mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 02:43:43 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FAQ-YML-Conversion-greglin
@ -164,6 +164,11 @@
|
||||
href: update/waas-manage-updates-wufb.md
|
||||
- name: Configure Windows Update for Business
|
||||
href: update/waas-configure-wufb.md
|
||||
- name: Windows Update for Business deployment service
|
||||
href: update/deployment-service-overview.md
|
||||
items:
|
||||
- name: Troubleshoot the Windows Update for Business deployment service
|
||||
href: update/deployment-service-troubleshoot.md
|
||||
- name: Enforcing compliance deadlines for updates
|
||||
href: update/wufb-compliancedeadlines.md
|
||||
- name: Integrate Windows Update for Business with management solutions
|
||||
@ -249,6 +254,8 @@
|
||||
href: update/windows-update-errors.md
|
||||
- name: Windows Update error code reference
|
||||
href: update/windows-update-error-reference.md
|
||||
- name: Troubleshoot the Windows Update for Business deployment service
|
||||
href: update/deployment-service-troubleshoot.md
|
||||
|
||||
- name: Reference
|
||||
items:
|
||||
|
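Review bot: The `Troubleshoot the Windows Update for Business deployment service` entry added here points at `update/deployment-service-troubleshoot.md`, the same href that the earlier TOC hunk already nests under the new deployment service node, so the article now sits at two places in the tree. If both placements are intended, say so in the commit description; otherwise keep one entry and cross-link from the overview article.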
@ -251,7 +251,7 @@ Use the following figures to help you troubleshoot when users experience these c
|
||||
|
||||
### Review requirements on devices
|
||||
|
||||
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
|
||||
Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
|
||||
|
||||
**To determine if a device is Azure Active Directory joined:**
|
||||
|
||||
@ -264,4 +264,4 @@ At a command prompt, type: **winver**
|
||||
|
||||
A popup window will display the Windows 10 version number and detailed OS build information.
|
||||
|
||||
If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
|
||||
If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal.
|
||||
|
@ -194,7 +194,7 @@ On **MDT01**:
|
||||
2. WinPE x64
|
||||
3. Windows 10 x64
|
||||
3. In the new Windows 10 x64 folder, create the following folder structure:
|
||||
- Dell Inc
|
||||
- Dell Inc.
|
||||
- Latitude E7450
|
||||
- Hewlett-Packard
|
||||
- HP EliteBook 8560w
|
||||
@ -215,7 +215,7 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
|
||||
2. WinPE x64
|
||||
3. Windows 10 x64
|
||||
3. In the **Windows 10 x64** folder, create the following folder structure:
|
||||
- Dell Inc
|
||||
- Dell Inc.
|
||||
- Latitude E7450
|
||||
- Hewlett-Packard
|
||||
- HP EliteBook 8560w
|
||||
@ -304,15 +304,15 @@ On **MDT01**:
|
||||
|
||||
For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544).
|
||||
|
||||
In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc\\Latitude E7450** folder.
|
||||
In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder.
|
||||
|
||||
On **MDT01**:
|
||||
|
||||
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
|
||||
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc.** node.
|
||||
|
||||
2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
|
||||
|
||||
**D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
|
||||
**D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450**
|
||||
|
||||
### For the HP EliteBook 8560w
|
||||
|
||||
|
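Review bot: The file-system paths changed in this hunk now contain a directory name that ends in a period (`D:\\Drivers\\Dell Inc.\\Latitude E7450`), and Windows drops a trailing period from a file or directory name, so a reader cannot create that folder literally in File Explorer. Suggest keeping `Dell Inc.` for the Deployment Workbench node and either leaving the on-disk folder as `Dell Inc` or adding a sentence that explains the difference. Separately, the extraction path (`D:\\Drivers\\Dell Inc.\\Latitude E7450`) and the Driver source directory (`D:\\Drivers\\Windows 10 x64\\Dell Inc.\\Latitude E7450`) still disagree about the `Windows 10 x64` level; this change touches both lines, so it is a good moment to make them match.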
Binary file not shown.
Before Width: | Height: | Size: 136 KiB |
175
windows/deployment/update/deployment-service-overview.md
Normal file
@ -0,0 +1,175 @@
|
||||
---
|
||||
title: Windows Update for Business deployment service
|
||||
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
|
||||
ms.custom: seo-marvel-apr2020
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
author: jaimeo
|
||||
ms.localizationpriority: medium
|
||||
ms.author: jaimeo
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Windows Update for Business deployment service
|
||||
|
||||
> Applies to: Windows 10
|
||||
|
||||
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
|
||||
|
||||
The deployment service is designed for IT Pros who are looking for more control than is provided through deferral policies and deployment rings. It provides the following abilities:
|
||||
|
||||
- You can schedule deployment of updates to start on a specific date (for example, deploy 20H2 to specified devices on March 14, 2021).
|
||||
- You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021).
|
||||
- You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise.
|
||||
- You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization.
|
||||
|
||||
The service is privacy focused and backed by leading industry compliance certifications.
|
||||
|
||||
## How it works
|
||||
|
||||
The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md).
|
||||
|
||||
:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text":::
|
||||
|
||||
Windows Update for Business comprises three elements:
|
||||
- Client policy to govern update experiences and timing – available through Group Policy and CSPs
|
||||
- Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell)
|
||||
- Update Compliance to monitor update deployment – available through the Azure Marketplace
|
||||
|
||||
Unlike existing client policy, the deployment service does not interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
|
||||
|
||||
:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text":::
|
||||
|
||||
Using the deployment service typically follows a common pattern:
|
||||
1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Endpoint Manager.
|
||||
2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
|
||||
3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
|
||||
|
||||
|
||||
The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
To work with the deployment service, devices must meet all these requirements:
|
||||
|
||||
- Be running Windows 10, version 1709 or later
|
||||
- Be joined to Azure Active Directory (AD) or Hybrid AD
|
||||
- Have one of the following Windows 10 editions installed:
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Pro Education
|
||||
- Windows 10 Pro for Workstations
|
||||
|
||||
Additionally, your organization must have one of the following subscriptions:
|
||||
- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
|
||||
- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
|
||||
- Windows Virtual Desktop Access E3 or E5
|
||||
- Microsoft 365 Business Premium
|
||||
|
||||
|
||||
## Getting started
|
||||
|
||||
To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application.
|
||||
|
||||
### Using Microsoft Endpoint Manager
|
||||
|
||||
Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
|
||||
|
||||
### Scripting common actions using PowerShell
|
||||
|
||||
The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started).
|
||||
|
||||
|
||||
### Building your own application
|
||||
|
||||
Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:
|
||||
- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/)
|
||||
- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/)
|
||||
|
||||
Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more.
|
||||
|
||||
## Deployment protections
|
||||
|
||||
The deployment service protects deployments through a combination of rollout controls and machine-learning algorithms that monitor deployments and react to issues during the rollout.
|
||||
|
||||
### Schedule rollouts with automatic piloting
|
||||
|
||||
The deployment service allows any update to be deployed over a period of days or weeks. Once an update has been scheduled, the deployment service optimizes the deployment based on the scheduling parameters and unique attributes spanning the devices being updated. The service follows these steps:
|
||||
|
||||
1. Determine the number of devices to be updated in each deployment wave, based on scheduling parameters.
|
||||
2. Select devices for each deployment wave so that earlier waves have a diversity of hardware and software, to function as pilot device populations.
|
||||
3. Start deploying to earlier waves to build coverage of device attributes present in the population.
|
||||
4. Continue deploying at a uniform rate until all waves are complete and all devices are updated.
|
||||
|
||||
This built-in piloting capability complements your existing ring structure and provides another support for reducing and managing risk during an update. Unlike tools such as Desktop Analytics, this capability is intended to operate within each ring. The deployment service does not provide a workflow for creating rings themselves.
|
||||
|
||||
You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring.
|
||||
|
||||
### Monitoring deployments to detect rollback issues
|
||||
|
||||
During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
|
||||
|
||||
|
||||
### How to enable deployment protections
|
||||
|
||||
Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft.
|
||||
|
||||
#### Device prerequisites
|
||||
|
||||
> [!NOTE]
|
||||
> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
|
||||
|
||||
- Diagnostic data is set to *Required* or *Optional*.
|
||||
- The **AllowWUfBCloudProcessing** policy is set to **1**.
|
||||
|
||||
#### Set the **AllowWUfBCloudProcessing** policy
|
||||
|
||||
To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy.
|
||||
|
||||
> [!NOTE]
|
||||
> Setting this policy by using Group Policy isn't currently supported.
|
||||
|
||||
| Policy | Sets registry key under **HKLM\\Software** |
|
||||
|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
|
||||
| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing |
|
||||
|
||||
Following is an example of setting the policy using Microsoft Endpoint Manager:
|
||||
|
||||
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
|
||||
2. Select **Devices** > **Configuration profiles** > **Create profile**.
|
||||
3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
|
||||
4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
|
||||
5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
|
||||
- Name: **AllowWUfBCloudProcessing**
|
||||
- Description: Enter a description.
|
||||
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
|
||||
- Data type: **String**
|
||||
- Value: **1**
|
||||
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
|
||||
7. In **Review + create**, review your settings, and then select **Create**.
|
||||
8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
|
||||
|
||||
## Best practices
|
||||
Follow these suggestions for the best results with the service.
|
||||
|
||||
### Device onboarding
|
||||
|
||||
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
|
||||
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
|
||||
|
||||
### General
|
||||
|
||||
Avoid using different channels to manage the same resources. If you use Microsoft Endpoint Manager along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it.
|
||||
|
||||
|
||||
## Next steps
|
||||
|
||||
To learn more about the deployment service, try the following:
|
||||
|
||||
- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates)
|
||||
- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
|
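Review bot: The policy table gives the MDM path as `../Vendor/MSFT/ Policy/Config/System/AllowWUfBCloudProcessing` (two leading dots and a space after `MSFT/`), while step 5 of the Endpoint Manager procedure gives `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`; admins paste OMA-URIs verbatim, so the table should carry exactly the string used in step 5. The registry path in step 8 has the same kind of stray space (`PolicyManager \\default`), which breaks a copied path when verifying that the policy reached the client. Please also confirm against the Policy CSP reference that Data type **String** with Value **1** is what this setting expects. Smaller text fixes: "Microsoft Graph makes deployment service APIs available through." under "Building your own application" stops mid-sentence, the Device prerequisites note has "on a a device", and "Azure Active Directory (AD) or Hybrid AD" in Prerequisites uses "AD" as the short form for Azure Active Directory, which reads as on-premises Active Directory.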
35
windows/deployment/update/deployment-service-troubleshoot.md
Normal file
@ -0,0 +1,35 @@
|
||||
---
|
||||
title: Troubleshoot the Windows Update for Business deployment service
|
||||
description: Solutions to common problems with the service
|
||||
ms.custom: seo-marvel-apr2020
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
author: jaimeo
|
||||
ms.localizationpriority: medium
|
||||
ms.author: jaimeo
|
||||
ms.reviewer:
|
||||
manager: laurawi
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
|
||||
# Troubleshoot the Windows Update for Business deployment service
|
||||
|
||||
> Applies to: Windows 10
|
||||
|
||||
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](windows-update-troubleshooting.md).
|
||||
|
||||
## The device isn't receiving an update that I deployed
|
||||
|
||||
- Check that the device doesn't have updates of the relevant category paused. See [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
|
||||
- **Feature updates only**: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see [Safeguard holds](safeguard-holds.md) and [Opt out of safeguard holds](safeguard-opt-out.md).
|
||||
- Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* won't deploy content to devices.
|
||||
- Check that the device has scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
|
||||
- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
|
||||
- **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32\_Product \| Where-Object {$\_.Name -amatch "Microsoft Update Health Tools"}`.
|
||||
|
||||
## The device is receiving an update that I didn't deploy
|
||||
|
||||
- Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](how-windows-update-works.md#scanning-updates).
|
||||
- **Feature updates only**: Check that the device is successfully enrolled in feature update management by the deployment service. A device that is not successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by an Azure AD device resource with an update management enrollment for feature updates and have no Azure AD device registration errors.
|
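Review bot: In the "Expedited quality updates only" bullet, the PowerShell one-liner uses `-amatch`, which is not a PowerShell comparison operator, so the command fails as written; it should be `-match`. The backslash escapes inside the backticks (`Win32\_Product \| Where-Object {$\_.Name ...`) will render literally in inline code and need to be removed as well. Consider dropping the `Win32_Product` query altogether: enumerating that class makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger repairs on production devices. Since the bullet already gives the install location **C:\\Program Files\\Microsoft Update Health Tools**, a check for that folder, or the **Add or Remove Programs** review already mentioned, is enough.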
BIN
windows/deployment/update/media/wufbds-interaction-small.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 7.6 KiB |
BIN
windows/deployment/update/media/wufbds-product-large.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
@ -297,7 +297,7 @@ When you run Disk Cleanup and enable the option to Clean up system files, you ca
|
||||
> [!TIP]
|
||||
> It is no longer necessary to open an elevated command prompt to run the [SetupDiag](setupdiag.md) tool. However, this is still the optimal way to run the tool.
|
||||
|
||||
To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then Alt+C to confirm the elevation prompt. Screenshots and other steps to open an administrator (aka elevated) command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7).
|
||||
To launch an elevated command prompt, press the Windows key on your keyboard, type **cmd**, press Ctrl+Shift+Enter, and then click **Yes** to confirm the elevation prompt. Screenshots and other steps to open an elevated command prompt are [here](https://answers.microsoft.com/en-us/windows/forum/windows_7-security/command-prompt-admin-windows-7/6a188166-5e23-461f-b468-f325688ec8c7).
|
||||
|
||||
Note: When you open an elevated command prompt, you will usually start in the **C:\WINDOWS\system32** directory. To run a program that you recently downloaded, you must change to the directory where the program is located. Alternatively, you can move or copy the program to a location on the computer that is automatically searched. These directories are listed in the [PATH variable](https://answers.microsoft.com/windows/forum/windows_10-other_settings-winpc/adding-path-variable/97300613-20cb-4d85-8d0e-cc9d3549ba23).
|
||||
|
||||
|