From df70f608ac0690c1e50c2e1bc34d4d43b603c976 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 27 Feb 2025 13:39:59 -0800 Subject: [PATCH 1/7] Reporting prereqs --- ...s-quality-and-feature-update-reports-overview.md | 13 +++++++++++-- ...-autopatch-changes-made-at-feature-activation.md | 10 +--------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index d897d0e216..c678156938 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 02/27/2025 +ms.date: 03/03/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -19,6 +19,15 @@ ms.collection: [!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] +## Prerequisites + +Windows Autopatch requires, and uses Windows diagnostic data to display device update statuses in Autopatch reports. + +- Service state and substate data are included for all devices configured for Windows quality and feature updates. No data collection configuration is required. +- Client and substate data are collected from devices only if Windows data collection data is properly configured. + +This data collection configuration method using Windows diagnostic data in Intune is shared across Autopatch reports. To support Autopatch reporting, you must configure the [Enable Windows diagnostic data collection settings](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) from devices at the **Required** or higher level. + ## Windows quality update reports The Windows quality reports provide you with information about: @@ -86,7 +95,7 @@ Up to date devices are devices that meet all of the following prerequisites: - Applied the current monthly cumulative updates > [!NOTE] -> Device that are [Up to Date](#up-to-date-devices) will remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices). +> Devices that are [Up to Date](#up-to-date-devices) remain with the **In Progress** status until either the current monthly cumulative update is applied, or an [alert](../operate/windows-autopatch-device-alerts.md) is received. If the device receives an alert, the device's status changes to [Not up to Date](#not-up-to-date-devices). #### Up to Date sub statuses diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md index a39b3238a9..132fd4dedf 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md @@ -1,7 +1,7 @@ --- title: Changes made at feature activation description: This reference article details the changes made to your tenant when you activate Windows Autopatch -ms.date: 09/16/2024 +ms.date: 03/03/2025 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -49,14 +49,6 @@ The following groups target Windows Autopatch configurations to devices and mana | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | | Modern Workplace Devices-WindowsAutopatch-Broad | Final deployment ring for broad rollout into the organization | -## Device configuration policies - -- Windows Autopatch - Data Collection - -| Policy name | Policy description | Properties | Value | -| ----- | ----- | ----- | ----- | -| Windows Autopatch - Data Collection | Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.

Assigned to:

|
  1. [Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
  2. [Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
  3. [Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
  4. [Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
|
  1. Full
  2. Enabled
  3. Enabled
  4. Enabled
| - ## Windows feature update policies - Windows Autopatch - Global DSS Policy From 10b657110baa3b3f6694f6f198d9cbb1708be432 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 27 Feb 2025 13:46:46 -0800 Subject: [PATCH 2/7] Fixed Acrolinx score --- .../windows-autopatch-changes-made-at-feature-activation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md index 132fd4dedf..432b2cc9ba 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md @@ -60,7 +60,7 @@ The following groups target Windows Autopatch configurations to devices and mana ## Microsoft Office update policies > [!IMPORTANT] -> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).

+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).

- Windows Autopatch - Office Configuration - Windows Autopatch - Office Update Configuration [Test] @@ -79,7 +79,7 @@ The following groups target Windows Autopatch configurations to devices and mana ## Microsoft Edge update policies > [!IMPORTANT] -> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).

+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).

- Windows Autopatch - Edge Update Channel Stable - Windows Autopatch - Edge Update Channel Beta @@ -92,7 +92,7 @@ The following groups target Windows Autopatch configurations to devices and mana ## Driver updates for Windows 10 and later > [!IMPORTANT] -> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).

+> By default, these policies aren't deployed. You can opt in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).

To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).

- Windows Autopatch - Driver Update Policy [Test] - Windows Autopatch - Driver Update Policy [First] From b2b688c9dbb2a24a0121294694db4f3a05b66a92 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Fri, 28 Feb 2025 09:07:35 +0200 Subject: [PATCH 3/7] Added note about Native AOT to the known issues and tips document Added note about Native AOT to the known issues and tips document. --- .../app-control-for-business/operations/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md index 4181691e76..70b974076b 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md @@ -62,7 +62,7 @@ Although App Control audit mode is designed to avoid impact to apps, some featur ### .NET native images may generate false positive block events -In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. +In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. To prevent that, consider compiling your .NET application ahead of time using the [Native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot) feature. ### Signatures using elliptical curve cryptography (ECC) aren't supported From db72a89ac72ead657578d09ebdf773f1d98092e6 Mon Sep 17 00:00:00 2001 From: Kevin Sheehan <116211220+kbsheehan@users.noreply.github.com> Date: Fri, 28 Feb 2025 16:34:38 -0500 Subject: [PATCH 4/7] Update configuration-service-provider-ddf.md Added new DDFs --- .../mdm/configuration-service-provider-ddf.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index bcb544c636..963ff93ebc 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -13,7 +13,7 @@ This article lists the OMA DM device description framework (DDF) files for vario As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download: -- [DDF v2 Files, September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip) +- [DDF v2 Files, February 2025](https://download.microsoft.com/download/a8922fbe-20a9-431d-b24f-9d5344dda25e/DDFv2Feb25.zip) ## DDF v2 schema @@ -574,6 +574,7 @@ DDF v2 XML schema definition is listed below along with the schema definition fo ## Older DDF files You can download the older DDF files for various CSPs from the links below: +- [Download all the DDF files for Windows 10 and 11 September 2024](https://download.microsoft.com/download/a/a/a/aaadc008-67d4-4dcd-b864-70c479baf7d6/DDFv2September24.zip) - [Download all the DDF files for Windows 10 and 11 May 2024](https://download.microsoft.com/download/f/6/1/f61445f7-1d38-45f7-bc8c-609b86e4aabc/DDFv2May24.zip) - [Download all the DDF files for Windows 10 and 11 September 2023](https://download.microsoft.com/download/0/e/c/0ec027e5-8971-49a2-9230-ec9352bc3ead/DDFv2September2023.zip) - [Download all the DDF files for Windows 10 and 11 December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip) From 0911f28aca716ccfd3419c987fc9da199c31643b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 3 Mar 2025 08:13:50 -0500 Subject: [PATCH 5/7] update syntax for AppLocker rules --- windows/configuration/assigned-access/configuration-file.md | 2 +- .../assigned-access/includes/example-restricted-experience.md | 4 ++-- .../includes/quickstart-restricted-experience-intune.md | 4 ++-- .../includes/quickstart-restricted-experience-ps.md | 4 ++-- .../includes/quickstart-restricted-experience-xml.md | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/configuration/assigned-access/configuration-file.md b/windows/configuration/assigned-access/configuration-file.md index 26cb548ff8..d7a0a30536 100644 --- a/windows/configuration/assigned-access/configuration-file.md +++ b/windows/configuration/assigned-access/configuration-file.md @@ -149,7 +149,7 @@ Example: - + diff --git a/windows/configuration/assigned-access/includes/example-restricted-experience.md b/windows/configuration/assigned-access/includes/example-restricted-experience.md index 7ee28b6761..e8653f5e2f 100644 --- a/windows/configuration/assigned-access/includes/example-restricted-experience.md +++ b/windows/configuration/assigned-access/includes/example-restricted-experience.md @@ -23,7 +23,7 @@ ms.topic: include - + @@ -81,7 +81,7 @@ ms.topic: include - + diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md index 7267d16e53..4238a97dad 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-intune.md @@ -11,7 +11,7 @@ ms.topic: include POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations Content-Type: application/json -{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ]]>\n \n \n \n \n \n \n \n \n \n \n" } ] } +{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 10", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n ]]>\n \n \n \n \n \n \n \n \n \n \n" } ] } ``` ::: zone-end @@ -22,7 +22,7 @@ Content-Type: application/json POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations Content-Type: application/json -{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] } +{ "id": "00-0000-0000-0000-000000000000", "displayName": "_MSLearn_Example_Restricted_User_Experience - Assigned Access - Windows 11", "description": "This is a sample policy created from an article on learn.microsoft.com.", "roleScopeTagIds": [ "0" ], "@odata.type": "#microsoft.graph.windows10CustomConfiguration", "omaSettings": [ { "@odata.type": "#microsoft.graph.omaSettingString", "displayName": "AssignedAccess_Configuration", "description": null, "omaUri": "./Vendor/MSFT/AssignedAccess/Configuration", "secretReferenceValueId": null, "isEncrypted": true, "value": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n" } ] } ``` ::: zone-end \ No newline at end of file diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md index 35a15c446f..94bb914c0b 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-ps.md @@ -22,7 +22,7 @@ $assignedAccessConfiguration = @" - + @@ -88,7 +88,7 @@ $assignedAccessConfiguration = @" - + diff --git a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md index 514c6ab44c..52730d3c75 100644 --- a/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md +++ b/windows/configuration/assigned-access/includes/quickstart-restricted-experience-xml.md @@ -21,7 +21,7 @@ ms.topic: include - + @@ -79,7 +79,7 @@ ms.topic: include - + From c6b489f1474a8cb7d678239d152cf98b10247d99 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Mar 2025 09:48:25 -0700 Subject: [PATCH 6/7] Update policy-csp-admx-kerberos.md --- windows/client-management/mdm/policy-csp-admx-kerberos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 480281a102..756376d2de 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -174,7 +174,7 @@ This policy setting allows you to specify which DNS host names and which DNS suf > [!NOTE] -> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. +> The list of DNS host names and DNS suffixes has a 2048 character limit. This policy would not apply if you exceed this limit. For more information, see [Kerberos realm to host mapping policy string-length limitations](https://support.microsoft.com/topic/e86856c2-1e02-43fe-9c58-d7c9d6386f01). From 0615bc7e2aaa0483b8fda8f840d7d1fbd1cbc79f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 3 Mar 2025 12:30:24 -0700 Subject: [PATCH 7/7] Update known-issues.md --- .../app-control-for-business/operations/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md index 70b974076b..e2c44042bd 100644 --- a/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md +++ b/windows/security/application-security/application-control/app-control-for-business/operations/known-issues.md @@ -62,7 +62,7 @@ Although App Control audit mode is designed to avoid impact to apps, some featur ### .NET native images may generate false positive block events -In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. To prevent that, consider compiling your .NET application ahead of time using the [Native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot) feature. +In some cases, the code integrity logs where App Control for Business errors and warnings are written include error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. To prevent that, consider compiling your .NET application ahead of time using the [Native AOT](/dotnet/core/deploying/native-aot) feature. ### Signatures using elliptical curve cryptography (ECC) aren't supported