Windows Autopatch is a new service from Microsoft that automates the update process of Windows (both quality updates and feature updates), Microsoft 365 Apps for Enterprise (aka Office apps), the Microsoft Edge browser and Microsoft Teams. Once the service is enabled in your tenant and devices are onboarded successfully, you no longer need to worry about updates of the supported products. Microsoft will take care of it.
Prerequisites of Windows Autopatch
- Windows 10/11 Enterprise E3 or higher
- Microsoft Intune license
- Windows build 1809 or higher
- Users must exist in Azure AD (synced or cloud-only)
- Devices need to be managed by Microsoft Intune or be Configuration Manager co-managed
- Unlicensed admins need to have access to the Microsoft Endpoint Manager admin center
In this blog
The following steps are described step by step in this blog.
- Enable Windows Autopatch
- Onboard devices to Windows Autopatch
- Managing Windows Autopatch
Step 1 – Enable Windows Autopatch
For the next steps, navigate to the Microsoft Endpoint Manager admin center.
Navigate to Tenant administration > Tenant enrollment. Select the checkbox and click Agree.
First we need to run the Readiness assessment tool to check whether we can enable the service and have met all the requirements. Each result of the test has one of the following statuses.
Ready – Ready to go, no actions are required
Advisory – Advice for the best experience once the service is up and running; not a requirement and therefore not a blocker
Not ready – A show stopper that needs to be fixed before you can continue
Error – Mostly related to insufficient permissions to run this task
In my case I have some Advisory and Not ready points; let's discuss them from top to bottom. Click View details.
The first point is about Unlicensed admin. This is a requirement for this service and I had not enabled this feature yet. When clicking on the setting on the left, the instructions for the required steps are displayed on the right.
The second point is an Advisory about co-management configuration. I did not set up co-management in my environment, so I will ignore this one.
The next point is an important one. I have set up Update policies for Windows 10 and later devices. These settings can conflict with the settings of Windows Autopatch. Make sure that you exclude Autopatch devices from your current Windows Update rings policies. See the instructions on the right of the screenshot for more information.
After changing the required and advised settings, click Run check.
We are now ready to go.
Select I give Microsoft permission to manage my organization on my behalf (if you do) and click Agree.
Fill in the primary admin contact details and click Next
Fill in the secondary admin contact details and click Next
In the background the resources will now be provisioned; this includes security groups in Azure AD and policies in Microsoft Intune.
In Azure AD the groups in the above screenshot are created during the Windows Autopatch deployment.
The Configuration profiles for Windows endpoints are created during the Windows Autopatch deployment. Besides these policies, Update rings for Windows 10 and later and Feature updates for Windows 10 and later policies are also created.
Step 2 – Onboard devices to Windows Autopatch
To register / onboard devices to Windows Autopatch you need to make the devices members of the Windows Autopatch Device Registration security group.
In the Windows Autopatch device overview, click Windows Autopatch Device Registration.
With that link the Windows Autopatch Device Registration security group will be opened in a new browser tab. Make sure the Members page is open and click Add members to add the computer accounts.
Go back to the Microsoft Endpoint Manager admin center and click on Discover devices.
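Adding computer accounts one by one in the portal does not scale, so here is an added example (not from the original post or from Microsoft) that bulk-adds devices to the Windows Autopatch Device Registration group with the Microsoft Graph PowerShell SDK, and skips devices that fail two of the prerequisites listed above (Intune-managed, Windows build 1809 or higher). It assumes the Microsoft.Graph modules are installed, the group still has its default name, 1809 corresponds to build 10.0.17763, and the device names in $DeviceNames are a constructed sample.

```powershell
# Added example: bulk-register devices for Windows Autopatch via Microsoft Graph.
# Assumes: Microsoft.Graph SDK installed; default registration group name;
# Windows 10 1809 == build 10.0.17763 (assumed mapping); constructed device list.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

$DeviceNames = @('PC01', 'PC02', 'LAPTOP-07')   # constructed sample input
$MinBuild    = [version]'10.0.17763'            # Windows 10 1809

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

# Resolve the security group that Autopatch created during enrollment.
$group = Get-MgGroup -Filter "displayName eq 'Windows Autopatch Device Registration'"
if (-not $group) { throw 'Registration group not found; is Windows Autopatch enrolled?' }

# Cache current members so the script is idempotent when re-run.
$existing = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $existing[$_.Id] = $true }

foreach ($name in $DeviceNames) {
    $device = Get-MgDevice -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $device) {
        Write-Warning "$name : not found in Azure AD, skipping"
        continue
    }
    # Prerequisite: the device must be under Intune (MDM) management.
    if (-not $device.IsManaged) {
        Write-Warning "$name : not managed by Intune, skipping"
        continue
    }
    # Prerequisite: Windows build 1809 or higher (compare the reported OS version).
    $rawVersion = $device.OperatingSystemVersion -replace '[^\d.]', ''
    if (-not $rawVersion -or ([version]$rawVersion) -lt $MinBuild) {
        Write-Warning "$name : OS version '$($device.OperatingSystemVersion)' below 1809, skipping"
        continue
    }
    if ($existing.ContainsKey($device.Id)) {
        Write-Host "$name : already a member of the registration group"
        continue
    }
    # Add the Azure AD device object to the registration group.
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
    Write-Host "$name : added to Windows Autopatch Device Registration"
}
```

After the group membership change, click Discover devices in the admin center as described above; registration is not instant, so the device appears in the Autopatch device overview once the service has processed the group.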
Once the device is onboarded to the Windows Autopatch service you can see which ring is assigned to the device.
This can be one of the following rings.
Test – Deployment ring for testing updates prior to production rollout.
First – Early adopters
Fast – Quick rollout and adoption
Broad – Final ring for broad rollout
When a device is selected, you can go to Device actions > Assign device group to change the update ring.
Select one of the rings you want to add the selected device to.
Step 3 – Managing Windows Autopatch
Finally I will give a short overview where you can manage Windows Autopatch within the Microsoft Endpoint Manager admin center.
Under Devices, a Windows Autopatch section is added after enrollment. In the Devices tab you can see an overview of devices that are Ready (onboarded) and Not ready. A reason that a device is Not ready can be that the prerequisites are not met.
On the Release management tab you have the option to Pause and Resume updates per ring.
In the Microsoft Endpoint Manager admin center, under Reports, you can also find a new section regarding Windows Autopatch. This shows you an overview of all the device statuses (my test device is not up-to-date yet).
There is also a Reports tab to display historical trends in your environment.
This was a short blog about how to deploy Windows Autopatch, followed by a short introduction to some management features. I hope you liked it; if so, feel free to share it.