Windows Autopatch Implementation Setup Guide

Let’s learn how to set up Windows Autopatch using the step-by-step Implementation Setup Guide. Windows Autopatch is generally available for customers with Windows Enterprise E3 and E5 licenses. It applies updates to your Windows operating system and configures automatic updates for Office applications.

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.

Microsoft will continue to release updates on the second Tuesday of every month, and now Autopatch helps streamline updating operations and create new opportunities for IT pros.

Once you’ve enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Intune MEM Portal, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests. The reporting capabilities will grow more robust as the service matures.

Patch My PC

Read More on Windows Autopatch Quality Updates Report In Intune MEM Portal -> Windows Autopatch Quality Updates Report In Intune MEM Portal.

Prerequisites – Windows Autopatch

Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required.

Windows Autopatch is only available for the following products –

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Windows 10/11 Enterprise E3
  • Windows 10/11 Enterprise E5
  • Windows 10/11 Enterprise VDA

Note – Windows Autopatch is offered as a feature to Windows 10/11 Enterprise E3 at no additional cost.

Windows 10/11 Enterprise E3 License - Windows Autopatch Implementation Setup Guide 1
Windows 10/11 Enterprise E3 License – Windows Autopatch Implementation Setup Guide 1

Windows 10/11 Enterprise E3 builds on Windows 10/11 Pro by delivering enterprise-grade security, management, and control features for large or mid-sized companies, or any size business that processes sensitive data operates in regulated industries, or develops intellectual property that must remain secure.

The increased security helps protect your sensitive data, identities, and devices from cybersecurity threats, and provides enhanced deployment and software and device management options.

  • Connectivity – All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see Configure your network.
  • Supported Operating System – The Windows 64-bit editions are required for Windows Autopatch, Windows 10/11 Pro, Windows 10/11 Enterprise, and Windows 10/11 Pro for Workstations.
  • Hardware requirements: If your corporate-owned devices are running a current. The supported version of Windows 10 or Windows 11, can be enrolled in Windows Autopatch. Bring-your-own-device (BYOD) scenarios are not currently supported.
  • Management requirements: Your devices must be managed with either Microsoft Intune or Configuration Manager co-management.
  • Identity requirements: User accounts must be managed by Azure Active Directory or Hybrid Azure Active Directory Join.

Bonus Step – Activate Trial License

However, you can obtain a trial license for Microsoft 365 E5 if you want to proceed with Windows Autopatch Implementation. This trial will provide you with 25 licenses for 1 month. Follow the steps below for instructions on how to obtain this trial:

  • Navigate to the Microsoft 365 admin center and sign in with your tenant
  • Select Billing and then Purchase services
  • In the search bar, look for Microsoft 365 E5 and select Details under that product
  • Select Start free trial and complete the validation prompts
  • Select Try now and then Continue
  • To validate that you have successfully redeemed the Microsoft 365 E5 trial, navigate to the Microsoft 365 admin center > Billing Licenses.

Is Windows Autopatch Missing In Intue MEM Portal?

If you don’t see the Windows Autopatch Tenant enrollment blade, you don’t meet the prerequisites or the proper licenses. Ensure you have assigned licenses to users. Here you can see after assigning the license, The Windows Autopatch appears in Tenant Administration.

Windows Autopatch Implementation Setup Guide 2
Is Windows Autopatch Missing – Windows Autopatch Implementation Setup Guide 2

Enroll to Windows Autopatch Service

To start using the Windows Autopatch implementation, ensure you meet the Windows Autopatch prerequisites.

Important – You must be a Global Administrator to enroll tenants and run the Readiness assessment tool.

  • Sign in to the Microsoft Endpoint Manager admin center https://endpoint.microsoft.com/.
  • Select Tenant administration and then navigate to Windows Autopatch > Tenant enrollment.
  • Click on Run Checks.

The Readiness assessment tool allows you to check the relevant settings and details steps to fix any settings that aren’t configured properly for Windows Autopatch.

Click on Run checks - Windows Autopatch Implementation Setup Guide 3
Click on Run checks – Windows Autopatch Implementation Setup Guide 3

Once all the management settings checks are completed, A notification will appear automatically in the top right-hand corner with a message. You can see “Management Settings Checks are complete”.

The Readiness Assessment tool shows the status Ready, and you’re ready to enroll in Windows AutoPatch. It is important to review all management settings before starting the enrollment process.

Readiness Status of Windows Autopatch Enrollment

For each check, the Readiness assessment tool will report one of four possible results:

  • Ready -> No action is required before completing enrollment.
  • Advisory -> Follow the steps in the tool or this article for the best experience with enrollment and for users. You can complete enrollment, but you must fix these issues before you deploy your first device.
  • Not ready -> You must fix these issues before enrollment. You won’t be able to enroll in Windows Autopatch if you don’t fix these issues. Follow the steps in the tool or this article to resolve them.
  • Error -> The Azure Active Directory (AD) role you’re using doesn’t have sufficient permissions to run this check.

Important – The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you’ll no longer be able to access the tool again.

Management Settings Checks - Windows Autopatch Implementation Guide 4
Management Settings Checks – Windows Autopatch Implementation Guide 4

Click on View details to see all management settings, and The Readiness assessment tool checks the following settings –

  • Conditional access -> Verifies that conditional access policies and multi-factor authentication aren’t assigned to all users. Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication.

Windows Autopatch cloud service accounts -> Check that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are MsAdmin, MsAdminInt, and MsTest.

  • Security defaults -> Check whether your Azure Active Directory organization has security defaults enabled.
  • Licenses -> Check that you’ve obtained the necessary licenses.

Update rings for Windows 10 or later -> Verifies that Intune’s Update rings for Windows 10 or later policy doesn’t target all users or all devices. Policies of this type shouldn’t target any Windows Autopatch devices.

  • Unlicensed admin -> Verifies that this setting is enabled to avoid a “lack of permissions” error when we interact with your Azure Active Directory. Let’s check the option to Allow Unlicensed Admin To Access Intune.
Readiness Status: Ready - Windows Autopatch Implementation Guide 5
Readiness Status: Ready – Windows Autopatch Implementation Setup Guide 5

Enroll your Tenant for Windows Autopatch

To enroll your tenant, Within the Readiness assessment tool, you’ll now see the Enroll button. By selecting Enroll, you will proceed with the enrollment of your tenant to the Windows Autopatch service.

Select Enroll - Windows Autopatch Implementation Setup Guide 6
Select Enroll – Windows Autopatch Implementation Setup Guide 6

Select the check box to agree to the terms and conditions to allow administrator access for Microsoft and Click on Agree.

Select Agree - Allow Administrator Access for Microsoft
Select Agree > Allow Administrator Access for Microsoft – Windows Autopatch Implementation Setup Guide 7

Here you need to provide the Phone number, Email, Name, and Preferred Language of the IT admin. Once you have added the information, Click on Complete.

Note – You can validate the added information in Admin contacts, available under Tenant administration in the Windows Autopatch section.

Windows Autopatch - Provide Contact Info of Windows Autopatch Admin
Provide Contact Info of Windows Autopatch Admin – Windows Autopatch Implementation Guide 8

The setup of the Windows Autopatch service on your tenant will take a few minutes to complete, Please wait. This step creates the policies, groups, and accounts necessary to run the service.

Setting up Windows Autopatch
Setting up Windows Autopatch – Windows Autopatch Implementation Guide 9

Once these actions are complete, you are successfully enrolled in your tenant. Windows Autopatch setup is complete, and Select Continue to start registering devices.

Select Continue - Windows Autopatch Setup Complete
Select Continue -> Windows Autopatch Setup Complete – Windows Autopatch Implementation Guide 10

Select the Ready tab, then select the Windows Autopatch Device Registration hyperlink. You will be directly navigated to the Azure Active Directory group.

Windows Autopatch Device Registration
Windows Autopatch Device Registration – Windows Autopatch Implementation Guide 11

Windows Autopatch Device Registration

Before Microsoft can manage your devices in Windows Autopatch, you must have devices registered with the service.

You should have either Azure AD Global Administrator, Intune Service Administrator, or Modern Workplace Intune Administrator roles in Windows Autopatch to register devices.

Note – The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process.

The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset. The overall device registration process is

Device Registration Overview Credit : Microsoft
Device Registration Overview Credit: Microsoft

Add either device through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the Windows Autopatch Device Registration group.

To register devices, navigate to Devices > Windows Autopatch, and click on Devices. Click on add members to the Azure AD group called Windows Autopatch Device Registration. To register more devices, Navigate to the Azure AD group Windows Autopatch Device Registration.

Note – All existing Windows 365 Cloud PC Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices.

Once you add the device, A notification will appear automatically in the top right-hand corner with a message. You can see “Group members successfully added“.

Add members - Windows Autopatch Device Registration
Add members > Windows Autopatch Device Registration – Windows Autopatch Implementation Guide 12

Once devices or Azure AD groups containing devices are added to the Windows Autopatch Device Registration group, Windows Autopatch discovers these devices. It runs software-based prerequisite checks to try to register them with its service.

It can take up to an hour for registered devices to appear in the Intune console. You can manually discover registered devices in Autopatch, Try clicking the “Discover devices” button to register them on demand.

Note – To register more devices, Navigate to the Azure AD group Windows Autopatch Device Registration and add members. You can also click on the hyperlink Windows Autopatch Device Registration reflected in the below screenshots.

Windows Autopatch - Select Discover Devices
Select Discover Devices – Windows Autopatch Implementation Guide 14

In MEM Admin Center, Navigate to Devices > Windows Autopatch, and click on Devices. The Ready tab is to show devices that were successfully registered to the Windows Autopatch service.

Windows Autopatch - Device Ready State
Windows Autopatch – Device Ready State

Important – Windows Autopatch enrollment of SCCM Co-Managed devices requires the following 3 workload sliders to Pilot/Intune.

  • Device Configuration
  • Windows Update policies
  • Office 365 Client Apps

Adding Devices to Update Rings In Windows Autopatch

If you want to move separate devices to different rings, repeat the following steps for each device:

  • In the Windows Autopatch section, select Devices.
  • Select the devices you want to assign. All selected devices will be assigned to the ring you specify.
  • Select Device actions from the menu and Select Assign device group.
Select Device Actions > Assign Device Group - Adding Devices to Ring In Windows Autopatch
Select Device Actions > Assign Device Group – Windows Autopatch Implementation Guide 15

A fly-in opens, Use the dropdown menu to select the ring to move devices to, and then choose Save. Each of the update rings has a different purpose and is assigned a set of policies to control the rollout of updates in each management area.

  • Automatic: Let Microsoft Managed Desktop automatically assigned to one of the groups.
  • Test: Select this group for devices used for testing purposes only.
  • First: Best for early adopters to receive and validate changes.
  • Fast: Best for assessing quality issues prior to broad deployment.
  • Broad: Use for business-critical devices.
Select Group - Assign Deployment Group
Assign Deployment Group – Windows Autopatch Implementation Guide 16

A notification will appear automatically in the top right-hand corner with a message. You can see “1 device scheduled for assignment to Test group.”

Group Assigned - Test Ring Windows Autopatch Deployment
Test Ring Windows Autopatch Deployment – Windows Autopatch Implementation Guide 17

Based on the deployment group assignment, you can see the added device part of Modern Workplace Devices – Test and multiple groups. You can view Group Membership for Intune Managed Devices.

Device - Windows Autopatch Group
Windows Autopatch Group – Windows Autopatch Implementation Guide 18

Windows Autopatch on Windows 365 Cloud PC Enterprise Edition

With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process, providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date.

For Windows Autopatch Implementation on a Windows 365 Provisioning Policy, You can check more about creating provisioning policies for Azure AD Join and Hybrid Azure AD Join for Windows 365 Cloud PC.

When creating a Provisioning Policy in Windows 365, Under the Microsoft managed services section, select Windows Autopatch.

When the assignment is complete, the Group assigned by column will change to Test (based on your group selection), and the Group column will show the new group assignment.

Create a provisioning policy - Windows Autopatch on Windows 365 Cloud PC Enterprise Edition
Create a provisioning policy – Windows Autopatch Implementation on Windows 365 Cloud PC Enterprise

During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings:

Note – You can’t create additional rings for managed devices and must use the four rings provided by Windows Autopatch.

  • Modern Workplace Devices – Test
  • Modern Workplace Devices – First
  • Modern Workplace Devices – Fast
  • Modern Workplace Devices – Broad

Each of the update rings has a different purpose and is assigned a set of policies to control the rollout of updates in each management area.

When a device is enrolled into the Windows Autopatch service, the device is assigned to an updated ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release.

Windows Autopatch Implementation Setup Guide 1
Update Ring – Windows Autopatch Implementation Guide 19

End Users Experience – Quality Update

Login to the device that is part of the deployment group and waits for the sync to complete, and you can see added Windows Update rings policies are applied.

The Windows 10 quality update is published, and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.

In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn’t able to reschedule past the deadline.

End Users Experience - Quality Update | Credit - Microsoft
End Users Experience Quality Update – Windows Autopatch Implementation Guide 20 | Credit – Microsoft

Feature Update Grace Period

In the following example, the user is on holiday, and the device is offline beyond the feature update deadline. The user returns to work, turning the device back on.

Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.

End Users Experience - Feature Update | Credit - Microsoft
End Users Experience Feature Update – Windows Autopatch Implementation Guide 21 | Credit – Microsoft

Windows Autopatch Release Management

The Windows Autopatch Release Management provides you more clarity on the Quality and Feature updates install schedules in Intune portal.

Navigate to Tenant Administration, Under Windows Autopatch. Select Release management that displays the updates and releases scheduled.

Windows Autopatch Release Management
Windows Autopatch Release Management – Windows Autopatch Implementation Guide 22

Pausing Release

To pause a release, Click on the Pause options and choose the reason you want to Pause. Select the type of update you would like to pause and reason, Additional details, and click Okay.

Pause Release - Windows Autopatch Release Management 2
Pause Release Windows Autopatch Release Management – Windows Autopatch Implementation Guide 23

A notification will appear automatically in the top right-hand corner with the message “Windows Quality Update Pause Successful” Here you can see the status Customer Pause.

Pause Successful - Windows Autopatch Release Management 3
Pause Successful Windows Autopatch Release Management – Windows Autopatch Implementation Guide 24

Resume Release

To resume a release, Click on the Resume options and choose the reason you want to resume. Select the type of update you would like to resume and reason, Additional details.

Select the Update groups for which you want to resume the update. Resuming an update for a later group will also resume updates for all previous groups and click Okay.

Resuming a release - Windows Autopatch Release Management 4
Windows Autopatch Release Management – Windows Autopatch Implementation Guide 25

A notification will appear automatically in the top right-hand corner with the message “Windows Quality Update Resume Successful” Here you can see the status Active.

Resume Successful - Windows Autopatch Release Management 5
Resume Successful – Windows Autopatch Release Management 26

Windows Autopatch relies on the following capabilities to help resolve update issues if there is an issue with an update

  • Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, Microsoft may decide that it’s necessary to pause that release. Once the issue is resolved, the release will be resumed.
  • Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, Microsoft might force all devices to roll back to the previous version. 

Windows Autopatch Implementation – Summary of Changes Made During Tenant Enrollment

During the Windows Autopatch enrollment process, the Autopatch service created the following changes –

  • Sixteen (16) Azure AD groups
  • Three (3) Windows Autopatch Cloud Service Accounts 
  • Four (4) Update rings for Windows 10 and later policies
  • Five (5) Feature updates for Windows 10 and later policies
  • One (1) Conditional Access policy
  • Nineteen (19) Device Configuration profiles
  • One (1) Custom Endpoint Manager role.
  • One (1) Enterprise application
  • One (1) PowerShell Script

Note : The details count we represent here is based on our observations.

Azure Active Directory Groups – Windows Autopatch Implementation

Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices –

Group nameDescription
Modern Workplace-AllAll Modern Workplace users
Modern Workplace – Windows 11 Pre-Release Test DevicesDevice group for Windows 11 Pre-Release testing.
Modern Workplace Devices-AllAll Modern Workplace devices
Modern Workplace Devices-Windows Autopatch-TestImmediate ring for device rollout
Modern Workplace Devices-Windows Autopatch-FirstFirst production ring for early adopters
Modern Workplace Devices-Windows Autopatch-FastFast ring for quick rollout and adoption
Modern Workplace Devices-Windows Autopatch-BroadFinal ring for broad rollout into an organization
Modern Workplace Devices Dynamic – Windows 10Microsoft Managed Desktop Devices with Windows 10 Group
Modern Workplace Devices Dynamic – Windows 11Microsoft Managed Desktop Devices with Windows 11 Group
Modern Workplace Roles – Service AdministratorAll users are granted access to the Modern Workplace Service Administrator Role
Modern Workplace Roles – Service ReaderAll users granted access to Modern Workplace Service Reader Role
Modern Workplace Service – Intune Admin AllGroup for Intune AdminsAssigned to:Modern Workplace Service Accounts
Modern Workplace Service – Intune Reader AllGroup for Intune readersAssigned to:Modern Workplace Service Accounts
Modern Workplace Service – Intune Reader MMDGroup for Intune readers of MMD devices and usersAssigned to:Modern Workplace Service Accounts
Modern Workplace Service AccountsGroup for Windows Autopatch service accounts
Windows Autopatch Device RegistrationGroup for automatic device registration for Windows Autopatch
Azure Active Directory Groups – Windows Autopatch Release Management 27

Service Accounts Windows Autopatch Implementation

Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls –

Cloud service account nameUsage
[email protected]This account is a limited-service account with administrator privileges, used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices. This account doesn’t have interactive sign-in permissions.  The account performs operations only through the service.
[email protected]This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices, used for interactive sign-in to the customers’ tenant. The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
[email protected]This is a standard account used as a validation account for the initial configuration and roll out of policy, application, and device compliance settings.
Windows Autopatch Cloud Service Accounts – Windows Autopatch Release Management 28

Device Configuration Policies – Windows Autopatch Implementation

The following configuration policies are used for targeting Windows Autopatch configurations –

  • Modern Workplace – Set MDM to Win Over GPO
  • Modern Workplace – Telemetry Settings for Windows 10
  • Modern Workplace – Telemetry Settings for Windows 11
  • Modern Workplace-Window Update Detection Frequency
  • Modern Workplace – Data Collection

Conditional Access Policies – Windows Autopatch Implementation

Modern Workplace – Secure Workstation -> This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location.

Update rings for Windows 10 and later – Windows Autopatch Implementation

  • Modern Workplace Update Policy [Test]-[Windows Autopatch]
  • Modern Workplace Update Policy [First]-[Windows Autopatch]
  • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
  • Modern Workplace Update Policy [Broad]-[Windows Autopatch]

Feature Update Policies – Windows Autopatch Implementation

  • Modern Workplace DSS Policy [Test]
  • Modern Workplace DSS Policy [First]
  • Modern Workplace DSS Policy [Fast]
  • Modern Workplace DSS Policy [Broad]
  • Modern Workplace DSS Policy [Windows 11]

Microsoft Office Update Policies – Windows Autopatch

  • Modern Workplace – Office ADMX Deployment
  • Modern Workplace – Office Configuration v5
  • Modern Workplace – Office Update Configuration [Test]
  • Modern Workplace – Office Update Configuration [First]
  • Modern Workplace – Office Update Configuration [Fast]
  • Modern Workplace – Office Update Configuration [Broad]

Microsoft Edge Update Policies – Windows Autopatch

  • Modern Workplace – Edge Update ADMX Deployment
  • Modern Workplace – Edge Update Channel Stable
  • Modern Workplace – Edge Update Channel Beta

Modern Workplace – Autopatch Client Setup -> PowerShell Installs necessary client components for the Windows Autopatch service.

Author

5 thoughts on “Windows Autopatch Implementation Setup Guide”

  1. When you enable Windows Autopatch service for a device, does it disable / stops the patch management capability from ConfigMgr ? Just want to see if there any ways to continue managing 3Rd party application patches through ConfigMgr.

    Reply
    • On very high-level as name suggests its an automatic patch deployment using cloud intelligence without or very less manual intervention from the admin side.

      In the SCCM world, you need to use ADR or some other mechanism to create monthly patches and then deploy it pilot ring or test devices/users and get feedback from them before moving forward with production deployment or border deployment.

      With Windows Autopatch, the vision is to reduce/automate all these tedious steps with better user and admin experience.

      Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.