From ef3cc5be8d77955b49b7556212c2ee6c9293f6ab Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Tue, 31 Jan 2023 09:33:50 -0800 Subject: [PATCH] Windows feature update..updates. --- .../operate/windows-autopatch-fu-overview.md | 106 ++++++++---------- .../overview/windows-autopatch-faq.yml | 11 +- .../windows-autopatch-whats-new-2023.md | 3 +- 3 files changed, 53 insertions(+), 67 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index ef3dba90f8..146f1197cc 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md 
@@ -14,93 +14,75 @@ msreviewer: hathind # Windows feature updates -## Service level objective +Microsoft provides robust modern device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and fundamental tasks by IT organizations because Windows feature updates provide: -Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. +- Fixes for security vulnerabilities and known bugs to keep Windows devices protected against advanced malicious attacks. +- New features to boost end-user productivity. -## Device eligibility +Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf. -For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria: +Windows Autopatch feature update deployment provides: -| Criteria | Description | -| ----- | ----- | -| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. | -| Intune sync | Devices must have checked with Intune within the last five days. | -| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | -| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | -| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). 
| -| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). | -| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). | +- A customer-driven and efficient Windows feature update deployment approach for Windows OS target versions and deployment cadence. +- Proactive insights prior, during and after Windows Feature update deployments. +- Options to [pause or resume Windows](#pausing-and-resuming-a-release) feature updates on behalf of your organization. -## Windows feature update releases +## Enforcing a minimum Windows OS version -When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout. +Once devices are registered with Windows Autopatch, they’re assigned to deployment rings. Each deployment ring has a set of Windows feature update policies assigned to them. -The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend. 
+The policies: -| Ring | Timeline | -| ----- | ----- | -| Test | Release start | -| First | Release start + 30 days | -| Fast | Release start + 60 days | -| Broad | Release start + 90 days | +- Contain the minimum Windows OS version being currently serviced by the Windows servicing channels. The current minimum OS version is **Windows 10 20H2**. +- Set a bare minimum Windows OS version required by the service once devices are registered with the service. +- Minimize unexpected Windows OS upgrades once new devices register with Windows Autopatch. -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: +If a device is registered with Windows Autopatch, and the device is: -## New devices to Windows Autopatch +- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria. +- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device. -If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria. +## Windows feature update policy configuration -If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device. 
+If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal: -## Feature update configuration +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM | +| Windows Autopatch – DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM | -When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring: +## Test Windows 11 feature updates -- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows. -- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates. +You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the Modern Workplace - Windows 11 Pre-Release Test Devices Azure AD group. 
There’s a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows: -| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | -| ----- | ----- | ----- | ----- | ----- | -| Test | 20H2 | 0 | 5 | 0 | -| First | 20H2 | 0 | 5 | 2 | -| Fast | 20H2 | 0 | 5 | 2 | -| Broad | 20H2 | 0 | 5 | 2 | +| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch – DSS Policy [Test] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM | -> [!NOTE] -> Customers are not able to select a target version for their tenant. +## Manage Windows feature update deployments -During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline. +Windows Autopatch uses Microsoft Intune’s built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) and feature updates. -To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices. - -| Policy | Description | -| ----- | ----- | -| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. 
The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. | -| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | -| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. | - -> [!IMPORTANT] -> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management. - -## Windows 11 testing - -To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11. - -> [!IMPORTANT] -> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment. 
+Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35 day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it. ## Pausing and resuming a release -You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +**To pause or resume a feature update:** + +1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Windows Autopatch** section, select **Release management**. +1. In the **Release management** blade, select either **Pause** or **Resume**. ## Rollback -Windows Autopatch doesn't support the rollback of feature updates. +Windows Autopatch doesn’t support the rollback of Windows Feature updates. -## Incidents and outages +> [!CAUTION] +> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the feature update. -If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows. +## Contact support -If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md). 
+If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e51bf1f82a..0c377a7e69 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -37,7 +37,7 @@ sections: Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. - question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service? answer: | - Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch. + Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch. - name: Requirements questions: - question: What are the prerequisites for Windows Autopatch? 
@@ -70,14 +70,14 @@ sections: No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices). - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center? answer: | - Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + Cloud PC displays the model as the license type you've provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - - name: Update Management + - name: Update management questions: - question: What systems does Windows Autopatch update? answer: | 
@@ -94,9 +94,12 @@ sections: Autopatch relies on the following capabilities to help resolve update issues: - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls). + - question: Can I permanently pause a Windows feature update deployment? + answer: | + Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-fu-overview.md#pausing-and-resuming-a-release). - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? answer: | - For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. + For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. 
- question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? answer: | The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index cbc9b52878..966d0c3c43 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -1,7 +1,7 @@ --- title: What's new 2023 description: This article lists the 2023 feature releases and any corresponding Message center post numbers. -ms.date: 01/09/2023 +ms.date: 01/31/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: whats-new @@ -24,6 +24,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | Article | Description | | ----- | ----- | +| [Windows feature update](../operate/windows-autopatch-fu-overview.md) | Updated Windows feature update information | | [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. | | [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
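Review bot: In windows-autopatch-fu-overview.md (hunk `@@ -14,93 +14,75 @@`), the new "Enforcing a minimum Windows OS version" section says a device updates "when it meets the Windows OS upgrade eligibility criteria", but the same hunk deletes the "Device eligibility" table and the new text neither defines nor links those criteria. Either keep the table or link to wherever the criteria now live. The hunk also removes the `[!IMPORTANT]` note that conflicting deferral, deadline, or grace period policies make a device ineligible for management. If that behaviour still applies, keep the warning, because the new text no longer tells admins about it. Smaller points in the same hunk: the Windows 11 paragraph names the policy "Modern Workplace DSS Policy [Windows 11]" while the table row below it lists "Windows Autopatch – DSS Policy [Test]"; "modern device management (MDM)" should read "mobile device management (MDM)", as the removed table had it; and the column header "Day between deployment rings" should be "Days between deployment rings".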
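Review bot: In windows-autopatch-faq.yml (hunk `@@ -94,9 +94,12 @@`), the edit from "For normal updates Autopatch uses a" to "For normal updates Autopatch, uses a" puts a comma between the subject and its verb. The comma belongs after "updates": "For normal updates, Autopatch uses a". In the same hunk, the new answer reads "permanent pause of either a feature update deployment", where "either" has no second alternative. Drop "either" or name the other option.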
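Review bot: In windows-autopatch-whats-new-2023.md (hunk `@@ -24,6 +24,7 @@`), the added row's description "Updated Windows feature update information" does not say what changed, unlike the two rows below it, which name the section that was added. Suggest listing the changes this patch makes to the article, such as the permanent pause and the new policy configuration table. The link text "Windows feature update" also differs from the article heading "# Windows feature updates".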