Devices successfully registered and healthy don't show up in the Not ready tab. |
+
+## Built-in roles required for device registration
+
+A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
+
+- Global Administrator
+- Intune Service Administrator
+- Modern Workplace Intune Administrator
+
+> [!NOTE]
+> The Modern Workplace Intune Admin role is a custom created role in Windows Autopatch. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
+
+## Steps to register devices
+
+**To register devices into Windows Autopatch:**
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+2. Select **Windows Autopatch** from the left navigation menu.
+3. Select **Devices**.
+4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
+5. Add either devices through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
+
+Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them.
+
+## Other device lifecycle management scenarios
+
+There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
+
+### Device refresh
+
+If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Endpoint Manager to reimage the device.
+
+The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same.
+
+### Device repair and hardware replacement
+
+If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, non-removable network interface cards (NIC) or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as:
+
+- SMBIOS UUID (motherboard)
+- MAC address (non-removable NICs)
+- OS hard drive's serial, model, manufacturer information
+
+When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
+
+Any device that needs to be registered into the Windows Autopatch service must be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device record ID. Windows Autopatch scans the Azure AD group to discover the new device and brings it in to be registered.
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
new file mode 100644
index 0000000000..888ce01b0c
--- /dev/null
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -0,0 +1,39 @@
+### YamlMime:Landing
+
+title: Windows Autopatch documentation # < 60 chars
+summary: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # < 160 chars
+
+metadata:
+ title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars.
+ keywords: device, app, update, management
+ ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.topic: landing-page # Required
+ author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
+ ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
+ ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
+ ms.custom: intro-hub-or-landing
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: About Windows Autopatch
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What is Windows Autopatch?
+ url: ./overview/windows-autopatch-overview.md
+ - text: Windows Autopatch FAQ
+ url: ./overview/windows-autopatch-faq.md
+
+ # Card (optional)
+ - title: Articles and blog posts
+ linkLists:
+ - linkListType: learn
+ links:
+ - text: "[Blog] Get current and stay current with Windows Autopatch"
+ url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839
+
diff --git a/windows/deployment/windows-autopatch/media/release-process-timeline.png b/windows/deployment/windows-autopatch/media/release-process-timeline.png
new file mode 100644
index 0000000000..9aab1d73cf
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/release-process-timeline.png differ
diff --git a/windows/deployment/windows-autopatch/media/update-communications.png b/windows/deployment/windows-autopatch/media/update-communications.png
new file mode 100644
index 0000000000..e4eceeccd6
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/update-communications.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-force-update.png b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png
new file mode 100644
index 0000000000..147d61e752
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png
new file mode 100644
index 0000000000..830f9f1428
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png
new file mode 100644
index 0000000000..043e275574
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ
diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md
new file mode 100644
index 0000000000..44954ce00f
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/index.md
@@ -0,0 +1,25 @@
+---
+title: Operating with Windows Autopatch
+description: Landing page for the operate section
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Operating with Windows Autopatch
+
+This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team:
+
+- [Update management](windows-autopatch-update-management.md)
+- [Windows quality updates](windows-autopatch-wqu-overview.md)
+- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md)
+- [Microsoft Edge updates](windows-autopatch-edge.md)
+- [Microsoft Teams updates](windows-autopatch-teams.md)
+- [Deregister devices](windows-autopatch-deregister-devices.md)
+- [Submit a support request](windows-autopatch-support-request.md)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
new file mode 100644
index 0000000000..0f18908fb4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -0,0 +1,43 @@
+---
+title: Deregister a device
+description: This article explains how to deregister devices
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Deregister a device
+
+To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device de-registration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
+
+**To deregister a device:**
+
+1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Select **Windows Autopatch** in the left navigation menu.
+1. Select **Devices**.
+1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
+1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
+
+## Excluded devices
+
+When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded". Windows Autopatch doesn't try to re-register the device into the service again, because the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. This is due to a direct membership removal limitation present in Azure Active Directory dynamic groups.
+
+If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices.
+
+## Hiding unregistered devices
+
+You can hide unregistered devices you don't expect to be remediated anytime soon.
+
+**To hide unregistered devices:**
+
+1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+1. Select **Windows Autopatch** in the left navigation menu.
