Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
-The following four Microsoft Entra ID assigned groups are used to organize devices for the service-based deployment ring set: +When you [start using Autopatch](../prepare/windows-autopatch-feature-activation.md), Windows Autopatch creates the following deployment ring set to organize devices. -| Service-based deployment ring | Description | -| ----- | ----- | +| Deployment ring | Description | +| --- | --- | | Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout | | Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters. | | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | | Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | -The five Microsoft Entra ID assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition): - -| Software updates-based deployment ring | Description | -| ----- | ----- | -| Windows Autopatch - Test | Deployment ring for testing software updates-based deployments prior production rollout. | -| Windows Autopatch - Ring1 | First production deployment ring for early adopters. | -| Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. | -| Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. | -| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it's well tested with early and general populations in an organization. | - -In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout. - > [!CAUTION] -> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings). +> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Move devices in between deployment rings](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings). > [!IMPORTANT] -> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch - Test and Windows Autopatch - Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. - -During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization. +> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or your Autopatch groups. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. +During the device registration process, Windows Autopatch assigns each device to a deployment ring so that the service has the proper representation of device diversity across your organization. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. -> [!NOTE] -> You can't create additional deployment rings or use your own rings for devices managed by the Windows Autopatch service. - -## Default deployment ring calculation logic - -The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings): - -- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. -- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. - -> [!NOTE] -> You can customize the deployment ring calculation logic by editing the Default Autopatch group. - -| Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description | -| ----- | ----- | ----- | ----- | -| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| -| Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| N/A | Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | - -## Software update-based to service-based deployment ring mapping - -There's a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don't yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge. - -| If moving a device to | The device also moves to | -| ----- | ----- | -| Windows Autopatch - Test | Modern Workplace Devices-Windows Autopatch-Test | -| Windows Autopatch - Ring1 | Modern Workplace Devices-Windows Autopatch-First | -| Windows Autopatch - Ring2 | Modern Workplace Devices-Windows Autopatch-Fast | -| Windows Autopatch - Ring3 | Modern Workplace Devices-Windows Autopatch-Broad | -| Windows Autopatch - Last | Modern Workplace Devices-Windows Autopatch-Broad | +### Device record and deployment ring assignment -If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, `This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| +| N/A | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | ## Automated deployment ring remediation functions -Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process. +- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process. There are two automated deployment ring remediation functions: | Function | Description | | ----- | ----- | -| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). | -| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. | +| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last** rings). | +| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. | > [!IMPORTANT] > Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.
| -#### About the Test and Last deployment rings +### Test and Last deployment rings -Both the **Test** and **Last** deployment rings are default deployment rings that are automatically present in the Default Autopatch group and Custom Autopatch groups. These default deployment rings provide the recommended minimum number of deployment rings that an Autopatch group should have. +Both the **Test** and **Last** deployment rings are default deployment rings that are automatically present in an Autopatch group. These default deployment rings provide the recommended minimum number of deployment rings that an Autopatch group should have. -If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. +If you don't add more deployment rings when creating an Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. > [!IMPORTANT] -> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn't required, consider managing these devices outside Windows Autopatch. +> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need **at least two deployment rings** for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn't required, consider managing these devices outside Autopatch groups. > [!TIP] > Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported. -#### Service-based versus software update-based deployment rings - -Autopatch groups creates two different layers. Each layer contains its own deployment ring set. - -> [!IMPORTANT] -> Both service-based and software update-based deployment ring sets are, by default, assigned to devices that successfully register with Windows Autopatch. - -##### Service-based deployment rings - -The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service. - -The following are the Microsoft Entra ID assigned groups that represent the service-based deployment rings. These groups can't be deleted or renamed: - -- Modern Workplace Devices-Windows Autopatch-Test -- Modern Workplace Devices-Windows Autopatch-First -- Modern Workplace Devices-Windows Autopatch-Fast -- Modern Workplace Devices-Windows Autopatch-Broad - -> [!CAUTION] -> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
- -##### Software-based deployment rings - -The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. - -The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed: - -- Windows Autopatch - Test -- Windows Autopatch - Ring1 -- Windows Autopatch - Ring2 -- Windows Autopatch - Ring3 -- Windows Autopatch - Last - -> [!IMPORTANT] -> Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. - -> [!CAUTION] -> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
- -### About device registration - -Autopatch groups register devices with the Windows Autopatch service when you either [create](../manage/windows-autopatch-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Microsoft Entra groups instead of the Windows Autopatch Device Registration group provided by the service. - ## Common ways to use Autopatch groups The following are three common uses for using Autopatch groups. ### Use case #1 -> [!NOTE] -> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. - | Scenario | Solution | | ----- | ----- | -| You're working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don't have extra time to spend setting up and managing several Autopatch groups.Your organization currently operates its update management by using five deployment rings, but there's an opportunity to have flexible deployment cadences if it's precommunicated to your end-users.
| If you don't have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.The Default Autopatch group is preconfigured and doesn't require extra configurations when registering devices with the Windows Autopatch service.
The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.
| - -:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: - -### Use case #2 - -| Scenario | Solution | -| ----- | ----- | -| You're working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.The following is a visual representation of a gradual rollout for Contoso's Finance department.
| +| You're working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create an Autopatch group for each of your business units. For example, you can create an Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.The following is a visual representation of a gradual rollout for Contoso’s Finance department.
| :::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: > [!IMPORTANT] > Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. -### Use case #3 +### Use case #2 | Scenario | Solution | | ----- | ----- | -| You're working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn't experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.
| +| You're working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create an Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.
| :::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png"::: @@ -235,16 +127,19 @@ The following configurations are supported when using Autopatch groups. ### Software update workloads -Autopatch groups works with the following software update workloads: +Autopatch groups work with the following software update workloads: -- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) -- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) +- [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) +- [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) +- [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) +- [Microsoft 365 Apps for enterprise](../manage/windows-autopatch-microsoft-365-apps-enterprise.md) +- [Microsoft Edge](../manage/windows-autopatch-edge.md) ### Maximum number of Autopatch groups -Windows Autopatch supports up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings. +Windows Autopatch supports up to 50 Autopatch groups in your tenant. Each Autopatch group supports up to 15 deployment rings. -> [!TIP] -> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out. +> [!NOTE] +> If you reach the maximum number of Autopatch groups supported (50), and try to create more Autopatch groups, the "Create" option in the Autopatch groups blade will be greyed out. -To manage your Autopatch groups, see [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). +To manage your Autopatch groups, see [Manage Windows Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md index a8ddab157a0..c5f450553f2 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md @@ -1,7 +1,7 @@ --- title: Post-device registration readiness checks description: This article details how post-device registration readiness checks are performed in Windows Autopatch -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -15,14 +15,13 @@ ms.collection: - tier1 --- -# Post-device registration readiness checks (public preview) +# Post-device registration readiness checks -> [!IMPORTANT] -> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios, and provide feedback. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle. -Having a way of measuring, quickly detecting and remediating when something goes wrong with on-going change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results. +Having a way of measuring, quickly detecting and remediating when something goes wrong with ongoing change management processes is important; it helps mitigate high Helpdesk ticket volumes, reduces cost, and improves overall update management results. Windows Autopatch provides proactive device readiness information about devices that are and aren't ready to be fully managed by the service. IT admins can easily detect and fix device-related issues that are preventing them from achieving their update management compliance report goals. @@ -37,13 +36,13 @@ Device readiness in Windows Autopatch is divided into two different scenarios: ### Device readiness checks available for each scenario -| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | | ----- | ----- | -|Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.
| +| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.
| ## Additional resources -- [Device registration overview](windows-autopatch-device-registration-overview.md) -- [Register your devices](windows-autopatch-register-devices.md) +- [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md) +- [Register your devices](../deploy/windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 5f9eee104c6..c2b584ffa30 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch. -ms.date: 07/10/2024 +ms.date: 09/26/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,125 +17,113 @@ ms.collection: # Register your devices -Before Microsoft can manage your devices in Windows Autopatch, you must have devices registered with the service. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -## Before you begin +Before Microsoft can manage your devices in Windows Autopatch, you must register devices with the service. Make sure your devices meet the [device registration prerequisites](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration). -Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: +## Detailed device registration workflow diagram -- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md) -- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) -- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) -- [Microsoft Edge updates](../operate/windows-autopatch-edge.md) -- [Microsoft Teams updates](../operate/windows-autopatch-teams.md) +See the following detailed workflow diagram. The diagram covers the Windows Autopatch device registration process: -### Windows Autopatch groups device registration +:::image type="content" source="../media/windows-autopatch-device-registration-workflow-diagram.png" alt-text="Diagram of the device registration workflow." lightbox="../media/windows-autopatch-device-registration-workflow-diagram.png"::: -When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service. +| Step | Description | +| ----- | ----- | +| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | +| **Step 2: Add devices** | IT admin identifies and adds devices, or nests other Microsoft Entra device groups into any Microsoft Entra group when you [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) or imported (WUfB) policies. | +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.For more information, see [assign an owner of member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).
+- For more information, see [create an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) or [edit an Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#edit-an-autopatch-group) to register devices into Autopatch groups. +- For more information about moving devices between deployment rings, see [Move devices in between deployment rings](#move-devices-in-between-deployment-rings). -## Details about the device registration process +### Supported scenarios when nesting other Microsoft Entra groups -Registering your devices with Windows Autopatch does the following: +Windows Autopatch also supports the following Microsoft Entra nested group scenarios: -1. Makes a record of devices in the service. -2. Assign devices to the [two deployment ring sets](../deploy/windows-autopatch-groups-overview.md#about-deployment-rings) and other groups required for software update management. +Microsoft Entra groups synced up from: -For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). +- On-premises Active Directory groups (Windows Server AD) +- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync) -### Windows Autopatch on Windows 365 Enterprise Workloads +## Windows Autopatch on Windows 365 Enterprise Workloads Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. @@ -148,22 +136,19 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W 1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types). 1. Select **Next**. 1. Choose the desired image and select **Next**. -1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) can't manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue. +1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) can't manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md) to continue. 1. Assign your policy accordingly and select **Next**. -1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. +1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs are automatically enrolled and managed by Windows Autopatch. For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). -> [!IMPORTANT] -> Starting in May 2023, Windows 365 Cloud PC devices are assigned to two deployment ring sets, the service-based and the software-based deployment rings. Additionally, once registered with Windows Autopatch, Windows 365 Cloud PC devices are automatically added to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). For more information, see [service-based versus software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings). - -### Windows Autopatch on Azure Virtual Desktop workloads +## Windows Autopatch on Azure Virtual Desktop workloads Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process. -Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#windows-autopatch-groups-device-registration). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. +Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](../deploy/windows-autopatch-device-registration-overview.md). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified. -#### Prerequisites +### Prerequisites Windows Autopatch for Azure Virtual Desktop follows the same [prerequisites](../prepare/windows-autopatch-prerequisites.md) as Windows Autopatch, and the [Azure Virtual Desktop prerequisites](/azure/virtual-desktop/prerequisites). @@ -177,9 +162,9 @@ The following Azure Virtual Desktop features aren't supported: - Pooled non persistent virtual machines - Remote app streaming -#### Deploy Autopatch on Azure Virtual Desktop +### Deploy Autopatch on Azure Virtual Desktop -Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#windows-autopatch-groups-device-registration). +Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your physical devices. For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the **Name** prefix defined in your session host, but **exclude** any Multi-Session Session Hosts. For example: @@ -187,13 +172,30 @@ For ease of deployment, we recommend nesting a dynamic device group in your Auto | ----- | ----- | | Windows Autopatch - Host Pool Session Hosts |[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
diff --git a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md similarity index 91% rename from windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md rename to windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md index 9cfcff85ad4..00dc5b6ebd2 100644 --- a/windows/deployment/update/includes/wufb-deployment-find-device-name-graph-explorer.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-find-device-name-graph-explorer.md @@ -1,16 +1,16 @@ --- -author: mestew -ms.author: mstewart +author: tiaraquan +ms.author: tiaraquan manager: aaroncz -ms.subservice: itpro-updates ms.service: windows-client +ms.subservice: autopatch ms.topic: include -ms.date: 02/14/2023 +ms.date: 09/16/2024 ms.localizationpriority: medium --- -Use the [device](/graph/api/resources/device) resource type to find clients to enroll into the deployment service. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters). +Use the [device](/graph/api/resources/device) resource type to find clients to enroll into Windows Autopatch. Change the query parameters to fit your specific needs. For more information, see [Use query parameters](/graph/query-parameters). - Displays the **AzureAD Device ID** and **Name** of all devices: diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md similarity index 56% rename from windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md rename to windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md index 40f67810ab7..439c49b8034 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer-permissions.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer-permissions.md @@ -1,18 +1,18 @@ --- -author: mestew -ms.author: mstewart +author: tiaraquan +ms.author: tiaraquan manager: aaroncz -ms.subservice: itpro-updates ms.service: windows-client +ms.subservice: autopatch ms.topic: include -ms.date: 02/14/2023 +ms.date: 09/16/2024 ms.localizationpriority: medium --- - + The following permissions are needed for the queries listed in this article: -- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Update for Business deployment service](/graph/api/resources/adminwindowsupdates) operations. +- [WindowsUpdates.ReadWrite.All](/graph/permissions-reference#windows-updates-permissions) for [Windows Autopatch](/graph/api/resources/adminwindowsupdates) operations. - At least [Device.Read.All](/graph/permissions-reference#device-permissions) permission to display [device](/graph/api/resources/device) information. Some roles, such as the [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator), already have these permissions. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md similarity index 80% rename from windows/deployment/update/includes/wufb-deployment-graph-explorer.md rename to windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md index 8250bc9e1df..8ce80d8b36b 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-explorer.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-explorer.md @@ -1,14 +1,14 @@ --- -author: mestew -ms.author: mstewart +author: tiaraquan +ms.author: tiaraquan manager: aaroncz -ms.subservice: itpro-updates ms.service: windows-client +ms.subservice: autopatch ms.topic: include -ms.date: 02/14/2023 +ms.date: 09/16/2024 ms.localizationpriority: medium --- - + For this article, you'll use Graph Explorer to make requests to the [Microsoft Graph APIs](/graph/api/resources/adminwindowsupdates) to retrieve, add, delete, and update data. Graph Explorer is a developer tool that lets you learn about Microsoft Graph APIs. For more information about using Graph Explorer, see [Get started with Graph Explorer](/graph/graph-explorer/graph-explorer-overview). @@ -21,8 +21,7 @@ For this article, you'll use Graph Explorer to make requests to the [Microsoft G 1. You may need to enable the [`WindowsUpdates.ReadWrite.All` permission](/graph/permissions-reference#windows-updates-permissions) to use the queries in this article. To enable the permission: 1. Select the **Modify permissions** tab in Graph Explorer. 1. In the permissions dialog box, select the **WindowsUpdates.ReadWrite.All** permission then select **Consent**. You may need to sign in again to grant consent. - - :::image type="content" source="../media/7512398-wufbds-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-wufbds-graph-modify-permission.png" ::: + :::image type="content" source="../media/7512398-graph-modify-permission.png" alt-text="Screenshot of the modify permissions tab in Graph Explorer" lightbox="../media/7512398-graph-modify-permission.png" ::: 1. To make requests: 1. Select either GET, POST, PUT, PATCH, or DELETE from the drop-down list for the HTTP method. diff --git a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md similarity index 58% rename from windows/deployment/update/includes/wufb-deployment-graph-unenroll.md rename to windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md index d4681b40c23..f91004dfa08 100644 --- a/windows/deployment/update/includes/wufb-deployment-graph-unenroll.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-graph-unenroll.md @@ -1,19 +1,19 @@ --- -author: mestew -ms.author: mstewart +author: tiaraquan +ms.author: tiaraquan manager: aaroncz -ms.subservice: itpro-updates ms.service: windows-client +ms.subservice: autopatch ms.topic: include -ms.date: 02/14/2023 +ms.date: 09/16/2024 ms.localizationpriority: medium --- - + -When a device no longer requires management, unenroll it from the deployment service. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from the deployment service for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers: +When a device no longer requires management, unenroll it from Windows Autopatch. Just like [enrolling a device](#enroll-devices), specify either `driver` or `feature` as the value for the `updateCategory`. The device will no longer receive updates from Windows Autopatch for the specified update category. Depending on the device's configuration, it may start to receive updates from Windows Update. For instance, if a device is still enrolled for feature updates, but it's unenrolled from drivers: - Existing driver deployments from the service won't be offered to the device -- The device continues to receive feature updates from the deployment service +- The device continues to receive feature updates from Windows Autopatch - Drivers may start being installed from Windows Update depending on the device's configuration To unenroll a device, POST to [updatableAssets](/graph/api/resources/windowsupdates-updatableasset) using [unenrollAssets](/graph/api/windowsupdates-updatableasset-unenrollassets). In the request body, specify: diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md new file mode 100644 index 00000000000..dc0fd1a739c --- /dev/null +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-limitations.md @@ -0,0 +1,15 @@ +--- +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.service: windows-client +ms.subservice: autopatch +ms.topic: include +ms.date: 09/16/2024 +ms.localizationpriority: medium +--- + + +Windows Autopatch is a Windows service hosted in Azure Commercial that uses Windows diagnostic data. While customers with GCC tenants may choose to use it, Windows Autopatch is outside the [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) boundary. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). + +Windows Autopatch isn't available in Azure Government for [Office 365 GCC High and DoD](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod) tenants. diff --git a/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md new file mode 100644 index 00000000000..ec3fc85cbe9 --- /dev/null +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-required-graph-api-endpoints.md @@ -0,0 +1,28 @@ +--- +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.service: windows-client +ms.subservice: autopatch +ms.topic: include +ms.date: 09/24/2024 +ms.localizationpriority: medium +--- + + +You must have access to the following endpoints: + +[Windows Update endpoints](/windows/privacy/manage-windows-1809-endpoints#windows-update) + +- *.prod.do.dsp.mp.microsoft.com +- *.windowsupdate.com +- *.dl.delivery.mp.microsoft.com +- *.update.microsoft.com +- *.delivery.mp.microsoft.com +- tsfe.trafficshaping.dsp.mp.microsoft.com + +Graph API endpoints: + +- devicelistenerprod.microsoft.com +- login.windows.net +- payloadprod*.blob.core.windows.net diff --git a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md b/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md similarity index 71% rename from windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md rename to windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md index cd39b4dd7ea..adc812a9a0d 100644 --- a/windows/deployment/update/includes/wufb-deployment-update-health-tools-logs.md +++ b/windows/deployment/windows-autopatch/includes/windows-autopatch-update-health-tools-logs.md @@ -1,14 +1,14 @@ --- -author: mestew -ms.author: mstewart +author: tiaraquan +ms.author: tiaraquan manager: aaroncz -ms.subservice: itpro-updates ms.service: windows-client +ms.subservice: autopatch ms.topic: include -ms.date: 02/14/2023 +ms.date: 09/16/2024 ms.localizationpriority: medium --- - + ## Log location for the Update Health Tools The Update Health Tools are used when you deploy expedited updates. In some cases, you may wish to review the logs for the Update Health Tools. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md index bfd579ee3ba..5cf7948782d 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings.md @@ -1,7 +1,7 @@ --- title: Customize Windows Update settings Autopatch groups experience description: How to customize Windows Updates with Autopatch groups -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,9 +17,11 @@ ms.collection: # Customize Windows Update settings -You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). +You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. However, we recommend that you remain within service defined boundaries to maintain compliance. + +When the deployment cadence is customized, Windows Autopatch overrides our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) might not count towards the Windows Autopatch [Windows quality update service level objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective). ## Deployment cadence @@ -37,35 +39,30 @@ For each tenant, at the deployment ring level, there are two cadence types to co With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements. -There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance. - -| Boundary | Description | -| ----- | ----- | -| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. | -| Grace period | The permitted customization range is zero to seven days. | - > [!NOTE] > The configured grace period will apply to both Windows quality updates and Windows feature updates. -Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied. +Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, are applied. -It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values. +It's possible for you to change the cadence from the Windows Autopatch groups blade while update deployments are in progress. Windows Autopatch abides by the principle to always respect your preferences over service-defined values. -However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle. +However, if an update already started for a particular deployment ring, Windows Autopatch isn't able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle. #### Scheduled install > [!NOTE] ->If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). +>If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../manage/windows-autopatch-windows-quality-update-overview.md#service-level-objective). + +While the Windows Autopatch default options meet most the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. -While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified. +The **Scheduled install** cadence type minimizes disruptions by preventing forced restarts and interruptions to critical business activities for end users. When you select the **Scheduled install** cadence type, any previously set deadlines and grace periods are removed. Devices will only update and restart according to the time specified. -If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option. +If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update completes its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option. > [!NOTE] > The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type. -Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours. +Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device might have the Windows Update scan and install during active hours. ##### Scheduled install types @@ -76,7 +73,7 @@ The Scheduled install cadence has two options: | Option | Description | | ----- | ----- | -| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.
+| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business scans, install and restart the device.
| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.
| > [!NOTE] @@ -84,7 +81,7 @@ The Scheduled install cadence has two options: ### User notifications -In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: +In addition to the cadence type, you can also manage the end user notification settings. End users receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings: - Not configured - Use the default Windows Update notifications @@ -101,12 +98,12 @@ For more information, see [Windows Update settings you can manage with Intune up **To customize the Windows Update deployment cadence:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. +2. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. 3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings. 4. Select **Next** to navigate to the Windows update settings page. The page lists the existing settings for each of the deployment rings in the Autopatch group. 5. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings. 1. Select one of the cadence types for the ring: - 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". + 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option enforces forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default". 1. Select **Scheduled install** to opt-out of deadline-based forced restart. 1. Select either **Active hours** or **Schedule install and restart time**. 2. Select **Save**. @@ -118,5 +115,5 @@ For more information, see [Windows Update settings you can manage with Intune up 1. Turn off all notifications included restart warnings 1. Select **Save** once you select the preferred setting. 7. Repeat the same process to customize each of the rings. Once done, select **Next**. -8. In **Review + apply**, you'll be able to review the selected settings for each of the rings. -9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings. +8. In **Review + apply**, you're able to review the selected settings for each of the rings. +9. Select **Apply** to apply the changes to the ring policy. diff --git a/windows/deployment/update/deployment-service-drivers.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md similarity index 85% rename from windows/deployment/update/deployment-service-drivers.md rename to windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md index ca104fce34b..a9fcc86c266 100644 --- a/windows/deployment/update/deployment-service-drivers.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-driver-and-firmware-update-programmatic-controls.md @@ -1,12 +1,12 @@ --- -title: Deploy drivers and firmware updates -titleSuffix: Windows Update for Business deployment service -description: Use Windows Update for Business deployment service to deploy driver and firmware updates to devices. +title: Programmatic controls for drivers and firmware +titleSuffix: Windows Autopatch +description: Use programmatic controls to deploy driver and firmware updates to devices. ms.service: windows-client -ms.subservice: itpro-updates -ms.topic: conceptual -author: mestew -ms.author: mstewart +ms.subservice: autopatch +ms.topic: how-to +author: tiaraquan +ms.author: tiaraquan manager: aaroncz ms.collection: - tier1 @@ -14,13 +14,13 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 06/22/2023 +ms.date: 09/24/2024 --- -# Deploy drivers and firmware updates with Windows Update for Business deployment service +# Programmatic controls for drivers and firmware updates -The Windows Update for Business deployment service is used to approve and schedule software updates. The deployment service exposes its capabilities through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). +Windows Autopatch programmatic controls are used to approve and schedule software updates through the [Microsoft Graph API](/graph/use-the-api). You can call the API directly, through a [Graph SDK](/graph/sdks/sdks-overview), or integrate them with a management tool such as [Microsoft Intune](/mem/intune). This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to walk through the entire process of deploying a driver update to clients. In this article, you will: > [!div class="checklist"] @@ -37,36 +37,41 @@ This article uses [Graph Explorer](/graph/graph-explorer/graph-explorer-overview ## Prerequisites -All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met. +All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-fix-issues.md) must be met. ### Permissions -[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)] +[!INCLUDE [Windows Autopath permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)] + +### Required endpoints + + +[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)] ## Open Graph Explorer -[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)] +[!INCLUDE [Graph Explorer sign in](../includes/windows-autopatch-graph-explorer.md)] ## Run queries to identify devices -[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)] +[!INCLUDE [Graph Explorer device queries](../includes/windows-autopatch-find-device-name-graph-explorer.md)] ## Enroll devices -When you enroll devices into driver management, the deployment service becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals. +When you enroll devices into driver management, Windows Autopatch becomes the authority for driver updates coming from Windows Update. Devices don't receive drivers or firmware from Windows Update until a deployment is manually created or they're added to a driver update policy with approvals. -[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-enroll-device-graph-explorer.md)] +[!INCLUDE [Graph Explorer enroll devices](../includes/windows-autopatch-enroll-device-graph-explorer.md)] ## Create a deployment audience and add audience members -[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-audience-graph-explorer.md)] +[!INCLUDE [Graph Explorer enroll devices](../includes/windows-autopatch-audience-graph-explorer.md)] -Once a device has been enrolled and added to a deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment. +Once a device has been enrolled and added to a deployment audience, Windows Autopatch will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment. ## Create an update policy @@ -75,7 +80,6 @@ Update policies define how content is deployed to a deployment audience. An [upd > [!IMPORTANT] > Any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings) configured for a [content approval](#approve-driver-content-for-deployment) will be combined with the existing update policy's deployment settings. If the content approval and update policy specify the same deployment setting, the setting from the content approval is used. - ### Create a policy and define the settings later To create a policy without any deployment settings, in the request body specify the **Audience ID** as `id`. In the following example, the **Audience ID** is `d39ad1ce-0123-4567-89ab-cdef01234567`, and the `id` given in the response is the **Policy ID**: @@ -115,6 +119,7 @@ content-type: application/json ### Specify settings during policy creation To create a policy with additional settings, in the request body: + - Specify the **Audience ID** as `id` - Define any [deployment settings](/graph/api/resources/windowsupdates-deploymentsettings). - Add the `content-length` header to the request if a status code of 411 occurs. The value should be the length of the request body in bytes. For information on error codes, see [Microsoft Graph error responses and resource types](/graph/errors). @@ -147,7 +152,6 @@ To create a policy with additional settings, in the request body: } ``` - ### Review and edit update policy settings To review the policy settings, run the following query using the **Policy ID**, for example `9011c330-1234-5678-9abc-def012345678`: @@ -181,10 +185,9 @@ content-type: application/json } ``` - ## Review applicable driver content -Once Windows Update for Business deployment service has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information: +Once Windows Autopatch has scan results from devices, the applicability for driver and firmware updates can be displayed for a deployment audience. Each applicable update returns the following information: - An `id` for its [catalog entry](/graph/api/resources/windowsupdates-catalogentry) - The **Microsoft Entra ID** of the devices it's applicable to @@ -197,6 +200,7 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deploymentAudiences/d ``` The following truncated response displays: + - An **Microsoft Entra ID** of `01234567-89ab-cdef-0123-456789abcdef` - The **Catalog ID** of `5d6dede684ba5c4a731d62d9c9c2a99db12c5e6015e9f8ad00f3e9387c7f399c` @@ -332,9 +336,9 @@ GET https://graph.microsoft.com/beta/admin/windows/updates/deployments?orderby=c ## Unenroll devices -[!INCLUDE [Graph Explorer enroll devices](./includes/wufb-deployment-graph-unenroll.md)] +[!INCLUDE [Graph Explorer unenroll devices](../includes/windows-autopatch-graph-unenroll.md)] ## Policy considerations for drivers -[!INCLUDE [Windows Update for Business deployment service driver policy considerations](./includes/wufb-deployment-driver-policy-considerations.md)] +[!INCLUDE [Windows Autopatch driver policy considerations](../includes/windows-autopatch-driver-policy-considerations.md)] diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md index a8274a7d80b..831fe0e8a16 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-edge.md @@ -1,7 +1,7 @@ --- title: Microsoft Edge description: This article explains how Microsoft Edge updates are managed in Windows Autopatch -ms.date: 09/15/2023 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,8 +17,13 @@ ms.collection: # Microsoft Edge +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge. +> [!IMPORTANT] +> To update Microsoft 365 Apps for enterprise, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group) first and **Microsoft Edge update setting** must be set to [**Allow**](#allow-or-block-microsoft-edge-updates). For more information on workloads supported by Windows Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads). + ## Device eligibility For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria: @@ -28,15 +33,54 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto - The device must be able to access the required network endpoints to reach the Microsoft Edge update service. - If Microsoft Edge is open, it must restart for the update process to complete. +## Allow or block Microsoft Edge updates + +> [!IMPORTANT] +> You must be an Intune Administrator to make changes to the setting. + +For organizations seeking greater control, you can allow or block Microsoft Edge updates for Windows Autopatch-enrolled devices. + +| Microsoft Edge setting | Description | +| ----- | ----- | +| **Allow** | When set to **Allow**, Windows Autopatch assigns devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel). To manage updates manually, set the Microsoft Edge setting to **Block**. | +| **Block** | When set to **Block**, Windows Autopatch doesn't assign devices to Microsoft Edge's [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). | + +**To allow or block Edge updates:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Update settings**. +1. Go to the **Edge updates** section. By default, the Allow/Block toggle is set to **Block**. +1. Turn off the **Allow** toggle (set to Block) to opt out of Microsoft Edge update policies. You see the notification: *Update in process. This setting will be unavailable until the update is complete.* +1. Once the update is complete, you receive the notification: *This setting is updated*. + +> [!NOTE] +> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:Additionally, it's not supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.
-> [!IMPORTANT] -> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. +> [!CAUTION] +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. -## Edit the Default or a Custom Autopatch group +## Edit an Autopatch group > [!TIP] > You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**" -> See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses. +> For more information on release and phase statuses, see [Windows feature update](../manage/windows-autopatch-windows-feature-update-overview.md). -**To edit either the Default or a Custom Autopatch group:** +**To edit an Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. -1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**. +1. You can only modify the **description** of an Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**. To rename an Autopatch group, see [Rename an Autopatch group](#rename-an-autopatch-group). 1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**. 1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**. 1. Select **Review + create** to review all changes made. @@ -109,46 +78,42 @@ Before you start managing Autopatch groups, ensure you've met the following prer > [!IMPORTANT] > Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. -## Rename a Custom Autopatch group +## Rename an Autopatch group -You **can't** rename the Default Autopatch group. However, you can rename a Custom Autopatch group. +**To rename an Autopatch group:** -**To rename a Custom Autopatch group:** - -1. Select the **horizontal ellipses (…)** > **Rename** for the Custom Autopatch group you want to rename. The **Rename Autopatch group** fly-in opens. -1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then click **Rename group**. +1. Select the **horizontal ellipses (…)** > **Rename** for the Autopatch group you want to rename. The **Rename Autopatch group** fly-in opens. +1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then select **Rename group**. > [!IMPORTANT] -> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Microsoft Entra groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. - -## Delete a Custom Autopatch group +> Autopatch supports up to 64 characters for the Autopatch group name. Additionally, when you rename a Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming an Autopatch group all Microsoft Entra groups representing the Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. -You **can't** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. +## Delete an Autopatch group -**To delete a Custom Autopatch group:** +**To delete an Autopatch group:** -1. Select the **horizontal ellipses (…)** > **Delete** for the Custom Autopatch group you want to delete. -1. Select **Yes** to confirm you want to delete the Custom Autopatch group. +1. Select the **horizontal ellipses (…)** > **Delete** for the Autopatch group you want to delete. +1. Select **Yes** to confirm you want to delete the Autopatch group. > [!CAUTION] -> You can't delete a Custom Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. +> You can't delete an Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete an Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses. ## Manage device conflict scenarios when using Autopatch groups -Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups. +Overlap in device membership is a common scenario when working with device-based Microsoft Entra groups. Sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Microsoft Entra groups. -Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. +Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that might occur. > [!CAUTION] -> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom). +> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group. ### Device conflict in deployment rings within an Autopatch group -Autopatch groups uses the following logic to solve device conflicts on your behalf within an Autopatch group: +Autopatch groups use the following logic to solve device conflicts on your behalf within an Autopatch group: | Step | Description | | ----- | ----- | -| Step 1: Checks for the deployment ring distribution type (**Assigned** or **Dynamic**) that the device belongs to. | For example, if a device is part of one deployment ring with **Dynamic** distribution (Ring3), and one deployment ring with **Assigned** distribution (Test,) within the same Autopatch group, the deployment ring with **Assigned** distribution (Test) takes precedence over the one with the **Dynamic** distribution type (Ring3). | +| Step 1: Checks for the deployment ring distribution type (**Assigned** or **Dynamic**) that the device belongs to. | For example, if a device is part of one deployment ring with **Dynamic** distribution (Ring3), and one deployment ring with **Assigned** distribution (Test) within the same Autopatch group, the deployment ring with **Assigned** distribution (Test) takes precedence over the one with the **Dynamic** distribution type (Ring3). | | Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. | > [!IMPORTANT] @@ -156,28 +121,18 @@ Autopatch groups uses the following logic to solve device conflicts on your beha ### Device conflict across different Autopatch groups -Device conflict across different deployment rings in different Autopatch groups may occur, review the following examples about how the Windows Autopatch services handles the following scenarios: - -#### Default to Custom Autopatch group device conflict - -| Conflict scenario | Conflict resolution | -| ----- | ----- | -| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called "Marketing".However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.
| Autopatch groups automatically resolve this conflict on your behalf.In this example, devices that belong to the deployment rings as part of the "Marketing" Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.
| +Device conflict across different deployment rings in different Autopatch groups might occur, review the following examples about how the Windows Autopatch services handles the following scenarios: -#### Custom to Custom Autopatch group device conflict +#### Same device in different deployment rings across different Autopatch groups | Conflict scenario | Conflict resolution | | ----- | ----- | -| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You're required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.
| +| You, the IT admin at Contoso Ltd., are using several Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade, you notice that the same device is part of different deployment rings across several different Autopatch groups. This device appears as **Not ready**. | You must resolve this conflict.Autopatch groups inform you about the device conflict in the [**Devices report**](../deploy/windows-autopatch-register-devices.md#devices-report). Select the **Not ready** status for the device you want to address. You're required to manually indicate which of the existing Autopatch groups the device should exclusively belong to.
| -#### Device conflict prior to device registration +#### Device conflict before device registration -When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups' deployment rings, are registered with the service. +When you create or edit an Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups’ deployment rings, are registered with the service. | Conflict scenario | Conflict resolution | | ----- | ----- | -| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.Devices will fail to register with the service and will be sent to the **Not registered** tab. You're required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don't have device membership overlaps.
| - -#### Device conflict post device registration - -Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service. +| Device conflict before device registration due to device membership overlap | You must resolve this conflict.Devices fail to register with the service and are marked with a **Not registered** status. You’re required to make sure the Microsoft Entra groups that are used in an Autopatch group don’t have device membership overlaps.
| diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md index 50979877ff0..ddab13c4408 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-driver-and-firmware-updates.md @@ -1,7 +1,7 @@ --- title: Manage driver and firmware updates description: This article explains how you can manage driver and firmware updates with Windows Autopatch -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,46 +17,116 @@ ms.collection: # Manage driver and firmware updates -You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment. +You can manage driver and firmware profiles for Windows 10 and later devices. By using targeted policies, you can expedite a specific driver and firmware update to release to your tenant. For more information about driver updates for Windows 10 and later, see [Windows driver update management in Intune](/mem/intune/protect/windows-driver-updates-overview). -> [!TIP] -> Windows Autopatch's driver and firmware update management is based on [Intune's driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates. +## Driver and firmware controls -## Automatic and Self-managed modes +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -Switching the toggle between Automatic and Self-managed modes creates driver profiles on a per-ring basis within your tenant. +You can manage and control your driver and firmware updates by: + +- Controlling the flow of all drivers to an Autopatch group or rings within an Autopatch group +- Controlling the flow of a specific driver or firmware across your entire tenant via approvals +- Approving and deploying other drivers and firmware that previously couldn’t be centrally managed + +### Automatic and Manual modes + +The Autopatch service creates additional driver profiles on a per-deployment ring and per group basis within your tenant. + +> [!NOTE] +> For more information about policies created for Driver updates for Windows 10 and later, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md#driver-updates-for-windows-10-and-later). + +Choosing between Automatic and Manual modes can be done per-deployment ring and/or per Autopatch group. For a single Autopatch group, a mix of both Automatic and Manual policies is allowed. If you were previously in Manual mode, we create Manual policies for all your group rings. If Automatic (the default) was previously used, we create Automatic policies instead. + +> [!IMPORTANT] +> If you switch between Automatic and Manual modes, new policies are generated to **replace old policies**. **You’ll lose any approvals, paused drivers, and declined drivers previously made for those groups and/or deployment rings**. | Modes | Description | | ----- | -----| -| Automatic | We recommend using **Automatic** mode.Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.
| -| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.Self-managed mode turns off Windows Autopatch's automatic driver deployment. Instead, the Administrator controls the driver deployment.
The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.
The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.
| +| Automatic | We recommend using **Automatic** mode.Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues occurred due to Windows Updates.
Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout. You can also choose to deploy additional drivers from the **Other** tab to your deployment rings or Autopatch groups that are set to **Automatic**.
| +| Manual | When you use **Manual** mode, no drivers are installed in your environment without your explicit approval. You can also choose to deploy additional drivers from the Other tab to your deployment rings or Autopatch groups that are set to Manual.Manual mode turns off Windows Autopatch’s automatic driver deployment. Instead, the Administrator controls the driver deployment.
The Administrator selects the individual drivers to be deployed to their tenant. Then, the Administrator can choose to approve those drivers for deployment. Drivers approved can vary between deployment rings.
| -## Set driver and firmware updates to Automatic or Self-managed mode +> [!NOTE] +> In both Automatic and Manual modes, the drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch deployment rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization. -**To set driver and firmware updates to Automatic or Self-managed mode:** +#### Set driver and firmware updates to Automatic or Manual mode + +**To set driver and firmware updates to Automatic or Manual mode:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings**. -1. In the **Windows Driver Updates** section, read and accept the agreement. -1. Select either **Automatic** or **Self-managed**. +1. Navigate to **Devices** > **Manage Updates** > **Windows Updates** > **Driver Updates** tab. +1. Select the groups you’d like to modify. Find the Driver update settings section, then select Edit. +1. Set the policy to be **Automatic** or **Manual** for each deployment ring within the previously selected group. + 1. If you select **Automatic**, you can choose a **Deferral period** in days from the dropdown menu. + 2. If you select **Manual**, the deferral day setting can’t be set and displays **Not applicable**. +1. Select **Review + Save** to review all changes made. +1. Once the review is done, select **Save** to commit your changes. -## View driver and firmware policies created by Windows Autopatch +##### Choose the deferral period for driver and firmware updates for Automatic deployment rings -**To view driver and firmware policies created by Windows Autopatch:** +For deployment rings set to **Automatic**, you can choose the deferral period for driver and firmware updates. The deferral period is the number of days that you must wait to deploy after a driver becomes available. By default, these deferral values match the values you set for your Windows quality updates. -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Devices** > **Driver updates for Windows 10 and later**. -1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch - Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch - Driver Update Policy [Test]**. +The deferral period allows you to delay the installation of driver and firmware updates on the devices in the specified deployment ring in case you want to test the update on a smaller group of devices first or avoid potential disruptions during a busy period. + +The deferral period can be set from 0 to 14 days, and it can be different for each deployment ring. + +> [!NOTE] +> The deferral period only applies to automatically approved driver and firmware updates. An admin must specify the date to start offering a driver with any manual approval. + +### Recommended driver and firmware updates across managed devices + +#### Recommended drivers and firmware + +Recommended drivers are the best match for the 'required' driver updates that Windows Update can identify for a device. To be a recommended update, the OEM or driver publisher must mark the update as required and the update must be the most recent update version marked as required. These updates are the same ones available through Windows Update and are almost always the most current update version for a driver. + +When an OEM releases a newer update version that qualifies to be the new recommended driver, it replaces the previous update as the recommended driver update. If the older update version is still applicable to a device in the policy, it's moved to the **Other drivers** tab. If the older version was previously approved, it remains approved. + +##### Approve and deploy recommended drivers + +**To approve and deploy recommended drivers:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Devices** > **Manage updates** > **Windows updates** > **Driver updates**. +1. Select **Manage drivers for Autopatch groups** or select one of the **Drivers to review** links. +1. Select the driver or drivers you’d like to manage. +1. Select **Manage**. You can either: + 1. Approve for all policies + 2. Decline for all unreviewed policies + 3. Manage for individual policies +1. In the **Approve for all policies** dropdown, select the date to make the driver available through Windows Update. +1. In the **Manage for individual policies** dropdown, select the policies to approve or decline the driver. +1. Select **Save**. + +### Extensions and Plug and play driver updates + +Extensions and Plug and play driver updates might not require admin approval. + +| Driver update | Description | +| ----- | ----- | +| Extensions | Windows Autopatch doesn't manage extension drivers. They're easily identified by the term 'extension' in the name. Extensions are typically minor updates to a base driver package that can enhance, modify, or filter the functionality provided by the base driver. They play a crucial role in facilitating effective communication between the operating system and the hardware. If the device hasn't received drivers from Windows Update for some time, the device might have multiple extension drivers offered during the first scan. For more information, see [Why do my devices have driver updates installed that didn't pass through an updates policy?](/mem/intune/protect/windows-driver-updates-overview#why-do-my-devices-have-driver-updates-installed-that-didnt-pass-through-an-updates-policy). | +| Plug and play | When Windows detects a hardware or software component (such as, but not limited to, a mouse, keyboard, or webcam) without an existing driver, it automatically downloads and installs the latest driver to ensure the component functions properly to keep the end-user productive. After the initial installation, the driver becomes manageable. Any additional updates require approval before being offered to the device. | + +### Other drivers and firmware + +Other driver updates are updates available from the original equipment manufacturer (OEM) aside from the current recommended driver update. These updates remain in the policy if they're newer than the driver version that is currently installed on at least one device with the policy. + +These updates can include: -The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table: +- A previously recommended update is superseded by a newer update version +- Firmware updates +- Optional driver updates, or updates that the OEM doesn't intend to be installed on all devices by default -| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays | -| ----- | ----- | ----- | ----- | ----- | -| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` | -| `CreateDriverUpdatePolicy`| Windows Autopatch - Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` | -| `CreateDriverUpdatePolicy` |Windows Autopatch - Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` | -| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` | +#### Approve and deploy other drivers -## Feedback and support +**To approve and deploy other drivers:** -If you need support with this feature, and have enrolled your tenant into Windows Autopatch, [submit a support request](../operate/windows-autopatch-support-request.md). +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), navigate to **Devices** > **Manage updates** > **Windows update** > **Driver Updates**. +1. Select **Manage drivers for Autopatch groups** or select one of the **Drivers to review** links. +1. Select **Other drivers** tab. You can either: +1. Select the driver or drivers you’d like to manage. +1. Select **Manage**. You can either: + 1. Approve for all policies + 2. Decline for all unreviewed policies + 3. Manage for individual policies +1. In the **Approve for all policies** dropdown, select the date to make the driver available through Windows Update. +1. In the **Manage for individual policies** dropdown, select the policies to approve or decline the driver. +1. Select **Save**. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-windows-feature-update-releases.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-windows-feature-update-releases.md deleted file mode 100644 index dbdbcdcdc5c..00000000000 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-manage-windows-feature-update-releases.md +++ /dev/null @@ -1,218 +0,0 @@ ---- -title: Manage Windows feature update releases -description: This article explains how you can manage Windows feature updates with Autopatch groups -ms.date: 07/08/2024 -ms.service: windows-client -ms.subservice: autopatch -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: andredm7 -ms.collection: - - highpri - - tier1 ---- - -# Manage Windows feature update releases - -You can create custom releases for Windows feature update deployments in Windows Autopatch. - -## Before you begin - -Before you start managing custom Windows feature update releases, consider the following: - -- If you're planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure: - - The Default Autopatch group has all deployment rings and deployment cadences you need. - - You have created all your Custom Autopatch groups prior to creating custom releases. -- Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites). -- Review the [Windows feature updates policy limitations](/mem/intune/protect/windows-10-feature-updates#limitations-for-feature-updates-for-windows-10-and-later-policy). - -## About the auto-populate automation for release phases - -By default, the deployment rings of each Autopatch group will be sequentially assigned to a phase. For example, the first deployment ring of each Autopatch group is assigned to Phase 1, and the second deployment ring of each Autopatch group is assigned to Phase 2, etc. - -The following table explains the auto-populating assignment of your deployments rights if you have two Autopatch groups. One Autopatch group is named Finance and the other is named Marketing; each Autopatch group has four (Finance) and five (Marketing) deployment rings respectively. - -| Phases | Finance | Marketing -| ----- | ----- | ----- | -| Phase 1 | Test | Test | -| Phase 2 | Ring1 | Ring1 | -| Phase 3 | Ring2 | Ring2 | -| Phase 4 | Last | Ring3 | - -If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won't be reflected unless you create a new custom release. - -If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases. - -### More information about the completion date of a phase - -The goal completion date of a phase is calculated using the following formula: - -``
[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md index c6eb294c1af..6465a2a404d 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request.md @@ -1,7 +1,7 @@ --- title: Submit a support request description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests -ms.date: 09/06/2023 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,6 +17,8 @@ ms.collection: # Submit a support request +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + > [!IMPORTANT] > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues. @@ -29,7 +31,7 @@ Support requests are triaged and responded to as they're received. 1. Sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and navigate to the **Tenant administration** menu. 1. In the **Windows Autopatch** section, select **Support requests**. 1. In the **Support requests** section, select **+ New support request**. -1. Enter your question(s) and/or a description of the problem. +1. Enter your questions and/or a description of the problem. 1. Review all the information you provided for accuracy. 1. When you're ready, select **Create**. @@ -44,12 +46,12 @@ Depending on your support contract, the following severity options are available | Support contract | Severity options | | ----- | ----- | -| Premier | Severity A, B or C | -| Unified | Critical or non-critical | +| Premier | Severity A, B, or C | +| Unified | Critical or noncritical | ## Manage an active support request -The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests. +The primary contact for the support request receives email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we email the primary contact listed on the support requests. ## View all your active support requests @@ -75,7 +77,7 @@ You can edit support request details, for example, updating the primary case con 1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team. 1. Select **Save**. -Once a support request is mitigated, it can no longer be edited. If a request has been mitigated for less than 24 hours, you'll see the option to reactivate instead of edit. Once reactivated, you can again edit the request. +Once a support request is mitigated, it can no longer be edited. If a request was mitigated in less than 24 hours, you can reactivate instead of edit. Once reactivated, you can again edit the request. ## Microsoft FastTrack @@ -83,4 +85,4 @@ Once a support request is mitigated, it can no longer be edited. If a request ha Customers who need help with Microsoft 365 workloads can sign in to [Microsoft FastTrack](https://fasttrack.microsoft.com/) with a valid Azure ID and submit a Request for Assistance. - Contact your Microsoft account team if you need additional assistance. +Contact your Microsoft account team if you need additional assistance. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md index 37a7cc46c9d..e6b32fd7ca5 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-teams.md @@ -1,7 +1,7 @@ --- title: Microsoft Teams description: This article explains how Microsoft Teams updates are managed in Windows Autopatch -ms.date: 09/15/2023 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,6 +17,8 @@ ms.collection: # Microsoft Teams +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams. ## Device eligibility @@ -30,13 +32,13 @@ For a device to be eligible for automated Teams updates as a part of Windows Aut ## Update release schedule -The Teams desktop client updates are released once a month for all users, and twice a month for members of the Technology Adoption Program (TAP). +The Teams desktop client updates are released once a month for all users, and twice a month for members of the [Technology Adoption Program (TAP)](https://developer.microsoft.com/microsoft-365/tap). -Updates undergo vigorous internal testing and are first released to members of TAP for validation. The update usually takes place on a Monday. If a critical update is needed, Teams will bypass this schedule and release the update as soon as it's available. +Updates undergo vigorous internal testing and are first released to members of [Technology Adoption Program (TAP)](https://developer.microsoft.com/microsoft-365/tap) for validation. The update usually takes place on a Monday. If a critical update is needed, Teams bypasses this schedule and releases the update as soon as it's available. ## End user experience -Teams will check for updates every few hours behind the scenes, download the updates, and then will wait for the computer to be idle for at least 40 minutes before automatically installing the update. +Teams checks for updates every few hours behind the scenes, download the updates, and then waits for the computer to be idle for at least 40 minutes before automatically installing the update. When an update is available, the following are required to be able to download the update: @@ -47,7 +49,7 @@ When an update is available, the following are required to be able to download t > [!NOTE] > If a user is on a version of Teams that is out of date, Teams will force the user to update prior to allowing them to use the application. -## Pausing and resuming updates +## Pause and resume updates Windows Autopatch can't pause or resume Teams updates. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md new file mode 100644 index 00000000000..62a8d7c8e53 --- /dev/null +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-troubleshoot-programmatic-controls.md @@ -0,0 +1,63 @@ +--- +title: Troubleshoot programmatic controls +titleSuffix: Windows Autopatch +description: Solutions to commonly encountered problems when using Windows Autopatch API. +ms.service: windows-client +ms.subservice: autopatch +ms.topic: troubleshooting +ms.author: tiaraquan +author: tiaraquan +manager: aaroncz +ms.collection: + - tier1 +ms.localizationpriority: medium +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +ms.date: 09/16/2024 +--- + +# Troubleshoot programmatic controls + +This troubleshooting guide addresses the most common issues that IT administrators face when using Windows Autopatch API. For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](/troubleshoot/windows-client/deployment/windows-update-issues-troubleshooting?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json). + +## The device isn't receiving an update that I deployed + +- Check that the device doesn't have updates of the relevant category paused. See [Pause feature updates](/windows/deployment/update/waas-configure-wufb) and [Pause quality updates](/windows/deployment/update/waas-configure-wufb). +- **Feature updates only**: The device might have a safeguard hold applied for the given feature update version. For more about safeguard holds, see [Safeguard holds](/windows/deployment/update/safeguard-holds) and [Opt out of safeguard holds](/windows/deployment/update/safeguard-opt-out). +- Check that the deployment to which the device is assigned has the state *offering*. Deployments that have the states *paused* or *scheduled* doesn't deploy content to devices. +- Check that the device was scanned for updates and is scanning the Windows Update service. To learn more about scanning for updates, see [Scanning updates](/windows/deployment/update/how-windows-update-works#scanning-updates). +- **Feature updates only**: Check that the device is successfully enrolled in feature update management. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors. +- **Expedited quality updates only**: Check that the device has the Update Health Tools installed (available for Windows 10 version 1809 or later in the update described in [KB 4023057 - Update for Windows 10 Update Service components](https://support.microsoft.com/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a), or a more recent quality update). The Update Health Tools are required for a device to receive an expedited quality update. On a device, the program can be located at **C:\\Program Files\\Microsoft Update Health Tools**. You can verify its presence by reviewing **Add or Remove Programs** or using the following PowerShell script: `Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match "Microsoft Update Health Tools"}`. + +## The device is receiving an update that I didn't deploy + +- Check that the device is scanning the Windows Update service and not a different endpoint. If the device is scanning for updates from a WSUS endpoint, for example, it might receive different updates. To learn more about scanning for updates, see [Scanning updates](/windows/deployment/update/how-windows-update-works#scanning-updates). +- **Feature updates only**: Check that the device is successfully enrolled in feature update management. A device that isn't successfully enrolled might receive different updates according to its feature update deferral period, for example. A device that is successfully enrolled will be represented by a Microsoft Entra device resource with an update management enrollment for feature updates and have no Microsoft Entra device registration errors. + +### The device installed a newer update than the expedited update I deployed + +There are some scenarios when a deployment to expedite an update results in the installation of a more recent update than specified in policy. This result occurs when the newer update includes and surpasses the specified update, and that newer update is available before a device checks in to install the update that's specified in the expedited update policy. + +Installing the most recent quality update reduces disruptions to the device and user while applying the benefits of the intended update. This avoids having to install multiple updates, which each might require separate reboots. + +A more recent update is deployed when the following conditions are met: + +- The device isn't targeted with a deferral policy that blocks installation of a more recent update. In this case, the most recently available update that isn't deferred is the update that might install. + +- During the process to expedite an update, the device runs a new scan that detects the newer update. This can occur due to the timing of: + - When the device restarts to complete installation + - When the device runs its daily scan + - When a new update becomes available + + When a scan identifies a newer update, Windows Update attempts to stop installation of the original update, cancel the restart, and then starts the download and installation of the more recent update. + +While expedite update deployments override an update deferral for the update version that's specified, they don't override deferrals that are in place for any other update version. + + +[!INCLUDE [Windows Autopatch Update Health Tools](../includes/windows-autopatch-update-health-tools-logs.md)] + +## Policy considerations for drivers + + +[!INCLUDE [Windows Autopatch driver policy considerations](../includes/windows-autopatch-driver-policy-considerations.md)] diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md new file mode 100644 index 00000000000..e68df90cbb4 --- /dev/null +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-update-rings.md @@ -0,0 +1,68 @@ +--- +title: Manage Update rings +description: How to manage update rings +ms.date: 09/16/2024 +ms.service: windows-client +ms.subservice: autopatch +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 +--- + +# Manage Update rings + +[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] + +You can manage Update rings for Windows 10 and later devices with Windows Autopatch. Using Update rings, you can control when and how updates are installed on your devices. For more information, see [Configure Update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings). + +## Import Update rings for Windows 10 and later + +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +You can import your organization’s existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization’s Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization’s existing update rings. + +Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-register-devices.md#detailed-device-registration-workflow-diagram). + +> [!NOTE] +> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md). + +> [!NOTE] +> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../manage/windows-autopatch-support-request.md). + +### To import Update rings for Windows 10 and later + +**To import Update rings for Windows 10 and later:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** from the left navigation menu. +3. Under the **Manage updates** section, select **Windows updates**. +4. In the **Windows updates** blade, go to the **Update rings** tab. +5. Select **Enroll policies**. +6. Select the existing rings you would like to import. +7. Select **Import**. + +### Remove an imported Update ring for Windows 10 and later + +**To remove an Imported Update rings for Windows 10 and later:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Devices** from the left navigation menu. +3. Under the **Manage updates** section, select **Windows updates**. +4. In the **Windows updates** blade, go to the **Update rings**. +5. Select the Update rings for Windows 10 and later you would like to remove. +6. Select the **horizontal ellipses (...)** and select **Remove**. + +### Known limitations + +The following Windows Autopatch features aren't available with imported Intune Update rings: + +- [Autopatch groups](../deploy/windows-autopatch-groups-overview.md) and [features dependent on Autopatch groups](../deploy/windows-autopatch-groups-overview.md#supported-configurations) +- [Moving devices in between deployment rings in devices](../deploy/windows-autopatch-register-devices.md#move-devices-in-between-deployment-rings) +- [Automated deployment ring remediation functions](../deploy/windows-autopatch-device-registration-overview.md#automated-deployment-ring-remediation-functions) +- [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md index 233baa86f86..cd90f487813 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates overview -description: This article explains how Windows feature updates are managed with Autopatch groups -ms.date: 07/08/2024 +description: This article explains how Windows feature updates are managed +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -15,158 +15,129 @@ ms.collection: - tier1 --- -# Windows feature updates overview +# Windows feature update -Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization's IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -Windows feature updates consist of: +Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. These policies provide tools to allow version targeting, phased releases, and even Windows 10 to Windows 11 update options. For more information about how to configure feature update profiles, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). -- Keeping Windows devices protected against behavioral issues. -- Providing new features to boost end-user productivity. +## Multi-phase feature update -Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf. +Multi-phase feature update allows you to create customizable feature update deployments using multiple phases for your [existing Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md). These phased releases can be tailored to meet your organizational unique needs. -## Service level objective +### Release statuses -Windows Autopatch's service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you. +A release is made of one or more phases. The release status is based on the calculation and consolidation of each phase status. -## Device eligibility criteria +The release statuses are described in the following table: -Windows Autopatch's device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune's device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites). +| Release status | Definition | Options | +| ----- | ----- | ----- | +| Scheduled | Release is scheduled and not all phases created its Windows feature update policies |A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Microsoft Entra groups to the deployment ring (Last) in the Default Autopatch group.
| -| Scenario #2 | You create new [Custom Autopatch groups](../manage/windows-autopatch-manage-autopatch-groups.md#create-a-custom-autopatch-group).The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.
