security/operating-system-security/device-management/toc.yml b/windows/security/operating-system-security/device-management/toc.yml new file mode 100644 index 0000000000..239b2eb2a6 --- /dev/null +++ b/windows/security/operating-system-security/device-management/toc.yml 
@@ -0,0 +1,26 @@ +items: + - name: Security policy settings + href: ../../threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: ../../threat-protection/auditing/security-auditing-overview.md + - name: Secured-core configuration lock + href: /windows/client-management/config-lock + - name: Assigned Access (kiosk mode) + href: /windows/configuration/kiosk-methods + - name: Security baselines + href: ../../threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: ../../threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: ../../threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Guide to removing Microsoft Baseline Security Analyzer (MBSA) + href: ../../threat-protection/mbsa-removal-and-guidance.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: ../../threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: ../../threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: ../../threat-protection/block-untrusted-fonts-in-enterprise.md \ No newline at end of file diff --git a/windows/security/operating-system-security/network-security/toc.yml b/windows/security/operating-system-security/network-security/toc.yml new file mode 100644 index 0000000000..af372280a4 --- /dev/null +++ b/windows/security/operating-system-security/network-security/toc.yml 
@@ -0,0 +1,40 @@ +items: +- name: Transport layer security (TLS) + href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview +- name: WiFi Security + href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09 +- name: Windows Firewall + href: ../../threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +- name: Virtual Private Network (VPN) + href: ../../identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: ../../identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: ../../identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: ../../identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: ../../identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: ../../identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: ../../identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: ../../identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: ../../identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: ../../identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: ../../identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows VPN client + href: ../../identity-protection/vpn/vpn-office-365-optimization.md +- name: Always On VPN + href: /windows-server/remote/remote-access/vpn/always-on-vpn/ +- name: Direct Access + href: /windows-server/remote/remote-access/directaccess/directaccess +- name: Server Message Block (SMB) file service + href: 
/windows-server/storage/file-server/file-server-smb-overview +- name: Server Message Block Direct (SMB Direct) + href: /windows-server/storage/file-server/smb-direct \ No newline at end of file diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml new file mode 100644 index 0000000000..86abf54e55 --- /dev/null +++ b/windows/security/operating-system-security/system-security/toc.yml 
@@ -0,0 +1,28 @@ +items: +- name: Secure the Windows boot process + href: ../../information-protection/secure-the-windows-10-boot-process.md +- name: Secure Boot and Trusted Boot + href: ../../trusted-boot.md +- name: Measured Boot + href: /windows/compatibility/measured-boot +- name: Device health attestation service + href: ../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +- name: Cryptography and certificate management + href: ../../cryptography-certificate-mgmt.md +- name: The Windows Security app + href: ../../threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: ../../threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: ../../threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: ../../threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: ../../threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: ../../threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: ../../threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: ../../threat-protection\windows-defender-security-center\wdsc-family-options.md \ No newline at end of file diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml new file mode 100644 index 0000000000..a0ee50c4bb --- /dev/null +++ b/windows/security/operating-system-security/toc.yml 
@@ -0,0 +1,13 @@ +items: +- name: Overview + href: ../operating-system.md +- name: System security + href: system-security/toc.yml +- name: Virus and threat protection + href: virus-and-threat-protection/toc.yml +- name: Network security + href: network-security/toc.yml +- name: Data protection + href: data-protection/toc.yml +- name: Device management + href: device-management/toc.yml \ No newline at end of file diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml new file mode 100644 index 0000000000..a8c5cdf1e5 --- /dev/null +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -0,0 +1,21 @@ +items: +- name: Overview + href: ../../threat-protection/index.md +- name: Microsoft Defender Antivirus + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows +- name: Configuring LSA Protection + href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json +- name: Attack surface reduction (ASR) + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction +- name: Tamper protection for MDE + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection +- name: Microsoft Vulnerable Driver Blocklist + href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +- name: Controlled folder access + href: /microsoft-365/security/defender-endpoint/controlled-folders +- name: Exploit protection + href: /microsoft-365/security/defender-endpoint/exploit-protection +- name: Microsoft Defender SmartScreen + href: ../../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +- name: Microsoft Defender for Endpoint + href: /microsoft-365/security/defender-endpoint \ No newline at end of file diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml new file mode 100644 index 0000000000..70d9d800b8 --- /dev/null +++ b/windows/security/security-foundations/certification/toc.yml @@ -0,0 +1,5 @@ +items: +- name: FIPS 140-2 Validation + href: ../../threat-protection/fips-140-validation.md +- name: Common Criteria Certifications + href: ../../threat-protection/windows-platform-common-criteria.md \ No newline at end of file diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml new file mode 100644 index 0000000000..d52c477387 --- /dev/null 
+++ b/windows/security/security-foundations/toc.yml @@ -0,0 +1,7 @@ +items: +- name: Overview + href: ../security-foundations.md +- name: Microsoft Security Development Lifecycle + href: ../threat-protection/msft-security-dev-lifecycle.md +- name: Certification + href: certification/toc.yml \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 98746150c6..ea8fbab15b 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -179,8 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | -| ## Table 4. Kerberos encryption types | | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. 
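Review bot: the row removed in the `@@ -179,8` hunk of event-4769.md, `| ## Table 4. Kerberos encryption types | | |`, was a caption that had been mangled into a table row rather than pure junk; deleting it leaves the encryption-type table that follows the **Ticket Encryption Type** bullet without its "Table 4" label, while the numbering implies Tables 1 to 3 exist elsewhere in the article. Suggest restoring it outside the table as a plain caption line, for example `**Table 4. Kerberos encryption types**`, immediately above that table instead of dropping the text.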
@@ -252,7 +251,7 @@ The table below contains the list of the most common error codes for this event: | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | -| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                    Multiple recent password changes hanven't propagated.
                    Crypto subsystem error caused by running out of memory.
                    SPN too long.
                    SPN has too many parts. | +| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                    Multiple recent password changes haven't propagated.
                    Crypto subsystem error caused by running out of memory.
                    SPN too long.
                    SPN has too many parts. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index afc6aaef79..f6a9150ebc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md 
@@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa -ms.date: 09/09/2021 +ms.date: 05/01/2023 ms.reviewer: manager: aaroncz ms.custom: asr @@ -49,6 +49,8 @@ Application Guard has been created to target several types of devices: - **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. +[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)] + ## Related articles |Article |Description | diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 8723d513d2..3c1ed6dcea 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md 
@@ -1,59 +1,57 @@ --- -title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows) +title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security ms.topic: reference +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings -**Applies to:** - -- Windows 10 -- Windows 11 Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. - +See [Windows 10 and Windows 11 settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. ## Group Policy settings + SmartScreen uses registry-based Administrative Template policy settings. 
Setting|Supported on|Description| |--- |--- |--- | |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    **Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                    **At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

                    **Important:** Using a trustworthy browser helps ensure that these protections work as expected.| +|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.

                    **Important:** Using a trustworthy browser helps ensure that these protections work as expected.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

                    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

                    **Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

                    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

                    **Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

                    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

                    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

                    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

                    **Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

                    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

                    If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

                    If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| +|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

                    If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that aren't on the filter's allowlist are sent automatically to Microsoft without prompting the employee.

                    If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| |Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.

                    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

                    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

                    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

                    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| - +|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that aren't commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users don't commonly download from the Internet.

                    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

                    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| ## MDM settings -If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune.

                    + +If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. + For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). |Setting|Supported versions|Details| |--- |--- |--- | -|AllowSmartScreen|Windows 10|
                  • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                  • **Data type.** Integer**Allowed values:**
                    • **0 .** Turns off Microsoft Defender SmartScreen in Edge.
                    • **1.** Turns on Microsoft Defender SmartScreen in Edge.| -|EnableAppInstallControl|Windows 10, version 1703|
                    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                    • **Data type.** Integer**Allowed values:**
                      • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                      • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| -|EnableSmartScreenInShell|Windows 10, version 1703|
                      • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                      • **Data type.** Integer**Allowed values:**
                        • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                        • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| -|PreventOverrideForFilesInShell|Windows 10, version 1703|
                        • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                        • **Data type.** Integer**Allowed values:**
                          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| -|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
                          • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                          • **Data type.** Integer**Allowed values:**
                            • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
                            • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| -|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
                            • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                            • **Data type.** Integer**Allowed values:**
                              • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
                              • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| +|AllowSmartScreen|Windows 10|
                              • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                              • **Data type.** Integer
                              • **Allowed values:**
                                • **0 .** Turns off Microsoft Defender SmartScreen in Microsoft Edge.
                                • **1.** Turns on Microsoft Defender SmartScreen in Microsoft Edge.| +|EnableAppInstallControl|Windows 10, version 1703|
                                • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                                • **Data type.** Integer
                                • **Allowed values:**
                                  • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                                  • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| +|EnableSmartScreenInShell|Windows 10, version 1703|
                                  • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                                  • **Data type.** Integer
                                  • **Allowed values:**
                                    • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                                    • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| +|PreventOverrideForFilesInShell|Windows 10, version 1703|
                                    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                                    • **Data type.** Integer
                                    • **Allowed values:**
                                      • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                                      • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| +|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
                                      • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                                      • **Data type.** Integer
                                      • **Allowed values:**
                                        • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
                                        • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| +|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
                                        • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                                        • **Data type.** Integer
                                        • **Allowed values:**
                                          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
                                          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| ## Recommended Group Policy and MDM settings for your organization + By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. @@ -73,10 +71,6 @@ To better help you protect your organization, we recommend turning on and using |SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft Defender SmartScreen in Windows.

                                            Requires at least Windows 10, version 1703.| |SmartScreen/PreventOverrideForFilesInShell|**1.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                                            Requires at least Windows 10, version 1703.| -## Related topics - -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) +## Related articles - [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index dbb586c517..b58a2be3ac 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
@@ -14,34 +14,32 @@ ms.collection: - highpri ms.date: 03/20/2023 ms.topic: article +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Microsoft Edge --- # Microsoft Defender SmartScreen -**Applies to:** - -- Windows 10 -- Windows 11 -- Microsoft Edge - Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it shows a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. **Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. -- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. +- Checking downloaded files against a list of files that are well known and downloaded frequently. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. 
## Benefits of Microsoft Defender SmartScreen Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). -- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. +- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. 
If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). @@ -50,6 +48,8 @@ Microsoft Defender SmartScreen provide an early warning system against websites > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. +[!INCLUDE [microsoft-defender-smartscreen](../../../../includes/licensing/microsoft-defender-smartscreen.md)] + ## Submit files to Microsoft Defender SmartScreen for review If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). 
@@ -58,32 +58,6 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select * ![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) -## Viewing Microsoft Defender SmartScreen anti-phishing events - -> [!NOTE] -> No SmartScreen events are logged when using Microsoft Edge version 77 or later. - -When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). - -## Viewing Windows event logs for Microsoft Defender SmartScreen - -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. - -Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: - -```console -wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true -``` - -> [!NOTE] -> For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1). - -| EventID | Description | -|---|---| -| 1000 | Application Windows Defender SmartScreen Event | -| 1001 | Uri Windows Defender SmartScreen Event | -| 1002 | User Decision Windows Defender SmartScreen Event | - ## Related articles - [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index 8597ee9893..7ca1ed702c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
@@ -10,21 +10,19 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 10/07/2022 adobe-target: true -appliesto: - - ✅ Windows 11, version 22H2 +appliesto: +- ✅ Windows 11, version 22H2 ms.topic: conceptual --- -# Enhanced Phishing Protection in Microsoft Defender SmartScreen +# Enhanced Phishing Protection in Microsoft Defender SmartScreen Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways: - -- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. +Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in these ways: +- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account. - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password. 
- - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file. ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen 
@@ -35,13 +33,15 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them. -- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. +- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you can see valuable phishing sensors data in the Microsoft 365 Defender Portal. 
This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. -- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled. +- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. + +[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. 
Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -50,10 +50,9 @@ To configure devices using Microsoft Intune, create a [**Settings catalog** poli |Setting|Description| |---------|---------| |Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                                          • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| - +|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| Assign the policy to a security group that contains as members the devices or users that you want to configure. @@ -64,9 +63,9 @@ Enhanced Phishing Protection can be configured using the following Administrativ |Setting|Description| |---------|---------| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                                          • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) @@ -83,7 +82,7 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ ### Recommended settings for your organization -By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. +By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. 
@@ -106,7 +105,7 @@ To better help you protect your organization, we recommend turning on and using |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) - + |MDM setting|Recommendation| |---------|---------| |ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| @@ -118,10 +117,8 @@ To better help you protect your organization, we recommend turning on and using ## Related articles -- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md) - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) -- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) ------------ diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index b6fcd28bd2..a29c0cb634 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -1,5 +1,5 @@ --- -title: Control the health of Windows 10-based devices (Windows 10) +title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.prod: windows-client ms.date: 10/13/2017 @@ -11,7 +11,7 @@ manager: dougeby ms.topic: conceptual --- -# Control the health of Windows 10-based devices +# Control the health of Windows devices **Applies to** @@ -327,6 +327,8 @@ For Windows 10-based devices, Microsoft introduces a new public API that will al For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. +[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)] + ### Hardware requirements The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 1e4b1fa586..df9030461f 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml 
@@ -1,22 +1,22 @@ - name: Security policy settings href: security-policy-settings.md - items: + items: - name: Administer security policy settings href: administer-security-policy-settings.md - items: + items: - name: Network List Manager policies href: network-list-manager-policies.md - name: Configure security policy settings href: how-to-configure-security-policy-settings.md - name: Security policy settings reference href: security-policy-settings-reference.md - items: + items: - name: Account Policies href: account-policies.md - items: + items: - name: Password Policy href: password-policy.md - items: + items: - name: Enforce password history href: enforce-password-history.md - name: Maximum password age @@ -31,7 +31,7 @@ href: store-passwords-using-reversible-encryption.md - name: Account Lockout Policy href: account-lockout-policy.md - items: + items: - name: Account lockout duration href: account-lockout-duration.md - name: Account lockout threshold @@ -40,7 +40,7 @@ href: reset-account-lockout-counter-after.md - name: Kerberos Policy href: kerberos-policy.md - items: + items: - name: Enforce user logon restrictions href: enforce-user-logon-restrictions.md - name: Maximum lifetime for service ticket @@ -55,7 +55,7 @@ href: audit-policy.md - name: Security Options href: security-options.md - items: + items: - name: "Accounts: Administrator account status" href: accounts-administrator-account-status.md - name: "Accounts: Block Microsoft accounts" 
@@ -92,6 +92,8 @@ href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md - name: "Domain controller: Allow server operators to schedule tasks" href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server channel binding token requirements" + href: domain-controller-ldap-server-channel-binding-token-requirements.md - name: "Domain controller: LDAP server signing requirements" href: domain-controller-ldap-server-signing-requirements.md - name: "Domain controller: Refuse machine account password changes" @@ -250,7 +252,7 @@ href: secpol-advanced-security-audit-policy-settings.md - name: User Rights Assignment href: user-rights-assignment.md - items: + items: - name: Access Credential Manager as a trusted caller href: access-credential-manager-as-a-trusted-caller.md - name: Access this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 03d4f6bba0..301d74416d 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -32,6 +32,8 @@ The following topics provide a discussion of each policy setting's implementatio >[!NOTE] >Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](/troubleshoot/windows-server/networking/configure-remote-access-client-account-lockout). +[!INCLUDE [account-lockout-policy](../../../../includes/licensing/account-lockout-policy.md)] + ## In this section | Topic | Description | 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md new file mode 100644 index 0000000000..24614ad5c4 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md 
@@ -0,0 +1,90 @@ +--- +title: Domain controller LDAP server channel binding token requirements +description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting. +ms.reviewer: waynmc +ms.author: waynmc +ms.prod: windows-client +ms.localizationpriority: medium +author: vinaypamnani-msft +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +--- + +# Domain controller: LDAP server channel binding token requirements + +**Applies to**: + +- Windows Server + +This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server channel binding token requirements** security policy setting. + +## Reference + +This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate channel bindings (EPA). + +Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. + +- If channel binding is set to Always, LDAP clients who don't support channel bindings will be rejected. 
+- If channel binding is set to when supported, only incorrect channel bindings will be blocked, and clients who don't support channel binding can continue to connect via LDAP over TLS. + +CBT or EPA is used with TLS sessions when a SASL authentication method is used to authenticate the user. SASL means you use NTLM or Kerberos for user authentication. LDAP Simple Bind over TLS doesn't offer channel binding token protection and is therefore not recommended. + +### Possible values + +- **Never**: No channel binding validation is performed. This is the behavior of all servers that haven't been updated. +- **When Supported**: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that don't advertise such support and/or don't use TLS/SSL connections aren't impacted. This is an intermediate option that allows for application compatibility. +- **Always**: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that don't do so. + +### Best practices + +We recommend that you set **Domain controller: LDAP server channel binding token requirements** to **Always**. Clients that don't support LDAP channel binding will be unable to execute LDAP queries against the domain controllers. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page. 
+ +| Server type or GPO | Default value | +|--------------------------------------------|---------------| +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| DC Effective Default Settings | None | +| Member Server Effective Default Settings | None | +| Client Computer Effective Default Settings | None | + +## Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. + +### Countermeasure + +Configure the **Domain controller: LDAP server channel binding token requirements** setting to **Always**. + +### Potential impact + +Client devices that don't support LDAP channel binding can't run LDAP queries against the domain controllers. 
+ +## Related articles + +- [Security Options](security-options.md) +- [LDAP session security settings and requirements after ADV190023 is installed](/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023) +- [2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a) +- [KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure](https://support.microsoft.com/topic/kb4034879-use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e) diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index e5a2bba1d9..5cac6b5f49 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md 
@@ -71,6 +71,8 @@ The Security Settings extension of the Local Group Policy Editor includes the fo - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks by using cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. - **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. +[!INCLUDE [windows-security-policy-settings-and-auditing](../../../../includes/licensing/windows-security-policy-settings-and-auditing.md)] + ## Policy-based security settings management The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 04be400ff9..cc7b86329f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -13,7 +13,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 03/24/2023 +ms.date: 05/09/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -62,35 +62,35 @@ Represents why verification failed, or if it succeeded. | VerificationError Value | Explanation | |---|----------| -| 0 | Successfully verified signature | -| 1 | File has an invalid hash | -| 2 | File contains shared writable sections | -| 3 | File isn't signed| -| 4 | Revoked signature | -| 5 | Expired signature | -| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy | -| 7 | Invalid root certificate | -| 8 | Signature was unable to be validated; generic error | -| 9 | Signing time not trusted | -| 10 | The file must be signed using page hashes for this scenario | -| 11 | Page hash mismatch | -| 12 | Not valid for a PPL (Protected Process Light) | -| 13 | Not valid for a PP (Protected Process) | -| 14 | The signature is missing the required ARM processor EKU | -| 15 | Failed WHQL check | -| 16 | Default policy signing level not met | -| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs | -| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI | -| 19 | Binary is revoked based on its file hash | -| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy | -| 21 | Failed to pass Windows Defender Application Control policy | -| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a non-trustlet binary into a trustlet | -| 23 | Invalid image hash | -| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS | -| 25 | Anti-cheat policy violation | -| 26 | Explicitly denied by WADC policy | -| 27 | The signing chain appears to be tampered/invalid | -| 28 | Resource page hash mismatch | +| 0 | Successfully verified signature. | +| 1 | File has an invalid hash. | +| 2 | File contains shared writable sections. | +| 3 | File isn't signed. | +| 4 | Revoked signature. | +| 5 | Expired signature. 
| +| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy. | +| 7 | Invalid root certificate. | +| 8 | Signature was unable to be validated; generic error. | +| 9 | Signing time not trusted. | +| 10 | The file must be signed using page hashes for this scenario. | +| 11 | Page hash mismatch. | +| 12 | Not valid for a PPL (Protected Process Light). | +| 13 | Not valid for a PP (Protected Process). | +| 14 | The signature is missing the required ARM processor EKU. | +| 15 | Failed WHQL check. | +| 16 | Default policy signing level not met. | +| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs. | +| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI. | +| 19 | Binary is revoked based on its file hash. | +| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy. | +| 21 | Failed to pass Windows Defender Application Control policy. | +| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. | +| 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. | +| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. | +| 25 | Anti-cheat policy violation. | +| 26 | Explicitly denied by WADC policy. | +| 27 | The signing chain appears to be tampered/invalid. | +| 28 | Resource page hash mismatch. | ## Policy activation event Options diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 161e563a19..a03dd12363 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -59,6 +59,8 @@ The blocklist is updated with each new major release of Windows, typically 1-2 t Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. +[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)] + ## Blocking vulnerable drivers using WDAC Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 0aa63e99f8..a9c0d42e86 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -9,7 +9,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 04/04/2023 +ms.date: 05/09/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -51,7 +51,7 @@ When the WDAC engine evaluates files against the active set of policies on the d 1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. -2. Explicit allow rules - if any explicit allow rul exists for the file, it's allowed by the policy. +2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs. 3. WDAC then checks for the [Managed Installer extended attribute (EA)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) or the [Intelligent Security Graph (ISG) EA](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) on the file. If either EA exists and the policy enables the corresponding option, then the file is allowed. 
@@ -71,7 +71,11 @@ When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when ### .NET native images may generate false positive block events -In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. +In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. + +### Signatures using elliptical curve cryptography (ECC) aren't supported + +WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. ### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index aa785afde2..ac8c1073a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 04/05/2023 +ms.date: 05/09/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -48,7 +48,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **1 Enabled:Boot Menu Protection** | This option isn't currently supported. | No | | **2 Required:WHQL** | By default, kernel drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to run. Enabling this rule requires that every driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No | | **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No | -| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not pre-release Windows builds. | No | +| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No | | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes | | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes | | **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes | 
@@ -72,6 +72,9 @@ File rule levels allow administrators to specify the level at which they want to Each file rule level has advantages and disadvantages. Use Table 2 to select the appropriate protection level for your available administrative resources and WDAC deployment scenario. +> [!NOTE] +> WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. Files can be allowed instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. + ### Table 2. Windows Defender Application Control policy - file rule levels | Rule level | Description | 
@@ -82,7 +85,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). | | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | -| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | +| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. 
| | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | | **RootCertificate** | Not supported. | | **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | @@ -175,7 +178,7 @@ The Authenticode/PE image hash can be calculated for digitally signed and unsign The PowerShell cmdlet produces an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. During validation, WDAC selects which hashes are calculated based on how the file is signed and the scenario in which the file is used. For example, if the file is page-hash signed, WDAC validates each page of the file and avoids loading the entire file in memory to calculate the full sha256 authenticode hash. -In the cmdlets, rather than try to predict which hash will be used, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. +In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. ### Why does scan create eight hash rules for certain XML files? diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 2ba7d43f84..9f1f0f96d3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -73,6 +73,8 @@ Smart App Control enforces the [Microsoft Recommended Driver Block rules](micros - Microsoft.Build.Framework.dll - Wslhost.dll +[!INCLUDE [windows-defender-application-control-wdac](../../../../includes/licensing/windows-defender-application-control-wdac.md)] + ## Related articles - [WDAC design guide](windows-defender-application-control-design-guide.md) diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md index 10b4f41000..74e332cb87 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md 
@@ -30,7 +30,7 @@ With Windows 7, one of the means attackers would use to persist and evade detect This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. -This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). +This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM). As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. 
@@ -69,18 +69,20 @@ Paging protection can be implemented to lock certain code tables to be read-only A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to. SMM protection is built on top of the Secure Launch technology and requires it to function. -In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with. +In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with. ## Validating platform integrity after Windows is running (run time) -While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity. +While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. 
So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity. -As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. +As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few. ![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png) After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. 
+[!INCLUDE [windows-defender-system-guard](../../../../includes/licensing/windows-defender-system-guard.md)] + ## System requirements for System Guard This feature is available for the following processors: diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 282125d3bd..a5468a9a20 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -23,7 +23,7 @@ Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Serv The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - +[!INCLUDE [windows-firewall](../../../../includes/licensing/windows-firewall.md)] ## Feature description diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 74e81b1a05..8f3d7bd7de 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
@@ -32,10 +32,10 @@ Windows Sandbox has the following properties: > [!IMPORTANT] > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). +[!INCLUDE [windows-sandbox](../../../../includes/licensing/windows-sandbox.md)] + ## Prerequisites -- Windows 10, version 1903 and later, or Windows 11 -- Windows Pro, Enterprise or Education edition - ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 238193ef00..b4829615f9 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -41,6 +41,8 @@ For example, there are over 3,000 group policy settings for Windows 10, which do In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as group policy object backups. +[!INCLUDE [security-baselines](../../../../includes/licensing/security-baselines.md)] + ## Baseline principles Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially: 
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index ad5c50ecc7..8790964196 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -29,6 +29,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. +[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)] + ## See also [Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index d6159d39a6..64a4233745 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -13,7 +13,7 @@ ms.date: 12/31/2017 --- # Zero Trust and Windows device health -Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments. +Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments. The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: 
@@ -27,12 +27,12 @@ The Zero Trust concept of **verify explicitly** applies to the risks introduced [Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources. -Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling. Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. ## Device health attestation on Windows - Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines: - If the device can be trusted - If the operating system booted correctly 
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 0e145097a8..b3ff701a34 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml @@ -24,6 +24,8 @@ href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 href: whats-new-windows-10-version-20H2.md +- name: Windows commercial licensing overview + href: windows-licensing.md - name: Deprecated and removed Windows features expanded: false items: diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index c988c8ebb4..f11b6dbc0c 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -32,6 +32,8 @@ landingContent: url: windows-11-plan.md - text: Prepare for Windows 11 url: windows-11-prepare.md + - text: Windows commercial licensing overview + url: windows-licensing.md - title: Windows 10 linkLists: diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md new file mode 100644 index 0000000000..212d022557 --- /dev/null +++ b/windows/whats-new/windows-licensing.md 
@@ -0,0 +1,212 @@ +--- +title: Windows commercial licensing overview +description: Learn about products and use rights available through Windows commercial licensing. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.collection: +- tier2 +ms.topic: conceptual +ms.date: 05/04/2023 +appliesto: +- ✅ Windows 11 +ms.technology: itpro-security +--- + +# Windows Commercial Licensing overview + +This document provides an overview of the products and use rights available through Microsoft Commercial Licensing, information about the products that are eligible for upgrades, and the key choices you have for using Windows in your organization. + +> [!NOTE] +> The content of this article doesn't replace or override other licensing documentation, such as the Windows 11 End User License Agreement or [Commercial Licensing Product Terms][EXT-4]. + +## Windows 11 editions + +The following table lists the editions of Windows 11 available through each Microsoft distribution channel: + +| Full Packaged Product (Retail) | Preinstalled on device (OEM)|Commercial Licensing| +|-|-|-| +|Windows 11 Home
                                            Windows 11 Pro|Windows 11 Home
                                            Windows 11 Pro|Windows 11 Pro
                                            Windows 11 Enterprise
                                            Windows 11 Enterprise LTSC| + +## Windows desktop offerings available through Commercial Licensing + +The following offerings are available for purchase through [Microsoft Commercial Licensing][EXT-5]: + +|Product|Description|Availability| +|-|-|-| +|Windows 11 Pro Upgrade |Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables organizations to manage devices and apps, protect their data, facilitate remote and mobile scenarios, while taking advantage of the cloud technologies that support their business. Windows 11 Pro devices are a good choice for organizations that support *choose your own device (CYOD)* programs and *prosumer* customers. | The Windows 11 Pro Upgrade in Commercial Licensing upgrades a device from a previous version of Windows Pro.| +|Windows 11 Enterprise E3|Windows 11 Enterprise E3 is intended for large and medium-sized organizations. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights. Examples include advanced identity protection, the broadest range of options for operating system deployment, update control, and device management. |Windows 11 Enterprise E3 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.| +|Windows 11 Enterprise E5|Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks.| Windows 11 Enterprise E5 is available **per-user** in Commercial Licensing programs. It requires Windows Pro as qualifying operating systems.| +|Windows 10 Enterprise LTSC |Windows 10 Enterprise LTSC is designed for devices that have strict change-management policies with only security and critical bug fixes. 
By using a Long-Term Servicing Channel edition, you can apply monthly Windows 10 security updates for specialized devices while holding back new-feature updates for an extended period of time, up to five years. | Windows Enterprise LTSC is available in the **per-user** and **per-device** model, depending on the Volume Licensing program through which it's acquired.| +|Windows Virtual Desktop Access (VDA) Subscription License|The Windows VDA subscription license provides the right to access virtual Windows desktop environments from devices that aren't covered by a Commercial Licensing offer that includes VDA rights, such as thin clients. |Windows VDA is available on a **per-device** and **per-user** basis.| + +## Windows 11 Pro Upgrade license + +Windows 11 Pro is designed for small and medium businesses. Windows 11 Pro enables you to manage your devices and apps, protect your business data, facilitate remote and mobile scenarios, and take advantage of the cloud technologies for your organization. + +The Windows 11 Pro Upgrade license is recommended if you want to: + +- Upgrade a Windows 10 Pro device to Windows 11 Pro +- Upgrade Windows 7/8/8.1 Pro devices to Windows 10 Pro + +## Windows 11 Enterprise + +There are two core Windows 11 Enterprise offers: **Windows 11 Enterprise E3** and **Windows 11 Enterprise E5**. These offers can be purchased on a **per-user basis**, and are only available through **Commercial Licensing**, including the **Cloud Solution Provider** program. + +### Windows 11 Enterprise E3 + +Windows 11 Enterprise E3 builds on Windows 11 Pro by adding more advanced features designed to address the needs of large and mid-size organizations. Examples include advanced protection against modern security threats, the broadest range of options for operating system deployment and update, and comprehensive device and app management. + +> [!NOTE] +> Windows Enterprise E3 is a **per user subscription**, intended for organizations. 
It includes **Windows Enterprise edition** with cloud-powered capabilities and **subscription use rights**. Windows Enterprise E3 is usually licensed through Volume Licensing programs and is an upgrade from Windows Pro. + +#### Windows 11 Enterprise features + +The following table describes the unique Windows Enterprise edition features: + +| OS-based feature | Description | +|-|-| +|**[Windows Defender Credential Guard][WIN-1]**|Protects against user credential harvesting and pass-the-hash attacks or pass the token attacks.| +|**[Managed Microsoft Defender Application Guard for Microsoft Edge][EDGE-1]**| Isolates enterprise-defined untrusted sites with virtualization-based security from Windows, protecting your organization while users browse the Internet.| +|**[Modern BitLocker Management][WIN-2]** | Allows you to eliminate on-premises tools to monitor and support BitLocker recovery scenarios. | +|**[Personal Data Encryption][WIN-3]**|Encrypts individual's content using Windows Hello for Business to link the encryption keys to user credentials.| +|**[Direct Access][WINS-1]**|Connect remote users to the organization network without the need for traditional VPN connections.| +|**[Always-On VPN device tunnel][WINS-2]**|Advanced security capabilities to restrict the type of traffic and which applications can use the VPN connection.| +|**[Windows Experience customization][WIN-4]**|Settings to lock down the user experience of corporate desktops and Shell Launcher with Unified Write Filter for frontline workers devices or public kiosks.| + +#### Windows 11 Enterprise cloud-based capabilities + +The following table describes the unique Windows Enterprise cloud-based features: + +|Cloud-based feature | Description | +|-|-| +|**[Windows subscription activation][WIN-5]**|Enables you to *step-up* from **Windows Pro edition** to **Enterprise edition**. 
You can eliminate license key management and the deployment of Enterprise edition images.| +|**[Windows Autopatch][WIN-6]**|Cloud service that puts Microsoft in control of automating updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.| +|**[Windows Update For Business deployment service][WIN-7]**|This cloud service gives you the control over the approval, scheduling, and safeguarding of quality, feature upgrades, and driver updates delivered from Windows Update.| +|**[Universal Print][UP-1]**|Removes the need for on-premises print servers and enables any endpoint to print to cloud registered printers.| +|**[Microsoft Connected Cache][WIN-8]**|A software solution that caches app and OS updates on the local network to save Internet bandwidth in locations with limited connectivity.| +|**[Endpoint analytics proactive remediation][MEM-1]**|Helps you fix common support issues before end-users notice them.| +|**[Organizational messages][MEM-2]**|Keeps employees informed with organizational messages directly inserted in Windows UI surfaces.| + +#### Windows 11 Enterprise licensing use rights + +The following table describes the Windows Enterprise licensing use rights: + +|Licensing use rights|Description| +|-|-| +|**[Five Windows instances per licensed user][EXT-1]**|Allows your employees to simultaneously use a Windows laptop, a cloud PC and a specialized device with Windows LTSC, and more.| +|**[36 months (3 years) support on annual feature releases][WIN-9]**|Get extra time to deploy feature releases.| +|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|Empower flexible work styles and smarter work with the included virtualization access rights. 
Includes FSLogix for a consistent experience of +Windows user profiles in virtual desktop environments.| +|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|Gives you essential information about monthly quality and feature updates in the Microsoft 365 admin center.| +|**[Windows feature update device readiness report][MEM-3]**|Provides per-device information about compatibility risks that are associated with an upgrade or update to a chosen version of Windows.| +|**[Windows feature update compatibility risks reports][MEM-3]**|Provides a summary view of the top compatibility risks, so you understand which compatibility risks impact the greatest number of devices in your organization.| +|**[Windows LTSC Enterprise][WIN-10]**|Intended for highly specialized devices that require limited changes due to regulations and certification| +|**[Microsoft Desktop Optimization Pack (MDOP) ][MDOP-1]**|Help improve compatibility and management, reduce support costs, improve asset management, and improve policy control.| + +Learn more about [Windows 11 Enterprise E3][EXT-3]. + +### Windows 11 Enterprise E5 + +Windows 11 Enterprise E5 is for organizations that want to take advantage of everything in Windows 11 Enterprise E3 with the addition of **Microsoft Defender for Endpoint Plan 2**, a cloud service that helps enterprises detect, investigate, and respond to advanced cybersecurity attacks on their endpoints and networks. + +Building on the existing security defenses in Windows 11, Microsoft Defender for Device provides a post-breach layer of protection to the Windows 11 security stack. With a combination of client technology built into Windows 11 and a robust cloud service, it can help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations. + +> [!NOTE] +> Windows 11 Enterprise E5 is available per user in Commercial Licensing programs. 
+ +### Windows Enterprise E3 in Microsoft 365 F3 + +Windows Enterprise E3 subscription license in Microsoft 365 F3 has all the OS features, and most of the cloud services and use rights, included with regular Windows Enterprise E3. +Windows Enterprise E3 in Microsoft 365 F3 does not include some use rights previously included in Software Assurance benefits that come with the regular E3 user subscription license. F3 does not come with: + +- Microsoft Desktop Optimization Pack (MDOP) +- Windows LTSC Enterprise +- Windows Autopatch + +## Use a Windows Pro device with the Windows Enterprise user subscription license + +In most cases, the Windows Pro edition comes pre-installed on a business-class device. Microsoft recommends upgrading your Windows Pro devices to Enterprise edition when you have acquired a user subscription licenses for Windows. However, there are cases that require to keep devices on the Pro edition and not upgrade them to Enterprise edition. With Windows 11 Enterprise E3, you can take advantage of features, services and use rights not licensed to the Windows Pro license bound to the device. It includes Windows Enterprise edition with cloud-powered capabilities and subscription use rights, and these capabilities are not always technically enforced. 
Some scenarios that may require to not upgrade to Windows Enterprise edition: + +- Devices not properly provisioned that don't automatically upgrade to Windows Enterprise edition +- Devices may have been acquired for a business process that was not under control of a central IT department or outside of the IT department's knowledge +- Devices may be used temporarily for a project by vendors and added to the IT infrastructure, but not upgraded to Enterprise edition +- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers +- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only + +In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios. + +The following table lists the Windows 11 Enterprise features and their Windows edition requirements: + +| OS-based feature |Windows Pro|Windows Enterprise| +|-|-|-| +|**[Windows Defender Credential Guard][WIN-1]**|❌|Yes| +|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][EDGE-1]**|Yes|Yes| +|**[Modern BitLocker Management][WIN-2]**|Yes|Yes| +|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes| +|**[Direct Access][WINS-1]**|Yes|Yes| +|**[Always On VPN][WINS-2]**|Yes|Yes| +|**[Windows Experience customization][WIN-4]**|❌|Yes| + +The following table lists the Windows 11 Enterprise cloud-based features and their Windows edition requirements: + +| Cloud-based feature |Windows Pro|Windows Enterprise| +|-|-|-| +|**[Windows subscription activation][WIN-5]**|Yes|Yes| +|**[Windows Autopatch][WIN-6]**|Yes|Yes| +|**[Windows Update For Business deployment service][WIN-7]**|Yes|Yes| +|**[Universal Print][UP-1]**|Yes|Yes| +|**[Microsoft Connected Cache][WIN-8]**|Yes|Yes| +|**[Endpoint analytics proactive 
remediation][MEM-1]**|Yes|Yes| +|**[Organizational messages][MEM-2]**|❌|Yes| + +The following table lists the Windows 11 Enterprise E3 licensing use rights and their Windows edition requirements: + +|Licensing use rights|Windows Pro|Windows Enterprise| +|-|-|-| +|**[Five Windows instances per licensed user][EXT-1]**|n/a|n/a| +|**[36 months (3 years) support on annual feature releases][WIN-9]**|❌|Yes| +|**[Azure Virtual Desktop, Windows 365 Enterprise and Virtual Desktop Access][AZ-1]**|n/a|n/a| +|**[Windows release health in the Microsoft 365 admin center][EXT-2]**|n/a|n/a| +|**[Windows feature update device readiness report][MEM-3]**|Yes|Yes| +|**[Windows feature update compatibility risks reports][MEM-3]**|Yes|Yes| +|**[Windows LTSC Enterprise][WIN-10]**|n/a|n/a| +|**[Microsoft Desktop Optimization Pack (MDOP)][MDOP-1]**|Yes|Yes| + +## Next steps + +To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Windows 11 licensing guide][EXT-6]. The guide provides additional information to complement the information in this article, including: + +- Description of qualifying operating systems +- Availability of Windows desktop operating system products in licensing programs +- Deciding between per-device and per-user licensing +- Windows 11 downgrade rights +- Volume license activation methods +- How to acquire licenses through Commercial Licensing + +[AZ-1]: /azure/virtual-desktop/prerequisites#operating-systems-and-licenses +[EDGE-1]: /deployedge/microsoft-edge-security-windows-defender-application-guard +[EXT-1]: https://www.microsoft.com/licensing/terms/productoffering/WindowsDesktopOperatingSystem/EAEAS +[EXT-2]: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-release-health-now-available-in-the-microsoft-365-admin/ba-p/2235908 +[EXT-3]: https://windows.com/enterprise +[EXT-4]: https://www.microsoft.com/licensing/product-licensing/products.aspx +[EXT-5]: https://www.microsoft.com/licensing +[EXT-6]: 
https://aka.ms/WindowsLicensingGuide +[MDOP-1]: /microsoft-desktop-optimization-pack +[MEM-1]: /mem/analytics/proactive-remediations +[MEM-2]: /mem/intune/remote-actions/organizational-messages-overview +[MEM-3]: /mem/intune/protect/windows-update-compatibility-reports +[UP-1]: /universal-print/ +[WIN-1]: /windows/security/identity-protection/credential-guard/credential-guard +[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-overview +[WIN-3]: /windows/security/information-protection/personal-data-encryption/overview-pde +[WIN-4]: /windows/client-management/mdm/policy-csp-experience +[WIN-5]: /windows/deployment/windows-10-subscription-activation +[WIN-6]: /windows/deployment/windows-autopatch +[WIN-7]: /windows/deployment/update/deployment-service-overview +[WIN-8]: /windows/deployment/do/waas-microsoft-connected-cache +[WIN-9]: /windows/release-health/supported-versions-windows-client#enterprise-and-iot-enterprise-ltsbltsc-editions +[WIN-10]: /windows/whats-new/ltsc/ +[WINS-1]: /windows-server/remote/remote-access/directaccess/directaccess +[WINS-2]: /windows-server/remote/remote-access/vpn/always-on-vpn/
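Review bot: the new prose under "Use a Windows Pro device with the Windows Enterprise user subscription license" needs a grammar pass before merge. "However, there are cases that require to keep devices on the Pro edition" should read "there are cases that require keeping devices on the Pro edition"; "Some scenarios that may require to not upgrade to Windows Enterprise edition:" should read "Some scenarios in which you may not want to upgrade to Windows Enterprise edition:"; and "Your Windows Enterprise E3 subscriptions does not block these scenarios" has a number mismatch, so use "Your Windows Enterprise E3 subscription doesn't block these scenarios". In the same paragraph, "when you have acquired a user subscription licenses for Windows" mixes singular and plural; "user subscription licenses" is enough. The three feature tables mix "❌" for unsupported with the word "Yes" for supported; pick one convention (Yes/No or ✅/❌) and apply it to every cell so the rendered table and screen readers are consistent. Product naming in the tables: "Direct Access" is "DirectAccess", and "Windows Update For Business" should be "Windows Update for Business". Finally, the link definitions EXT-3, EXT-4 and EXT-5 added at the end of the file are not referenced by any text in this change; if nothing else in the file uses them, drop them so the file does not carry orphaned references.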
