From a236ea828f91cda3753201f96e90b9376b111647 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Tue, 31 May 2022 10:20:42 -0700 Subject: [PATCH 1/6] Update windows-11-se-overview.md name change : Sensocloud test to Sensocloud --- education/windows/windows-11-se-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index be73736a92..c32223b772 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -82,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| |Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud| +|SensoCloud |2021.11.15.0 |Win32|Senso.Cloud| |SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| |Zoom |5.9.1 (2581)|Win32 |Zoom| |ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| From e30d1f040c82927cc8a6f909bf133b75345ab206 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 May 2022 16:46:38 -0500 Subject: [PATCH 2/6] Updates to the AP docs --- .../windows-autopatch-register-devices.md | 29 ++++++++++++++----- .../windows-autopatch-deregister-devices.md | 9 ++++-- 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 47c812ba6a..39efb1d422 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -25,7 +25,18 @@ Windows Autopatch to take over software updates management of supported devices - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) -You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by adding other Azure Active Directory (Azure AD) dynamic/assigned groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service. +You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by nesting other Azure Active Directory (Azure AD) dynamic/assigned groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service. + +### Other nested Azure AD group supported scenarios + +Windows Autopatch also supports the following Azure AD nested group scenarios: + +- Azure AD groups synced up from: + - On-premises Active Directory groups (Windows server type). + - [Configuration Manager collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). + +> [!IMPORTANT] +> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. > [!TIP] > You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. 
@@ -34,13 +45,14 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set ## Prerequisites -- Windows 10/11 Enterprise edition 1809+. +- Windows 10/11 64-bit Enterprise edition 1809+. - Either hybrid or Azure AD joined (personal devices aren't supported). -- Managed by Microsoft Endpoint Manager (either Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management). -- Microsoft Endpoint Manager-Configuration Manager Co-management workloads swung over to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune). - - Windows Updates policies - - Device configuration - - Office Click-to-run +- Managed by Microsoft Endpoint Manager + - Microsoft Endpoint Manager-Intune or Microsoft Endpoint Manager-Configuration Manager Co-management. + - Microsoft Endpoint Manager-Configuration Manager Co-management workloads swung over to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune). + - Windows Updates policies + - Device configuration + - Office Click-to-run - Last Intune device check-in completed within the last 28 days. For more information about each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article. @@ -80,6 +92,9 @@ A role defines the set of permissions granted to users assigned to that role. Yo Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them. +> [!IMPORTANT] +> It might take up to an hour for devices to change its statuses from **Ready for User** to **Active** in the Ready tab during the public preview. + ## Other device lifecycle management scenarios There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch. 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md index 0f18908fb4..bfb6b35250 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md @@ -1,7 +1,7 @@ --- title: Deregister a device description: This article explains how to deregister devices -ms.date: 05/30/2022 +ms.date: 05/31/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- # Deregister a device 
@@ -26,7 +26,10 @@ To avoid end-user disruption, device de-registration in Windows Autopatch only d ## Excluded devices -When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded". Windows Autopatch doesn't try to re-register the device into the service again, because the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups. +When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to re-register the device into the service again, since the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. + +> [!IMPORTANT] +> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices. From bb1e37c4f32246d3f5cfe2a8d99a4d6d80ff145b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 May 2022 15:14:43 -0700 Subject: [PATCH 3/6] Update windows-autopatch-register-devices.md fixed link --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 39efb1d422..2a9c8e22e5 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -33,7 +33,7 @@ Windows Autopatch also supports the following Azure AD nested group scenarios: - Azure AD groups synced up from: - On-premises Active Directory groups (Windows server type). - - [Configuration Manager collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). + - [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). > [!IMPORTANT] > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. From bf07802bbc8fbf5d3e3dfd7b56f6b0394843578d Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 May 2022 15:16:39 -0700 Subject: [PATCH 4/6] Update windows-autopatch-register-devices.md fixed noun agreement --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 2a9c8e22e5..1b7aa1e52f 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -93,7 +93,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them. > [!IMPORTANT] -> It might take up to an hour for devices to change its statuses from **Ready for User** to **Active** in the Ready tab during the public preview. +> It might take up to an hour for a device to change its statuses from **Ready for User** to **Active** in the Ready tab during the public preview. ## Other device lifecycle management scenarios From 142add568a9e6d0af72fc23246f6bd1357f04d51 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Tue, 31 May 2022 19:41:03 -0500 Subject: [PATCH 5/6] More updates to device registration --- .../windows-autopatch-register-devices.md | 38 +++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 1b7aa1e52f..4a8b3060dc 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -18,16 +18,21 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch to take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by Windows Autopatch. Windows Autopatch update management scope includes: +Windows Autopatch can take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software updates management scope includes: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) -You must choose what devices to manage with Windows Autopatch by adding either devices through direct membership or by nesting other Azure Active Directory (Azure AD) dynamic/assigned groups into the Azure Active Directory assigned **Windows Autopatch Device Registration** group. Windows Autopatch runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service. +### About the use of an Azure AD group to register devices -### Other nested Azure AD group supported scenarios +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service. 
+ +> [!NOTE] +> All devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. + +#### Supported scenarios when nesting other Azure AD groups Windows Autopatch also supports the following Azure AD nested group scenarios: @@ -41,10 +46,10 @@ Windows Autopatch also supports the following Azure AD nested group scenarios: > [!TIP] > You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. -To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: - ## Prerequisites +To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: + - Windows 10/11 64-bit Enterprise edition 1809+. - Either hybrid or Azure AD joined (personal devices aren't supported). - Managed by Microsoft Endpoint Manager @@ -55,7 +60,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set - Office Click-to-run - Last Intune device check-in completed within the last 28 days. -For more information about each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article. +For more details on each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article. ## About Devices Ready and Not ready tabs 
@@ -66,19 +71,29 @@ Windows Autopatch introduces a new user interface to help IT admins manage devic | Tab | Purpose | | ----- | ----- | -| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met on-going device health requirements. | -| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the device readiness checks. This tab is intended to help customers identify and remediate devices that don't meet device readiness checks.

Devices successfully registered and healthy don't show up in the Not ready tab. | +| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. | +| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.

Devices successfully registered and healthy don't show up in the Not ready tab. | ## Built-in roles required for device registration A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices: - Azure AD Global Administrator +- Service Support Administrator - Intune Service Administrator - Modern Workplace Intune Administrator +See [Azure AD built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control) for more details. + > [!NOTE] -> The Modern Workplace Intune Admin role is a custom created role in Windows Autopatch. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. +> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. + +## Details about the device registration process + +The process of registering your devices in Windows Autopatch does the following: + +1. Makes a record of devices in the service. +2. Assign devices into the ring groups and other groups required for software updates management. ## Steps to register devices 
@@ -93,7 +108,7 @@ A role defines the set of permissions granted to users assigned to that role. Yo Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them. > [!IMPORTANT] -> It might take up to an hour for a device to change its statuses from **Ready for User** to **Active** in the Ready tab during the public preview. +> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview. ## Other device lifecycle management scenarios @@ -115,4 +130,5 @@ If you need to repair a device that was previously registered into the Windows A When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device. -Any device that needs to be registered into the Windows Autopatch service must be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device record ID. Windows Autopatch scans the Azure AD group to discover the new device and brings it in to be registered. +> [!IMPORTANT] +> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even technically being the same device, the new Azure AD device ID has to be added either through device direct membership or through nested Azure AD dynamic/assigned group into the Windows Autopatch Device Registration group. This process guarantees the newly generated Azure AD device ID is registered into the Windows Autopatch service and it can keep having its software updates managed by the service. \ No newline at end of file From e3cd67b1c788f6b2d746b5fc4446e99b8d851d1e Mon Sep 17 00:00:00 2001 
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 31 May 2022 21:27:58 -0700 Subject: [PATCH 6/6] Update windows-autopatch-register-devices.md Reviewed for grammar, and broken links. --- .../deploy/windows-autopatch-register-devices.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 4a8b3060dc..31f250df19 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software updates management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software updates management scope includes: +Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) 
@@ -72,7 +72,7 @@ Windows Autopatch introduces a new user interface to help IT admins manage devic | Tab | Purpose | | ----- | ----- | | Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. | -| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.

Devices successfully registered and healthy don't show up in the Not ready tab. | +| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.

Devices successfully registered and healthy don't appear in the Not ready tab. | ## Built-in roles required for device registration @@ -83,14 +83,14 @@ A role defines the set of permissions granted to users assigned to that role. Yo - Intune Service Administrator - Modern Workplace Intune Administrator -See [Azure AD built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control) for more details. +For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). > [!NOTE] > The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. ## Details about the device registration process -The process of registering your devices in Windows Autopatch does the following: +Registering your devices in Windows Autopatch does the following: 1. Makes a record of devices in the service. 2. Assign devices into the ring groups and other groups required for software updates management. 
@@ -131,4 +131,4 @@ If you need to repair a device that was previously registered into the Windows A When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device. > [!IMPORTANT] -> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even technically being the same device, the new Azure AD device ID has to be added either through device direct membership or through nested Azure AD dynamic/assigned group into the Windows Autopatch Device Registration group. This process guarantees the newly generated Azure AD device ID is registered into the Windows Autopatch service and it can keep having its software updates managed by the service. \ No newline at end of file +> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even if it's the same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** group. This process guarantees the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
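Review bot: In PATCH 2/6, hunk @@ -25,7 +25,18 of windows-autopatch-register-devices.md, the new IMPORTANT note says the registration group "only supports one level of Azure AD nested groups" but does not say what happens to devices that sit deeper than that. Suggest stating the outcome explicitly, so an admin does not assume a device is under update management when it has never been discovered. The Configuration Manager collections link in the same hunk is an absolute docs.microsoft.com URL that PATCH 3/6 then changes to a site-relative path, so those two commits could be squashed.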
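Review bot: In PATCH 2/6, hunk @@ -34,13 +45,14, the new parent item "Managed by Microsoft Endpoint Manager" has no closing punctuation while the sibling prerequisites end with a period, and it is unclear whether the items under it are alternatives or cumulative requirements. Suggest ending the parent with a colon and wording the co-management item so it reads as a condition that applies only to co-managed devices.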
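Review bot: In PATCH 2/6, hunk @@ -26,7 +26,10 of windows-autopatch-deregister-devices.md, the rewrite drops the sentence that explained why de-registration leaves group membership in place ("This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups"), so the new IMPORTANT note about dynamic queries arrives without context. Suggest keeping that explanation, splitting the "so ... since ..." sentence in two, and changing "remove specific device" to "remove a specific device".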
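Review bot: In PATCH 5/6, hunk @@ -18,16 +18,21, the new NOTE repeats the hourly discovery statement already made in the paragraph directly above it ("automatically runs every hour" and "scans the Azure AD group hourly"). Suggest stating the scan interval once and limiting the NOTE to the two requirements it adds: membership in the **Windows Autopatch Device Registration** group is mandatory, and a device needs an Azure AD device ID before it can be added.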
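Review bot: In PATCH 5/6, hunk @@ -66,19 +71,29, the role appears in the list as "Modern Workplace Intune Administrator" but the NOTE below it calls it "Modern Workplace Intune Admin"; use one name so readers can tell it is the same role. With "Service Support Administrator" added, the list now offers four roles including Azure AD Global Administrator, so consider saying which of them is the least-privileged choice for registering devices.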
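Review bot: In PATCH 6/6, hunk @@ -83,14 +83,14, the numbered list left as unchanged context still mixes verb forms ("1. Makes a record of devices in the service." and "2. Assign devices into the ring groups ...") and still says "software updates management", while the first hunk of this same patch changes that phrase to "software update management". Suggest rewording item 2 to "Assigns devices to the ring groups and other groups required for software update management." so the grammar pass covers the whole file.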