Merge branch 'main' into aljupudi-5857645-DisableSearchpolicyupdate

Angela Fleischmann 2022-07-11 13:10:27 -07:00 committed by GitHub
commit ea48e49e5f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 679 additions and 467 deletions


@ -17,22 +17,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "hololens",
"build_source_folder": "devices/hololens",
"build_output_subfolder": "hololens",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "internet-explorer",
"build_source_folder": "browsers/internet-explorer",
@ -49,22 +33,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "keep-secure",
"build_source_folder": "windows/keep-secure",
"build_output_subfolder": "keep-secure",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "microsoft-edge",
"build_source_folder": "browsers/edge",
@ -81,22 +49,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "release-information",
"build_source_folder": "windows/release-information",
"build_output_subfolder": "release-information",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "smb",
"build_source_folder": "smb",
@ -193,22 +145,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-device-security",
"build_source_folder": "windows/device-security",
"build_output_subfolder": "win-device-security",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-hub",
"build_source_folder": "windows/hub",
@ -225,22 +161,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-plan",
"build_source_folder": "windows/plan",
"build_output_subfolder": "windows-plan",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-privacy",
"build_source_folder": "windows/privacy",
@ -273,38 +193,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "windows-update",
"build_source_folder": "windows/update",
"build_output_subfolder": "windows-update",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-threat-protection",
"build_source_folder": "windows/threat-protection",
"build_output_subfolder": "win-threat-protection",
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",
"RestApi": "Content"
},
"build_entry_point": "docs",
"template_folder": "_themes"
},
{
"docset_name": "win-whats-new",
"build_source_folder": "windows/whats-new",
@ -360,13 +248,13 @@
"Pdf"
]
},
"need_generate_pdf_url_template": true,
"targets": {
"Pdf": {
"template_folder": "_themes.pdf"
}
},
"docs_build_engine": {},
"need_generate_pdf_url_template": true,
"contribution_branch_mappings": {},
"need_generate_pdf": false,
"need_generate_intellisense": false


@ -19559,6 +19559,11 @@
"source_path": "windows/deployment/deploy-windows-mdt/deploy-a-windows-11-image-using-mdt.md",
"redirect_url": "/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt",
"redirect_document_id": false
},
{
"source_path": "education/windows/get-minecraft-device-promotion.md",
"redirect_url": "/education/windows/get-minecraft-for-education",
"redirect_document_id": false
}
]
}
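Review bot: The new redirect maps `education/windows/get-minecraft-device-promotion.md` to `/education/windows/get-minecraft-for-education`, but no page by that name is visible in this commit, while the deleted promotion page itself pointed readers to `school-get-minecraft.md`; please confirm the target exists (or is added by one of the files not shown here) so the deletion does not become a broken redirect. `"redirect_document_id": false` is consistent with the neighbouring entries.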


@ -2,39 +2,9 @@
## Week of May 02, 2022
## Week of June 27, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
## Week of April 25, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
## Week of April 18, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed |


@ -53,8 +53,6 @@
href: teacher-get-minecraft.md
- name: "For IT administrators: get Minecraft Education Edition"
href: school-get-minecraft.md
- name: "Get Minecraft: Education Edition with Windows 10 device promotion"
href: get-minecraft-device-promotion.md
- name: Test Windows 10 in S mode on existing Windows 10 education devices
href: test-windows10s-for-edu.md
- name: Enable Windows 10 in S mode on Surface Go devices


@ -1,90 +0,0 @@
---
title: Get Minecraft Education Edition with your Windows 10 device promotion
description: Windows 10 device promotion for Minecraft Education Edition licenses
keywords: school, Minecraft, education edition
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
searchScope:
- Store
ms.author: dansimp
ms.date: 06/05/2018
ms.reviewer:
manager: dansimp
---
# Get Minecraft: Education Edition with Windows 10 device promotion
**Applies to:**
- Windows 10
The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018.
Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education.
For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](./school-get-minecraft.md?toc=%2fmicrosoft-store%2feducation%2ftoc.json).
>[!Note]
>**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time
of redemption. At the end of 1 year, the promotional subscriptions will expire and any people using these subscriptions will be reverted to a trial license of **Minecraft: Education Edition**.
To prevent being reverted to a trial license, admins or teachers need to purchase new **Minecraft: Education Edition** subscriptions from Store for Education, and assign licenses to users who used a promotional subscription.
<!---
For qualifying customers, receive a one-year, single-user subscription for Minecraft: Education Edition for each Windows 10 device you purchase for your K-12 school. Youll need your invoice or receipt, so be sure to keep track of that. For more information including terms of use, see [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
## Requirements
- Qualified Educational Users in K-12 education institutions
- Windows 10 devices purchased from May 2, 2017 - January 31, 2018
- Redeem Minecraft: Education Edition licenses from July 1, 2017 - March 17, 2018
- Microsoft Store for Education admin must submit request for Minecraft: Education Edition licenses
- Proof of device purchase is required (invoice required)
Full details available at [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
## Redeem Minecraft: Education Edition licenses
Redeeming your licenses takes just a few steps:
- Visit the device promotion page
- Submit a device purchase statement
- Provide proof of your device purchase
After that, well add the appropriate number of Minecraft: Education Edition licenses to your product inventory in **Microsoft Store for Education** as **Minecraft: Education Edition [subscription]**.
**To redeem Minecraft: Education Edition licenses**
1. Visit [Minecraft: Education Edition and Windows 10 device promotion](https://educationstore.microsoft.com/store/mee-device-promo?setflight=wsfb_devicepromo) in **Microsoft Store for Education**.
![Minecraft: Education Edition page in Microsoft Store for Education.](images/get-mcee-promo.png)
2. Sign in to **Microsoft Store for Education** using a school account. If you dont have one, well help you set one up. <br>
-or-
If you're already signed in to Microsoft Store for Education, the device special offer is available on **Benefits**. </br>
Click **Manage**, **Benefits**, and then click **Minecraft: Education Edition Device Promotion**.
3. **On Minecraft Windows 10 device special offer**, click **Submit a device purchase**.
![Windows 10 device special offer page for Minecraft: Education Edition. Submit a device purchase is highlighted to show customers how to submit info about the devices you purchased.](images/mcee-benefits.png)
4. Provide info for **Proof of Purchase**. Be sure to include a .pdf or .jpg of your invoice, and then click **Next**.
> [!NOTE]
> Your one-year subscription starts when you submit your proof-of-purchase info. Be sure to submit your request when you'll be using licenses in the classroom.
![Proof of purchase page with Invoice area highlighted.](images/proof-of-purchase.png)
5. Accept the **Promotion Terms of use**, and then click **Submit**. </br>
Success look like this!
![Proof of purchase page with Invoice area highlighted.](images/msfe-device-promo-success.png)
6. Click **Actions** and then click **Manage** to go to the management page for **Minecraft: Education Edition** and distribute licenses.
## Distribute Minecraft: Education Edition licenses
Teachers or admins can distribute the licenses:
- [Learn how teachers can distribute **Minecraft: Education Edition**](teacher-get-minecraft.md#distribute-minecraft)
- [Learn how IT administrators can distribute **Minecraft: Education Edition**](school-get-minecraft.md#distribute-minecraft)
-->


@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
ms.date: 06/28/2022
ms.reviewer:
manager: dansimp
---
@ -19,7 +19,7 @@ The table below shows the applicability of Windows:
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|


@ -8,7 +8,7 @@ author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.date: 06/06/2022
ms.date: 06/30/2022
---
# Update Compliance prerequisites
@ -66,11 +66,15 @@ For more information about what's included in different diagnostic levels, see [
> [!NOTE]
> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription.
## Microsoft 365 admin center permissions (optional)
## Microsoft 365 admin center permissions (currently optional)
When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also recommended:
- To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also needed:
- To configure settings and view the **Software Updates** page:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- To view the **Software Updates** page:
- [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
## Log Analytics prerequisites


@ -10,7 +10,7 @@ ms.collection:
- M365-analytics
- highpri
ms.topic: article
ms.date: 05/07/2022
ms.date: 06/20/2022
---
# Microsoft admin center software updates (preview) page
@ -34,8 +34,12 @@ The **Software updates** page has following tabs to assist you in monitoring upd
- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution
- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com)
- To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles)
- To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles)
- To configure settings and view the **Software Updates** page:
- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator)
- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator)
- To view the **Software Updates** page:
- [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader)
## Limitations


@ -17,8 +17,9 @@
href: prepare/windows-autopatch-configure-network.md
- name: Enroll your tenant
href: prepare/windows-autopatch-enroll-tenant.md
- name: Fix issues found by the Readiness assessment tool
href: prepare/windows-autopatch-fix-issues.md
items:
- name: Fix issues found by the Readiness assessment tool
href: prepare/windows-autopatch-fix-issues.md
- name: Deploy
href: deploy/index.md
items:
@ -32,33 +33,48 @@
- name: Update management
href: operate/windows-autopatch-update-management.md
items:
- name: Windows quality updates
href: operate/windows-autopatch-wqu-overview.md
items:
- name: Windows quality end user experience
href: operate/windows-autopatch-wqu-end-user-exp.md
- name: Windows quality update signals
href: operate/windows-autopatch-wqu-signals.md
- name: Windows quality update communications
- name: Windows updates
href:
items:
- name: Windows quality updates
href: operate/windows-autopatch-wqu-overview.md
items:
- name: Windows quality end user experience
href: operate/windows-autopatch-wqu-end-user-exp.md
- name: Windows quality update signals
href: operate/windows-autopatch-wqu-signals.md
- name: Windows feature updates
href: operate/windows-autopatch-fu-overview.md
items:
- name: Windows feature end user experience
href: operate/windows-autopatch-fu-end-user-exp.md
- name: Windows quality and feature update communications
href: operate/windows-autopatch-wqu-communications.md
- name: Conflicting and unsupported policies
href: operate/windows-autopatch-wqu-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- name: Deregister a device
href: operate/windows-autopatch-deregister-devices.md
- name: Maintain the Windows Autopatch environment
href: operate/windows-autopatch-maintain-environment.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
- name: Deregister a device
href: operate/windows-autopatch-deregister-devices.md
- name: Un-enroll your tenant
href: operate/windows-autopatch-unenroll-tenant.md
- name: Reference
href:
items:
- name: Update policies
href:
items:
- name: Windows update policies
href: operate/windows-autopatch-wqu-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise update policies
href: references/windows-autopatch-microsoft-365-policies.md
- name: Privacy
href: references/windows-autopatch-privacy.md
- name: Windows Autopatch preview addendum
href: references/windows-autopatch-preview-addendum.md
href: references/windows-autopatch-preview-addendum.md


@ -14,9 +14,6 @@ msreviewer: hathind
# Add and verify admin contacts
> [!IMPORTANT]
> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding.
There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch.
> [!IMPORTANT]
@ -34,7 +31,7 @@ Your admin contacts will receive notifications about support request updates and
| Area of focus | Description |
| ----- | ----- |
| Devices | <uL><li>Device registration</li><li>Device health</li></ul> |
| Updates | <ul><li>Windows quality updates</li><li>Microsoft 365 Apps for enterprise</li><li>Microsoft Teams updates</li><li>Microsoft Edge</li></ul> |
| Updates | <ul><li>Windows quality updates</li><li>Windows feature updates</li><li>Microsoft 365 Apps for enterprise updates</li><li>Microsoft Edge updates</li><li>Microsoft Teams updates</li></ul> |
**To add admin contacts:**


@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
ms.date: 06/24/2022
ms.date: 07/06/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@ -68,16 +68,17 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Configuration Manager Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
- Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
- Windows updates policies
- Device configuration
- Office Click-to-run
- Last Intune device check-in completed within the last 28 days.
- Last Intune device check in completed within the last 28 days.
- Devices must have Serial Number, Model and Manufacturer.
> [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
For more information on how Configuration Manager workloads work, see [How to switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads).
See [Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
## About the Ready and Not ready tabs
@ -96,7 +97,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo
- Intune Service Administrator
- Modern Workplace Intune Administrator
For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
> [!NOTE]
> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
@ -110,7 +111,9 @@ Registering your devices in Windows Autopatch does the following:
## Steps to register devices
**To register devices into Windows Autopatch:**
### Physical devices
**To register physical devices into Windows Autopatch:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Windows Autopatch** from the left navigation menu.
@ -121,12 +124,43 @@ Registering your devices in Windows Autopatch does the following:
> [!NOTE]
> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs.
Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs software-based prerequisite checks to try to register them with its service.
Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
> [!IMPORTANT]
> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
### Virtual devices
## Additional device management lifecycle scenarios
#### Windows Autopatch on Windows 365 Enterprise Workloads
With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date.
#### Deploy Windows Autopatch on a Windows 365 Provisioning Policy
For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:**
1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
1. In the left pane, select **Devices**.
1. Navigate to Provisioning > **Windows 365**.
1. Select Provisioning policies > **Create policy**.
1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types).
1. Select **Next**.
1. Choose the desired image and select **Next**.
1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) cannot manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue.
1. Assign your policy accordingly and select **Next**.
1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
#### Deploy Autopatch on Windows 365 for existing Cloud PC
All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices. For more information, see [Physical devices](#physical-devices).
#### Contact support
Support is available either through Windows 365, or Windows Autopatch for update related incidents.
- For Windows 365 support, see [Get support](/mem/get-support).
- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request).
## Device management lifecycle scenarios
There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.

Binary file not shown.

After

Width:  |  Height:  |  Size: 168 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 57 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 168 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 297 KiB


@ -14,12 +14,15 @@ msreviewer: hathind
# Operating with Windows Autopatch
This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team:
This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, maintaining your Windows Autopatch environment, how to contact the Windows Autopatch Service Engineering Team, and unenrolling your tenant:
- [Update management](windows-autopatch-update-management.md)
- [Windows quality updates](windows-autopatch-wqu-overview.md)
- [Windows feature updates](windows-autopatch-fu-overview.md)
- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md)
- [Microsoft Edge updates](windows-autopatch-edge.md)
- [Microsoft Teams updates](windows-autopatch-teams.md)
- [Maintain the Windows Autopatch environment](windows-autopatch-maintain-environment.md)
- [Deregister devices](windows-autopatch-deregister-devices.md)
- [Submit a support request](windows-autopatch-support-request.md)
- [Unenroll your tenant](windows-autopatch-unenroll-tenant.md)


@ -0,0 +1,73 @@
---
title: Windows feature update end user experience
description: This article explains the Windows feature update end user experience
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Windows feature update end user experience
Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
## User notifications
In this section we'll review what an end user would see in the following three scenarios:
1. Typical update experience
2. Feature update deadline forces an update
3. Feature update grace period
> [!NOTE]
> Windows Autopatch doesn't yet support feature updates without notifying end users.
### Typical update experience
In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First rings DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
1. Restart immediately to install the updates
1. Schedule the installation, or
1. Snooze (the device will attempt to install outside of active hours.)
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience":::
### Feature update deadline forces an update
The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours.
The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update":::
### Feature update grace period
In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period":::
## Servicing window
Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
| Policy | Description |
| ----- | ----- |
| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 1200AM, representing the hours of the day in local time on that device. |
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 1200AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
> [!IMPORTANT]
> Both policies must be deployed for them to work as expected.
A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
> [!IMPORTANT]
> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management: <ul><li>[Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)</li><li>[Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)</li><li>[Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)</li><li>[Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)</li><li>[Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)</li><li>[Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)</li><li>[Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)</li></ul>


@ -0,0 +1,106 @@
---
title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Windows feature updates
## Service level objective
Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates.
## Device eligibility
For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria:
| Criteria | Description |
| ----- | ----- |
| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. |
| Intune sync | Devices must have checked with Intune within the last five days. |
| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
## Windows feature update releases
When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout.
The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend.
| Ring | Timeline |
| ----- | ----- |
| Test | Release start |
| First | Release start + 30 days |
| Fast | Release start + 60 days |
| Broad | Release start + 90 days |
:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline":::
## New devices to Windows Autopatch
If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria.
If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device.
## Feature update configuration
When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. Youll see four of each of the following policies in your tenant, one for each ring:
- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows.
- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates.
| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
| ----- | ----- | ----- | ----- | ----- |
| Test | 21H2 | 0 | 5 | 0 |
| First | 21H2 | 0 | 5 | 0 |
| Fast | 21H2 | 0 | 5 | 2 |
| Broad | 21H2 | 0 | 5 | 2 |
> [!NOTE]
> Customers are not able to select a target version for their tenant.
During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline.
To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices.
| Policy | Description |
| ----- | ----- |
| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. |
| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management.
## Windows 11 testing
To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11.
> [!IMPORTANT]
> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment.
## Pausing and resuming a release
You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager.
## Rollback
Windows Autopatch doesn't support the rollback of feature updates.
## Incidents and outages
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md).


@ -0,0 +1,30 @@
---
title: Maintain the Windows Autopatch environment
description: This article details how to maintain the Windows Autopatch environment
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Maintain the Windows Autopatch environment
After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps:
1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section.
1. If any of the items apply to your environment, make the adjustments as described.
> [!NOTE]
> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
## Microsoft Intune settings
| Setting | Description |
| ----- | ----- |
| Conditional access policies | If you create any new conditional access or multi-factor authentication policies related to Azure AD, or Microsoft Intune after Windows Autopatch enrollment, exclude theModern Workplace Service AccountsAzure AD group from them. For more information, see[Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Windows Autopatch maintains separate conditional access policies to restrict access to these accounts.<p>**To review the Windows Autopatch conditional access policy (Modern Workplace Secure Workstation):**</p><p>Go to Microsoft Endpoint Manager and navigate to**Conditional Access**in**Endpoint Security**. Do **not** modify any Azure AD conditional access policies created by Windows Autopatch that have "**Modern Workplace**" in the name.</p> |
| Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the**Modern Workplace Devices - All**Azure AD group from each policy. For more information, see[Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).<p>Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:</p><ul><li>Modern Workplace Update Policy [Broad]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Fast]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [First]-[Windows Autopatch]</li><li>Modern Workplace Update Policy [Test]-[Windows Autopatch]</li></ul><p>When you update your own policies, ensure that youdon'texclude the**Modern Workplace Devices - All**Azure AD group from the policies that Windows Autopatch created.</p><p>**To resolve the Not ready result:**</p><p>After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p><p>**To resolve the Advisory result:**</p><ol><li>Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li> <li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |


@ -82,27 +82,11 @@ Windows Autopatch will either:
Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
## Conflicting and unsupported policies
## Compatibility with Servicing Profiles
Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
| Update setting | Value | Usage reason |
| ----- | ----- | ----- |
| Set updates to occur automatically | Enabled | Enable automatic updates |
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline by when updates must be applied | 3 | Update deadline |
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
## Microsoft 365 Apps servicing profiles
A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type.


@ -0,0 +1,57 @@
---
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Unenroll your tenant
If you're looking to unenroll your tenant from Windows Autopatch, this article details what unenrollment means for your organization and what actions you must take.
> [!IMPORTANT]
> You must be a Global Administrator to unenroll your tenant.
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in Deregister a device.
- Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE]
> We will **not** delete any of your customer or Intune data.
## Microsoft's responsibilities during unenrollment
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). |
| Windows Autopatch cloud service accounts | Windows Autopatch will remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> |
| Conditional access policy | Windows Autopatch will remove the Modern Workplace Secure Workstation conditional access policy. |
| Microsoft Endpoint Manager roles | Windows Autopatch will remove the Modern Workplace Intune Admin role. |
## Your responsibilities after unenrolling your tenant
| Responsibility | Description |
| ----- | ----- |
| Updates | After the Windows Autopatch service is unenrolled, well no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
| Optional Windows Autopatch configuration | Windows Autopatch wont remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you dont wish to use these policies for your devices after unenrollment, you may safely delete them. |
## Unenroll from Windows Autopatch
**To unenroll from Windows Autopatch:**
1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service.
1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete.
1. Youre responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).


@ -20,7 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
| Update type | Description |
| ----- | ----- |
| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
| Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
| Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
| Anti-virus definition | Updated with each scan. |
| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |


@ -1,5 +1,5 @@
---
title: End user experience
title: Windows quality update end user experience
description: This article explains the Windows quality update end user experience
ms.date: 05/30/2022
ms.prod: w11
@ -12,7 +12,7 @@ manager: dougeby
msreviewer: hathind
---
# End user experience
# Windows quality update end user experience
Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.


@ -72,8 +72,11 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
> [!NOTE]
> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview.
You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
## Rollback
Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md).
## Incidents and outages


@ -1,7 +1,7 @@
---
title: Conflicting and unsupported policies
description: This article explains the conflicting and unsupported policies in Windows quality updates
ms.date: 05/30/2022
title: Windows update policies
description: This article explains Windows update policies in Windows Autopatch
ms.date: 07/07/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@ -12,11 +12,94 @@ manager: dougeby
msreviewer: hathind
---
# Conflicting and unsupported policies
# Windows update policies
## Update rings for Windows 10 and later
The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace Update Policy [ring name] [Windows Autopatch]**
### Windows 10 and later update settings
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Microsoft product updates | Allow | Allow | Allow | Allow |
| Windows drivers | Allow | Allow | Allow | Allow |
| Quality update deferral period | 0 | 1 | 6 | 9 |
| Feature update deferral period | 0 | 0 | 0 | 0 |
| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
| Servicing channel | General availability | General availability | General availability | General availability |
### Windows 10 and later user experience settings
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default |
| Restart checks | Allow | Allow | Allow | Allow |
| Option to pause updates | Disable | Disable | Disable | Disable |
| Option to check for Windows updates | Default | Default | Default | Default |
| Change notification update level | Default | Default | Default | Default |
| Deadline for feature updates | 5 | 5 | 5 | 5 |
| Deadline for quality updates | 0 | 2 | 2 | 5 |
| Grace period | 0 | 2 | 2 | 2 |
| Auto-restart before deadline | Yes | Yes | Yes | Yes |
### Windows 10 and later assignments
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Included groups | Modern Workplace DevicesWindows Autopatch-Test | Modern Workplace DevicesWindows Autopatch-First | Modern Workplace DevicesWindows Autopatch-Fast | Modern Workplace DevicesWindows Autopatch-Broad |
| Excluded groups | None | None | None | None |
## Feature update policies
The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices.
### Feature updates for Windows 10 and later
These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace DSS Policy [ring name]**
#### Feature update deployment settings
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows |
| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start |
#### Feature update policy assignments
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Included groups | Modern Workplace DevicesWindows Autopatch-Test | Modern Workplace DevicesWindows Autopatch-First | Modern Workplace DevicesWindows Autopatch-Fast | Modern Workplace DevicesWindows Autopatch-Broad |
| Excluded groups | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices |
#### Windows 11 testing
To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment.
##### Windows 11 deployment setting
| Setting name | Test |
| ----- | ----- |
| Name | Windows 11 |
| Rollout options | Immediate start |
##### Windows 11 assignments
| Setting name | Test |
| ----- | ----- |
| Included groups | Modern Workplace Windows 11 Pre-Release Test Devices |
| Excluded groups | None |
## Conflicting and unsupported policies
Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
## Update policies
### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management.
@ -26,7 +109,7 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.<p><p>Supported values are from zero through to 23, where zero is 1200AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.<p><p>This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
## Group policy
### Group policy
Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:


@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.topic: faq
ms.date: 06/02/2022
ms.date: 07/06/2022
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@ -43,7 +43,7 @@ sections:
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
Additional pre-requisites for devices managed by Configuration Manager:
- [Co-management](../prepare/windows-autopatch-prerequisites.md#co-management-requirements)
- [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
- [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
- [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
@ -59,6 +59,15 @@ sections:
- question: Can Autopatch customers individually approve or deny devices?
answer: |
No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported.
- question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device?
answer: |
No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
answer: |
Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- question: Can I run Autopatch on my Windows 365 Business Workloads?
answer: |
No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- name: Update Management
questions:
- question: What systems does Windows Autopatch update?


@ -1,7 +1,7 @@
---
title: What is Windows Autopatch? (preview)
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles
ms.date: 05/30/2022
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@ -12,10 +12,7 @@ manager: dougeby
msreviewer: hathind
---
# What is Windows Autopatch? (preview)
> [!IMPORTANT]
> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch).
# What is Windows Autopatch?
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
@ -39,6 +36,7 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| Management area | Service level objective |
| ----- | ----- |
| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
@ -59,33 +57,13 @@ Microsoft remains committed to the security of your data and the [accessibility]
## Need more details?
### Prepare
| Area | Description |
| ----- | ----- |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Windows update policies](../operate/windows-autopatch-wqu-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../references/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:
### Have feedback or would like to start a discussion?
- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
- [Configure your network](../prepare/windows-autopatch-configure-network.md)
- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md)
- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
### Deploy
Once you've enrolled your tenant, this section instructs you to:
- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
- [Register your devices](../deploy/windows-autopatch-register-devices.md)
### Operate
This section includes the following information about your day-to-day life with the service:
- [Update management](../operate/windows-autopatch-update-management.md)
- [Submit a support request](../operate/windows-autopatch-support-request.md)
- [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
### References
This section includes the following articles:
- [Privacy](../references/windows-autopatch-privacy.md)
- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
You can [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch).


@ -19,4 +19,4 @@ The following articles describe the steps you must take to onboard with Windows
1. [Review the prerequisites](windows-autopatch-prerequisites.md)
1. [Configure your network](windows-autopatch-configure-network.md)
1. [Enroll your tenant](windows-autopatch-enroll-tenant.md)
1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md)
1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md)


@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li></ul>|
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>logcollection.mmd.microsoft.com</li><li>support.mmd.microsoft.com</li></ul>|
### Required Microsoft product endpoints


@ -1,7 +1,7 @@
---
title: Enroll your tenant
description: This article details how to enroll your tenant
ms.date: 05/30/2022
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@ -16,7 +16,10 @@ msreviewer: hathind
Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time.
The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch.
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
## Step 1: Review all prerequisites
@ -27,18 +30,18 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
> [!IMPORTANT]
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
**To access and run the Readiness assessment tool:**
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
> You must be a Global Administrator to run the Readiness assessment tool.
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
> [!IMPORTANT]
> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md).
> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses).
A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies).
@ -50,8 +53,8 @@ The following are the Microsoft Intune settings:
| Check | Description |
| ----- | ----- |
| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. |
| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. |
| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure update rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
### Azure Active Directory settings
@ -59,38 +62,27 @@ The following are the Azure Active Directory settings:
| Check | Description |
| ----- | ----- |
| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.<p><p>Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. |
| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.<p><p>Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). |
| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. |
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
### Check results
For each check, the tool will report one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Not ready | You must fix these issues before enrollment. You wont be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
### Seeing issues with your tenant?
## Step 3: Fix issues with your tenant
If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate.
### Delete data collected from the Readiness assessment tool
Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool.
> [!NOTE]
> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
**To delete the data we collect:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Navigate to Windows Autopatch > **Tenant enrollment**.
3. Select **Delete all data**.
## Step 3: Enroll your tenant
## Step 4: Enroll your tenant
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
@ -105,4 +97,24 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s
- Provide Windows Autopatch with IT admin contacts.
- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.
Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
Once these actions are complete, you've now successfully enrolled your tenant.
### Delete data collected from the Readiness assessment tool
You can choose to delete the data we collect directly within the Readiness assessment tool.
Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form.
> [!NOTE]
> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
**To delete the data we collect:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Navigate to Windows Autopatch > **Tenant enrollment**.
3. Select **Delete all data**.
## Next steps
1. Maintain your [Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).
1. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).


@ -14,13 +14,17 @@ msreviewer: hathind
# Fix issues found by the Readiness assessment tool
Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
## Check results
For each check, the tool will report one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Not ready | You must fix these issues before enrollment. You wont be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
> [!NOTE]
@ -44,8 +48,8 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop
| Result | Meaning |
| ----- | ----- |
| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.<p><p>After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p>|
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:<ol><li>Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.</li><li>If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).</li></ol><br>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
| Not ready | You have an "update ring" policy that targets all devices, all users, or both.<p>To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.<p>You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).</p>|
## Azure Active Directory settings
@ -68,13 +72,13 @@ Windows Autopatch requires the following licenses:
| ----- | ----- |
| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
### Windows Autopatch service accounts
### Windows Autopatch cloud service accounts
Certain account names could conflict with account names created by Windows Autopatch.
| Result | Meaning |
| ----- | ----- |
| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk. |
| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. The cloud service accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul><p>You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service.For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access).</p> |
### Security defaults


@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
ms.date: 05/30/2022
ms.date: 06/30/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@ -21,7 +21,9 @@ Getting started with Windows Autopatch has been designed to be easy. This articl
| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).<p><p>For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).<p><p>For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.<p><p>For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.<br><ul><li>For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)</li><li>For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).</li></ul> |
| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li></ul><p>For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p><p>At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.<p>Other device management prerequisites include:<ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.</li><li>Devices must be connected to the internet.</li><li>Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate these fail to meet **Intune or Clout-attached** pre-requisite check.</li></ul><p>See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
## More about licenses
@ -42,7 +44,7 @@ The following Windows 64-bit editions are required for Windows Autopatch:
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
## Co-management requirements
## Configuration Manager Co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:


@ -0,0 +1,33 @@
---
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Microsoft 365 Apps for enterprise update policies
## Conflicting and unsupported policies
Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
| Update setting | Value | Usage reason |
| ----- | ----- | ----- |
| Set updates to occur automatically | Enabled | Enable automatic updates |
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline by when updates must be applied | 3 | Update deadline |
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |


@ -58,11 +58,21 @@ Windows Autopatch only processes and stores system-level data from Windows 10 op
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
## Tenant access
Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
| Account name | Usage | Mitigating controls |
| ----- | ----- | -----|
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive login permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is extremely limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li</ul> |
| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
## Microsoft Windows Update for Business
Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
## Microsft Azure Active Directory
## Microsoft Azure Active Directory
Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)


@ -74,18 +74,59 @@ The following provides information on the current configurations:
- [Microsoft Managed Desktop](/microsoft-365/managed-desktop/service-description/device-policies#windows-diagnostic-data)
- [Desktop Analytics](/mem/configmgr/desktop-analytics/overview)
## New Windows diagnostic data processor configuration
## Significant changes coming to the Windows diagnostic data processor configuration
> [!IMPORTANT]
> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
Currently, to enroll devices in the [Window diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
Enterprise customers have an option for controlling their Windows diagnostic data for their Azure Active Directory-joined devices. This configuration option is supported on the following versions of Windows:
To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
- Windows 11 Enterprise, Professional, and Education
- Windows 10, Enterprise, Professional, and Education, version 1809 with at least the July 2021 update.
***Well stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, well be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsofts role in data processing.***
Previously, enterprise customers had two options in managing their Windows diagnostic data: 1) allow Microsoft to be the [controller](/compliance/regulatory/gdpr#terminology) of that data and responsible for determining the purposes and means of the processing of Windows diagnostic data in order to improve the Windows operating system and deliver analytical services, or 2) turn off diagnostic data flows altogether.
Were making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
Now, customers will have a third option that allows them to be the controller for their Windows diagnostic data, while still benefiting from the purposes that this data serves, such as quality of updates and device drivers. Under this approach, Microsoft will act as a data [processor](/compliance/regulatory/gdpr#terminology), processing Windows diagnostic data on behalf of the controller.
### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
This new option will enable customers to use familiar tools to manage, export, or delete data to help them meet their compliance obligations. For example, using the Microsoft Azure portal, customers will have the means to respond to their own users requests, such as delete and export diagnostic data. Admins can easily enable the Windows diagnostic data processor configuration for Windows devices using group policy or mobile device management ([MDM](/windows/client-management/mdm/policy-csp-system)). For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
- [Microsoft Managed Desktop](/managed-desktop/intro/)
- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
*(Additional licensing requirements may apply to use these services.)*
If you dont sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
> [!NOTE]
> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
### Rollout plan for this change
This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
- The processor configuration will be disabled in any devices that were previously enabled.
- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.
To prepare for this change, ensure that you meet the [prerequisites](configure-windows-diagnostic-data-in-your-organization.md#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
As part of this change, the following policies will no longer be supported to configure the processor option:
- Allow commercial data pipeline
- Allow Desktop Analytics Processing
- Allow Update Compliance Processing
- Allow WUfB Cloud Processing
- Configure the Commercial ID

@ -85,7 +85,7 @@ The following table lists the endpoints related to how you can manage the collec
|Connected User Experiences and Telemetry | v10.events.data.microsoft.com <br></br> v10c.events.data.microsoft.com <br></br> v10.vortex-win.data.microsoft.com |
| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com <br></br> umwatsonc.events.data.microsoft.com <br></br> *-umwatsonc.events.data.microsoft.com <br></br> ceuswatcab01.blob.core.windows.net <br></br> ceuswatcab02.blob.core.windows.net <br></br> eaus2watcab01.blob.core.windows.net <br></br> eaus2watcab02.blob.core.windows.net <br></br> weus2watcab01.blob.core.windows.net <br></br> weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com <br></br> <br></br> IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.microsoft.com <br></br> kmwatsonc.telemetry.microsoft.com <br></br> *-kmwatsonc.telemetry.microsoft.com |
| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com <br></br> oca.microsoft.com <br></br> kmwatsonc.events.data.microsoft.com <br></br> *-kmwatsonc.events.data.microsoft.com |
|Settings | settings-win.data.microsoft.com <br></br> <br></br> IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. |
### Data access
@ -256,7 +256,7 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm
## Enable Windows diagnostic data processor configuration
> [!IMPORTANT]
> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
@ -325,63 +325,6 @@ Windows Update for Business:
- [How to enable deployment protections](/windows/deployment/update/deployment-service-overview#how-to-enable-deployment-protections)
### Significant changes coming to the Windows diagnostic data processor configuration
Currently, to enroll devices in the Window diagnostic data processor configuration option, IT admins can use policies, such as the “Allow commercial data pipeline” policy, at the individual device level.
To enable efficiencies and help us implement our plan to [store and process EU Data for European enterprise customers in the EU](https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/), we'll be introducing the following significant change for enterprise Windows devices that have diagnostic data turned on.
***Well stop using policies, such as the “Allow commercial data pipeline” policy, to configure the processor option. Instead, well be introducing an organization-wide configuration based on Azure Active Directory (Azure AD) to determine Microsofts role in data processing.***
Were making this change to help ensure the diagnostic data for all devices in an organization is processed in a consistent way, and in the same geographic region.
#### Devices in Azure AD tenants with a billing address in the European Union (EU) or European Free Trade Association (EFTA)
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) in the EU or EFTA, the Windows diagnostic data for that device will be automatically configured for the processor option. The Windows diagnostic data for those devices will be processed in Europe.
From a compliance standpoint, this change means that Microsoft will be the processor and the organization will be the controller of the Windows diagnostic data. IT admins for those organizations will become responsible for responding to their users [data subject requests](/compliance/regulatory/gdpr-dsr-windows).
#### Devices in Azure AD tenants with a billing address outside of the EU and EFTA
For Windows devices with diagnostic data turned on and that are joined to an [Azure AD tenant with billing address](/azure/cost-management-billing/manage/change-azure-account-profile) outside of the EU and EFTA, to enable the processor configuration option, the organization must sign up for any of the following enterprise services, which rely on diagnostic data:
- [Update Compliance](/windows/deployment/update/update-compliance-monitor)
- [Windows Update for Business deployment service](/windows/deployment/update/deployment-service-overview)
- [Microsoft Managed Desktop](/managed-desktop/intro/)
- [Endpoint analytics (in Microsoft Endpoint Manager)](/mem/analytics/overview)
*(Additional licensing requirements may apply to use these services.)*
If you dont sign up for any of these enterprise services, Microsoft will act as controller for the diagnostic data.
> [!NOTE]
> In all cases, enrollment in the Windows diagnostic data processor configuration requires a device to be joined to an Azure AD tenant. If a device isn't properly enrolled, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
#### Rollout plan for this change
This change will roll out initially to Windows devices enrolled in the [Dev Channel](/windows-insider/flighting#dev-channel) of the Windows Insider program no earlier than July 2022. Once the rollout is initiated, devices in the Dev Channel that are joined to an Azure AD tenant with a billing address in the EU or EFTA will be automatically enabled for the processor configuration option.
During this initial rollout, the following conditions apply to devices in the Dev Channel that are joined to an Azure AD tenant with a billing address outside of the EU or EFTA:
- Devices can't be enabled for the Windows diagnostic data processor configuration at this time.
- The processor configuration will be disabled in any devices that were previously enabled.
- Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
It's recommended Insiders on these devices pause flighting if these changes aren't acceptable.
For Windows devices in the Dev Channel that aren't joined to an Azure AD tenant, Microsoft will act as the controller for Windows diagnostic data in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Data Protection Addendum](https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA) terms won't apply.
For other Windows devices (not in the Dev Channel), additional details on supported versions of Windows 11 and Windows 10 will be announced at a later date. These changes will roll out no earlier than the last quarter of calendar year 2022.
To prepare for this change, ensure that you meet the [prerequisites](#prerequisites) for Windows diagnostic data processor configuration, join your devices to Azure AD, and keep your devices secure and up to date with quality updates. If you're outside of the EU or EFTA, sign up for any of the enterprise services.
As part of this change, the following policies will no longer be supported to configure the processor option:
- Allow commercial data pipeline
- Allow Desktop Analytics Processing
- Allow Update Compliance Processing
- Allow WUfB Cloud Processing
- Configure the Commercial ID
## Limit optional diagnostic data for Desktop Analytics
For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing).

@ -147,7 +147,7 @@ An administrator can disable a users ability to delete their devices diagn
#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
> [!IMPORTANT]
> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](configure-windows-diagnostic-data-in-your-organization.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
**Applies to:**

@ -9,7 +9,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/09/2022
ms.date: 06/27/2022
ms.topic: reference
---
@ -53,6 +53,9 @@ A Windows Defender Application Control policy logs events locally in Windows Eve
## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)
> [!NOTE]
> When Managed Installer is enabled, customers using LogAnalytics should be aware that Managed Installer may fire many 3091 events. Customers may need to filter out these events to avoid high LogAnalytics costs.
Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above.
| Event ID | Explanation |

@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 04/14/2021
ms.date: 07/01/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@ -25,19 +25,23 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic covers tips and tricks for admins as well as known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
## Managed Installer and ISG will cause garrulous events
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
## .NET native images may generate false positive block events
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
## MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
For example, this command will not work:
For example, this command won't work:
```console
msiexec i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi

@ -14,7 +14,7 @@ author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 01/26/2022
ms.date: 06/28/2022
ms.technology: windows-sec
---
@ -26,8 +26,8 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
@ -88,7 +88,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
@ -146,6 +146,10 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
ms.date: 06/27/2022
ms.technology: windows-sec
---
@ -48,6 +48,9 @@ To sign a Windows Defender Application Control policy with SignTool.exe, you nee
> [!NOTE]
> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652)
>
>Certificate fields, like 'subject common name' and 'issuer common name,' cannot be UTF-8 encoded, otherwise, blue screens may occur. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or Windows Defender Application Control (WDAC) policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
@ -108,4 +111,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.