+1. Select **Devices**.
+1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**.
+1. Unselect the **Registration failed** status checkbox from the list.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
new file mode 100644
index 0000000000..3f0a1a95c6
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -0,0 +1,42 @@
+---
+title: Microsoft Edge
+description: This article explains how Microsoft Edge updates are managed in Windows Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft Edge
+
+Windows Autopatch uses the [Stable channel](/deployedge/microsoft-edge-channels%22%20/l%20%22stable-channel) of Microsoft Edge.
+
+## Device eligibility
+
+For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria:
+
+- The device must be powered on and have an internet connection.
+- There are no policy conflicts between Windows Autopatch policies and customer policies.
+- The device must be able to access the required network endpoints to reach the Microsoft Edge update service.
+- If Microsoft Edge is open, it must restart for the update process to complete.
+
+## Update release schedule
+
+Microsoft Edge will check for updates every 10 hours. Quality updates occur weekly by default. Feature updates occur automatically every four weeks and are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers. All users will see the update within a few days of the initial release.
+
+Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities.
+
+Devices in the Test device group receive feature updates from the [Beta channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
+
+## Pausing and resuming updates
+
+Currently, Windows Autopatch can't pause or resume Microsoft Edge updates.
+
+## Incidents and outages
+
+If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
new file mode 100644
index 0000000000..b9661b4170
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -0,0 +1,108 @@
+---
+title: Microsoft 365 Apps for enterprise
+description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft 365 Apps for enterprise
+
+## Service level objective
+
+Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps) (Access, Excel, OneNote, Outlook, PowerPoint, and Word). Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months.
+
+> [!NOTE]
+> [Microsoft Teams](../operate/windows-autopatch-teams.md) uses a different update channel from the rest of Microsoft 365 Apps.
+
+## Device eligibility
+
+For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a part of Windows Autopatch, they must meet the following criteria:
+
+- Microsoft 365 Apps for enterprise 64-bit must be installed.
+- There are no policy conflicts between Microsoft Autopatch policies and customer policies.
+- The device must have checked into the Intune service in the last five days.
+
+## Update release schedule
+
+All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN).
+
+Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
+
+## Update rings
+
+Since the Office CDN determines when devices are offered updates, Windows Autopatch doesn't use rings to control the rollout of these updates.
+
+## End user experience
+
+There are two parts of the end user experience that are configured by Windows Autopatch:
+
+- Behavior during updates
+- Office client
+
+### Behavior during updates
+
+Updates can only be applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days.
+
+Once the device has downloaded the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them that updates are ready to be applied.
+
+*Updates ready to be applied
+Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.*
+
+Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears.
+
+If the deadline arrives and the updates still aren't applied, users see a dialog box that warns them that they have 15 minutes before the updates are applied.
+
+This warning gives users 15 minutes to save and close any work. When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied.
+
+### Office client app configuration
+
+To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates.
+
+## Update controls
+
+If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version.
+
+Windows Autopatch will either:
+
+- Choose to stay on the previous version for rings that haven't received the update yet.
+- Force all devices to roll back to the previous version.
+
+> [!NOTE]
+> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version.
+
+Since Windows quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise.
+
+## Conflicting and unsupported policies
+
+Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
+
+### Update policies
+
+Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
+
+| Update setting | Value | Usage reason |
+| ----- | ----- | ----- |
+| Set updates to occur automatically | Enabled | Enable automatic updates |
+| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
+| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
+| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
+| Set a deadline by when updates must be applied | 3 | Update deadline |
+| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
+| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
+
+## Microsoft 365 Apps servicing profiles
+
+A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the above requirements regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
+
+## Incidents and outages
+
+If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
+
+If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
new file mode 100644
index 0000000000..f6e0614363
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -0,0 +1,71 @@
+---
+title: Submit a support request
+description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Submit a support request
+
+> [!IMPORTANT]
+> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues.
+
+You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
+
+## Submit a new support request
+
+Support requests are triaged and responded to as they're received.
+
+**To submit a new support request:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
+1. In the **Windows Autopatch** section, select **Service requests**.
+1. In the **Service requests** section, select **+ New support request**.
+1. Enter your question(s) and/or a description of the problem.
+1. Review all the information you provided for accuracy.
+1. When you're ready, select **Create**.
+
+## Manage an active support request
+
+The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests.
+
+## View all your active support requests
+
+You can see the summary status of all your support requests. At any time, you can use the portal to see all active support requests in the last six months.
+
+**To view all your active support requests:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. In the **Windows Autopatch** section, select **Service request**.
+1. From this view, you can export the summary view or select any case to view the details.
+
+## Edit support request details
+
+You can edit support request details, for example, updating the primary case contact.
+
+**To edit support request details:**
+
+1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu.
+1. In the **Windows Autopatch** section, select **Service request**.
+1. In the **Service requests** section, use the search bar or filters to find the case you want to edit.
+1. Select the case to open the request's details.
+1. Scroll to the bottom of the request details and select **Edit**.
+1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team.
+1. Select **Save**.
+
+Once a support request is mitigated, it can no longer be edited. If a request has been mitigated for less than 24 hours, you'll see the option to reactivate instead of edit. Once reactivated, you can again edit the request.
+
+## Microsoft FastTrack
+
+[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.md). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1).
+
+Customers who need help with Microsoft 365 workloads can sign in to https://fasttrack.microsoft.com/ with a valid Azure ID and submit a Request for Assistance.
+
+ Contact your Microsoft account team if you need additional assistance.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
new file mode 100644
index 0000000000..8cf360c310
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md
@@ -0,0 +1,53 @@
+---
+title: Microsoft Teams
+description: This article explains how Microsoft Teams updates are managed in Windows Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft Teams
+
+Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams.
+
+## Device eligibility
+
+For a device to be eligible for automated Teams updates as a part of Windows Autopatch they must meet the following criteria:
+
+- Microsoft Teams must be installed on the device.
+- The user must be signed into both the device and Teams.
+- The device must be able to access the Teams update service [network endpoints](../prepare/windows-autopatch-configure-network.md).
+- Once the update is downloaded, the user must be logged in with the device in an idle state for at least 40 minutes to ensure that Teams can automatically update.
+
+## Update release schedule
+
+The Teams desktop client updates are released once a month for all users, and twice a month for members of the Technology Adoption Program (TAP).
+
+Updates undergo vigorous internal testing and are first released to members of TAP for validation. The update usually takes place on a Monday. If a critical update is needed, Teams will bypass this schedule and release the update as soon as it's available.
+
+## End user experience
+
+Teams will check for updates every few hours behind the scenes, download the updates, and then will wait for the computer to be idle for at least 40 minutes before automatically installing the update.
+
+When an update is available, the following are required to be able to download the update:
+
+- The user must be signed into both the device and Teams.
+- The device must have an internet connection.
+- The device must be able to access the required network endpoints to reach the Teams update service.
+
+> [!NOTE]
+> If a user is on a version of Teams that is out of date, Teams will force the user to update prior to allowing them to use the application.
+
+## Pausing and resuming updates
+
+Windows Autopatch can't pause or resume Teams updates.
+
+## Incidents and outages
+
+If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
new file mode 100644
index 0000000000..fb113c593d
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -0,0 +1,69 @@
+---
+title: Update management
+description: This article provides an overview of how updates are handled in Autopatch
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: overview
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Update management
+
+Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates.
+
+## Update types
+
+| Update type | Description |
+| ----- | ----- |
+| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
+| Anti-virus definition | Updated with each scan. |
+| Microsoft 365 Apps for enterprise | For more information, see Microsoft 365 Apps for enterprise. |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). |
+
+## Update rings
+
+> [!NOTE]
+> Update rings only apply to Windows quality updates.
+
+During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings:
+
+1. Modern Workplace Devices - Test
+2. Modern Workplace Devices - First
+3. Modern Workplace Devices - Fast
+4. Modern Workplace Devices - Broad
+
+Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area.
+
+When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release.
+
+> [!NOTE]
+> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch.
+
+| Ring | Default device count | Description
+| ----- | ----- | ----- |
+| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring. | +| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| +| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| + +## Moving devices between rings + +If you want to move separate devices to different rings, repeat the following steps for each device: + +1. In Microsoft Endpoint Manager, select **Devices** in the left pane. +2. In the **Windows Autopatch** section, select **Devices**. +3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +4. Select **Device actions** from the menu. +5. Select **Assign device to ring**. A fly-in opens. +6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. + +When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. + +> [!NOTE] +> You can't move devices to other rings if they're in the "error" or "pending" registration state.If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md new file mode 100644 index 0000000000..f4eab55834 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -0,0 +1,45 @@ +--- +title: Windows quality update communications +description: This article explains Windows quality update communications +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows quality update communications + +There are three categories of communication that are sent out during a Windows quality update: + +- [Standard communications](#standard-communications) +- [Communications during release](#communications-during-release) +- [Incident communications](#incident-communications) + +Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication. + +:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline"::: + +## Standard communications + +| Communication | Location | Timing | Description | +| ----- | ----- | ----- | ----- | +| Release schedule |
First
Fast
Broad | 0
1
6
9 | 0
2
2
5 | 0
2
2
2 | +| Expedited release | All devices | 0 | 1 | 1 | + +> [!NOTE] +> Windows Autopatch doesn't allow customers to request expedited releases. + +## Pausing and resuming a release + +If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release. + +If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. + +> [!NOTE] +> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md new file mode 100644 index 0000000000..cf052fbba4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -0,0 +1,61 @@ +--- +title: Windows quality update signals +description: This article explains the Windows quality update signals +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows quality update signals + +Windows Autopatch monitors a specific set of signals and aims to release quality updates both quickly and safely. The service doesn't comprehensively monitor every use case in Windows. + +If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release. + +## Pre-release signals + +Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences. + +| Text | Text | +| ----- | ----- | +| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. | +| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. | +| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. | + +## Early signals + +The update is released to the Test ring on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several new Microsoft internal signals that have become available to the service that are monitored throughout the release. + +| Device reliability signal | Description | Microsoft will | +| ----- | ----- | ----- | +| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |
Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.
Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.
This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | + +## Group policy + +Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: + +`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` + +## Incidents and outages + +If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. + +If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.md new file mode 100644 index 0000000000..3fad61cc1f --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.md @@ -0,0 +1,65 @@ +--- +title: FAQ +description: This article answers frequently asked questions about Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: troubleshooting +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# FAQ + +## General + +| Question | Answer | +| ----- | ----- | +| What Windows versions are supported? | Windows Autopatch works with all [supported versions of Windows 10 and Windows 11 Enterprise edition](/windows/release-health/supported-versions-windows-client). | +| What is the difference between Windows Updates for Business and Windows Autopatch? | Windows Autopatch is a service that removes the need for organizations to plan and operate the update process.
Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3. | +| Is Windows 365 for Enterprise supported with Windows Autopatch? | Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.| +| Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? | Autopatch isn't available for 'A' or 'F' series licensing. | +| Will Windows Autopatch support local domain join Windows 10? | Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). | +| Will Windows Autopatch be available for state and local government customers? | Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. | + +## Requirements + +| Question | Answer | +| ----- | ----- | +| What are the prerequisites for Windows Autopatch? |
This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. | +| What happens if there's an issue with an update? | Autopatch relies on the following capabilities to help resolve update issues.
When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team. | + +## Other + +| Question | Answer | +| ----- | ----- | +| Are there Autopatch specific APIs or PowerShell scripts available? | Programmatic access to Autopatch isn't currently available. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md new file mode 100644 index 0000000000..f2bb7d8615 --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md @@ -0,0 +1,91 @@ +--- +title: What is Windows Autopatch? (preview) +description: Details what the service is and shortcuts to articles +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# What is Windows Autopatch? (preview) + +> [!IMPORTANT] +> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). + +Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. + +## Unique to Windows Autopatch + +Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today: + +- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices. +- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration. +- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value. +- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud. +- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started. +- **Minimize end user disruption**: By releasing in sequential update rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. + +Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks. + +## Update management + +The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, Windows Autopatch takes on several areas of management: + +| Management area | Service level objective | +| ----- | ----- | +| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). | +| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | +| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | + +For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area. + +To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance. + +While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service. + +## Messages + +To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, navigate to [Microsoft 365 admin center > Message center](https://admin.microsoft.com/adminportal/home#/MessageCenter). + +## Accessibility + +Microsoft remains committed to the security of your data and the [accessibility](https://www.microsoft.com/trust-center/compliance/accessibility) of our services. For more information, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center) and the [Office Accessibility Center](https://support.office.com/article/ecab0fcf-d143-4fe8-a2ff-6cd596bddc6d). + +## Need more details? + +### Prepare + +The following articles describe the mandatory steps to prepare for enrollment, including: + +- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- [Configure your network](../prepare/windows-autopatch-configure-network.md) +- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md) +- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) + +### Deploy + +Once you're ready to enroll, this section includes the following articles: + +- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) +- [Register your devices](../deploy/windows-autopatch-register-devices.md) + +### Operate + +This section includes the following information about your day-to-day life with the service: + +- [Update management](../operate/windows-autopatch-update-management.md) +- [Submit a support request](../operate/windows-autopatch-support-request.md) +- [Deregister a device](../operate/windows-autopatch-deregister-devices.md) + +### References + +This section includes the following articles: + +- [Privacy](../references/windows-autopatch-privacy.md) +- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md) diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md new file mode 100644 index 0000000000..71ba6f2d78 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/index.md @@ -0,0 +1,22 @@ +--- +title: Preparing for Windows Autopatch +description: Landing page for the prepare section +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Preparing for Windows Autopatch + +The following articles describe the steps you must take to onboard with Windows Autopatch: + +1. [Review the prerequisites](windows-autopatch-prerequisites.md) +1. [Configure your network](windows-autopatch-configure-network.md) +1. [Enroll your tenant](windows-autopatch-enroll-tenant.md) +1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md new file mode 100644 index 0000000000..a1fb48b746 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md @@ -0,0 +1,49 @@ +--- +title: Configure your network +description: This article details the network configurations needed for Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Configure your network + +## Proxy configuration + +Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. + +You can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements. + +## Proxy requirements + +The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection. + +### Required Windows Autopatch endpoints for proxy and firewall rules + +The following URLs must be on the allowed list of your proxy and firewall so that Windows Autopatch devices can communicate with Microsoft services. + +The Windows Autopatch URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network. + +| Microsoft service | URLs required on allowlist | +| ----- | ----- | +| Windows Autopatch |
[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)
[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)
[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)
| +| Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | +| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| +| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
+| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | +| Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | +| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md new file mode 100644 index 0000000000..c594bece89 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -0,0 +1,108 @@ +--- +title: Enroll your tenant +description: This article details how to enroll your tenant +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Enroll your tenant + +Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time. + +The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch. + +## Step 1: Review all prerequisites + +To start using the Windows Autopatch service, ensure you meet the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md). + +## Step 2: Run the Readiness assessment tool + +> [!IMPORTANT] +> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. + +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). + +**To access and run the Readiness assessment tool:** + +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. + +> [!IMPORTANT] +> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md). + +A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). + +The Readiness assessment tool checks the following settings: + +### Microsoft Intune settings + +The following are the Microsoft Intune settings: + +| Check | Description | +| ----- | ----- | +| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. | +| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. | + +### Azure Active Directory settings + +The following are the Azure Active Directory settings: + +| Check | Description | +| ----- | ----- | +| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | +| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. | +| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. | +| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | + +For each check, the tool will report one of four possible results: + +| Result | Meaning | +| ----- | ----- | +| Ready | No action is required before completing enrollment. | +| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. | +| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | + +### Seeing issues with your tenant? + +If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate. + +### Delete data collected from the Readiness assessment tool + +Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool. + +> [!NOTE] +> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. + +**To delete the data we collect:** + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Navigate to Windows Autopatch > **Tenant enrollment**. +3. Select **Delete all data**. + +## Step 3: Enroll your tenant + +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +Once the Readiness assessment tool provides you with a "Ready" result, you're ready to enroll! + +**To enroll your tenant:** + +Within the Readiness assessment tool, you'll now see the **Enroll** button. By selecting **Enroll**, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following: + +- Consent workflow to manage your tenant. +- Provide Windows Autopatch with IT admin contacts. +- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service. + +Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md). diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md new file mode 100644 index 0000000000..8dff734be5 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -0,0 +1,85 @@ +--- +title: Fix issues found by the Readiness assessment tool +description: This article details how to fix issues found by the Readiness assessment tool +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Fix issues found by the Readiness assessment tool + +For each check, the tool will report one of four possible results: + +| Result | Meaning | +| ----- | ----- | +| Ready | No action is required before completing enrollment. | +| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. | +| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | + +> [!NOTE] +> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. + +## Microsoft Intune settings + +You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + +### Unlicensed admins + +This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. + +| Result | Meaning | +| ----- | ----- | +| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.
For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | + +### Windows 10 update rings + +Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices. + +| Result | Meaning | +| ----- | ----- | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.
After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| +| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.This advisory appears after enrolling into Autopatch. Check the following:
During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.
For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.
| +| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | +| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
+| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
+| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
+
+## More about licenses
+
+Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch:
+
+- Windows 10/11 Enterprise E3
+- Windows 10/11 Enterprise E5
+- Microsoft 365 E3
+- Microsoft 365 E5
+
+The following Windows 64-bit editions are required for Windows Autopatch:
+
+- Windows 10/11 Enterprise
+
+## Co-management requirements
+
+Windows Autopatch fully supports co-management. The following co-management requirements apply:
+
+- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions).
+- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview).
+- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths).
+- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune.
+- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune.
+- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md
new file mode 100644
index 0000000000..b81c723344
--- /dev/null
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md
@@ -0,0 +1,33 @@
+---
+title: Windows Autopatch Preview Addendum
+description: This article explains the Autopatch preview addendum
+ms.date: 05/30/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: reference
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows Autopatch Preview Addendum
+
+**This Windows Autopatch - Preview Addendum ("Addendum") to the Microsoft Product Terms** (as provided at:
+| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
+| [Microsoft 365 Apps for enterprise](/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps. |
+
+## Windows Autopatch data process and storage
+
+Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers.
+
+To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+
+Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data.
+
+## Windows Autopatch data storage and staff location
+
+Windows Autopatch stores its data in the Azure data centers in the United States.
+
+Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview).
+
+Windows Autopatch Service Engineering Team is in the United States, India and Romania.
+
+## Microsoft Windows 10/11 diagnostic data
+
+Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements.
+
+The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
+
+The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
+
+Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data.
+
+For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
+
+## Microsoft Windows Update for Business
+
+Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
+
+## Microsft Azure Active Directory
+
+Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
+
+## Microsoft Intune
+
+Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect)
+
+For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data.
+
+## Microsoft 365 Apps for enterprise
+
+Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect).
+
+## Major data change notification
+
+Windows Autopatch follows a change control process as outlined in our service communication framework.
+
+We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service.
+
+Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services.
+
+## Data subject requests
+
+Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data.
+
+These rights include:
+
+- Obtaining copies of personal data
+- Requesting corrections to it
+- Restricting the processing of it
+- Deleting it
+- Receiving it in an electronic format so it can be moved to another controller
+
+For more general information about Data Subject Requests (DSRs), see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests).
+
+To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests:
+
+| Data subject requests | Description |
+| ------ | ------ |
+| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).
Provide the following information:
|
+
+For DSRs from other products related to the service, see the following articles:
+
+- [Windows diagnostic data](/compliance/regulatory/gdpr-dsr-windows)
+- [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune)
+- [Azure Active Directory data](/compliance/regulatory/gdpr-dsr-azure)
+
+## Legal
+
+The following is Microsoft's privacy notice to end users of products provided by organizational customers.
+
+The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign into Microsoft products with a work account:
+
+1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data.
+2. Microsoft may collect and process the data to provide the service to the organization and end users.
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 278064b469..3ef3314bf4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -133,6 +133,9 @@ conceptualContent:
- url: /windows/deployment/update/prepare-deploy-windows
itemType: deploy
text: Prepare to deploy Windows client
+ - url: /windows/deployment/windows-autopatch
+ itemType: deploy
+ text: Windows Autopatch
# Card
- title: App management