overview and prreq edits

2025-05-12 05:17:22 +00:00 · 2023-02-10 12:09:20 -08:00 · 2023-02-10 12:09:20 -08:00 · d87f12a77a
commit d87f12a77a
parent 5d7033d60a
4 changed files with 93 additions and 97 deletions
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@ -178,7 +178,7 @@
            href: update/deployment-service-overview.md
          - name: Prerequisites for Windows Update for Business deployment service
            href: update/deployment-service-prerequisites.md
-          - name: Deploy updates with Windows Update for Business deployment service
+          - name: Deploy updates with the deployment service
            items:            
            - name: Deploy feature updates using Graph Explorer
              href: update/deployment-service-feature-updates.md
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@ -11,18 +11,43 @@ ms.technology: itpro-updates
 ms.date: 12/31/2017
 ---

-
-
 # Windows Update for Business deployment service

 ***(Applies to: Windows 11 & Windows 10)***

 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It's designed to work with your existing [Windows Update for Business](waas-manage-updates-wufb.md) policies and [Windows Update for Business reports](wufb-reports-overview.md). The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices. The service is privacy focused and backed by leading industry compliance certifications.

-Windows Update for Business has three elements:
- Client policy, available through Group Policy settings and CSPs, which defines the timing and experience for updates
+Windows Update for Business product family has three elements:
+
+- Client policy to govern update experiences and timing, which are available through Group Policy and CSPs
 - [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs for approving and scheduling specific updates - available through the Microsoft Graph and associated SDKs (including PowerShell)
+- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
+
+## How the deployment service works
+
+With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. Because the deployment service is directly integrated into Windows Update, once the admin defines the update deployment behavior, Windows Update is already aware of the how the device should be directed to install when a device scans
+
+the service ensures that the update is delivered to the device in the defined manner. 
+
+The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Business reports](wufb-reports-overview.md).
+
+:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family. ":::
+
+Windows Update for Business comprises three elements:
+- Client policy to govern update experiences and timing which are available through Group Policy and CSPs
+- Deployment service APIs to approve and schedule specific updates which are available through the Microsoft Graph and associated SDKs (including PowerShell)
+- Windows Update for Business reports to monitor update deployment
+
+Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
+
+:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
+
+Using the deployment service typically follows a common pattern:
+1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
+2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
+3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
+
+The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune.

 ## Capabilities of the Windows Update for Business deployment service

@ -45,56 +70,9 @@ Certain capabilities are available for specific update classifications:
 |Safeguard holds| | Yes | |


-## How the deployment service works

-With most update management solutions, usually update policies are set on the client itself using either registry edits, Group Policy, or an MDM solution that leverages CSPs. This means that the end user experience and deployment settings for updates are ultimately determined by the individual device settings. However, with Windows Update for Business deployment service, the service is the central point of control for update deployment behavior. Because the deployment service is directly integrated into Windows Update, once the admin defines the update deployment behavior, the service ensures that the update is delivered to the device in the defined manner. 

-The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Windows Update for Business reports](wufb-reports-overview.md).

-:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Elements in following text.":::
-
-Windows Update for Business comprises three elements:
- Client policy to govern update experiences and timing - available through Group Policy and CSPs
- Deployment service APIs to approve and schedule specific updates - available through the Microsoft Graph and associated SDKs (including PowerShell)
- Windows Update for Business reports to monitor update deployment
-
-Unlike existing client policy, the deployment service doesn't interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
-
-:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
-
-Using the deployment service typically follows a common pattern:
-1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Intune.
-2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.
-3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.
-
-The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Intune.
-
-## Prerequisites
-
-To work with the deployment service, devices must meet all these requirements:
-
- Devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Run one of the following operating systems:
-  - Windows 11
-  - Windows 10, version 1709 or later
-   
- Have one of the following Windows 10 or Windows 11 editions installed:
-    - Pro
-    - Enterprise
-    - Education
-    - Pro Education
-    - Pro for Workstations
-
-Additionally, your organization must have one of the following subscriptions:
-
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
-
-## Limitations
-
-Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.

 ## Getting started

@ -143,48 +121,6 @@ To verify whether a device is affected by a safeguard hold, see [Am I affected b

 During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.

-### How to enable deployment protections
-
-Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft.
-
-#### Device prerequisites
-
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
-
-#### Set the **AllowWUfBCloudProcessing** policy
-
-To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy.
-
-| Policy| Sets registry key under `HKLM\Software`|
-|--|--|
-| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` |
-| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` |
-
-Following is an example of setting the policy using Intune:
-
-1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-2. Select **Devices** > **Configuration profiles** > **Create profile**.
-
-3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
-
-4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
-
-5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
-    - Name: **AllowWUfBCloudProcessing**
-    - Description: Enter a description.
-    - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
-    - Data type: **Integer**
-    - Value: **8**
-
-6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
-
-7. In **Review + create**, review your settings, and then select **Create**.
-
-8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: 
-
-   `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing`

 ## Best practices
 Follow these suggestions for the best results with the service.
--- a/windows/deployment/update/deployment-service-prerequisites.md
+++ b/windows/deployment/update/deployment-service-prerequisites.md
@ -15,4 +15,51 @@ ms.date: 02/14/2023
 <!--7512398-->
 ***(Applies to: Windows 11 & Windows 10)***

-## Prerequisites
+Before you begin the process of deploying updates with Windows Update for Business deployment service, ensure you meet the prerequisites.
+
+## Azure and Azure Active Directory
+
+- An Azure subscription with [Azure Active Directory](/azure/active-directory/)
+- Devices must be Azure Active Directory-joined and meet the below OSrequirements.
+  - Devices can be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+  - Devices that are [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) only (Workplace joined) aren't supported with Windows Update for Business
+
+## Licensing
+
+Windows Update for Business deployment service requires users of the devices to have one of the following licenses:
+
+- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
+- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
+- Windows Virtual Desktop Access E3 or E5
+- Microsoft 365 Business Premium
+
+## Operating systems and editions
+
+- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
+
+## Windows client servicing channels
+
+Windows Update for Business deployment service supports Windows client devices on the following channels:
+
+- General Availability Channel
+
+## Diagnostic data requirements
+
+Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](deployment-service-drivers.md), devices must share diagnostic data with Microsoft. At minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the *Required* level (previously called *Basic*) for these features. Some options for the deployment service require devices to send diagnostic data at the following levels:
+
+- *Optional* level (previously *Full*) for Windows 11 devices
+- *Enhanced* level for Windows 10 devices
+
+## Permissions
+
+- [Windows Update for Business deployment service](/graph/api/resources/windowsupdates) operations require [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions)
+  - Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have the permissions.
+
+> [!NOTE]
+> Leveraging other parts of the Graph API might require additional permissions. For example, to display [device](/graph/api/resources/device) information, a minimum of [Device.Read.All](/graph/permissions-reference#device-permissions) permission is needed.
+
+## Limitations
+
+<!--Using include for deployment service limitations-->
+[!INCLUDE [Windows Update for Business deployment service limitations](./includes/wufb-deployment-limitations.md)]
--- a/windows/deployment/update/includes/wufb-deployment-limitations.md
+++ b/windows/deployment/update/includes/wufb-deployment-limitations.md
@ -0,0 +1,13 @@
+---
+author: mestew
+ms.author: mstewart
+manager: aaroncz
+ms.technology: itpro-updates
+ms.prod: windows-client
+ms.topic: include
+ms.date: 02/14/2023
+ms.localizationpriority: medium
+---
+<!--This file is shared by deployment-service-overview.md and the deployment-service-prerequisites.md articles. Headings may be driven by article context. 7512398 -->
+
+Windows Update for Business deployment service is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Windows Update for Business deployment service doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Windows Update for Business deployment service is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers.