Windows Autopatch Decoded | Azure AD Groups - Configuration Policies created and managed by Service

Captions
Hi there, this is Anu. Today we are going to talk about Windows Autopatch: what Windows Autopatch does, how that service can help Intune admins and organizations reduce the manual effort of creating phase-wise patch deployments and segregating devices into different groups, etc., what the advantages of using Windows Autopatch are, what the processes behind Windows Autopatch are, and where the segregation lies between the Intune admin's or organization's responsibility versus Microsoft's responsibility in the Autopatch scenario. What are the customization options available for Autopatch? What will happen if you edit or change some of the policies of Autopatch? There is a set of policies which are created in your Intune tenant while onboarding to Windows Autopatch, so what will happen if you edit that policy and change something? We are going to cover all these things in the presentation and the demo, so don't skip it. Let's go ahead and watch it.

Let's quickly look into the Windows Autopatch presentation and then we will go to the demo. We'll see on a very high level what Autopatch is, how to onboard to Autopatch, what the new updates to the Autopatch service are, and what customization options you have as an admin if you are managing the devices with the Autopatch service from Microsoft.

What is Autopatch? Autopatch is a cloud service that automates Windows operating system, Microsoft 365 Apps for enterprise (such as Outlook, Word, Excel, PowerPoint), Microsoft Edge browser and Microsoft Teams updates to improve security and productivity across your organization. So this is a very high-level definition of Windows Autopatch. What does this mean? This means that Microsoft introduced a service called Windows Autopatch; it is a cloud service, and it will handle a lot of things, from monthly patching to feature updates, etc. So you are handing over some of the responsibilities to Microsoft from a patching perspective, but there are some responsibilities that you need to handle as an IT admin, and some of the other responsibilities are managed by Microsoft. So Autopatch performs the readiness check of a device for patching; it will intelligently calculate the deployment ring and the distribution of deployment rings, the assignment of devices to a particular deployment group, assigning devices to the respective Azure Active Directory groups required for management, and then creating the policies in the Intune tenant and automatically adding the assignments etc. to those policies. All these things are handled by Microsoft.

Let's check what the IT admin's job or responsibility is here. The IT admin needs to identify and add devices to the Windows Autopatch service as an onboarding process, so the onboarding process is semi-automated; we will see more details in the coming slides on how to onboard a device to Windows Autopatch and how to make it fully automated for the Windows 365 Cloud PC scenario, etc. Then monitoring the device registration success and update deployment are responsibilities of the IT admin: monitoring the reports, monitoring the registration and checking whether there are any deployment issues, etc. is the IT admin's responsibility, and if you have any device-level issues, that should be managed by the IT admin. So this is the high-level overview of Windows Autopatch.

Let's quickly look into the prerequisites of Windows Autopatch. Licensing is pretty straightforward: you just need to have a Windows 10/11 Enterprise E3 or higher license, and then there are some prerequisites like the user identity should be there in Azure Active Directory and the device should be managed by Microsoft Intune, and it should have all the respective licenses for these functionalities, such as the Azure Active Directory Premium P1 license, the Microsoft Intune license or maybe Intune Suite, etc. So these are additional licenses required, because that is the prerequisite, but the Windows Autopatch service is part of this license, Windows 10/11 Enterprise E3 or higher. There are additional connectivity requirements for this service: if you want to manage patching of your devices with the Windows Autopatch service, then you need to have additional connectivity to some additional endpoints. I already talked about the Azure AD user requirements, Intune device management, etc. Once you have the appropriate license, you would be able to see the Autopatch node appear in Tenant admin, so from here you would be able to start the onboarding process to Autopatch for your tenant. We'll see that in the coming slides.

Let's quickly look into the Autopatch workflow. There are two things here: one is the IT admin responsibility and the second one is automated by the service, that is nothing but different services; it includes the Autopatch service as well as Intune and other related services. The IT admin needs to identify the devices which he or she wants to onboard into the Autopatch service for patch management scenarios, and then the next step is to add those devices into an Azure Active Directory group which is automatically created as part of the onboarding process. The next step is to add those identified devices to the Azure Active Directory group which is automatically created by the service, the Windows Autopatch service, or you can use a dynamic group as a nested group inside that Autopatch group; we'll see more details about this in the coming slides. Then once the device is added to the group, the Windows Autopatch service flow will get started: discover Azure AD device IDs from the Windows Autopatch Device Registration Azure AD assigned group every hour (it will check this group every hour), discover additional Azure AD device attributes and save the attributes to its memory, and call the device prerequisite check function. The device prerequisite check function is going to go ahead and check with Intune services whether the Intune device records are available, attributes are available or not, etc. Based on that condition, whether the device is managed by Intune or not, it will pass the check and pass the device to the Autopatch deployment ring assignment calculation, an automated service, and then after the calculation it will assign the device to a deployment ring. We'll see what a deployment ring is etc. in the coming slides and in the demo. Once the deployment ring is calculated, the device will get added to additional Azure Active Directory groups for that particular deployment ring, and then the service will add the device into the managed devices database. This means probably Autopatch has a different managed device database, and the device will get added to that particular database. Then the device gets flagged as active in the Ready tab (you'll see that in the demo), and then it will pass it back to the IT admin to check the device registration status, either it's ready or not registered. If it is not ready or some previous checks failed, etc., then the IT admin needs to take care of that action. So this is the high-level workflow of Windows Autopatch.

What will happen in a Windows 365 scenario? There's a provisioning policy which I discussed in a previous video; I will link that video here. If you click on the 'i' button in YouTube you would be able to see that video. In the Windows 365 provisioning policy (a provisioning policy is nothing but the Windows 365 Cloud PC creation policy), as part of Cloud PC creation you can add a step and ask the Windows 365 provisioning service to get in touch with the Autopatch service API to add the Windows 365 Cloud PC devices into the Windows Autopatch discovery service. That will make sure these two steps are automated in the Windows 365 Cloud PC scenario, so you don't need to do this for the Cloud PC scenario because the Windows 365 service will automatically get in touch with the device registration service of Autopatch and do the initial process of discovery.

In this slide we'll see the one-time activity that you need to do for your Intune tenant: tenant enrollment for Windows Autopatch. You will see a button here when you go to Tenant admin; you will see the Autopatch node here if you have appropriate licenses. If you click on that node you will get this screen and it will check the readiness status etc. for your tenant, and there would be a button called Enroll. Click on this button to get started with the enrollment process of Windows Autopatch for your tenant, and then you need to agree with the Microsoft terms and conditions etc., and you need to provide some permissions to the Autopatch service so that it can create Azure Active Directory groups, policies, etc. within your tenant. At the end you would be able to see 'Windows Autopatch setup is complete. Select continue to start registering the devices', so the registration of devices, onboarding of devices to the Autopatch service, is the next step after completion of this one.

Before going into registration of devices, let's quickly check the policies which are automatically created by the Autopatch service; we will see the groups also in the coming slides and in the demo. These are some of the sample policies created by the Windows Autopatch service, and these policies are end-to-end managed by the Windows Autopatch service, so these are read-only policies. Even if you try to edit the policy, you won't be able to save it, and even if you are able to save it, it will get undone very soon. We will see more details in the demo about this. These are the policies created under Update rings for Windows 10 and later. So this is the automation we are talking about, from policy creation to Azure Active Directory group creation and management of policies and Azure Active Directory groups for patching scenarios. This is not only for Windows operating system quality updates or feature updates; this is for the Edge browser, Microsoft Teams and all the other Microsoft 365 or Office applications such as Outlook, etc.

In this slide we will talk about device registration. What is the process for device registration? This is the process where you can start registering the devices to the Windows Autopatch service. Before that you need to identify the devices, then add those devices into a particular group called Windows Autopatch Device Registration. This is an Azure Active Directory static group; that is where you need to add the devices so that they can get registered with the Windows Autopatch service, and the discover devices check will run every hour, or if you want you can manually initiate Discover devices using this button. This is the Azure Active Directory group which we are talking about, and you can add members (device records can be added to this group), or you can use a dynamic Azure Active Directory group and automate this process; for example, if you have a Windows Autopilot group then you can add that dynamic group to this group using the nesting option. We'll see more details about Discover devices etc. in the demo as well. This is what we have discussed in the previous slide: you can manually discover the devices if you want; you don't need to wait for an hour to get the registered devices and all the other details. So this is the manual option to start the discovery process immediately. This is what we have talked about, Windows 365 Cloud PC, in the previous video; if you click on the 'i' button in YouTube you would be able to see that video. These are the differences between Windows 365 and physical devices: for the physical devices you need to add devices into a particular Azure Active Directory group as we discussed previously. This is one example for manual addition; again, this is explained in detail in the previous video, and if you click on the 'i' button you would be able to see that video.

These are the deployment rings which are available for Autopatch, and you can let the Autopatch service decide which ring a particular device should be part of. Test is basically for testing purposes only; it is not for the production devices. The First ring is for early adopters, and the Fast ring is basically for assessing quality issues prior to broad deployment. Broad deployment is basically for business-critical devices or VIP devices, etc. You can go to Device actions and assign a particular device to a different deployment ring group if you want; normally it takes some time after changing this, it will take a few minutes to reflect that here on the screen. If you want to remove a particular device from Windows Autopatch, you can do that using the Deregister device option.

These are the customization options for Windows Update Autopatch settings. As we discussed, you cannot change the policies which are managed by Windows Autopatch, so Windows Autopatch is giving admins additional options to customize the deadline, scheduled install and deferral period options, and you also get a notification customization option for each of these deployment rings. We'll see that in detail in the coming demo. Deadline plus deferral days for a deployment ring should be less than or equal to 14 days, and the permitted customization range is 0 to 7 days.

Now let's go to the demo and check how this is going to work. I have logged into the Intune admin center. Earlier, Windows Autopatch used to be somewhere here; now you need to scroll down a bit to reach Windows Autopatch. If you click on Devices under Windows Autopatch you would be able to see the managed devices etc. Before getting into this detail, let's go to Tenant administration and check out the Windows Autopatch options. From this place you need to enroll your Intune tenant into Windows Autopatch, as we discussed in the presentation. At the moment this is all good for me for the tenant because we have already enrolled; everything is okay. Let's quickly check the other options available under Tenant admin > Autopatch. You can see there's no support request raised for the moment, but you can raise it if you have any issue, and you can see the admin contacts here; this is basically unique to the Windows Autopatch service, and you can set up some of the admin contacts: a team's name or a particular person's name and their email ID, then the phone number, area of focus, all these options are there for admin contacts. Then there is an option called Messages, where you will get all the messages related to Windows Autopatch monthly updates, release management options, etc., and even the Service Health dashboard is there. In the messages you would be able to see feature update planning reminders, Autopatch advisories, all these things. Interestingly, there is a Translate option also, and you can check the Service Health dashboard to confirm whether there is any issue with Autopatch or not; you can check whether there was any issue in the past or not. If you click on this link, this will take you to the Microsoft 365 admin center portal to check the details of past incidents.

Now let's check the groups which are associated with the Windows Autopatch service. All these groups are created by the Windows Autopatch service, so if I search with the 'Windows Autopatch' keyword in the search box here, you would be able to see several groups. This is the registration group: all the devices which you want to onboard should be part of this particular group, Windows Autopatch Device Registration, an Azure Active Directory group, and this is a static group. If I go and open this group you can see this is a static group, and if I go here you would be able to see two objects inside this: one is the device and the other one is a dynamic group which I added so that the devices will automatically get registered. You can add Windows Autopilot groups if you want for the physical devices, so that all the Autopilot-registered devices will get added to the Windows Autopatch service as well. There are some other groups also: Windows Autopatch Test group, Windows Autopatch Last group; these are all deployment rings: Test, Last, Ring 2, Ring 3, Ring 1. All these are automatically created by the Windows Autopatch service, and these are the assignment groups for policies: Modern Workplace Devices - Windows Autopatch. If I click on this you can see all the details; if I go to Properties of this group you would be able to see 'first production ring for early adopters', that is the purpose of this group, and if I go to Members you would be able to see some members. In this particular tenant I don't have any in the First group, actually; some of the devices are part of the Test group, as you can see here. So this is the Test group, the first deployment ring option as we have seen in the slides.

Let's go back to the Devices node. Here you would be able to see the status of the device, which means it is active and registered successfully etc. So this is the Ready tab, and if there is any device which is not ready, then those devices will be part of this particular tab. At the moment I don't have any Not ready devices, and if I click on Not registered devices you would be able to see the devices which are not registered: prerequisite failed. All of them show prerequisite failed. If I click on one of the devices you would be able to see more details on why it failed: not registered, it is not managed by Intune, that is why it is not registered. If I look at this device in the Devices node under Windows, let's check whether this particular device is there or not. See, this device is not there in Intune at all, but it shows in Windows Autopatch Not registered devices. Why is this coming? Because I have added a Cloud PC dynamic group there, as you might have noticed in the Azure AD group members. So for all the devices it is almost the same: prerequisite failed, and this information is very useful, right? So that you will come to know where exactly the problem is.

Let's go to Ready devices and check what the other options are. You can see here under Device actions there are two options. Select one of the devices from here and then go to Device actions and Assign device group; this basically means changing the deployment rings. Now it is Broad; you can change it if you want from here: select a group, and you can select Fast, and then you would be able to change the group to Fast and click on the Save button to complete this change. That is one of the options that Windows Autopatch provides for admins. One PC is in the Test deployment ring, the other PC is in the Broad deployment ring. There's another option here to deregister the device; for example, if you want to remove a particular device from the Windows Autopatch service you can go here and click on Deregister device. Deregistering the selected device is permanent and will remove the device from being managed by Windows Autopatch; this action won't remove the device record from Intune or Azure Active Directory. So again it proves that Windows Autopatch has a different database, and it says the Windows Autopatch device record will get removed from its database. This is the button to deregister the device; if you click on this button, that particular device will get deregistered. So those are the main options here, and the important option which we have seen in the slide is Discover devices. Normally the discovery will happen every hour, as you can see here; if you want to immediately discover the devices you can use this button. Click on this button and it says 'Scan Windows Autopatch Device Registration group to register devices for recently added members'. Click on the OK button to start the discovery process; the sync is in progress now and it will take some time to complete the sync. So these are the main scenarios under the Devices node of Autopatch.

Now let's look into Release management: what are the customization options and what are the other options available under Release management? The Release management node shows details such as Windows quality updates and Windows feature updates: view and customize the quality update deployment schedule, view and customize the Windows feature update deployment phases and schedule. There are two other tabs also: Release announcements and Release settings. If I click on this one, Quality updates, you can see the deployment rings here: Test, First, Fast, Broad. With this option, if you want to pause some deployments because you see some issues, you can do that from here. For example, if you find an issue with the Fast ring and you want to stop broad deployment until the Fast ring issue is resolved, then you can click on the Pause button here. Click on the Pause button and here you need to provide the reason why you are pausing it and an additional description of why you are doing this. A pause can take up to 8 hours; that is important, the pause of a deployment ring can take up to eight hours. Up to eight hours doesn't mean it is going to take eight hours for sure; it will happen before eight hours as well. I have seen it happen very quickly, and once paused you can resume also. Now you can see all the statuses are active, but if I want I can pause it, and I can select 'update problem' from the drop-down, or I can say 'business reason delay', and then I can click the OK button to pause it. So it says 'in progress': quality update pause is in progress. Let's refresh and check what is happening: customer pause. So it paused all the deployment rings until the issue is solved; from here it is not an individual ring pause option, so the pause option is for all the deployment rings. Now I can click on Resume and select 'business issue resolved' in the reason, and description is not mandatory, and then I can say okay, I want to resume for all the deployment rings or for a particular deployment ring. I can select Test, I can select First, in this order only I can select. I want to resume the deployment ring for Test; I can do that by clicking on the OK button. Now the Test ring pause is removed; let's click refresh and see. This is active now for the Test ring, but for the others it is customer pause. Now I can again resume and say I want to resume this for the First ring also; okay, click on that, now it will get active. You don't need to refresh it, it will automatically get active. So this can be done for all the deployment rings individually, that is really good: pause is for all the rings, but resume is for individual rings. You can do it for individual rings, and the same for feature updates also, pause and resume. That was about the release schedule options.

Now let's look at the Release announcements options: what are the latest release announcements, what are the latest releases that happened. This is all talking about the last patch update, the Patch Tuesday update for quality updates; if I click on this, that will open up the support article for this particular patch. So that is all about release announcements. Release settings is another important customization option. If I go here under Release settings you would be able to see the expedited quality updates option; it is allowed already, and you can enable or disable it by clicking on this button. Windows 365 app updates is also enabled here, and this is the customization option which we talked about in the slide: if you want to customize the cadence of Windows Update you can do that using this button, even though I have seen that probably it is not always recommended to change these settings, because this is the best recommended approach by Microsoft: deadline, grace period, deferral period, cadence type, etc. There are different cadence types also. If you click on this button, the three dots here, you would be able to see the Manage deployment cadence option; let's click on that and you can see different options here: the deadline-driven option, and if I hover here you would be able to see 'updates become available to devices during a specified time range', and there's a scheduled install option. Scheduled install is another option where updates are only installed during a specified time window, best for business-critical devices; this is for business-critical devices. So you can see the deferral period option here and then the restart options; automatic update frequency options are available here: fourth week of the month, third week of the month, etc., and schedule install day, which day you want to install, every day or any other weekday or weekend, etc. So this is useful. Schedule install time: it says it may take up to 90 minutes before the update begins, so you need to plan accordingly. What are the timings available here? All the timings are available here, eight o'clock, and if I want to change it to 8:30 it is not possible, but at the moment it is eight o'clock, nine o'clock, something like that. So these are the customization options for cadence. The other option is Manage notifications: you can manage the notifications if you want. These are the options at the moment: use default Windows Update notifications, turn off all notifications excluding restart warnings, turn off all notifications including restart warnings. These are the notification customization options you have as part of the Windows Autopatch service, and you can see different options for different grace periods and different deadlines for different rings here: the Broad deployment ring has a deadline of five days and a grace period of up to two days, and the deferral period is nine days. So this is for the broad deployment. Then if you have changed something you can review: click on Review and apply, and that will give you more details. If you click on View details here you would be able to see the details of the configuration; this is kind of for review purposes: Windows Autopatch, Windows Update notification, cadence type, deferral period, deadline, grace period, etc. Now click on the Apply button if you have changed something; that will save your work. So that is the customization option available here for the deadline and all the other configurations and for the notifications also.

Now let's go to one of the devices and check what is happening over there. Let's take one of the devices which is managed by Windows Autopatch for the patching scenario, for the patching workload. Click on that device and check what policies are assigned to it under Device configuration; this will give you more details about the policies which are deployed to these Autopatch devices and which of these are Autopatch-related policies, etc. If you look at some of these policies from Device configuration, you can see many policies related to Autopatch are deployed to this device: Edge update is there, the 'MDM wins over GPO' policy, that is another interesting policy which is set by Windows Autopatch, and Office configuration policies are there. Interestingly, I can see some of the Office updates are getting a conflict; let's understand what it is. Click on that and check why it is getting a conflict: the deadline policy is getting a conflict, this is a conflict between two Autopatch policies. Okay, that's interesting; maybe you need to raise a ticket with Microsoft and resolve this issue or understand this issue, or first of all you need to understand why both Office configurations are assigned to this particular device and start the troubleshooting from there. So these are the browser policies, these are Office policies, and there are some expedite policies which I am going to quickly look into: what is the configuration here? The expedited policy, you can see four conflicts for this particular policy, and this is assigned to all the groups. This is the policy where you can expedite Office updates: 'Delay downloading and installing updates for Office' is enabled, there's no delay, 0; 'Update deadline' is enabled and the deadline is also zero. You can edit and change it if you want, as I mentioned, but the Autopatch service will undo these changes; it might take some time, but it will undo the changes, so it is not recommended to make any changes on these automatically created Autopatch policies. So these are some of the configuration profiles.

Now let's quickly go into Update rings and check what policies are created by Autopatch here: Modern Workplace Update Policy; these are the policies created by Autopatch. Let's click on this and check what is happening here; you can see other policies also, for example here. So this is another place you can look and take a look at the deployment policies etc. which are created by the Autopatch service. Let's quickly look into the Windows Autopatch reports. On the Reports node here you can see a Windows Autopatch section; under that you would be able to see Windows quality update.

Now that you have seen the entire video, you've got a better idea about Windows Autopatch. Now you know you cannot edit Windows Autopatch policies; they are read-only policies, and the changes will get undone. You know about the Azure AD group management of Autopatch, how many groups there are in Azure Active Directory related to Windows Autopatch, and that most of those groups are managed by the Microsoft Autopatch service itself. We also saw the customization options in the Autopatch scenario: for each of the phases we can change the notification settings and deployment deadline settings etc. using the customization option. We have also seen how to expedite Office updates and Windows updates with some particular policy settings; this can be used even if you are not using Windows Autopatch. Hope this was helpful. Thank you all for watching, see you around.
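The video shows that a device sitting in the Windows Autopatch Device Registration group lands in Not registered with "prerequisite failed" when Intune has no record of it (the Cloud PC dynamic group case in the demo). The following PowerShell script is an added example, not code from the video or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list the transitive device members of that registration group (so devices that arrive through a nested dynamic group are included) and flags the ones with no matching Intune managed-device record, which the video explains is the reason for the prerequisite failure. The group display name is the one shown in the video; the function name, the read-only Graph scopes and the output shape are my own choices, and the script only reads data.

```powershell
# Added example: audit Windows Autopatch Device Registration group members against
# Intune managed-device records. Requires the Microsoft.Graph PowerShell SDK.
# Assumption: the registration group keeps the default display name seen in the video.

function Get-AutopatchRegistrationReadiness {
    [CmdletBinding()]
    param(
        [string]$GroupDisplayName = 'Windows Autopatch Device Registration'
    )

    # Read-only scopes: we only inspect group membership, device objects and Intune records.
    Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All' -NoWelcome

    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'"
    if (-not $group) {
        throw "Group '$GroupDisplayName' not found. Has the tenant been enrolled in Windows Autopatch?"
    }

    # Transitive membership resolves nested dynamic groups (Autopilot or Cloud PC groups
    # added inside the static registration group), which is what Autopatch discovery sees.
    $members = Get-MgGroupTransitiveMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.device' }

    # Build a lookup of the Azure AD device IDs that Intune currently manages.
    $intuneDevices = @{}
    Get-MgDeviceManagementManagedDevice -All -Property 'azureADDeviceId', 'deviceName' |
        ForEach-Object {
            if ($_.AzureAdDeviceId) { $intuneDevices[$_.AzureAdDeviceId] = $_.DeviceName }
        }

    foreach ($m in $members) {
        # 'deviceId' is the Azure AD device ID that Intune stores as azureADDeviceId;
        # it is not the directory object ID.
        $aadDeviceId = [string]$m.AdditionalProperties['deviceId']
        $managed = $intuneDevices.ContainsKey($aadDeviceId)

        [pscustomobject]@{
            DisplayName     = $m.AdditionalProperties['displayName']
            AzureAdDeviceId = $aadDeviceId
            ManagedByIntune = $managed
            # Mirrors the portal: a device Intune does not manage fails the prerequisite check.
            ExpectedOutcome = if ($managed) { 'Eligible for registration' }
                              else { 'Prerequisite failed: not managed by Intune' }
        }
    }
}

# Usage: show only the devices that will fail the Autopatch prerequisite check.
Get-AutopatchRegistrationReadiness |
    Where-Object { -not $_.ManagedByIntune } |
    Format-Table DisplayName, AzureAdDeviceId, ExpectedOutcome -AutoSize
```

Running this before clicking Discover devices tells you in advance which members of the registration group (including those pulled in by a nested dynamic group) will show up under Not registered, so you can tighten the dynamic group's membership rule or enroll the device in Intune first instead of waiting for the hourly discovery to report the failure.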
Info
Channel: HTMD Community
Views: 3,224
Keywords: SCCM, Intune, Windows 11, AVD, Cloud PC, Windows 10, Windows Autopatch, Windows Autopatch Decoded, Customize Windows Update Autopatch Settings, Assign Devices to Autopatch Group, Differences?, Autopatch Registration for Windows 365 CloudPC, Discover Devices, Device Registration, Automatic Policy & Group Creation, Enroll Windows Autopatch, Autopatch Workflow, Quick Prerequisites, New Updates and Customization Options
Id: Te8vkRPg-n4
Length: 36min 27sec (2187 seconds)
Published: Mon Apr 03 2023