| +| Scheduled | The phase is scheduled but didn't reach its first deployment date yet. The Windows feature update policy wasn't created for the respective phase yet. | +| Active | The first deployment date reached. The Windows feature update policy was created for the respective phase. | +| Inactive | All Autopatch groups within the phase are reassigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. | +| Paused | Phase is paused. You must resume the phase. | +| Canceled | Phase is canceled. All Autopatch groups within the phase can be used with a new release. A phase that is canceled can't be deleted. | + +#### Phase policy configuration + +For more information about Windows feature update policies that are created for phases within a release, see [Windows feature update policies](../manage/windows-autopatch-windows-feature-update-policies.md). + +## Create a custom release + +**To create a custom release:** + +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Manage updates** section, select **Windows updates**. +1. In the **Windows updates** blade, select the **Feature updates** tab. +1. Select **Create Autopatch multi-phase release**. +1. In the **Basics** page: + 1. Enter a **Name** for the custom release. + 2. Select the **Version** to deploy. + 3. Enter a **Description** for the custom release. + 4. Select **Next**. +1. In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next. +1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments. +1. In the Release phases page, review the number of autopopulated phases. You can Edit, Delete, and Add a phase based on your needs. Once you're ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned. +1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can't guarantee that the release starts on the current day given the UTC variance across the globe. + 1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow. + 2. Additionally, the formula for the goal completion date is `[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
-:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png"::: +> [!NOTE] +> If you pause an update, the specified release has the **Paused** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. [The **Paused by Service Pause** status **only** applies to Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md#pause-and-resume-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. -### Use case #2 +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** from the left navigation menu. +1. Under the **Manage updates** section, select **Windows updates**. +1. In the **Windows updates** blade, select the **Feature updates** tab. +1. In the **Feature updates** tab, select the **horizontal ellipses (…)** > **Pause** or **Resume** to pause or resume your feature updates release. +1. Select a reason from the dropdown menu. +1. Optional. Enter details about why you're pausing or resuming the selected update. +1. If you're resuming an update, you can select one or more deployment rings. +1. Select **Pause deployment** or **Resume deployment** to save your changes. -| Scenario | Solution | -| ----- | ----- | -| You're working as the IT admin at Contoso Ltd. and your organization isn't ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.
| Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
See the following visual for a representation of default releases.
| +## Roll back a release -:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png"::: +Windows Autopatch doesn't support the rollback of Windows feature updates through its end-user experience flows. diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md new file mode 100644 index 00000000000..47810fe1945 --- /dev/null +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-policies.md @@ -0,0 +1,111 @@ +--- +title: Windows feature updates policies +description: This article describes Windows feature update policies used in Windows Autopatch +ms.date: 09/16/2024 +ms.service: windows-client +ms.subservice: autopatch +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: aaroncz +ms.reviewer: andredm7 +ms.collection: + - highpri + - tier1 +--- + +# Windows feature update policies + +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +## Windows feature updates for Windows 10 and later + +These policies control the minimum target version of Windows that a device is meant to accept. Throughout the rest of the article, these policies are referred to as DSS policies. There are four of these policies in your tenant with the following naming convention: + +**`Modern Workplace DSS Policy [ring name]`** + +### Windows feature update deployment settings + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | +| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | + +### Windows feature update policy assignments + +| Setting name | Test | First | Fast | Broad | +| ----- | ----- | ----- | ----- | ----- | +| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad | + +## Default release policy configuration + +You can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): + +| Policy name | Phase mapping | Feature update version | Rollout options | Support end date | +| ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | +| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | +| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | +| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | + +> [!NOTE] +> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). + +## Global release policy configuration + +Windows Autopatch configures the values for its global Windows feature update policy. See the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431): + +| Policy name | Feature update version | Rollout options | Support end date | +| ----- | ----- | ----- | ----- | +| Windows Autopatch - Global DSS Policy [Test] | Windows 10 22H2 | Make update available as soon as possible | October 14, 2025 | + +> [!NOTE] +> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually). + +### Difference between the default and global update policies + +> [!IMPORTANT] +> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group's deployment rings behind the scenes. + +The differences in between the global and the default Windows feature update policy values are: + +| Default Windows feature update policy | Global Windows feature update policy | +| ----- | ----- | +|Once the deferral period passes, the device downloads the update and notifies the end user that updates are ready to install.
The end user can either:
In this example, the user schedules the restart and is notified 15 minutes before the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
| +| Day 10 | Windows quality update deadline. The end user must download the update and restart their device. | :::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png"::: @@ -46,24 +48,27 @@ In the following example, the user schedules the restart and is notified 15 minu In the following example, the user: -- Ignores the notification and selects snooze. -- Further notifications are received, which the user ignores. -- The device is unable to install the updates outside of active hours. - -The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. +| Day | Description | +| --- | --- | +| Day 0 | The Windows quality update is published. | +| Day 7-9 | The deferral period expires.The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device ignores the [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
| :::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png"::: ### Quality update grace period -In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on. +In the following example, the user: -Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. +| Day | Description | +| --- | --- | +| Day 0-13 | While the user is on holiday and the device is offline:Once the two-day grace period expired, the user is forced to restart with a 15-minute warning notification.
| :::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png"::: ## Minimize user disruption due to updates Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached. - -Windows Autopatch understands the importance of not disrupting critical devices but also updating the devices quickly. If you wish to configure a specific installation time or [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart), use the [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md), and select the [**ScheduledInstall**](../operate/windows-autopatch-groups-windows-update.md#scheduled-install) option. Using this option removes the deadline enforced for a device restart. Devices with this configuration will also **not** be counted towards the [service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective). diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md index 0295bf28bf5..942d898c055 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- -title: Windows quality updates overview with Autopatch groups experience -description: This article explains how Windows quality updates are managed with Autopatch -ms.date: 05/24/2024 +title: Windows quality updates overview +description: This article explains how Windows quality updates are managed +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: conceptual @@ -17,26 +17,19 @@ ms.collection: # Windows quality updates -Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. +You can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +For more information about how to expedite quality update for Windows 10 or later in Microsoft Intune, see [Use Intune to expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates). -| Policy | Description | -| ----- | ----- | -| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. | -| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | -| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. | +## Service level objective -For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group's deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md). +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -> [!IMPORTANT] -> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). +Windows Autopatch aims to keep at least 95% of [Up to Date devices](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in the Windows updates blade and reporting. -## Service level objective +## Service level objective calculation -Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in release management and reporting. - -### Service level objective calculation +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] There are two states a device can be in when calculating the service level objective (SLO): @@ -61,135 +54,41 @@ The service level objective for each of these states is calculated as: > Targeted deployment ring refers to the deployment ring value of the device in question. If a device has a five day deferral with a two day deadline, and two day grace period, the SLO for the device would be calculated to `5 + 2 + 5 = 12`-day service level objective from the second Tuesday of the month. The five day reporting period is one established by Windows Autopatch to allow enough time for device check-in reporting and data evaluation within the service. > [!IMPORTANT] -> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager operating system deployment capabilities to perform an in-place upgrade](/mem/configmgr/osd/deploy-use/upgrade-windows-to-the-latest-version) for Windows devices that are part of the LTSC. - -## Import Update rings for Windows 10 and later - -You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings. - -Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram). - -> [!NOTE] -> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md). - -> [!NOTE] -> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md). - -### To import Update rings for Windows 10 and later +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. -**To import Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Windows Autopatch** section, select **Release management**. -4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**. -5. Select **Import Update rings for Windows 10 and later**. -6. Select the existing rings you would like to import. -7. Select **Import**. - -### Remove an imported Update ring for Windows 10 and later - -**To remove an Imported Update rings for Windows 10 and later:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** from the left navigation menu. -3. Under the **Windows Autopatch** section, select **Release management**. -4. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**. -5. Select the Update rings for Windows 10 and later you would like to remove. -6. Select the **horizontal ellipses (...)** and select **Remove**. - -### Known limitations - -The following Windows Autopatch features aren't available with imported Intune Update rings: - -- Autopatch groups and features dependent on Autopatch groups -- Moving devices in between deployment rings in devices -- Automated deployment ring remediation functions -- Policy health and remediation - -## Release management - -> [!NOTE] -> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration). +## Out of Band releases -In the Release management blade, you can: - -- Track the [Windows quality update schedule](#release-schedule). -- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases). -- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases). - -### Release schedule - -For each deployment ring, the **Release schedule** tab contains: - -- The status of the update. Releases appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which are configured on your behalf. -- The date the update is available. -- The target completion date of the update. -- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release. - -### Expedited releases - -Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it might be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch might choose to expedite at any time during the release. - -When expediting a release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly. - -| Release type | Group | Deferral | Deadline | Grace period | -| ----- | ----- | ----- | ----- | ----- | -| Expedited release | All devices | 0 | 1 | 1 | - -#### Turn off service-driven expedited quality update releases - -Windows Autopatch provides the option to turn off of service-driven expedited quality updates. - -By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune. - -**To turn off service-driven expedited quality updates:** - -1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. -2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting. - -> [!NOTE] -> Windows Autopatch doesn't allow customers to request expedited releases. - -### Out of Band releases +[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule. -For the deployment rings that have passed quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs is released as per the set deferral dates. - -**To view deployed Out of Band quality updates:** - -1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**. -2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab. +For the deployment rings that pass quality updates deferral date, the OOB release schedule is expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs are released as per the set deferral dates. -> [!NOTE] -> Announcements and OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused. - -### Pause and resume a release - -> [!CAUTION] -> You should only pause and resume [Windows quality](#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. +## Pause and resume a release The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. -If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we might decide to pause that release. +If Windows Autopatch detects a significant issue with a release, we might decide to pause that release. > [!IMPORTANT] -> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-**To pause or resume a Windows quality update:** +**To pause and resume a release:** + +> [!IMPORTANT] +> **You can only pause an Autopatch group if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have [activated Windows Autopatch features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses).**[Feature activation](../prepare/windows-autopatch-feature-activation.md) is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see [Licenses and entitlements](../prepare/windows-autopatch-prerequisites.md#licenses-and-entitlements). If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in [Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses).
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** from the left navigation menu. -1. Under the **Windows Autopatch** section, select **Release management**. -1. In the **Release management** blade, go to the **Release schedule** tab and select **Windows quality updates**. -1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu. -1. Optional. Enter the justification(s) about why you're pausing or resuming the selected update. +1. Under the **Manage updates** section, select **Windows updates**. +1. In the **Windows updates** blade, select the **Quality updates** tab. +1. Select the Autopatch group or deployment ring that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group or deployment ring you want to pause or resume. Select, **Pause, or **Resume** from the dropdown menu. +1. Optional. Enter the justification about why you're pausing or resuming the selected update. 1. Optional. Select **This pause is related to Windows Update**. When you select this checkbox, you must provide information about how the pause is related to Windows Update. 1. If you're resuming an update, you can select one or more Autopatch groups or deployment rings. 1. Select **Pause or Resume deployment**. -The three following statuses are associated with paused quality updates: +The following statuses are associated with paused quality updates: | Status | Description | | ----- | ------ | @@ -198,4 +97,6 @@ The three following statuses are associated with paused quality updates: ## Remediating Not ready and/or Not up to Date devices -To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../operate/windows-autopatch-device-alerts.md). +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../monitor/windows-autopatch-device-alerts.md). diff --git a/windows/deployment/update/deployment-service-expedited-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md similarity index 88% rename from windows/deployment/update/deployment-service-expedited-updates.md rename to windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md index 8220c332c74..77acf64924d 100644 --- a/windows/deployment/update/deployment-service-expedited-updates.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-programmatic-controls.md @@ -1,12 +1,12 @@ --- -title: Deploy expedited updates -titleSuffix: Windows Update for Business deployment service -description: Learn how to use Windows Update for Business deployment service to deploy expedited updates to devices in your organization. +title: Programmatic controls for expedited Windows quality updates +titleSuffix: Windows Autopatch +description: Use programmatic controls to deploy expedited Windows quality updates to devices in your organization. ms.service: windows-client -ms.subservice: itpro-updates -ms.topic: conceptual -ms.author: mstewart -author: mestew +ms.subservice: autopatch +ms.topic: how-to +ms.author: tiaraquan +author: tiaraquan manager: aaroncz ms.collection: - tier1 @@ -14,10 +14,10 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 04/05/2024 +ms.date: 09/24/2024 --- -# Deploy expedited updates with Windows Update for Business deployment service +# Programmatic controls for expedited Windows quality updates In this article, you will: @@ -32,7 +32,8 @@ In this article, you will: ## Prerequisites -All of the [prerequisites for the Windows Update for Business deployment service](deployment-service-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients. +All of the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md) must be met, including ensuring that the *Update Health Tools* is installed on the clients. + - The *Update Health Tools* are installed starting with [KB4023057](https://support.microsoft.com/kb/4023057). To confirm the presence of the Update Health Tools on a device, use one of the following methods: - Run a [readiness test for expedited updates](#readiness-test-for-expediting-updates) - Look for the folder **C:\Program Files\Microsoft Update Health Tools** or review *Add Remove Programs* for **Microsoft Update Health Tools**. @@ -41,21 +42,26 @@ All of the [prerequisites for the Windows Update for Business deployment service ### Permissions -[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-graph-explorer-permissions.md)] +[!INCLUDE [Windows Autopatch permissions using Graph Explorer](../includes/windows-autopatch-graph-explorer-permissions.md)] + +### Required endpoints + + +[!INCLUDE [windows-autopatch-required-graph-api-endpoints](../includes/windows-autopatch-required-graph-api-endpoints.md)] ## Open Graph Explorer -[!INCLUDE [Graph Explorer sign in](./includes/wufb-deployment-graph-explorer.md)] +[!INCLUDE [Graph Explorer sign in](../includes/windows-autopatch-graph-explorer.md)] ## Run queries to identify devices -[!INCLUDE [Graph Explorer device queries](./includes/wufb-deployment-find-device-name-graph-explorer.md)] +[!INCLUDE [Graph Explorer device queries](../includes/windows-autopatch-find-device-name-graph-explorer.md)] ## List catalog entries for expedited updates -Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security and nonsecurity quality updates that can be deployed as expedited updates by the deployment service. Using `$top=2` and ordering by `ReleaseDateTimeshows` displays the most recent updates that can be deployed as expedited. +Each update is associated with a unique [catalog entry](/graph/api/resources/windowsupdates-catalogentry). You can query the catalog to find updates that can be expedited. The `id` returned is the **Catalog ID** and is used to create a deployment. The following query lists all security and nonsecurity quality updates that can be deployed as expedited updates by Windows Autopatch. Using `$top=2` and ordering by `ReleaseDateTimeshows` displays the most recent updates that can be deployed as expedited. ```msgraph-interactive GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$filter=isof('microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry') and microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/isExpeditable eq true&$orderby=releaseDateTime desc&$top=2 @@ -98,7 +104,7 @@ The following truncated response displays a **Catalog ID** of `e317aa8a0455ca60 } ``` -The deployment service can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers. +Windows Autopatch can display more information about updates that were released on or after January 2023. Using [product revision](/graph/api/resources/windowsupdates-productrevision) gives you additional information about the updates, such as the KB numbers, and the `MajorVersion.MinorVersion.BuildNumber.UpdateBuildRevision`. Windows 10 and 11 share the same major and minor versions, but have different build numbers. Use the following to display the product revision information for the most recent quality update: @@ -106,7 +112,6 @@ Use the following to display the product revision information for the most recen GET https://graph.microsoft.com/beta/admin/windows/updates/catalog/entries?