Merge branch 'main' into aljupudi-dmclientupdates-new

education/windows/windows-11-se-overview.md

@@ -82,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
 |Safe Exam Browser                   	|3.3.2.413	  |Win32  |Safe Exam Browser|
 |Secure Browser	                    |14.0.0	   |Win32     |Cambium Development|
 |Secure Browser	                        |4.8.3.376	  |Win32  |Questar, Inc|
-|SensoCloud test	                    |2021.11.15.0	|Win32|Senso.Cloud|
+|SensoCloud	                    |2021.11.15.0	|Win32|Senso.Cloud|
 |SuperNova Magnifier & Screen Reader	|21.02	     |Win32   |Dolphin Computer Access|
 |Zoom	                                |5.9.1 (2581)|Win32	|Zoom|
 |ZoomText Fusion	                    |2022.2109.10|Win32	|Freedom Scientific|

windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md

@@ -18,32 +18,49 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
 
 ## Before you begin
 
-Windows Autopatch to take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by Windows Autopatch. Windows Autopatch update management scope includes:
+Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes:
 
 - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md)
 - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
 - [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
 - [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
 
-You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by adding other Azure Active Directory (Azure AD) dynamic/assigned groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
+### About the use of an Azure AD group to register devices
+
+You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
+
+> [!NOTE]
+> All devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered.
+
+#### Supported scenarios when nesting other Azure AD groups
+
+Windows Autopatch also supports the following Azure AD nested group scenarios:
+
+- Azure AD groups synced up from:
+	- On-premises Active Directory groups (Windows server type).
+	- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync).
+
+> [!IMPORTANT]
+> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
 
 > [!TIP]
 > You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
 
-To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
-
 ## Prerequisites
 
-- Windows 10/11 Enterprise edition 1809+.
+To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
+
+- Windows 10/11 64-bit Enterprise edition 1809+.
 - Either hybrid or Azure AD joined (personal devices aren't supported).
-- Managed by Microsoft Endpoint Manager (either Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management).
-- Microsoft Endpoint Manager-Configuration Manager Co-management workloads swung over to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune).
-	- Windows Updates policies
-	- Device configuration
-	- Office Click-to-run
+- Managed by Microsoft Endpoint Manager
+	- Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management.
+		- Microsoft Endpoint Manager-Configuration Manager Co-management workloads swung over to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune).
+			- Windows Updates policies
+			- Device configuration
+			- Office Click-to-run
 - Last Intune device check-in completed within the last 28 days.  
 
-For more information about each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
+For more details on each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
 
 ## About Devices Ready and Not ready tabs
 
@@ -54,19 +71,29 @@ Windows Autopatch introduces a new user interface to help IT admins manage devic
 
 | Tab | Purpose |
 | ----- | ----- |
-| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met on-going device health requirements. |
-| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the device readiness checks. This tab is intended to help customers identify and remediate devices that don't meet device readiness checks.<p><p>Devices successfully registered and healthy don't show up in the Not ready tab. |
+| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. |
+| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.<p><p>Devices successfully registered and healthy don't appear in the Not ready tab. |
 
 ## Built-in roles required for device registration
 
 A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
 
 - Azure AD Global Administrator
+- Service Support Administrator
 - Intune Service Administrator
 - Modern Workplace Intune Administrator
 
+For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and  [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+
 > [!NOTE]
-> The Modern Workplace Intune Admin role is a custom created role in Windows Autopatch. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
+> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
+
+## Details about the device registration process
+
+Registering your devices in Windows Autopatch does the following:
+
+1. Makes a record of devices in the service.
+2. Assign devices into the ring groups and other groups required for software updates management.
 
 ## Steps to register devices
 
@@ -80,6 +107,9 @@ A role defines the set of permissions granted to users assigned to that role. Yo
 
 Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them.
 
+> [!IMPORTANT]
+> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
+
 ## Other device lifecycle management scenarios
 
 There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
@@ -100,4 +130,5 @@ If you need to repair a device that was previously registered into the Windows A
 
 When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
 
-Any device that needs to be registered into the Windows Autopatch service must be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device record ID. Windows Autopatch scans the Azure AD group to discover the new device and brings it in to be registered.
+> [!IMPORTANT]
+> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even if it's the same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** group. This process guarantees the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.

windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md

@@ -1,7 +1,7 @@
 ---
 title: Deregister a device
 description:  This article explains how to deregister devices
-ms.date: 05/30/2022
+ms.date: 05/31/2022
 ms.prod: w11
 ms.technology: windows
 ms.topic: how-to
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: tiaraquan
 ms.author: tiaraquan
 manager: dougeby
-msreviewer: hathind
+msreviewer: andredm7
 ---
 
 # Deregister a device
@@ -26,7 +26,10 @@ To avoid end-user disruption, device de-registration in Windows Autopatch only d
 
 ## Excluded devices
 
-When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded". Windows Autopatch doesn't try to re-register the device into the service again, because the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups.  
+When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to re-register the device into the service again, since the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. 
+
+> [!IMPORTANT]
+> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
 
 If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices.