How to deploy Windows Autopatch with Microsoft Endpoint Manager – Intune

Windows Autopatch is a new service from Microsoft that automates the update process of Windows (both quality updates and feature updates), Microsoft 365 Apps for Enterprise (aka Office apps), the Microsoft Edge browser and Microsoft Teams. Once the service is enabled in your tenant and devices are onboarded successful  you don’t need to worry about updates of the supported products anymore. Microsoft will take care of it.

Prerequisites of Windows Autopatch

  • Windows 10/11 Enterprise E3 or higher
  • Microsoft Intune license
  • Windows build 1809 or higher
  • Users must exist in Azure AD (synced or cloud-only)
  • Devices needs to be under management of Microsoft Intune or Configuration Manager Co-managed
  • Unlicensed admins needs to have access to Microsoft Endpoint Manager admin center

In this blog

The following steps will step-by-step described in this blog.

  1. Enable Windows Autopatch
  2. Onboard devices to Windows Autopatch
  3. Managing Windows Autopatch

Step 1 – Enable Windows Autopatch

For the next steps, navigate to the Microsoft Endpoint Manager admin center.

Navigate to Tenant administration > Tenant enrollment. Select the checkbox and click Agree.

First we need to run the Readiness assessment tool to see if we can enable the service and we met all the requirements. The results of the test can have one of the following status.

Ready – Ready to go, no actions are required
Advisory – An advice to get the best experience once the service is up and running, not a requirement and so, not a blocker
Not ready – A show stopper that needs to be fixed before you can continue
Error – Mostly related to insufficient permissions to run this task

In my case I have some advisory and not ready points, lets discuss them from top to bottom. Click View details.

The first point is about Unlicensed admin, this is a requirement for this service and I did not enable this feature yet. When clicking on the setting on the left, the instructions about the required steps that needs to be made are displayed on the right.

Second point is an Advisory about co-management configuration. I did not setup co-management in my environment so I will ignore this one.

Next point is an important one. I have setup Update policies for Windows 10 and later devices. These settings can conflict with the settings of Windows Autopatch. Make sure that you exclude Autopatch devices from current Windows Update rings policies. See instructions on the right for more information in the screenshot.

After changing the required and advised settings, click Run check

We are now ready to go.

Click Enroll

Select I give Microsoft permission to manage my organization on my behalf (if you do) and click Agree

Fill in the primary admin contact details and click Next

Fill in the secondary admin contact details and click Next

Click Continue

In the background the resources will now be provisioned, this include security groups in Azure AD and policies in Microsoft Intune.

In Azure AD the groups in the above screenshot are created during the Windows Autopatch deployment.

The Configuration profiles for Windows endpoints are created during the Windows Autopatch deployment. Beside these policies, also Update rings for Windows 10 and later and Feature updates for Windows 10 and later polices are created.

 

Step 2 – Onboard devices to Windows Autopatch

To register / onboard devices to Windows Autopatch you need to make the devices member of the Windows Autopatch Device Registration security group.

In the Windows Autopatch device overview, click Windows Autopatch Device Registration.

With that link the Windows Autopatch Device Registration security group will be opened in a new browser tab. Make sure the Members page is open and click Add members to add the computer accounts.

Go back to the Microsoft Endpoint Manager admin center and click on Discover devices

Once the device is onboarded to the Windows Autopatch service you can see which ring is assigned to the device.

This can be one of the following rings.

TestDeployment ring for testing update prior production rollout.
First -Early adopters
Fast – Quick rollout and adoption
Broad – Final ring for broad rollout

When a device is selected, you can go to Device actions > Assign device group to change the update ring.

Select one of the rings you want to add the selected device to.

 

Step 3 – Managing Windows Autopatch

Finally I will give a short overview where you can manage Windows Autopatch within the Microsoft Endpoint Manager admin center.

Under devices a Windows Autopatch section has been added after the enrollment. In the Devices tab you can see an overview of devices that are Ready (onboarded) and Not ready. A reason that a device is Not ready can be that prerequisites are not met.

On the Release management tab you have the option to Pause and Resume updates per ring.

In the Microsoft Endpoint Manager admin center, under Reports you can also find a new section regarding Windows Autopatch. This will show you a overview on all the device statuses (my test device is not up-to-date yet).

There is also a Reports to to display historical trends in your environment.

This was a short blog about how to deploy Windows Autopatch followed by a short introduction about some management features. Hope you liked it, if you do, feel free to share it.

1 comment

Your email address will not be published.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close