deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 13:23:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into ap-updates-042623

Browse Source
This commit is contained in:
Tiara Quan
2023-04-26 13:01:10 -07:00
committed by GitHub
parent ad699b34ae c8c5dece47
commit bd2ab3ae1b
8 changed files with 111 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
View File

@ -5,25 +5,42 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 03/15/2023
ms.date: 04/26/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-enable.md and the update/wufb-reports-admin-center.md articles. Headings may be driven by article context. -->
Accessing Windows Update for Business reports typcially requires permissions from multiple sources including:
To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles:
- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports
- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace
- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator)
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role
- This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center
**Roles that can enroll into Windows Update for Business reports**
To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role:
- [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles:
**Log Analytics permissions**:
- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role
- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role
- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role
- Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center
**Azure roles that allow access to the Log Analytics workspace**
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace:
The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query data, users must have one of the following roles, or the equivalent permissions:
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries
- [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data
- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed
Examples of commonly assigned roles for Windows Update for Business reports users:
| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace |
| --- | --- | --- | --- | --- | --- |
| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes |
| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No |
| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No |
| Log Analytics reader | No | No | Yes | No | No|
| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No |
> [!NOTE]
> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).

12
windows/deployment/update/wufb-reports-admin-center.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.date: 11/15/2022
ms.date: 04/26/2023
ms.technology: itpro-updates
---
@ -25,20 +25,14 @@ The **Software updates** page has following tabs to assist you in monitoring upd
:::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png":::
## Permissions
<!--Using include Microsoft 365 admin center permissions-->
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]
> [!NOTE]
> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status).
## Limitations
Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home).
## Get started
After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed:
<!--Using include for onboarding Windows Update for Business reports through the Microsoft 365 admin center-->
[!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)]

2
windows/deployment/update/wufb-reports-enable.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 11/15/2022
ms.date: 04/26/2023
ms.technology: itpro-updates
---

3
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 03/15/2023
ms.date: 04/26/2023
ms.technology: itpro-updates
---
@ -25,7 +25,6 @@ Before you begin the process of adding Windows Update for Business reports to yo
- The Log Analytics workspace must be in a [supported region](#log-analytics-regions)
- Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md)
## Permissions
[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)]

3
windows/deployment/update/wufb-reports-workbook.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 04/12/2023
ms.date: 04/26/2023
ms.technology: itpro-updates
---
@ -97,7 +97,6 @@ The **Update deployment status** table displays the quality updates for each ope
The **Device status** group for quality updates contains the following items:
- **OS build number**: Chart containing a count of devices by OS build that are getting security updates.
- **Target version**: Chart containing how many devices by operating system version that are getting security updates.
- **Device alerts**: Chart containing the count of active device errors and warnings for quality updates.
- **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices.
- This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).

8
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -74,10 +74,10 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | OMA | Value |
| ----- | ----- | ----- | ----- |
| ModernWorkplaceUpdatePolicy[Test]-[WindowsAutopatch | WindowsUpdateforBusinessConfigurationfortheTestRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>0</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>0</li><li>0</li><li>False</li><li>False</li>|
| ModernWorkplaceUpdatePolicy[First]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheFirstRing <p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-First</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>1</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li>|
| ModernWorkplaceUpdatePolicy[Fast]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheFastRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Fast</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>6</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li>|
| ModernWorkplaceUpdatePolicy[Broad]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheBroadRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Broad</li></ul>|<ul><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li></ul>|<ul><li>9</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>5</li><li>2</li><li>False</li><li>False</li>|
| ModernWorkplaceUpdatePolicy[Test]-[WindowsAutopatch | WindowsUpdateforBusinessConfigurationfortheTestRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ul>|<ul><li>MicrosoftProductUpdates</li><li>EnablePrereleasebuilds</li><li>UpgradetoLatestWin11</li><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li><li>RestartChecks</li><li>SetDisablePauseUXAccess</li><li>SetUXtoCheckforUpdates</li></ul>|<ul><li>Allow</li><li>Not Configured</li><li>No</li><li>0</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>0</li><li>0</li><li>False</li><li>False</li><li>Allow</li><li>Disable</li><li>Enable</li>|
| ModernWorkplaceUpdatePolicy[First]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheFirstRing <p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-First</li></ul>|<ul><li>MicrosoftProductUpdates</li><li>EnablePrereleasebuilds</li><li>UpgradetoLatestWin11</li><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li><li>RestartChecks</li><li>SetDisablePauseUXAccess</li><li>SetUXtoCheckforUpdates</li></ul>|<ul><li>Allow</li><li>Not Configured</li><li>No</li><li>1</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li><li>Allow</li><li>Disable</li><li>Enable</li>|
| ModernWorkplaceUpdatePolicy[Fast]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheFastRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Fast</li></ul>|<ul><li>MicrosoftProductUpdates</li><li>EnablePrereleasebuilds</li><li>UpgradetoLatestWin11</li><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li><li>RestartChecks</li><li>SetDisablePauseUXAccess</li><li>SetUXtoCheckforUpdates</li></ul>|<ul><li>Allow</li><li>Not Configured</li><li>No</li><li>6</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>2</li><li>2</li><li>False</li><li>False</li><li>Allow</li><li>Disable</li><li>Enable</li>|
| ModernWorkplaceUpdatePolicy[Broad]-[WindowsAutopatch] | WindowsUpdateforBusinessConfigurationfortheBroadRing<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Broad</li></ul>|<ul><li>MicrosoftProductUpdates</li><li>EnablePrereleasebuilds</li><li>UpgradetoLatestWin11</li><li>QualityUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesDeferralPeriodInDays</li><li>FeatureUpdatesRollbackWindowInDays</li><li>BusinessReadyUpdatesOnly</li><li>AutomaticUpdateMode</li><li>InstallTime</li><li>DeadlineForFeatureUpdatesInDays</li><li>DeadlineForQualityUpdatesInDays</li><li>DeadlineGracePeriodInDays</li><li>PostponeRebootUntilAfterDeadline</li><li>DriversExcluded</li><li>RestartChecks</li><li>SetDisablePauseUXAccess</li><li>SetUXtoCheckforUpdates</li></ul>|<ul><li>Allow</li><li>Not Configured</li><li>No</li><li>9</li><li>0</li><li>30</li><li>All</li><li>WindowsDefault</li><li>3</li><li>5</li><li>5</li><li>2</li><li>False</li><li>False</li><li>Allow</li><li>Disable</li><li>Enable</li>|
## Windows feature update policies