$expand=microsoft.graph.windowsUpdates.qualityUpdateCatalogEntry/productRevisions&$orderby=releaseDateTime desc&$top=1 ``` - The following truncated response displays information about KB5029244 for Windows 10, version 22H2, and KB5029263 for Windows 11, version 22H2: ```json @@ -296,7 +301,6 @@ To verify the devices were added to the audience, run the following query using To stop an expedited deployment, DELETE the deployment. Deleting the deployment will prevent the content from being offered to devices if they haven't already received it. To resume offering the content, a new approval will need to be created. - The following example deletes the deployment with a **Deployment ID** of `de910e12-3456-7890-abcd-ef1234567890`: ```msgraph-interactive @@ -305,7 +309,7 @@ DELETE https://graph.microsoft.com/beta/admin/windows/updates/deployments/de910e ## Readiness test for expediting updates -You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results. +You can verify the readiness of clients to receive expedited updates by using [isReadinessTest](/graph/api/resources/windowsupdates-expeditesettings). Create a deployment that specifies it's an expedite readiness test, then add members to the deployment audience. The service will check to see if the clients meet the prerequisites for expediting updates. The results of the test are displayed in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). Under the **Quality updates** tab, select the **Expedite status** tile, which opens a flyout with a **Readiness** tab with the readiness test results. ```msgraph-interactive POST https://graph.microsoft.com/beta/admin/windows/updates/deployments @@ -330,7 +334,7 @@ content-type: application/json } ``` -The truncated response displays that **isReadinessTest** is set to `true` and gives you a **DeploymentID** of `de910e12-3456-7890-abcd-ef1234567890`. You can then [add members to the deployment audience](#add-members-to-the-deployment-audience) to have the service check that the devices meet the preresquites then review the results in the [Windows Update for Business reports workbook](wufb-reports-workbook.md#quality-updates-tab). +The truncated response displays that **isReadinessTest** is set to `true` and gives you a **DeploymentID** of `de910e12-3456-7890-abcd-ef1234567890`. You can then [add members to the deployment audience](#add-members-to-the-deployment-audience) to have the service check that the devices meet the preresquites then review the results in the [Windows Update for Business reports workbook](/windows/deployment/update/wufb-reports-workbook#quality-updates-tab). ```json "expedite": { @@ -347,4 +351,4 @@ The truncated response displays that **isReadinessTest** is set to `true` and gi ``` -[!INCLUDE [Windows Update for Business deployment service permissions using Graph Explorer](./includes/wufb-deployment-update-health-tools-logs.md)] +[!INCLUDE [Windows Autopatch Update Health Tools](../includes/windows-autopatch-update-health-tools-logs.md)] diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md index 03072b748f0..38ee9e58cb2 100644 --- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md +++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-update-policies.md @@ -1,7 +1,7 @@ --- -title: Windows update policies -description: This article explains Windows update policies in Windows Autopatch -ms.date: 07/08/2024 +title: Windows quality update policies +description: This article explains Windows quality update policies in Windows Autopatch +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -14,70 +14,9 @@ ms.collection: - tier2 --- -# Windows update policies +# Windows quality update policies -## Deployment rings for Windows 10 and later - -The following policies contain settings that apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention: - -**Modern Workplace Update Policy [ring name] - [Windows Autopatch]** - -### Windows 10 and later update settings - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Microsoft product updates | Allow | Allow | Allow | Allow | -| Windows drivers | Allow | Allow | Allow | Allow | -| Windows quality update deferral period | 0 | 1 | 6 | 9 | -| Windows feature update deferral period | 0 | 0 | 0 | 0 | -| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No | -| Set Windows feature update uninstall period | 30 days | 30 days | 30 days | 30 days | -| Servicing channel | General availability | General availability | General availability | General availability | - -### Windows 10 and later user experience settings - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Automatic update behavior | Reset to default | Reset to default | Reset to default | Reset to default | -| Restart checks | Allow | Allow | Allow | Allow | -| Option to pause updates | Disable | Disable | Disable | Disable | -| Option to check for Windows updates | Default | Default | Default | Default | -| Change notification update level | Default | Default | Default | Default | -| Deadline for Windows feature updates | 5 | 5 | 5 | 5 | -| Deadline for Windows quality updates | 0 | 2 | 2 | 5 | -| Grace period | 0 | 2 | 2 | 2 | -| Auto restart before deadline | Yes | Yes | Yes | Yes | - -### Windows 10 and later assignments - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad | -| Excluded groups | None | None | None | None | - -## Windows feature update policies - -The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices. - -### Windows feature updates for Windows 10 and later - -These policies control the minimum target version of Windows that a device is meant to accept. Throughout the rest of the article, these policies are referred to as DSS policies. After onboarding, there will be four of these policies in your tenant with the following naming convention: - -**Modern Workplace DSS Policy [ring name]** - -#### Windows feature update deployment settings - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | -| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | - -#### Windows feature update policy assignments - -| Setting name | Test | First | Fast | Broad | -| ----- | ----- | ----- | ----- | ----- | -| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad | -| Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] ## Conflicting and unsupported policies @@ -89,8 +28,8 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de | Allowed policy | Policy CSP | Description | | ----- | ----- | ----- | -| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices won't restart.Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | -| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't restart.
Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices don't restart.
Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices don't restart.
Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | | [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.
This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | ### Group policy and other policy managers diff --git a/windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png b/windows/deployment/windows-autopatch/media/7512398-deployment-enroll-asset-graph.png similarity index 100% rename from windows/deployment/update/media/7512398-deployment-enroll-asset-graph.png rename to windows/deployment/windows-autopatch/media/7512398-deployment-enroll-asset-graph.png diff --git a/windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png b/windows/deployment/windows-autopatch/media/7512398-deployment-service-graph-modify-header.png similarity index 100% rename from windows/deployment/update/media/7512398-deployment-service-graph-modify-header.png rename to windows/deployment/windows-autopatch/media/7512398-deployment-service-graph-modify-header.png diff --git a/windows/deployment/update/media/7512398-deployment-service-overview.png b/windows/deployment/windows-autopatch/media/7512398-deployment-service-overview.png similarity index 100% rename from windows/deployment/update/media/7512398-deployment-service-overview.png rename to windows/deployment/windows-autopatch/media/7512398-deployment-service-overview.png diff --git a/windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png b/windows/deployment/windows-autopatch/media/7512398-graph-modify-permission.png similarity index 100% rename from windows/deployment/update/media/7512398-wufbds-graph-modify-permission.png rename to windows/deployment/windows-autopatch/media/7512398-graph-modify-permission.png diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png index 2098b9cd0cf..bf4ba54006e 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index d59d22d90c9..18d4f8c5427 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-licensing.svg b/windows/deployment/windows-autopatch/media/windows-autopatch-licensing.svg new file mode 100644 index 00000000000..168e2f4fad2 --- /dev/null +++ b/windows/deployment/windows-autopatch/media/windows-autopatch-licensing.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md index 4e75b89b161..aed2b1e6446 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-device-alerts.md @@ -1,7 +1,7 @@ --- title: Device alerts description: Provide notifications and information about the necessary steps to keep your devices up to date. -ms.date: 07/08/2023 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,9 +17,11 @@ ms.collection: # Device alerts +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information helps you understand: -- Microsoft and/or Windows Autopatch performs the action(s) to keep the device properly updated. +- Microsoft and/or Windows Autopatch performs the actions to keep the device properly updated. - The actions you must perform so the device can properly be updated. > [!NOTE] @@ -43,59 +45,59 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action. | Assignment | Description | | ----- | ----- | | Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. Windows Autopatch performs these actions automatically. | -| Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. | +| Customer Action | Refers to your responsibility to carry out the appropriate actions to resolve the reported alert. | ## Alert resolutions Alert resolutions are provided through the Windows Update service and provide the reason why an update didn't perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md). -| Alert message | Description | Windows Autopatch recommendation(s) | +| Alert message | Description | Windows Autopatch recommendations | | ----- | ----- | ----- | -| `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.
It's recommended to work with the end user to allow updates to execute as scheduled.
| -| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt.It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).
| -| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.Check that the MSA Service is running or able to run on device.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).
| -| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).
| -| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.
For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.
For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | -| `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).
| +| `CancelledByUser` | User canceled the update | The Windows Update service reported the update was canceled by the user.It's recommended to work with the end user to allow updates to execute as scheduled.
| +| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service indicated the update payload might be damaged or corrupt.It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).
| +| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service reported a policy conflict.For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Microsoft Entra Device ID. | The Windows Update service reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service reported that the MSA Service might be disabled preventing Global Device ID assignment.Check that the MSA Service is running or able to run on device.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service reported a device registration issue.For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).
| +| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service reported an issue with your update server. Validate that your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).
| +| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.
For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).If it doesn't start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service reported it attempted to download the payload and the connection timed out.Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.
For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). | +| `EndOfService` | The device is on a version of Windows that passed its end of service date. | Windows Update service reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).
| | `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).
| -| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service has reported the client has hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). | -| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Windows Update has reported that the update files couldn't be found, download the update again, and then retry the installation.This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service has reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service has reported the update architecture doesn't match the destination architecture, make sure the target operating system architecture matches the host operating system architecture.This is **not** typical for Windows Update based environments.
If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service has reported the servicing channel on the client isn't compatible with the targeted payload.We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).
| -| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations, ensure no other service has a lock or handle on the windows update client folders and retry the installation.This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
| -| `InstalledCancelled` | The installation was canceled. | The Windows Update service has reported the update was canceled by the user.It's recommended to work with the end user to allow updates to execute as scheduled.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer might have tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations.Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.
This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `InstallIssue` | There was an issue installing the update. | The Windows Update service has reported the update installation has failed.If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. | -| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.Restart Windows, then try the installation again.
If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).
| -| `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service has detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| -| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| -| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.No action is required.
If the update is still available, retry the installation.
| -| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| -| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).
| -| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.No action is necessary the update should retry when windows is available.
If the alert persists, ensure the device remains on during Windows installation.
| -| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.Confirm whether the device is on the intended version.
| -| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).
| -| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. | -| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.
| -| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.
| -| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service has reported it couldn't decrypt the update payload.This alert could be a network transit error and may be resolved on its own. If the alert persists, validate any network Riverbeds, Application or http proxies and retry.
| -| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service has reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).
| -| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service has reported an issue with the Update payload. This could be a transient alert.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service reported the client hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). | +| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might remove the files during cleanup. | Windows Update reported that the update files couldn't be found, download the update again, and then retry the installation.This can often occur with third-party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service reported the update architecture doesn't match the destination architecture. Make sure the target operating system architecture matches the host operating system architecture.This is **not** typical for Windows Update based environments.
If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service reported the servicing channel on the client isn't compatible with the targeted payload.We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).
| +| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might try to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service reported it couldn't access the necessary system locations. Ensure no other service has a lock or handle on the Windows Update client folders and retry the installation.This can often occur with third-party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
| +| `InstalledCancelled` | The installation was canceled. | The Windows Update service reported the update was canceled by the user.It's recommended to work with the end user to allow updates to execute as scheduled.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service reported it couldn't access the necessary system locations.Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.
This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `InstallIssue` | There was an issue installing the update. | The Windows Update service reported the update installation failed.If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.
If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might be redirected to another drive. | The Windows Update service reported that the Windows Update file location was redirected to an invalid location. Check your Windows Installation, and retry the update.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service reported that another update replaced the one you're trying to install. Check the update, and then try reinstalling it. | +| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service reported the system doesn't have sufficient system memory to perform the update.Restart Windows, then try the installation again.
If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefiles. For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).
| +| `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| +| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service reported an error during installation. Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| +| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is false, and the update probably succeeded. | The Windows Update Service reported the update you're trying to install isn't available.No action is required.
If the update is still available, retry the installation.
| +| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).
| +| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.For more information about safeguards, see [Windows 10/11 release information for the affected versions](/windows/release-health/release-information).
| +| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service reported Windows was unexpectedly restarted during the update process.No action is necessary the update should retry when windows is available.
If the alert persists, ensure the device remains on during Windows installation.
| +| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service reported that the version of Windows wasn't intended.Confirm whether the device is on the intended version.
| +| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service indicated that the service is in need of repair. Run the Startup Repair Tool on this device.For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).
| +| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. | +| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service reported key components for Windows Update are missing.Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges. Repair these components. Then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.
| +| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service reported key components for Windows Update are missing.Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges. Repair these components. Then retry the update.
For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows might be required.
| +| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service reported it couldn't decrypt the update payload.This alert could be a network transit error and might resolve on its own. If the alert persists, validate any network Riverbeds, Application, or http proxies and retry.
| +| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).
| +| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service reported an issue with the Update payload. This could be a transient alert.If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).
| ## Additional resources diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md index 960e0011c7d..735d7a14141 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-maintain-environment.md @@ -1,7 +1,7 @@ --- title: Maintain the Windows Autopatch environment description: This article details how to maintain the Windows Autopatch environment -ms.date: 09/15/2023 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,23 +17,16 @@ ms.collection: # Maintain the Windows Autopatch environment -After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps: +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section. -1. If any of the items apply to your environment, make the adjustments as described. +After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md), some management settings might need to be adjusted. If any of the following items apply to your environment, make the adjustments as described. > [!NOTE] -> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there. - -## Microsoft Intune settings - -| Setting | Description | -| ----- | ----- | -| Deployment rings for Windows 10 or later | For any deployment rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Microsoft Entra group from each policy. For more information, see [Create and assign deployment rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch creates some update ring policies. These policies have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Microsoft Entra group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Microsoft Entra group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| +> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. ## Windows Autopatch configurations -Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. +Windows Autopatch deploys, manages, and maintains all configurations related to the operation of the service, as described in [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). Don't make any changes to any of the Windows Autopatch configurations. ## Windows Autopatch tenant management @@ -50,14 +43,14 @@ The type of banner that appears depends on the severity of the action. Currently | Severity | Description | | ----- | ----- | -| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service may be marked as **inactive**.
To restore service health and return to an active status, all critical pending actions must be resolved.
| +| Critical | You must take action as soon as possible to avoid disruption to the Windows Autopatch service.If no action is taken, Windows Autopatch might not be able to manage devices in your tenant, and the Windows Autopatch service might be marked as **inactive**.
To restore service health and return to an active status, all critical pending actions must be resolved.
| ### Critical actions | Action type | Severity | Description | | ----- | ----- | ----- | -| Maintain tenant access | Critical | Required licenses have expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| -| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.Reasons for tenant access issues:
Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.
For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).
| +| Maintain tenant access | Critical | Required licenses expired. The licenses include:To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you renew the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)
| +| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.Reasons for tenant access issues:
Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.
For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).
| ### Inactive status @@ -75,5 +68,5 @@ To be taken out of the **inactive** status, you must [resolve any critical actio | Impact area | Description | | ----- | ----- | -| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).
| +| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-made-at-feature-activation.md#windows-autopatch-enterprise-applications).
| | Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md index e7228e6c3e1..d30db0518d3 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-policy-health-and-remediation.md @@ -1,7 +1,7 @@ --- -title: policy health and remediation +title: Policy health and remediation description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service -ms.date: 07/10/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,12 +17,14 @@ ms.collection: # Policy health and remediation +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service. > [!IMPORTANT] -> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). +> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). -When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch will raise alerts and detailed recommended actions to ensure healthy operation of the service. +When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service. @@ -39,13 +41,16 @@ With this feature, IT admins can: ## Check policy health -Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring may continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts. +Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring might continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts. ## Built-in roles required for remediation actions The minimum role required to restore configurations is **Intune Service Administrator**. -## Restore device configuration policy +## Restore Data collection, Office and/or Edge configuration policies + +> [!IMPORTANT] +> For these policies, Windows Autopatch doesn't store the last known policy value, Autopatch restores the base policy values. **To initiate remediation action for device configuration alerts:** @@ -56,33 +61,32 @@ The minimum role required to restore configurations is **Intune Service Administ 1. If the **Change modified policy alert** appears, select this alert to launch the workflow. 1. Select **Submit changes** to restore to service required values. -There will be an alert for each policy that is missing or has deviated from the service defined values. +There's an alert for each policy that is missing or deviated from the service defined values. -## Restore Windows Update policies +## Restore missing Windows Update policies -**To initiate remediation actions for Windows quality update policies:** +> [!IMPORTANT] +> For Quality and Feature update policies, Autopatch restores the last known value of policy. For Driver update policies, Autopatch restores the base policy. -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows quality updates** > **Status**. -1. Select **Policy Error** to launch the Policy error workflow. -1. Review the message: - 1. If this is a missing policy error, select **Restore policy** to complete the workflow. - 2. If this is a modified policy, select **Submit changes** to restore to service required values. +**To initiate remediation actions for Windows Update policies (Quality, Feature or Driver updates):** -**To initiate remediation actions for Windows feature update policies:** +> [!NOTE] +> By default, the service will auto-select all the policies. 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows feature updates** > **Status**. -1. Select **Policy Error** to launch the Policy error workflow. -1. Review the message. - 1. If this is a missing policy error, select **Restore policy** to complete the workflow. - 2. If this is a modified policy, select **Submit changes** to restore to service required values. +1. Navigate to **Tenant administration** > **Windows Autopatch** > **Autopatch groups** > **Policy health**. +1. Select **Missing policy** to launch the Restore missing policy workflow. +1. Review the message for the missing policy error. If more than once policy is present, select which policy you'd like to restore. +1. Select **Restore policies** to complete the workflow. + +> [!NOTE] +> You can also select on the associated Windows Autopatch group name for any Autopatch group that has a **Missing Policy** under the **Policy health** column. Doing so will lead you to the details page of that specific Autopatch group. Under the **Windows update settings** section, you'll see a banner that states "*There are missing update settings in this Autopatch group. Take action to resolve"*. Selecting this banner will take you to the same experience as mentioned in [Restore missing Windows Update policies](#restore-missing-windows-update-policies). ## Restore deployment groups -Windows Autopatch will automatically restore any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups. +Windows Autopatch automatically restores any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups. -If policies are misconfigured or unassigned, admins must restore them. In the Release management blade, the service will raise a Policy error workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade. +If policies are misconfigured or unassigned, admins must restore them. In the Autopatch groups blade, the service raises a missing policy workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade. Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed. @@ -96,6 +100,6 @@ You can review audit logs in Intune to review the activities completed on the te **To review audit logs in Intune:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Tenant administration** > **Audit logs**. +1. Select **Tenant administration** > **Audit logs**. The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md index 71129f797dc..c4831649561 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-reliability-report.md @@ -17,6 +17,8 @@ ms.collection: # Reliability report (public preview) +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + > [!IMPORTANT] > This feature is in **public preview**. It's being actively developed, and might not be complete. @@ -117,4 +119,4 @@ The following information is available as default columns in the Reliability rep ## Known limitations -The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data will be available to select from the menu dropdowns in September 2024. +The Reliability report supports tenant and service-level score data going back to September 2023. Data before that date isn't supported. A full 12 months of score data are available to select from the menu dropdowns in September 2024. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md index d878aa44113..6b5547677da 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-resolve-policy-conflicts.md @@ -1,7 +1,7 @@ --- title: Resolve policy conflicts description: This article describes how to resolve Windows Autopatch policy conflicts. -ms.date: 04/09/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -15,21 +15,20 @@ ms.collection: - tier1 --- -# Resolve policy conflicts (public preview) +# Resolve policy conflicts -> [!IMPORTANT] -> This feature is in **public preview**. It's being actively developed, and might not be complete. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -Windows Autopatch deploys Microsoft Intune policies to enrolled tenants, and continuously monitors the Microsoft Intune policies. Conflicts occur when there are two policies in the tenant, and they update the same setting to different values. For Windows Autopatch to successfully deliver updates to registered devices, it’s critical for the devices in the service to have the policy targeted and assigned successfully. +Windows Autopatch deploys Microsoft Intune policies to enrolled tenants, and continuously monitors the Microsoft Intune policies. Conflicts can happen when there are two policies in the tenant, and they update the same setting to different values. For Windows Autopatch to successfully deliver updates to registered devices, it's critical for the devices in the service to have the policy targeted and assigned successfully. > [!IMPORTANT] -> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). +> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at feature activation](../references/windows-autopatch-changes-made-at-feature-activation.md). -When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. It’s necessary to review the policies and their settings and manually resolve these conflicts. +When the Windows Autopatch service detects policies in the tenant that conflict with a setting in another Intune device policy, this conflict is displayed. It's necessary to review the policies and their settings and manually resolve these conflicts. With this feature, IT admins can view: -- List of all Autopatch policies that conflict with other device policies in the tenant +- A list of all Autopatch policies that conflict with other device policies in the tenant - A summary view of conflicting policies, affected devices, and open alerts - A detailed view of affected devices - Alerts that include details of conflicting policies, the settings, and the Azure AD groups they're assigned to. Admins must take necessary action so the expected policy is successfully assigned to the device @@ -38,25 +37,25 @@ With this feature, IT admins can view: Alerts are raised when devices report policy conflicts. Autopatch policies are assigned to Autopatch groups. Devices that are members of Autopatch groups are expected to receive only Windows Autopatch policies. -Once you resolve the conflict, it takes effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated. +Once you resolve the conflict, it can take effect on the device at the next Intune sync. This view is refreshed every 24 hours. It can take up to 72 hours after the conflict is resolved for the view to be updated. > [!NOTE] -> This view only includes policy conflicts between Microsoft Intune policies. This view doesn’t include policy issues caused by other configurations, for example, group policy settings, registry settings that are changed by scripts and prevent Windows Autopatch from deploying updates.When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md).
To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).
+> This view only includes policy conflicts between Microsoft Intune policies. This view doesn't include policy issues caused by other configurations, for example, group policy settings, registry settings that are changed by scripts and prevent Windows Autopatch from deploying updates.When Windows Autopatch detects Intune based policies are missing or modified, this information is displayed with detailed recommended actions, and described in [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md).
To ensure devices remain healthy and not affected by group policies, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md#details-about-the-post-device-registration-readiness-checks).
## Policy conflict view -This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-alert-details). +This view includes the list of Windows Autopatch policies ([Expected policies](#policy-conflict-view-alert-details)) that are assigned to various Windows Autopatch groups that include devices. When the Expected policy can't be successfully assigned to one or more devices, because of an equivalent setting in another Intune policy targeting the device, the conflict is detected, and reported as a [Conflicting policy](#policy-conflict-view-alert-details). -If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. +If the Expected policy conflicts with multiple Intune policies, each conflict is displayed in different lines in the Policy conflict view. -**To view all policies conflicting with the expected policies:** +**To view all policies conflicting with the Expected policies:** -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to **Devices** > **Windows Autopatch** > **Policy health**. +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Devices** > **Managed updates** > **Windows Updates** > **Monitor** > **Policy health**. 3. In the **Policy conflicts** tab, the list of expected policies and conflicting policies is displayed. 4. Select **View alert** and review the details of the **Recommended action** and alert details. -### Policy conflict alert details +### Policy conflict view alert details All alerts displayed in this flyout include the following details. You must review the details and take action to resolve the conflict. @@ -71,9 +70,9 @@ All alerts displayed in this flyout include the following details. You must revi ## Affected devices view -This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-alert-details). It’s possible for devices to have multiple conflicting policies, due to their membership in various groups. +This view includes the list of devices with policy conflicts with the [Expected policy](#policy-conflict-view-alert-details). It's possible for devices to have multiple conflicting policies, due to their membership in various groups. -You can navigate to this view from the Affected devices column link in the Policy conflicts view, or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days. +You can navigate to this view from the Affected devices column link in the [Policy conflicts view](#policy-conflict-view), or directly from Policy health blade. This page displays a filtered device list, when navigating from the Policy conflicts view. Affected devices only include devices that have a successful Intune sync status in the last 28 days. **To view the alert details and perform the recommended actions:** @@ -81,9 +80,9 @@ You can navigate to this view from the Affected devices column link in the Polic 2. Navigate to **Windows Autopatch** > **Policy health** > **Affected devices** tab. 3. Select **View alert** to see the alert details. -### Affected devices alert details +### Affected devices view alert details -In this flyout, when the device is reporting conflicts due to multiple policies, each policy is displayed as a separate section in this alert. Alerts occur when the device is a member of multiple groups, and each policy conflicts with the [Expected Windows Autopatch policy](#policy-conflict-view). +In this flyout, when the device is reporting conflicts due to multiple policies, each policy is displayed, as a separate section in this alert. This occurs when the device is a member of multiple groups, and each policy conflicts with the [Expected Windows Autopatch policy](#policy-conflict-view). ## Options diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md index 5b210062a3e..4219401d769 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md @@ -1,7 +1,7 @@ --- title: Feature update status report description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,7 +17,9 @@ ms.collection: # Feature update status report -The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. **To view the Feature update status report:** @@ -50,7 +52,7 @@ The following information is available as optional columns in the Feature update | ----- | ----- | | Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device | | Serial number | The current Intune recorded serial number for the device | -| Intune last check in time | The last time the device checked in to Intune | +| Intune last check-in time | The last time the device checked in to Intune | | Service State | The Service State provided from Windows Update | | Service Substate | The Service Substate provided from Windows Update | | Client State | The Client State provided from Windows Update | @@ -73,8 +75,8 @@ The following options are available: | Option | Description | | ----- | ----- | -| Search | Use to search by device name, Microsoft Entra device ID or serial number | +| Search | Use to search by device name, Microsoft Entra device ID, or serial number | | Sort | Select the **column headings** to sort the report data in ascending and descending order. | | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | -| Filter | Select either the **Add filters** or at the top of the report to filter the results. | +| Filter | Select **Add filters** or use the filters at the top of the report to filter the results. | | Columns | Select a column to add or remove the column from the report. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md index f630537c12c..4e65d5e28be 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows feature update summary dashboard description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. -ms.date: 01/22/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,6 +17,8 @@ ms.collection: # Windows feature update summary dashboard +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch. The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused. diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md index 39ffb54eff0..7d7c71c4aa9 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Feature update trending report description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,6 +17,8 @@ ms.collection: # Feature update trending report +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. **To view the Feature update trending report:** diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md index fadb440d952..b2b2d8bf424 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality and feature update reports overview description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch. -ms.date: 07/10/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: overview @@ -17,6 +17,8 @@ ms.collection: # Windows quality and feature update reports overview +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + ## Windows quality update reports The Windows quality reports provide you with information about: @@ -76,7 +78,7 @@ Each status has its own set of sub statuses to further describe the status. Up to date devices are devices that meet all of the following prerequisites: - [Prerequisites](../prepare/windows-autopatch-prerequisites.md) -- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) +- [Prerequisites for device registration](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration) - [Windows quality and feature update device readiness](../deploy/windows-autopatch-post-reg-readiness-checks.md) - [Post-device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) - Applied the current monthly cumulative updates @@ -89,14 +91,14 @@ Up to date devices are devices that meet all of the following prerequisites: | Sub status | Description | | ----- | ----- | | In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. | -| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release management pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). | +| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md#pause-and-resume-a-release). | ### Not up to Date devices Not Up to Date means a device isn't up to date when the: - Quality or feature update is out of date, or the device is on the previous update. -- The assigned update schedule has elapsed and the device still has not applied the current release. +- The assigned update schedule elapsed and the device still didn't apply the current release. - Device has an [alert](../operate/windows-autopatch-device-alerts.md) resulting in an error and action must be taken. ### Not Ready devices diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md index 7c1283c3295..bcd381e6d12 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md @@ -1,7 +1,7 @@ --- title: Quality update status report -description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices. -ms.date: 07/08/2024 +description: Provides a per device view of the current update status for all Windows Autopatch managed devices. +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,7 +17,9 @@ ms.collection: # Quality update status report -The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices. **To view the Quality update status report:** @@ -53,7 +55,7 @@ The following information is available as optional columns in the Quality update | ----- | ----- | | Microsoft Entra device ID | The current Microsoft Entra ID recorded device ID for the device | | Serial number | The current Intune recorded serial number for the device | -| Intune last check in time | The last time the device checked in to Intune | +| Intune last check-in time | The last time the device checked in to Intune | | Service State | The Service State provided from Windows Update | | Service Substate | The Service Substate provided from Windows Update | | Client State | The Client State provided from Windows Update | @@ -75,8 +77,8 @@ The following options are available: | Option | Description | | ----- | ----- | -| Search | Use to search by device name, Microsoft Entra device ID or serial number | +| Search | Use to search by device name, Microsoft Entra device ID, or serial number | | Sort | Select the **column headings** to sort the report data in ascending and descending order. | | Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. | -| Filter | Select either the **Add filters** or at the top of the report to filter the results. | +| Filter | Select **Add filters** or use the filters at the top of the report to filter the results. | | Columns | Select a column to add or remove the column from the report. | diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md index 4752f080ec3..c145b09b4cd 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md @@ -1,7 +1,7 @@ --- title: Windows quality update summary dashboard -description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch -ms.date: 01/22/2024 +description: Provides a summary view of the current update status for all Windows Autopatch managed devices. +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,7 +17,9 @@ ms.collection: # Windows quality update summary dashboard -The Summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices. **To view the current update status for all your enrolled devices:** diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md index df4024c72f1..6932c1db071 100644 --- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md +++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-trending-report.md @@ -1,7 +1,7 @@ --- title: Quality update trending report description: Provides a visual representation of the update status trend for all devices over the last 90 days. -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: how-to @@ -17,14 +17,16 @@ ms.collection: # Quality update trending report +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days. **To view the Quality update trending report:** -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. -1. Select the **Reports** tab. -1. Select **Quality update trending**. +1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**. +1. Select the **Reports** tab. +1. Select **Quality update trending**. > [!NOTE] > This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page. @@ -35,8 +37,8 @@ The following options are available: | Option | Description | | ----- | ----- | -| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | +| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. | | By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. | | By device count | Select **by device count** to show your trending graphs and indicators by numeric value. | -For a description of the displayed device status trends, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). +For a description of the displayed device status trends, see [Windows quality update statuses](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index caed55c6e27..9d2fd72bf2e 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md @@ -65,8 +65,8 @@ The following deployment steps can be used as a guide to help you to create your | Step | Description | | ----- | ----- | | **1A: Set up the service** |An Autopatch group is a logical container or unit that groups several [Microsoft Entra groups](/entra/fundamentals/groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
For more information about workloads supported by Autopatch groups, see [Software update workloads](../deploy/windows-autopatch-groups-overview.md#software-update-workloads).
