From 224ecdbd2d337a95e7d3f7c55f0a856116715504 Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Wed, 12 Oct 2022 11:38:54 -0700
Subject: [PATCH 1/2] New Tenant management blade + service account replaced
 with first party enterprise application.

---
 .../windows-autopatch-maintain-environment.md | 15 ++++++++++++
 .../windows-autopatch-wqu-communications.md   |  4 ++--
 .../references/windows-autopatch-privacy.md   | 23 ++++++++++++++-----
 3 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
index 9fa7e60794..dc4f572c12 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -31,3 +31,18 @@ After you've completed enrollment in Windows Autopatch, some management settings
 ## Windows Autopatch configurations
 
 Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations.
+
+## Windows Autopatch tenant actions
+
+The **Tenant management** blade can be found by navigating to Tenant administration > Windows Autopatch > **Tenant management**.
+
+> [!IMPORTANT]
+> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](../references/windows-autopatch-privacy.md#service-accounts), your Global admin must take action in the new Windows Autopatch Tenant management blade to approve the configuration change. To take action or see if you need to take action, visit the Tenant management blade in the Windows Autopatch portal.
+
+The type of banner that appears depends on the severity of the action. Currently, only critical actions are listed.
+
+### Tenant action severity types
+
+| Severity | Description |
+| ----- | ----- |
+| Critical | You must take action as soon as possible. If no action is taken, the Windows Autopatch service may be affected. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
index f4eab55834..783558abe7 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md
@@ -1,5 +1,5 @@
 ---
-title: Windows quality update communications
+title: Windows quality and feature update communications
 description:  This article explains Windows quality update communications
 ms.date: 05/30/2022
 ms.prod: w11
@@ -14,7 +14,7 @@ msreviewer: hathind
 
 # Windows quality update communications
 
-There are three categories of communication that are sent out during a Windows quality update:
+There are three categories of communication that are sent out during a Windows quality and feature update:
 
 - [Standard communications](#standard-communications)
 - [Communications during release](#communications-during-release)
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index c90d19fae5..3bbe343ecc 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -52,7 +52,7 @@ Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy
 
 The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
 
-The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
+The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
 
 Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
 
@@ -60,13 +60,24 @@ For more information about the diagnostic data collection of Microsoft Windows 1
 
 ## Tenant access
 
-Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
+Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service.
+
+| Enterprise application name | Usage | Permissions |
+| ----- | ----- | ----- |
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
+
+### Service accounts
+
+> [!IMPORTANT]
+> Starting October 12, 2022, Windows Autopatch will manage your tenant with our [first party enterprise application](windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). If your tenant is still using the [Windows Autopatch service accounts](windows-autopatch-privacy.md#service-accounts), you must take action. To take action or see if you need to take action, visit the [Tenant management blade](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) in the Windows Autopatch portal.
+
+Windows Autopatch creates and uses guest accounts using just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
 
 | Account name | Usage | Mitigating controls |
 | ----- | ----- | -----|
-| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive login permissions. The account performs operations only through the service.</li></ul> | Audited sign-ins |
-| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer’s tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
-| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
+| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions. The account performs operations only through the service.</li></ul> | Audited sign-ins |
+| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer’s tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
+| MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
 
 ## Microsoft Windows Update for Business
 
@@ -90,7 +101,7 @@ Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatc
 
 Windows Autopatch follows a change control process as outlined in our service communication framework.
 
-We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service.
+We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center about security incidents and major changes to the service.
 
 Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.
 

From 8f84c74f03cdcd53c4cec65d59ee84267bd8916b Mon Sep 17 00:00:00 2001
From: tiaraquan <tiaraquan@microsoft.com>
Date: Wed, 12 Oct 2022 12:19:30 -0700
Subject: [PATCH 2/2] Word change.

---
 .../references/windows-autopatch-changes-to-tenant.md           | 2 +-
 .../windows-autopatch/references/windows-autopatch-privacy.md   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 698612aa82..d04beca815 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -52,7 +52,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 | Enterprise application name | Usage | Permissions |
 | ----- | ------ | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul> |
 
 > [!NOTE]
 > Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index 3bbe343ecc..a1ada94b72 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -64,7 +64,7 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
 
 | Enterprise application name | Usage | Permissions |
 | ----- | ----- | ----- |
-| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
+| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This application is used to manage the service, publish baseline configuration updates, and maintain overall service health. | <ul><li>DeviceManagementApps.ReadWrite.All</li><li>DeviceManagementConfiguration.ReadWrite.All</li><li>DeviceManagementManagedDevices.PriviligedOperation.All</li><li>DeviceManagementManagedDevices.ReadWrite.All</li><li>DeviceManagementRBAC.ReadWrite.All</li><li>DeviceManagementServiceConfig.ReadWrite.All</li><li>Directory.Read.All</li><li>Group.Create</li><li>Policy.Read.All</li><li>WindowsUpdates.Read.Write.All</li></ul>|
 
 ### Service accounts