Windows Autopatch Setup Implementation Guide

This post is a step-by-step Windows Autopatch setup implementation guide. Use it to enable Windows Autopatch in your tenant and automate the distribution of updates through Intune.

Let’s first define Autopatch. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.

The Windows Autopatch service entered public preview in May 2022 and has been generally available since July 11, 2022 for customers with Windows Enterprise E3 and E5 licenses. Microsoft continues to release updates on the second Tuesday of every month; what Autopatch changes is that the staging, deferral and rollout of those updates across your devices is handled by the service instead of by hand, which frees IT staff from the monthly patching routine.

Let’s first learn some fundamentals of the Windows Autopatch Service before configuring it in Intune. Make sure you are familiar with this service’s capabilities before enabling Autopatch for your tenant.

Microsoft has published the Windows Autopatch documentation. You can go through it to understand the capabilities of the Windows Autopatch service and how it works.

What is Windows Autopatch?

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.

It is a relatively new Microsoft service that keeps Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software current using Microsoft’s own recommended rollout practices (progressive rings, deferrals and deadlines).

Windows Autopatch manages all aspects of deployment groups for Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates.

The Windows Autopatch service can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service.

Windows Autopatch Setup Requirements

The following prerequisites must be met in order to setup Windows Autopatch:

  • The Windows Autopatch service requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users.
  • You will also require Azure Active Directory Premium (P1 or higher). The user accounts must exist in Azure Active Directory, either created there directly or synchronized from on-premises Active Directory with Azure AD Connect.
  • Devices managed by Windows Autopatch must be able to reach a number of Microsoft service endpoints from the corporate network, so proxies and firewalls must allow them.
  • All the Windows Autopatch devices must be managed by Microsoft Intune. Intune should be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

Refer to the following article for detailed information on Windows Autopatch Prerequisites.

Windows Autopatch Licensing Details

The following licenses are supported by Windows Autopatch:

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Windows 10/11 Enterprise E3
  • Windows 10/11 Enterprise E5
  • Windows 10/11 Enterprise VDA

Note: Windows Autopatch is included at no extra cost with Windows Enterprise E3 and above licenses. If you already own Windows Enterprise E3, there is nothing additional to buy.
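As an added example (not code from the original post), the following Microsoft Graph PowerShell script checks whether a tenant holds an Autopatch-eligible SKU, whether Azure AD Premium is present, and whether a set of pilot users actually has an eligible license assigned. It assumes the Microsoft.Graph PowerShell SDK is installed and an account with read access to licensing; the SKU part numbers are the commonly documented ones for these plans and the user principal names are placeholders.

```powershell
# Added example, not code from the original post. Requires: Install-Module Microsoft.Graph
# SKU part numbers are assumed from Microsoft's licensing reference; confirm them in your
# tenant with Get-MgSubscribedSku before relying on them.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All'

$eligibleSkus = @{
    'SPE_E3'       = 'Microsoft 365 E3'
    'SPE_E5'       = 'Microsoft 365 E5'
    'WIN10_VDA_E3' = 'Windows 10/11 Enterprise E3'
    'WIN10_VDA_E5' = 'Windows 10/11 Enterprise E5'
}

$allSkus = Get-MgSubscribedSku

# 1. Does the tenant own an Autopatch-eligible SKU, and are there units left to assign?
$owned = $allSkus | Where-Object { $eligibleSkus.ContainsKey($_.SkuPartNumber) }
if (-not $owned) {
    Write-Warning 'No Autopatch-eligible SKU in this tenant; the Tenant Enrollment blade will not appear.'
}
foreach ($sku in $owned) {
    '{0,-28} purchased={1} assigned={2}' -f $eligibleSkus[$sku.SkuPartNumber], $sku.PrepaidUnits.Enabled, $sku.ConsumedUnits
}

# 2. Azure AD Premium must be present. P1 ships as service plan AAD_PREMIUM, P2 as AAD_PREMIUM_P2.
$aadPremium = $allSkus | Where-Object { $_.ServicePlans.ServicePlanName -match '^AAD_PREMIUM' }
if (-not $aadPremium) { Write-Warning 'No Azure AD Premium service plan found in any SKU.' }

# 3. Which pilot users are missing an eligible license? (placeholder UPNs)
$pilotUsers = 'alice@contoso.example', 'bob@contoso.example'
foreach ($upn in $pilotUsers) {
    $u = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AssignedLicenses -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "$upn not found in Azure AD"; continue }
    # A user is covered if any assigned SkuId matches one of the eligible SKUs the tenant owns.
    $eligible = $owned | Where-Object { $u.AssignedLicenses.SkuId -contains $_.SkuId }
    [pscustomobject]@{ User = $upn; AutopatchEligible = [bool]$eligible }
}
```

Run it before opening the Tenant Enrollment blade: an empty `$owned` explains a missing blade, and the per-user table shows which pilot users still need a license assigned (or a group-based license fixed) before their devices can be registered.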

Windows Autopatch Missing in Intune Portal

If the Windows Autopatch Tenant Enrollment blade is missing from the Intune portal, it is because either the required licenses haven’t been assigned to your users or the Autopatch service prerequisites are not met. The screenshot below shows the portal with the Autopatch Tenant Enrollment blade missing.

You may run into this when setting up Windows Autopatch for the first time. Windows Autopatch requires Windows Enterprise E3 or above, so confirm that the tenant owns the correct licenses and that they are assigned; once they are, the Autopatch blade appears in the Intune portal.

Windows Autopatch Missing in Intune Portal

Once you have met all the required Windows Autopatch prerequisites and assigned proper licenses to your users, the Windows Autopatch Tenant Enrollment option appears in Endpoint Manager portal.

Windows Autopatch in Intune Portal

Windows Autopatch Supported Operating Systems

The following 64-bit Windows editions are supported by Windows Autopatch:

  • Windows 10/11 Pro
  • Windows 10/11 Enterprise
  • Windows 10/11 Pro for Workstations

Windows Server, Linux, and macOS are not supported by the Windows Autopatch service.

Steps to Enroll your Tenant in Windows Autopatch

There are multiple steps required to enroll your Tenant in Windows Autopatch. While performing each of these steps, ensure you use an account that is Global Administrator.

Step 1. Review All Autopatch Service Prerequisites

Before you enroll your tenant in Windows Autopatch, you must meet all the prerequisites required by the Autopatch Service. For more information, refer to the Windows Autopatch prerequisites documentation.

Step 2. Run the Readiness Assessment Tool

The Readiness Assessment tool checks whether your tenant is ready to enroll in Windows Autopatch. It is only available before enrollment; once the tenant is enrolled, you can no longer run it.

This tool should be run before you enroll your tenant in Autopatch. It checks the settings in Microsoft Endpoint Manager (Microsoft Intune) and Azure Active Directory (Azure AD) to ensure they’ll work with Windows Autopatch.

If you have not run the Readiness Assessment tool for Autopatch Service, you will see the message Assessment not started – Select Run checks to begin assessment.

Use the following steps to run the Readiness Assessment Tool for Windows Autopatch Setup:

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Select Tenant Administration and navigate to Windows Autopatch Tenant enrollment.
  • Click on Run Checks to initiate Readiness Assessment Tool.
Run the Readiness Assessment Tool

The Readiness Assessment tool will now run in the background to determine if your tenant is ready for Windows Autopatch. Any issues with your tenant will be reported by this tool.

In case the assessment tool finds an error, you cannot enroll your tenant in Autopatch until you fix it. If you notice advisory warnings, try to fix them before you begin enrollment.

Once all the management settings checks are complete, a notification appears in the top right-hand corner with the message “Management Settings Checks are complete”.

The following message confirms that your tenant is ready for Windows Autopatch enrollment. Ready – You are ready to enroll in Windows Autopatch.

Run the Readiness Assessment Tool

Unlicensed Admin Error in Intune Portal

During Windows Autopatch tenant enrollment, you may encounter the unlicensed admin error. It appears when the Intune administrator account you are using doesn’t have enough permissions to interact with the Azure AD organization. Follow the instructions in the following guide to fix the Windows Autopatch unlicensed admin error.

List of Readiness Statuses of Windows Autopatch Enrollment

After the Readiness Assessment Tool completes its operation, the tool shows the status which can have these options:

  1. Ready: This means your tenant is ready for Autopatch enrollment.
  2. Advisory: You can continue enrolling your tenant with advisory findings, but it is good practice to resolve them first, because the Readiness Assessment Tool cannot be run again after enrollment.
  3. Not Ready: You cannot enroll your tenant in Autopatch until you fix the errors that prevent enrollment. Clicking an error shows the steps to resolve it.
  4. Error: The check itself could not run, which means the tenant hasn’t been verified against the Autopatch prerequisites. This usually happens because the Azure Active Directory (AD) role you’re using doesn’t have sufficient permissions; rerun the assessment with a Global Administrator account.

Step 3: Start Windows Autopatch Enrollment

Once the Readiness Assessment Tool shows the status as Ready, you can begin the Windows Autopatch Enrollment. On the Tenant Enrollment page, click Enroll to proceed with the enrollment of your tenant to the Windows Autopatch service.

Windows Autopatch Enrollment

You must allow administrator access for Microsoft for the following:

  1. Create accounts to manage and license your registered devices.
  2. Manage devices using Intune
  3. Collect and share info on usage, status, and compliance for devices and apps.
  4. Remove Microsoft administrator accounts from Multifactor authentication and conditional access policies.

Select the checkbox to consent to the terms and conditions, allow administrator access for Microsoft, and click Agree. Item 4 deserves a word with your identity team: the service accounts Autopatch creates in your tenant are exempted from your MFA and Conditional Access policies, so treat them as privileged accounts and keep an eye on their sign-in logs.

Windows Autopatch Enrollment

On the Welcome screen of Windows Autopatch Setup wizard, provide the contact info for your organization’s Windows Autopatch admin. Phone number, email address, name, and preferred language are among the information that must be provided. Click Complete.

At this point, you can add only one admin contact. After the tenant is enrolled, you can add more. Read the following guide to learn how to add admin contact info in Windows Autopatch.

Windows Autopatch Admin Details

Now we see the Setting up Windows Autopatch message. It takes a few minutes to set up the Autopatch service. During this step, the accounts, and policies are set up and configured for your tenant.

Setting up Windows Autopatch

After a short while, we observe that Windows Autopatch setup is complete. This verifies that your tenant has been successfully registered for Windows Autopatch service.

Windows Autopatch Enrollment Complete

Step 4. Add Devices into Windows Autopatch

Once you enroll in Windows Autopatch for your Intune tenant, the first step that you need to take is to register your devices with the Windows Autopatch service. You can try out the Windows Autopatch service by registering a small number of devices.

To register devices with Windows Autopatch, the devices must meet the following software-based prerequisites:

  • Windows 10 (1809 or later) or Windows 11, Enterprise or Professional edition, x64 only.
  • Either Hybrid Azure AD-joined or Azure AD-joined (personal, Azure AD-registered devices aren’t supported).
  • Managed by Microsoft Endpoint Manager: Microsoft Intune and/or Configuration Manager co-management.
  • For co-managed devices, the following Configuration Manager co-management workloads must be switched to Intune (either Pilot Intune or Intune):
      • Windows Update policies
      • Device configuration
      • Office Click-to-Run
  • Last Intune device check-in completed within the last 28 days.
  • Serial Number, Model, and Manufacturer populated in Intune.

Once you register devices, Autopatch takes over management of their software updates. For initial testing, register a handful of test devices; Windows 365 Cloud PCs are supported as well.

You can use one of the following built-in roles in Windows Autopatch to register devices:

  • Azure AD Global Administrator
  • Intune Service Administrator
  • Modern Workplace Intune Administrator

Note: Devices that are intended to be managed by the Windows Autopatch service must be added into the Windows Autopatch Device Registration Azure AD assigned group. You can add the devices either through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the Windows Autopatch Device Registration group.

Windows Autopatch Device Registration

The steps to register devices into Windows Autopatch are as follows:

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Select Windows Autopatch from the left navigation menu and select Devices.
  • Select the Ready tab, then select the Windows Autopatch Device Registration hyperlink. The Azure Active Directory group blade opens.
  • Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the Windows Autopatch Device Registration group.
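The portal steps above are fine for a handful of devices. As an added example (not code from the original post), the following Microsoft Graph PowerShell script checks a list of Intune devices against the software prerequisites listed in Step 4 (Windows, join type, last check-in within 28 days, Serial Number/Model/Manufacturer present) and adds only the eligible ones to the Windows Autopatch Device Registration group. It assumes the Microsoft.Graph SDK is installed and that the tenant is already enrolled (so the registration group exists); the device names are placeholders.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph SDK and
# an account allowed to read Intune managed devices and modify group membership.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Group.ReadWrite.All', 'Device.Read.All'

$candidates = 'PILOT-PC-01', 'PILOT-PC-02', 'PILOT-PC-03'   # constructed placeholder device names
$cutoff     = (Get-Date).AddDays(-28)                        # last Intune check-in must be within 28 days

$regGroup = Get-MgGroup -Filter "displayName eq 'Windows Autopatch Device Registration'"
if (-not $regGroup) { throw 'Registration group not found; has the tenant been enrolled in Windows Autopatch?' }
$existing = @(Get-MgGroupMember -GroupId $regGroup.Id -All).Id

foreach ($name in $candidates) {
    $md = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$name'" | Select-Object -First 1
    if (-not $md) { Write-Warning "$name not found in Intune"; continue }

    # Evaluate the Step 4 prerequisites that are visible from the Intune device record.
    $problems = @()
    if ($md.OperatingSystem -ne 'Windows')  { $problems += "OS is $($md.OperatingSystem)" }
    if ($md.LastSyncDateTime -lt $cutoff)   { $problems += "last check-in $($md.LastSyncDateTime)" }
    foreach ($p in 'SerialNumber', 'Model', 'Manufacturer') {
        if ([string]::IsNullOrWhiteSpace($md.$p)) { $problems += "missing $p" }
    }

    # Group membership needs the Azure AD device object, not the Intune managed-device object.
    $aad = Get-MgDevice -Filter "deviceId eq '$($md.AzureAdDeviceId)'" | Select-Object -First 1
    if (-not $aad) { $problems += 'no Azure AD device object' }
    elseif ($aad.TrustType -eq 'Workplace') { $problems += 'Azure AD registered (personal), not joined' }

    if ($problems) { Write-Warning ('{0}: skipped ({1})' -f $name, ($problems -join ', ')); continue }
    if ($existing -contains $aad.Id) { "$name is already in the registration group"; continue }

    New-MgGroupMember -GroupId $regGroup.Id -DirectoryObjectId $aad.Id
    "$name added to $($regGroup.DisplayName)"
}
```

Devices the script skips would have failed the same checks inside Autopatch, so fixing them first (a stale check-in usually means the device simply hasn’t been on for a while) keeps the Not ready tab empty. After adding members, discovery still runs on the service’s hourly schedule unless you trigger it from the portal.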
Windows Autopatch Device Registration

Once you add members (devices) to the group, a notification appears in the top right-hand corner with the message “Group members successfully added”.

Once you have added the devices or Azure AD groups containing devices to the Windows Autopatch Device Registration group, the Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service.

Windows Autopatch Device Registration

Missing Devices under Windows Autopatch Device Registration?

After adding devices to the Windows Autopatch Device Registration group, you may notice that they don’t show up immediately under Windows Autopatch Device Registration. This is expected: Windows Autopatch runs a discovery job every hour to pick up new members of the group. Once the job discovers a device, Autopatch attempts to register it, and only then does it appear in the device registration view.

Step 5. Manually Discover Devices for Windows Autopatch

When you first add devices to the registration group, it can take up to an hour for them to appear in the console.

You can trigger discovery manually instead of waiting. Go to Windows Autopatch > Devices, select the Ready tab, and click Discover devices.

Manually Discover Devices for Windows Autopatch

The following message box appears: Discover devices – Scan Windows Autopatch Device Registration group to register devices for recently added members. This process can take up to an hour. Click OK to begin the device discovery process.

Manually Discover Devices for Windows Autopatch

Within a few seconds the Windows devices are discovered and listed under Discover Devices.

Manually Discover Devices for Windows Autopatch

Step 6. Update Rings in Windows Autopatch

Each update ring in Windows Autopatch has a different purpose and is assigned its own set of policies that control the rollout of updates in each management area.

After a device is registered with Windows Autopatch it is placed in an update ring, and the ring determines when that device receives updates. The rings are described below.

Windows Autopatch provides four rings, and you can’t create additional rings for managed devices. Automatic is not a fifth ring but the default assignment option:

  • Automatic: Select Automatic when you want Windows Autopatch to distribute devices across the other rings itself.
  • Test: Devices in this ring are intended for your IT administrators and testers, since changes are released here first.
  • First: The First ring is the first group of production users to receive a change. This group is the first set of devices to send data to Windows Autopatch.
  • Fast: The Fast ring is the second group of production users to receive changes.
  • Broad: The Broad ring is the last group of users to receive changes.

Step 7. Adding Devices to Update Rings in Windows Autopatch

To assign an update ring to devices, go to Windows Autopatch – Devices and click Device Actions. Select Assign device group and then select the devices you want to assign to an update ring.

Note: Use the same steps to move a device to a different update ring later.

Adding Devices to Update Rings in Windows Autopatch

You must now select a deployment group to assign the device. The available options are Automatic, Test, First, Fast and Broad. Select an option and your devices will be added to that deployment group. You cannot add a device to more than one deployment group.

Adding Devices to Update Rings in Windows Autopatch

Now we see the devices have been added to Fast deployment group. You can change the deployment group when you feel a device needs to be added to a different update ring.

Adding Devices to Update Rings in Windows Autopatch

During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings:

  • Modern Workplace Devices – Test
  • Modern Workplace Devices – First
  • Modern Workplace Devices – Fast
  • Modern Workplace Devices – Broad

You can view these groups in Azure portal or even in Intune Portal. Go to Groups and select All Groups. You can search for “Modern Workplace Devices – Windows Autopatch” to view all the Autopatch Azure AD groups.
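Because ring membership is just membership in these Azure AD groups, you can audit the distribution from Microsoft Graph instead of clicking through the portal. As an added example (not code from the original post), the script below lists the Autopatch ring groups, reports how many devices each holds and what share of the total that is (useful after an Automatic assignment), and looks up which ring a given device landed in. It assumes the Microsoft.Graph SDK; the device name is a placeholder.

```powershell
# Added example, not code from the original post. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Group.Read.All', 'Device.Read.All'

# The ring groups Autopatch creates all start with "Modern Workplace Devices".
$ringGroups = Get-MgGroup -Filter "startsWith(displayName,'Modern Workplace Devices')" -All |
    Where-Object { $_.DisplayName -match 'Windows Autopatch' }
if (-not $ringGroups) { throw 'No Autopatch ring groups found; is the tenant enrolled?' }

# Collect membership once per ring so both reports below reuse it.
$membership = @{}
foreach ($g in $ringGroups) {
    $membership[$g.DisplayName] = @(Get-MgGroupMember -GroupId $g.Id -All)
}

# Distribution across rings (Test / First / Fast / Broad).
$total = ($membership.Values | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
foreach ($name in ($membership.Keys | Sort-Object)) {
    $n   = $membership[$name].Count
    $pct = if ($total) { [math]::Round(100 * $n / $total, 1) } else { 0 }
    '{0,-50} {1,5} devices ({2,5}%)' -f $name, $n, $pct
}

# Which ring did a specific device end up in? (placeholder device name)
$deviceName = 'PILOT-PC-01'
$aad = Get-MgDevice -Filter "displayName eq '$deviceName'" | Select-Object -First 1
if (-not $aad) {
    Write-Warning "$deviceName not found in Azure AD"
} else {
    $ring = $membership.Keys | Where-Object { $membership[$_].Id -contains $aad.Id }
    if ($ring) { "$deviceName is in: $ring" } else { "$deviceName is not in any Autopatch ring group yet" }
}
```

A device that shows up in the registration group but in no ring group has not completed registration yet; check its prerequisites under Windows Autopatch > Devices > Not ready before changing anything else.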

Windows Autopatch Azure AD Groups

Step 8. Verify Autopatch Deployment on Client

Log in to a device that is part of a deployment group and wait for it to sync with Intune. Once the sync completes, you can see that new Windows Update ring policies have been applied.

The device downloads and installs the update according to the ring’s settings. When a restart is required, the user sees a restart notification that reflects the grace period configured for that deployment ring.

The screenshot below shows what the user sees when a Windows Autopatch software update deployment succeeds. The user can pick a time to restart the computer, choose to restart tonight, or restart immediately with the Restart now option.
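To verify on the client without waiting for the toast notification, you can inspect what the MDM channel actually delivered and what the update client did with it. As an added example (not code from the original post), the script below reads the Windows Update policy values written by the MDM client, confirms the join state Autopatch requires, and pulls the most recent Windows Update Client events and installed hotfixes. Run it in an elevated PowerShell session on a registered device; the setting names follow the Update CSP, and the registry location is where MDM-delivered policies are stored on Windows 10/11.

```powershell
# Added example, not code from the original post. Run elevated on a registered device.
# MDM-delivered Update CSP settings are written under the PolicyManager key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$settings  = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
             'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates',
             'ConfigureDeadlineGracePeriod', 'ConfigureDeadlineNoAutoReboot', 'AllowAutoUpdate'

if (-not (Test-Path $policyKey)) {
    Write-Warning 'No MDM Update policy present yet. Sync from Settings > Accounts > Access work or school > Info and re-run.'
} else {
    $vals = Get-ItemProperty -Path $policyKey
    foreach ($s in $settings) {
        # A missing value means the ring policy does not set that item (or has not arrived yet).
        [pscustomobject]@{ Setting = $s; Value = $vals.$s }
    }
}

# Join state: Autopatch needs Azure AD joined or hybrid joined, and an MDM enrollment URL.
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'

# Recent Windows Update Client activity. Event IDs: 43 = install started, 19 = install succeeded, 20 = install failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 19, 20, 43 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize -Wrap

# Installed quality updates, newest first, to confirm the month's patch actually landed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

If the PolicyManager values are present but the device never installs anything, the 20 (install failed) events are the place to start; if the values are absent after a manual sync, the device is most likely still in the Not ready tab on the service side.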

Verify Autopatch Deployment on the Client

Windows Autopatch FAQs

Here are some FAQs about Windows Autopatch

What is Windows Autopatch?

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. It’s a brand-new, helpful service from Microsoft that updates Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software according to best practices.

What is Windows Autopatch Release Date?

Windows Autopatch became generally available in July 2022, after a public preview that started in May 2022.

How much does Windows Autopatch cost?

Windows Autopatch is offered as a feature to Windows 10/11 Enterprise E3 at no additional cost.


10 Comments

  1. When i add the devices to the AutoPatch group. I notice that they are going into the “First” ring automatically. Can I change that somewhere to make all devices that get registered go to “Broad” then I can manually move the devices to the other rings?

    Thanks

    1. it will be automatically controlled, at the end 1% of the enrolled devices will be divided like: 1% in the first group, 9% fast group and the rest (90%) in the broad group.

      1. oops small typo,

        it will be automatically controlled, the enrolled devices will be divided: 1% in the first group, 9% fast group and the rest (90%) in the broad group.

  2. How do you disable autopatch? We keep getting login attempts on the Modern Workplace Administrator Account externally.

  3. Do you know what the difference is between Windows Autopatch and, say, Update Management through an Automation Account? My Automation Account would allow me to import Intune devices, I’m just curious if there’s more included with Autopatch.

  4. Narayanan says:

    Hi Prajwal,

    Nice explanation about the Autopatch Concept.

  5. This is the best and most clear and concise guide.

  6. Hi Prajwal, can you tell us how long does it take to register the device in Autopatch?