| +| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | In addition to the [Business Premium and A3+ capabilities](#business-premium-and-a3-licenses), Windows Autopatch:[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| +| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
| +| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) | -### Required Microsoft product endpoints +#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints) -There are URLs from several Microsoft products that must be in the allowed list so that Windows Autopatch devices can communicate with those Microsoft services. Use the links to see the complete list for each product. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +In addition to the Microsoft Entra ID, Intune and Windows Update for Business endpoints listed in the Business Premium and A3+ licenses section, the following endpoints apply to Windows E3+ and F3 licenses that have [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). There are URLs from several Microsoft products that must be in the allowed list so that devices can communicate with Windows Autopatch. Use the links to see the complete list for each product. | Microsoft service | URLs required on Allowlist | | ----- | ----- | | Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)
[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)
[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)
[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)
| | Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | -| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))
| -| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | | Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | -| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) -### Delivery Optimization +--- + +### Required Windows Autopatch endpoints for proxy and firewall rules + +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] + +Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. + +You can optimize your network by sending all trusted Microsoft 365 network requests directly through your firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements. + +The following URLs must be on the allowed list of your proxy and firewall so that Windows Autopatch devices can communicate with Microsoft services. The Windows Autopatch URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network + +| Microsoft service | URLs required on allowlist | +| ----- | ----- | +| Windows Autopatch |You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Microsoft Entra role you're using doesn't have sufficient permissions to run this check. | +To start using the service, you must create an update policy owned by Windows Autopatch. The update policy can be one of the following: -## Step 3: Fix issues with your tenant +- [Update rings](../manage/windows-autopatch-update-rings.md) +- [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) +- [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) +- [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) -If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate. +Once a device or Microsoft Entra device group is associated with a Windows Autopatch policy, your tenant is now using the Autopatch service to manage updates. Devices are registered with the service following the process as described in [Register your devices](../deploy/windows-autopatch-register-devices.md). -## Step 4: Enroll your tenant +## Activate Windows Autopatch features > [!IMPORTANT] -> You must be a Global Administrator to enroll your tenant. - -Once the Readiness assessment tool provides you with a "Ready" result, you're ready to enroll! - -**To enroll your tenant:** - -Within the Readiness assessment tool, you can see the **Enroll** button. By selecting **Enroll**, you start the enrollment process of your tenant into the Windows Autopatch service. During the enrollment workflow, you see the following: - -- Consent workflow to manage your tenant. -- Provide Windows Autopatch with IT admin contacts. -- Setup of the Windows Autopatch service on your tenant. This step is where we create the policies, groups and accounts necessary to run the service. +> You must be a Global Administrator to consent to the feature activation flow. -Once these actions are complete, you've now successfully enrolled your tenant. - -> [!NOTE] -> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). - -### Delete data collected from the Readiness assessment tool - -You can choose to delete the data we collect directly within the Readiness assessment tool. - -Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Microsoft Entra organization (tenant). After 12 months, we retain the data in a deidentified form. - -> [!NOTE] -> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. - -**To delete the data we collect:** - -1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Navigate to Windows Autopatch > **Tenant enrollment**. -3. Select **Delete all data**. +If your tenant meets the licensing entitlement for Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you can activate Windows Autopatch features by either: -## Next steps +| Method | Description | +| --- | --- | +| Banner method | **Select the banner** and follow the consent prompt on the side page that appears. | +| Intune admin center | Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). In the left pane, select **Tenant Administration** > **Windows Autopatch** > **Activate features**. | -1. Maintain your [Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md). -1. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md). +When you activate Windows Autopatch features, Windows Autopatch creates deployment rings. For more information about deployment rings, see [Windows Autopatch deployment rings](../deploy/windows-autopatch-device-registration-overview.md#windows-autopatch-deployment-rings). diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md deleted file mode 100644 index 27125d29bd2..00000000000 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ /dev/null @@ -1,71 +0,0 @@ ---- -title: Fix issues found by the Readiness assessment tool -description: This article details how to fix issues found by the Readiness assessment tool. -ms.date: 07/08/2024 -ms.service: windows-client -ms.subservice: autopatch -ms.topic: how-to -ms.localizationpriority: medium -author: tiaraquan -ms.author: tiaraquan -manager: aaroncz -ms.reviewer: hathind -ms.collection: - - highpri - - tier1 ---- - -# Fix issues found by the Readiness assessment tool - -Seeing issues with your tenant? This article details how to remediate issues found with your tenant. - -> [!NOTE] -> If you need more assistance with tenant enrollment, you can [submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md). - -## Check results - -For each check, the tool reports one of four possible results: - -| Result | Meaning | -| ----- | ----- | -| Ready | No action is required before completing enrollment. | -| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
You can complete enrollment, but you must fix these issues before you deploy your first device. | -| Not ready | You must fix these issues before enrollment. You can't enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | -| Error | The Microsoft Entra role you're using doesn't have sufficient permission to run this check or your tenant isn't properly licensed for Microsoft Intune. | - -> [!NOTE] -> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Microsoft Entra ID, or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. - -## Microsoft Intune settings - -You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -### Update rings for Windows 10 or later - -Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices. - -| Result | Meaning | -| ----- | ----- | -| Advisory | You have an "update ring" policy that targets all devices, all users, or both. Windows Autopatch creates our own update ring policies during enrollment. To avoid conflicts with Windows Autopatch devices, we exclude our devices group from your existing update ring policies that target all devices, all users, or both. You must consent to this change when you go to enroll your tenant.
| - - - -## Microsoft Entra settings - -You can access Microsoft Entra settings in the [Azure portal](https://portal.azure.com/). - -### Co-management - -Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. - -| Result | Meaning | -| ----- | ----- | -| Advisory | To successfully enroll devices that are co-managed into Windows Autopatch, it's necessary that the following co-managed workloads are set to **Intune**:If co-management doesn't apply to your tenant, this check can be safely disregarded, and it won't block device deployment.
| - -### Licenses - -Windows Autopatch requires the following licenses: - -| Result | Meaning | -| ----- | ----- | -| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index ad60e63ad0a..74379f93b02 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 01/11/2024 +ms.date: 09/27/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -17,19 +17,76 @@ ms.collection: # Prerequisites -Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch. +## Licenses and entitlements -| Area | Prerequisite details | -| ----- | ----- | -| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | -| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
-| Microsoft Entra ID | Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| -| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md). | +> [!IMPORTANT] +> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). + +### [Business Premium and A3+](#tab/business-premium-a3-entitlements) + +Business Premium and A3+ licenses include: + +- Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) + +[!INCLUDE [windows-autopatch-business-premium-a3-licenses](../includes/windows-autopatch-business-premium-a3-licenses.md)] + +### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-entitlements) + +The following licenses provide access to the Windows Autopatch features [included in Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses) and its [additional features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses) after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md): + +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Enterprise E3 or E5 VDA + +For more information about specific service plans, see [Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses]. + +--- + +### Feature entitlement + +For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Features are accessed through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +| Symbol | Meaning | +| --- | --- | +| :heavy_check_mark: | All features available | +| :large_orange_diamond: | Most features available | +| :x: | Feature not available | + +#### Windows 10 and later update policy management + +| Feature | Business Premium | A3+ | E3+ | F3 | +| --- | --- | --- | --- | --- | +| Releases | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Update rings | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Quality updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Feature updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:| +| Driver and firmware updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:| + +#### Tenant management + +| Feature | Business Premium | A3+ | E3+ | F3 | +| --- | --- | --- | --- | --- | +| Autopatch groups | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| New feature and change management communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Release schedule and status communications | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Support requests | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Policy health | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| + +#### Reporting + +| Feature | Business Premium | A3+ | E3+ | F3 | +| --- | --- | --- | --- | --- | +| Intune Reports | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| +| Quality updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Feature updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| +| Device readiness | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:| ## More about licenses -Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: +### Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses + +> [!IMPORTANT] +> Only Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses have access to all Windows Autopatch features after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). | License | ID | GUID number | | ----- | ----- | ------| @@ -58,26 +115,74 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 | | Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 | -The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch: +## General infrastructure requirements + +[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)] -- Windows 10 (1809+)/11 Pro -- Windows 10 (1809+)/11 Enterprise -- Windows 10 (1809+)/11 Pro for Workstations +| Area | Prerequisite details | +| --- | --- | +| Licensing terms and conditions for products and services | For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | +| Microsoft Entra ID and Intune | Microsoft Entra ID P1 or P2 and Microsoft Intune are required.Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.
At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](../deploy/windows-autopatch-register-devices.md) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| +| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](/windows/deployment/update/deployment-service-drivers), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.When you use [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:
For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).
| + +## Windows editions, build version, and architecture > [!IMPORTANT] -> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](../operate/windows-autopatch-windows-feature-update-overview.md), once registered, devices are automatically offered with the [minimum windows OS version](../operate/windows-autopatch-windows-feature-update-overview.md). The devices must be on a [minimum Windows OS currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to keep receiving monthly security updates that are critical to security and the health Windows. +> The following Windows editions, build version, and architecture **applies if you have**:If you’re using **Pilot Intune**, in the **Staging** tab, the device must be in the collections that correspond to the three workloads that Windows Autopatch requires.
**You or your Configuration Manager administrator are responsible for adding your Autopatch devices to these collections. Windows Autopatch doesn’t change or add to these collections.**
For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths).
| +| Create a Custom client setting |Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates).
+ - Windows Autopatch - Office Configuration - Windows Autopatch - Office Update Configuration [Test] - Windows Autopatch - Office Update Configuration [First] @@ -102,21 +78,34 @@ The following groups target Windows Autopatch configurations to devices and mana | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Office Configuration | Sets Office Update Channel to the Monthly Enterprise servicing branch.Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
Assigned to:
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
+ - Windows Autopatch - Edge Update Channel Stable - Windows Autopatch - Edge Update Channel Beta | Policy name | Policy description | Properties | Value | | ----- | ----- | ----- | ----- | -| Windows Autopatch - Edge Update Channel Stable | Deploys updates via the Edge Stable ChannelAssigned to:
Assigned to:
Assigned to:
Assigned to:
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
+ +- Windows Autopatch - Driver Update Policy [Test] +- Windows Autopatch - Driver Update Policy [First] +- Windows Autopatch - Driver Update Policy [Fast] +- Windows Autopatch - Driver Update Policy [Broad] ## PowerShell scripts diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md index 1b9f1d56479..a570c117ed9 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md @@ -1,7 +1,7 @@ --- title: Conflicting configurations description: This article explains how to remediate conflicting configurations affecting the Windows Autopatch service. -ms.date: 07/08/2024 +ms.date: 09/16/2024 ms.service: windows-client ms.subservice: autopatch ms.topic: concept-article @@ -15,12 +15,11 @@ ms.collection: - tier1 --- -# Conflicting configurations (public preview) +# Conflicting configurations -> [!IMPORTANT] -> This feature is in **public preview**. The feature is being actively developed and might not be complete. +[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)] -During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state. +During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issues. You can review any device marked as **Not ready** and remediate them to a **Ready** state. Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates. @@ -28,7 +27,6 @@ The most common sources of conflicting configurations include: - Active Directory Group Policy (GPO) - Configuration Manager Device client settings -- Windows Update for Business (WUfB) policies - Manual registry updates - Local Group Policy settings applied during imaging (LGPO) @@ -42,7 +40,7 @@ Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate ## Resolving conflicts -Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients. +Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed devices. > [!IMPORTANT] > **It's recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren't managed by Windows Autopatch, be sure to target accordingly. @@ -93,7 +91,7 @@ Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpda ### Batch file -Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. +Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting: Management services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN). ```cmd @echo off @@ -120,7 +118,7 @@ Windows Registry Editor Version 5.00 ## Common sources of conflicting configurations -The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn't an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly. +The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn't an exhaustive, and Admins should plan for changes can affect devices not managed by Windows Autopatch. ### Group Policy management @@ -130,7 +128,7 @@ Group Policy management is the most popular client configuration tool in most or 1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update** 1. If a Policy **doesn't exist** in Windows Update, then it appears to not be Group Policy. 1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert. -1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager. +1. If the **Policy name** is labeled **Local Group Policy**, these settings are applied during imaging or by Configuration Manager. ### Configuration Manager @@ -142,4 +140,4 @@ Configuration Manager is a common enterprise management tool that, among many th ## Third-party solutions -Third-party solutions can include any other product that may write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers. +Third-party solutions can include any other product that might write configurations for the devices in question, such as MDMs (Mobile Device Managers) or Policy Managers. diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md index 41e1b7cfd28..5492f63c147 100644 --- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md +++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md @@ -212,11 +212,11 @@ Minor corrections such as typos, style, or formatting issues aren't listed. | [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Added [Allow or block Microsoft 365 App updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) section | | [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md) | | [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md) | -| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) | +| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-device-registration-overview.md#prerequisites-for-device-registration) | | [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) | | [Privacy](../overview/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section | | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] | -| [Register your devices](../deploy/windows-autopatch-register-devices.md) |Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following:
Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft to quickly identify and address issues affecting its customers.
Diagnostic data is categorized into the following: