Windows Autopatch Groups

Every business is now very much aware of the very real threats of attacks that are lurking out there. And for any that aren’t aware, then those threats are even greater. Time and again, we hear of businesses under cyber attacks and critical data compromised. With this in mind, we all need to be looking at ways to enhance our data security.

Otherwise, your business could soon fall victim to hackers. Given the multitude of threats that businesses are constantly dealing with, Microsoft has introduced Windows Autopatch to help improve security. This solution intends to streamline the update process, thus enabling businesses to operate better. In this business solutions article, we will be exploring Windows Autopatch groups and how they function.

Windows Autopatch Recap

For the benefit of those who may not yet be familiar with the service, I’m going to start by going over what Windows Autopatch is. IT admins can attest to the challenges that they sometimes face when it comes to keeping the devices in their environments up to date. Although service providers may offer updates regularly, the process of implementing these updates can sometimes present plenty of challenges to IT staff.

With that in mind, what you get with Windows Autopatch is a cloud-based service that seeks to automate the updates for Windows, Microsoft 365 Apps for Enterprise, Microsoft Teams, and Microsoft Edge.

Due to the automation of these updates, your business can expect to improve security and productivity across the organization. Over the years, we have grown accustomed to getting regular updates. Despite that, the process of implementing them is not always a seamless one. And that’s in addition to the plethora of other tasks that IT admins are responsible for managing. The Windows Autopatch solution gives you a more reliable update method that improves efficiency.

Windows Autopatch Groups

Windows Autopatch also uses groups to manage updates in a way that minimizes issues and improves the experience for your business. Autopatch groups, by definition, are logical containers or units that bring together several Azure AD groups and software update policies.

BENEFITS OF AUTOPATCH GROUPS

Windows Autopatch aims to adapt to the needs of businesses that are using Microsoft Cloud-Managed services. It is going to meet you wherever you may be in your update management journey. The first benefit that you’ll be able to get from Autopatch groups is that they can replicate your organizational structure.

What this means is that you can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. Furthermore, the use of Autopatch groups allows you to choose which software update deployment cadence is most ideal for your business.

Another benefit is a flexible number of deployment rings. This flexibility lets you choose the number of deployment rings that works best for your business. Depending on your needs, you can have as many as 15 deployment rings per Autopatch group.

The next benefit you’ll get is being able to decide which device or devices will belong to deployment rings. In addition to your existing device-based Azure AD groups, as well as choosing the number of deployment rings, your business also has the option to select which devices belong to deployment rings during the device registration process when setting up Autopatch groups.

AUTOPATCH GROUPS WORKFLOW

There are a few steps in this high-level workflow, including these below:

  • The first step requires the creation of an Autopatch group.
  • Next, the Windows Autopatch service leverages Microsoft Graph to facilitate the creation of:
      • Azure AD groups.
      • Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB), based on the IT admin's choices when creating or editing an Autopatch group.
  • Intune assigns software update policies. Intune assigns the software update policies to these groups as soon as the Azure AD groups become available in the Azure AD service. In addition, Intune provides the number of devices that need the software update policies to the Windows Update for Business (WUfB) service.
  • Lastly, Windows Update for Business is responsible for:
      • Delivering update policies.
      • Retrieving update deployment statuses back from devices.
      • Sending the status information back to Microsoft Intune and then to the Windows Autopatch service.

Things to know

Before you can proceed to use Windows Autopatch groups, there are a few key concepts that you’ll need to familiarize yourself with.

DEFAULT AUTOPATCH GROUP

If your organization can meet its business needs using the pre-configured five-deployment-ring composition, then you are the ideal candidate for the Default Autopatch group. The group is intended to serve businesses that want to enroll in the service, as well as those that want to align with Autopatch's default update management process without additional customization. This group uses Windows Autopatch's recommended default update management process and contains:

  • A set of 5 deployment rings.
  • A default update deployment cadence for both Windows feature and quality updates.

You should also note that you cannot delete or rename the Default Autopatch group. You do, however, still get the option to customize its deployment ring composition by adding and/or removing deployment rings. Additionally, you can customize the update deployment cadence for each deployment ring within it.

Default deployment ring composition

By default, the following software update-based deployment rings are used. These deployment rings, each represented by an Azure AD assigned group, are:

Deployment ring | Use
Windows Autopatch – Test | Can only be used as Assigned device distributions.
Windows Autopatch – Ring1 | Can be used with either Assigned or Dynamic device distributions, or a combination of both distribution types.
Windows Autopatch – Ring2 | Can be used with either Assigned or Dynamic device distributions, or a combination of both distribution types.
Windows Autopatch – Ring3 | Can be used with either Assigned or Dynamic device distributions, or a combination of both distribution types.
Windows Autopatch – Last | Can only be used as Assigned device distributions.

Note that the Last deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to cover specialized devices and/or VIP/Executive users. To minimize any potential disruption to your business, these devices should receive software updates after the organization's general population.

Default update deployment cadences

The Default Autopatch group provides default update deployment cadences for its deployment rings, with the exception of the Last (fifth) deployment ring.

Update rings policy for Windows 10 and later

Each of the default rings in the Default Autopatch group gets an Update rings policy for Windows 10 and later, set up by Windows Autopatch groups. The default policy values are as follows:

Policy name | Azure AD group assignment | Quality updates deferral (days) | Feature updates deferral (days) | Feature updates uninstall window (days) | Deadline for quality updates (days) | Deadline for feature updates (days) | Grace period (days) | Auto restart before deadline
Windows Autopatch Update Policy – default – Test | Windows Autopatch – Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes
Windows Autopatch Update Policy – default – Ring1 | Windows Autopatch – Ring1 | 1 | 0 | 30 | 2 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Ring2 | Windows Autopatch – Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Ring3 | Windows Autopatch – Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes
Windows Autopatch Update Policy – default – Last | Windows Autopatch – Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes
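To see what the deferral, deadline, and grace values in this table mean for one month's rollout, here is an added PowerShell example (not from the original page and not Microsoft's own tooling) that takes a Patch Tuesday release date and works out when each default ring is offered the quality update, when its deadline falls, and when the grace period ends. It assumes a simplified model in which the deadline is counted from the day the update is offered (after deferral) and the grace period from the deadline.

```powershell
# Default Autopatch quality-update values per ring, copied from the table above.
$DefaultRings = @(
    [pscustomobject]@{ Ring = 'Test';  DeferralDays = 0;  DeadlineDays = 0; GraceDays = 0 }
    [pscustomobject]@{ Ring = 'Ring1'; DeferralDays = 1;  DeadlineDays = 2; GraceDays = 2 }
    [pscustomobject]@{ Ring = 'Ring2'; DeferralDays = 6;  DeadlineDays = 2; GraceDays = 2 }
    [pscustomobject]@{ Ring = 'Ring3'; DeferralDays = 9;  DeadlineDays = 5; GraceDays = 2 }
    [pscustomobject]@{ Ring = 'Last';  DeferralDays = 11; DeadlineDays = 3; GraceDays = 2 }
)

function Get-PatchTuesday {
    # Second Tuesday of the given month: the usual Windows quality-update release day.
    param([int]$Year, [int]$Month)
    $first  = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-AutopatchRingSchedule {
    # Simplified model (assumption): deferral counts from the release date, the
    # deadline from the day the update is offered, and the grace period from the
    # deadline. The actual WUfB behaviour also depends on device activity.
    param([datetime]$ReleaseDate, [object[]]$Rings = $DefaultRings)
    foreach ($r in $Rings) {
        $offered  = $ReleaseDate.AddDays($r.DeferralDays)
        $deadline = $offered.AddDays($r.DeadlineDays)
        [pscustomobject]@{
            Ring        = $r.Ring
            OfferedOn   = $offered.ToString('yyyy-MM-dd')
            DeadlineOn  = $deadline.ToString('yyyy-MM-dd')
            GraceEndsOn = $deadline.AddDays($r.GraceDays).ToString('yyyy-MM-dd')
        }
    }
}

# Example run: the schedule for the December 2022 Patch Tuesday release.
$release = Get-PatchTuesday -Year 2022 -Month 12
Get-AutopatchRingSchedule -ReleaseDate $release | Format-Table -AutoSize
```

Passing your own ring objects to -Rings lets you compare a customized composition against the default one before changing the policies in Intune.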

Feature update policy for Windows 10 and later

Each of the default rings in the Default Autopatch group gets a feature update policy for Windows 10 and later, set up by Windows Autopatch groups. The default policy values are as follows:

Policy name | Azure AD group assignment | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Days between deployment rings | Support end date
Windows Autopatch – DSS Policy [Test] | Windows Autopatch – Test | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00 AM
Windows Autopatch – DSS Policy [Ring1] | Windows Autopatch – Ring1 | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024; 1:00 AM
Windows Autopatch – DSS Policy [Ring2] | Windows Autopatch – Ring2 | Windows 10 21H2 | Make update available as soon as possible | December 14, 2022 | December 21, 2022 | 1 | June 11, 2024; 1:00 AM
Windows Autopatch – DSS Policy [Ring3] | Windows Autopatch – Ring3 | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00 AM
Windows Autopatch – DSS Policy [Last] | Windows Autopatch – Last | Windows 10 21H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | June 11, 2024; 1:00 AM

CUSTOM AUTOPATCH GROUPS

If your business needs a more precise representation of its structures as well as its own update cadence in the service, then the Custom Autopatch groups are ideal for you. You’ll also find that the Test and Last deployment rings are automatically present by default.

TEST AND LAST DEPLOYMENT RINGS

Both of these are default deployment rings, and they will be automatically present in both the Default Autopatch group and Custom Autopatch groups. These deployment rings are an essential component because they allow the recommended minimum number of deployment rings needed by each Autopatch group to be provided. In a couple of instances, you’ll find that the Test deployment ring can serve as the pilot deployment ring, with the Last serving as the production deployment ring. This can happen:

  • If only the Test and Last deployment rings are within your Default Autopatch group.
  • If at the time you are creating a Custom Autopatch group, you don’t add more deployment rings.

Something else you need to know is that you cannot remove or rename the Test and Last deployment rings in the Default or Custom Autopatch groups. Because these Autopatch groups require a minimum of two deployment rings for their gradual rollout, they don't support a single deployment ring as their deployment ring composition.

So, you will need to consider managing devices outside Windows Autopatch whenever you have a specific scenario that you want to implement using a single deployment ring and where the gradual rollout is not necessary.

Deployment rings

Autopatch groups are designed to deliver software update deployments sequentially, as a gradual rollout within the Autopatch group. Deployment rings are what make this possible. Windows Autopatch aligns with Azure AD and Intune terminology for device group management. As far as deployment ring group distribution in Autopatch groups is concerned, there are two types that you need to know about:

Deployment ring distribution | Description
Dynamic | One or more device-based Azure AD groups can be used, and these can be either dynamic query-based or assigned groups in your deployment ring composition. With the Dynamic distribution type, the devices in those Azure AD groups are distributed across several deployment rings according to percentage values that you can customize.
Assigned | For this type of deployment ring distribution, a single device-based Azure AD group is used, and it can be either a dynamic query-based or an assigned group in your deployment ring composition.
Combination of Dynamic and Assigned | In some cases you'll need a greater level of flexibility when working on deployment ring compositions, and this option is ideal for that. It lets you combine both device distribution types in Autopatch groups. Note, however, that this combination of device distribution is not supported for the Test and Last deployment rings in Autopatch groups.

Service-based versus software update-based deployment rings

Another thing you will discover is that Autopatch groups create two different layers, and each layer has its own deployment ring set. By default, both deployment ring sets are assigned to devices that have successfully registered with Windows Autopatch.

SERVICE-BASED DEPLOYMENT RINGS

This deployment ring set is only going to be for keeping Windows Autopatch updated. It does so with service and device-level configuration policies, apps, and the APIs required for the core functions of the service. Below is the list of Azure AD-assigned groups representing the service-based deployment rings.

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad

Please note that you should absolutely avoid making any modifications to the Azure AD group membership types (Assigned and Dynamic). If you make those changes, Windows Autopatch won’t be able to read the device group membership from these groups.

As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Not only that, but you should also know that having Configuration Manager collections directly synced to any Azure AD group and created by Autopatch groups is an unsupported option.

SOFTWARE-BASED DEPLOYMENT RINGS

The second type of deployment ring set is only going to be compatible with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. Below is the list of Azure AD-assigned groups representing the software updates-based deployment rings.

  • Windows Autopatch – Test
  • Windows Autopatch – Ring1
  • Windows Autopatch – Ring2
  • Windows Autopatch – Ring3
  • Windows Autopatch – Last

IT admins should note that any additional Azure AD assigned groups will be created and added to the list at the same time you’ll be adding more deployment rings to the Default Autopatch group. Moreover, similar to the previous type of deployment ring set, you can’t make any modifications to the Azure AD group membership types (Assigned and Dynamic). If you make those changes, Windows Autopatch won’t be able to read the device group membership from these groups.

As a result, the Autopatch groups feature, along with other service-related operations, will not function correctly. Not only that, but you should also know that having Configuration Manager collections directly synced to any Azure AD group and created by Autopatch groups is an unsupported option.

How to use Autopatch groups

There are a few examples that we can look at that describe certain scenarios and how we use Autopatch groups for those cases.

EXAMPLE NUMBER 1

Imagine a scenario where you are an IT admin responsible for several Microsoft and non-Microsoft cloud services. In this example, you don't have the time to set up and manage multiple Autopatch groups. At present, your company relies on five deployment rings for its update management, and you are open to flexible deployment cadences as long as they are communicated to your end users.

The solution, in this case, will involve using the Default Autopatch group if you currently don’t have thousands of devices under your management. The Default Autopatch group is editable to include additional deployment rings and/or slightly modify some of its default deployment cadences.

Additionally, because this Default Autopatch group comes preconfigured and doesn’t require extra configurations when registering devices with the Windows Autopatch service, it will offer greater convenience to IT admins.

EXAMPLE NUMBER 2

For the second example, you’re going to be an IT admin for a business that is looking to implement a gradual rollout of software updates within certain critical business units or departments to help mitigate the risk of end-user disruption.

What you can do in this case is to create a Custom Autopatch group for all your business units. This means that you can create a Custom Autopatch group for each department. And then, you can proceed to break down the deployment ring composition according to the various user personas. You could also perform the breakdown by categorizing how essential certain users may be for not only a particular department but for the business as a whole.

EXAMPLE NUMBER 3

In the final example, imagine being an IT admin working in the New York branch of a particular company. And in this scenario, you’re looking to implement a gradual rollout of software updates within certain departments in a way that does not disrupt operations in that New York branch.

Similar to the second example, you’re going to create a Custom Autopatch group. But this time, it will be for the New York branch. Then, you will proceed to break down the deployment ring composition according to the various departments within that branch location.

Wrap up

With the threat of cyber-attacks seemingly increasing each and every year, businesses need to be highly proactive about their security. They need to put in place measures that help to improve security and minimize vulnerabilities. Microsoft is looking to help businesses do that with the Windows Autopatch service. It is a highly efficient tool that streamlines the management of software updates and patches.

Autopatch leverages groups to enable businesses to get the maximum benefits from the service. This is also while taking into account the unique needs of the business. Therefore, what you ultimately get is a solution that can cut the security gap. And one that optimizes your IT resources in a way that improves productivity.

Windows Autopatch: Guide to Setup and Configuration

Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.

But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.

Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.

What is Windows Autopatch?

Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:

“Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”

One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.

So, even though Microsoft provides regular updates for its products and services, the task can sometimes be challenging and very time-consuming. Therefore, with a solution like Autopatch, IT admins can save a lot of time on the update process. That time can instead go toward improving the overall security posture of the business.

I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.

The role of Autopatch services

From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.

To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality updates
  • Windows 10 and 11 feature updates
  • Windows 10 and 11 driver updates
  • Windows 10 and 11 firmware updates
  • Microsoft 365 Apps for enterprise updates

In addition to the above list, Windows Autopatch is also responsible for patching drivers and firmware that are published to Windows Update as Automatic. In terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company's devices, and the second one is responsible for 1% of these devices. The third and fourth rings contain 9% and 90% of the organization's devices respectively.

Setting up Windows Autopatch

The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.

PREREQUISITES

Area | Requirements
Licensing | Windows 10/11 Enterprise E3 (or higher), in addition to Azure Active Directory Premium and Microsoft Intune.
Connectivity | All Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.
Azure Active Directory | Azure AD must be the source of authority for all user accounts. Alternatively, user accounts can be synchronized from on-premises Active Directory using the latest supported version of Azure AD Connect to enable Hybrid Azure AD join.
Device management | All devices must be registered with Microsoft Intune, be connected to the internet, have a serial number, model, and manufacturer, and must be corporate-owned. Furthermore, the target devices need Intune set as the Mobile Device Management (MDM) authority, or co-management must be turned on.

NETWORK CONFIGURATION

  • Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through your firewall or proxy.
  • Proxy requirements – the proxy should support TLS 1.2; if it does not, you may need to disable protocol detection.
  • Required URLs:
      • mmdcustomer.microsoft.com
      • mmdls.microsoft.com
      • logcollection.mmd.microsoft.com
      • support.mmd.microsoft.com
  • Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.
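As an added example (not from the original page and not a Microsoft tool), the following PowerShell checks the four required endpoints listed above from a device on the corporate network: it opens a TCP connection to port 443, forces a TLS 1.2 handshake, and reports the negotiated protocol and certificate issuer, so a proxy that blocks TLS 1.2 or re-signs the traffic with its own CA shows up before enrollment. The hostnames are the ones on this page; the port, timeout, and function name are this example's own choices.

```powershell
# Required Windows Autopatch endpoints, as listed above.
$RequiredHosts = @(
    'mmdcustomer.microsoft.com'
    'mmdls.microsoft.com'
    'logcollection.mmd.microsoft.com'
    'support.mmd.microsoft.com'
)

function Test-AutopatchEndpoint {
    # Connects to HostName:Port and insists on TLS 1.2 for the handshake. The
    # Issuer column shows who signed the certificate the client actually saw, so a
    # TLS-inspecting proxy re-signing the session with a corporate CA is visible.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; TcpReachable = $false; Tls12 = $false
        Protocol = $null; Issuer = $null; Error = $null
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Bounded connect so a dropped packet at the firewall does not hang the run.
        $connect = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out after $TimeoutMs ms"
        }
        $tcp.EndConnect($connect)
        $result.TcpReachable = $true

        # Normal certificate validation stays on: an untrusted proxy CA fails here.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient(
            $HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $result.Tls12    = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls12)
        $result.Protocol = $ssl.SslProtocol.ToString()
        $result.Issuer   = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        # Connection refused, timeout, or handshake/validation failure.
        $result.Error = $_.Exception.Message
    } finally {
        $tcp.Dispose()
    }
    return [pscustomobject]$result
}

$RequiredHosts | ForEach-Object { Test-AutopatchEndpoint -HostName $_ } | Format-Table -AutoSize
```

Because it opens a raw TCP connection, this tests the direct or transparent-proxy path; an explicit proxy configured in WinHTTP or the browser is not used, so run it from a managed device on the same network segment the clients will use.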

TENANT ENROLLMENT

The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.

With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.

If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:

  • Consent workflow to manage your tenant.
  • Provide Windows Autopatch with IT admin contacts.
  • Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.

Your tenant will be successfully enrolled upon completion of these actions. Afterwards, you can delete the data collected by the readiness assessment tool if you want. To do so:

  • Head over to the Microsoft Intune admin center.
  • Go to Windows Autopatch > Tenant enrollment.
  • Select Delete all data.

ADD AND VERIFY ADMIN CONTACTS

After you have finished enrolling your tenant, you can move on to adding and verifying admin contacts. Windows Autopatch has several ways of communicating with customers, and you are required to submit a set of admin contacts when onboarding. Each specific area of focus should have an admin contact. This ensures that the Windows Autopatch Service Engineering Team has a contact to assist with a support request. These areas of focus are given below.

Area of focus | Description
Devices | Device registration; device health
Updates | Windows quality updates; Windows feature updates; Microsoft 365 Apps for enterprise updates; Microsoft Edge updates; Microsoft Teams updates

To add the admin contacts, follow these steps:

  • Sign in to the Intune admin center.
  • Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
  • Select Add.
  • Now, provide all the necessary contact details: name, email address, phone number, and preferred language.
  • Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
  • Click Save and then repeat the steps for each area of focus.

DEVICE REGISTRATION

Windows Autopatch groups device registration

Autopatch groups start the device registration process for devices that aren't yet registered, using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group. Windows Autopatch supports two Azure AD nested group scenarios, namely Azure AD groups synced from:

  • On-premises Active Directory groups (Windows Server AD)
  • Configuration Manager collections

Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant

For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.

So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.

About the Registered, Not ready, and Not registered tabs

Device blade tab | Purpose | Expected device readiness status
Registered | Shows devices that have successfully registered with Windows Autopatch | Active
Not ready | Shows successfully registered devices that aren't yet ready to have one or more software update workloads managed by the Windows Autopatch service | Readiness failed and/or Inactive
Not registered | Shows devices that have not passed the prerequisite checks and thus require remediation | Prerequisites failed

Device readiness statuses

Readiness status | Description | Device blade tab
Active | Devices that have passed all prerequisite checks, registered with Windows Autopatch, and passed all post-device registration readiness checks | Registered
Readiness failed | Devices that haven't passed one or more post-device registration readiness checks and aren't ready to have one or more software update workloads managed by Windows Autopatch | Not ready
Inactive | Devices that haven't communicated with Microsoft Intune in the last 28 days | Not ready
Prerequisites failed | Devices that haven't passed one or more prerequisite checks and have failed to register with Windows Autopatch | Not registered

Built-in roles required for device registration

Roles are permissions granted to dedicated users, and there are two built-in roles you can use to register devices in Autopatch:

  • Azure AD Global Administrator
  • Intune Service Administrator

Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:

Azure AD group name | Discover devices | Modify columns | Refresh device list | Export to .CSV
Modern Workplace Roles – Service Administrator | Yes | Yes | Yes | Yes
Modern Workplace Roles – Service Reader | No | Yes | Yes | Yes

Details about the device registration process

The process of registering your devices with Windows Autopatch will accomplish a couple of things:

  • Creation of a record of devices in the service.
  • Device assignment to the two deployment ring sets and other groups required for software update management.

Windows Autopatch on Windows 365 Enterprise Workloads

As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:

  • Head over to the Intune admin center and select Devices.
  • Next, go to Provisioning > Windows 365 and select Provisioning policies > Create policy.
  • Type in the policy name, select Join Type, and then select Next.
  • Pick your desired image and select Next.
  • Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
  • Assign the ideal policy, select Next, and then select Create.
  • Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.

Windows Autopatch on Azure Virtual Desktop workloads

Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.

One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.

It is worth noting, however, that any Azure Virtual Desktop-specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch on AVD are essentially the same as those for Windows Autopatch in general and for AVD itself.

The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.

Deploy Autopatch on Azure Virtual Desktop

Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. This dynamic device group targets the name prefix defined for your session hosts while excluding any multi-session session hosts, which the service does not support.
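The nesting described above, as an added example using the Microsoft Graph PowerShell SDK (not code from the article or from Microsoft). It assumes session hosts are named with the prefix "AVD-", that the Autopatch device registration group in the tenant has the display name shown, and that the caller holds the Group.ReadWrite.All scope; the OS-type value used to exclude multi-session hosts should be checked against what Entra ID reports for your own hosts.

```powershell
# Added example: create the dynamic device group for AVD personal session hosts
# and nest it in the Autopatch device registration group. Names are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Match session hosts by name prefix, but exclude Windows multi-session hosts,
# which Autopatch does not manage. Verify the deviceOSType value with
# Get-MgDevice against one of your multi-session hosts before relying on it.
$rule = '(device.displayName -startsWith "AVD-") and (device.deviceOSType -ne "Windows Multi-Session")'

$groupParams = @{
    DisplayName                   = 'Autopatch-AVD-PersonalHosts'          # placeholder
    Description                   = 'AVD personal session hosts managed by Windows Autopatch'
    MailEnabled                   = $false
    MailNickname                  = 'autopatch-avd-personalhosts'
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$dynamicGroup = New-MgGroup @groupParams

# Nest the dynamic group inside the device registration group that Autopatch
# uses; the display name below is assumed, replace it with your tenant's.
$registrationGroup = Get-MgGroup -Filter "displayName eq 'Windows Autopatch Device Registration'"
New-MgGroupMemberByRef -GroupId $registrationGroup.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($dynamicGroup.Id)"
}

# Confirm the rule was accepted and is being evaluated (processing state 'On').
Get-MgGroup -GroupId $dynamicGroup.Id -Property 'displayName,membershipRule,membershipRuleProcessingState' |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Dynamic membership is evaluated asynchronously, so new session hosts can take some minutes to appear in the group and therefore in Autopatch.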

Client support

Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.

Device management lifecycle scenarios

Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:

  • Device refresh – devices that were previously registered in Autopatch and require reimaging must be reimaged using one of the device provisioning processes available in Microsoft Intune. These devices are then rejoined to Azure AD (Hybrid or Azure AD only) and re-enrolled into Intune. Because the Azure AD device ID record of the device is not altered, neither you nor Windows Autopatch need to perform any additional actions.
  • Device repair and hardware replacement – when devices are repaired by replacing certain hardware, you will need to re-register them with Autopatch afterwards. This applies to repairs that replace parts such as the motherboard, non-removable network interface cards (NICs), or hard drives. Re-registration is necessary because replacing those parts generates a new hardware ID, which is derived from:
      • SMBIOS UUID (motherboard)
      • MAC address (non-removable NICs)
      • OS hard drive’s serial, model, and manufacturer information

So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.

UPDATE MANAGEMENT

Software update workloads

Software update workload | Description
Windows quality update | On the second Tuesday of every month, Autopatch deploys the monthly security update releases. Autopatch also uses mobile device management (MDM) policies to gradually release updates to devices; these policies are deployed to each update deployment ring to control the rollout. Requires four deployment rings to manage these updates.
Windows feature update | In this instance, you inform Autopatch when you are ready to upgrade to the new Windows OS version. The feature update release management process is designed to make keeping your Windows devices up to date easier and more affordable, lessening your burden so you can dedicate more time to more productive tasks. Requires four deployment rings to manage these updates.
Anti-virus definition | Updated with each scan.
Microsoft 365 Apps for Enterprise | See Microsoft 365 Apps for Enterprise.
Microsoft Edge | See Microsoft Edge.
Microsoft Teams | See Microsoft Teams.

Autopatch groups

Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.

Reports

If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.

Policy health and remediation

To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. These Windows Update policies must remain healthy at all times for your devices to stay up to date and receive Windows updates. Microsoft continuously monitors the health of the policies, raises alerts, and provides remediation actions.

Wrap up

The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.

Ensuring that update and patch deployments occur in a timely fashion significantly reduces the risk of attacks against your business, and this is precisely what Autopatch is ready to help you do.

It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.

Understanding the Requirements of Windows Autopatch

Most IT pros are fully aware of how challenging it can be to manage the update process for all the devices in their organization. It can be an incredibly complex and time-consuming task that takes away time from engaging your efforts in work that could be considered more productive for the business.

Fortunately, Microsoft knows about this challenge and offers you Windows Autopatch to help businesses with this process. With this service, your organization will get a product that can help you to “streamline updating operations and create new opportunities for IT pros.” By enabling organizations to automate tasks such as these, Windows Autopatch will help you to minimize the security and performance issues that can sometimes be encountered because of inefficient update processes.

What is Windows Autopatch?

In case you may not as yet be familiar with Windows Autopatch, let me start by going over a few things your teams should know. Released in 2022, Autopatch is a cloud-based service that is designed to automatically manage the updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.

As I’m sure you can imagine, a service like this can vastly improve the efficiency of your IT operations. Not only that but this will tighten your organization’s security, it will improve productivity, and it will enhance device management among other things.

Consequences of Poor Update Processes

Research done by Google has shown that 66% of users don’t automatically or immediately apply updates. And most of us can relate to the reasons given such as not wanting the unwelcome interruption, not seeing the need, worrying about the time it could take, and so on.

Unfortunately, though the consequences of not applying updates may not be immediate, they can eventually be very damaging. It’s important to know that updates are critical for device performance and security. Malicious actors are constantly searching for vulnerabilities in your network, and occasionally they find them. So, if security patches are made available and you ignore them, your business is left exposed to all manner of cyber attacks.

In addition to that, hackers can potentially access organizational data and infect your network with malware. Not so long ago, in 2017, Equifax was the victim of a brutal cyber attack that exposed the personal information of close to 150 million people. This kind of attack would be very damaging to any organization, and, as we saw in this case, it cost the company over half a billion dollars in settlement. Clearly, this kind of situation needs to be avoided whenever possible. Furthermore, security concerns are not the only thing to worry about when neglecting updates. It can also result in your organization using poorly performing devices and not having access to the best and latest features. Obviously, this can cost you significantly, especially if other businesses are gaining an advantage over you.

Before You Get Started

Just like any other service you would want to use, Windows Autopatch has some requirements you would need to meet before you can get started. There are several areas that you will have to consider if you want to deploy Autopatch.

Licensing

The most obvious starting point is going to be the licensing requirements for Autopatch. You’re going to need to assign Windows 10/11 Enterprise E3 (or higher) to all the users who will require the service. Fortunately, users that already have Windows 10/11 Enterprise E3 or higher (user-based only) get Windows Autopatch with their licenses. The service plan SKUs that are eligible for Autopatch are given in the table below:

License | ID
Microsoft 365 E3 | SPE_E3
Microsoft 365 E3 (500 seats minimum)_HUB | Microsoft_365_E3
Microsoft 365 E3 – Unattended License | SPE_E3_RPA1
Microsoft 365 E5 | SPE_E5
Microsoft 365 E5 (500 seats minimum)_HUB | Microsoft_365_E5
Microsoft 365 E5 with calling minutes | SPE_E5_CALLINGMINUTES
Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF
Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB | Microsoft_365_E5_without_Audio_Conferencing
TEST – Microsoft 365 E3 | SPE_E3_TEST
TEST – Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF_TEST
Windows 10/11 Enterprise E3 | WIN10_VDA_E3
Windows 10/11 Enterprise E5 | WIN10_VDA_E5
Windows 10/11 Enterprise VDA | E3_VDA_only
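A way to check the licensing requirement before enrolment, as an added example (not code from the article or from Microsoft): it reports which intended Autopatch users hold none of the eligible SKU IDs from the table above, using the Microsoft Graph PowerShell SDK. The group name is a placeholder, and the scopes listed are assumed to be what the cmdlets need for read access.

```powershell
# Added example: flag users who lack an Autopatch-eligible service plan.
# The SKU IDs are the ones from the licensing table above.
$EligibleSkus = @(
    'SPE_E3', 'Microsoft_365_E3', 'SPE_E3_RPA1',
    'SPE_E5', 'Microsoft_365_E5', 'SPE_E5_CALLINGMINUTES',
    'SPE_E5_NOPSTNCONF', 'Microsoft_365_E5_without_Audio_Conferencing',
    'SPE_E3_TEST', 'SPE_E5_NOPSTNCONF_TEST',
    'WIN10_VDA_E3', 'WIN10_VDA_E5', 'E3_VDA_only'
)

function Get-AutopatchLicenseStatus {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [string[]]$Eligible = $EligibleSkus
    )
    foreach ($upn in $UserPrincipalName) {
        # SkuPartNumber is the string ID shown in the table (e.g. SPE_E3).
        $assigned = @((Get-MgUserLicenseDetail -UserId $upn).SkuPartNumber)
        $matched  = @($assigned | Where-Object { $Eligible -contains $_ })
        [pscustomobject]@{
            User         = $upn
            AssignedSkus = $assigned -join ', '
            EligibleSkus = $matched -join ', '
            Eligible     = $matched.Count -gt 0
        }
    }
}

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All'

# Evaluate the members of the group you plan to bring into Autopatch
# ('Autopatch-Pilot-Users' is a placeholder name).
$group   = Get-MgGroup -Filter "displayName eq 'Autopatch-Pilot-Users'"
$members = Get-MgGroupMember -GroupId $group.Id -All
# Nested groups have no UPN, so drop empty values.
$upns    = $members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Where-Object { $_ }

$status = Get-AutopatchLicenseStatus -UserPrincipalName $upns
$status | Where-Object { -not $_.Eligible } | Format-Table User, AssignedSkus -AutoSize
```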

You’ll also find there are a few Windows 10/11 editions and build versions that are eligible for registration with Windows Autopatch. These are as follows:

  • Windows 10 (1809+)/11 Pro
  • Windows 10 (1809+)/11 Enterprise
  • Windows 10 (1809+)/11 Pro for Workstations

In addition to the licensing requirements given above, these users will also need to have Azure Active Directory Premium and Microsoft Intune.

Network configuration

The next area to review is the connectivity that will be needed from the corporate network to multiple Microsoft service endpoints. Because Autopatch is a cloud service, there is a set of endpoints that Autopatch devices must be able to reach for the service’s different elements to work properly.

You can optimize this traffic by configuring your firewalls or proxies to send all trusted Microsoft 365 network requests directly, bypassing authentication and any additional packet-level inspection or processing.

As a result, you can expect to directly benefit from less latency and reduced perimeter capacity requirements. The required proxy or firewall will need to support TLS 1.2. If it doesn’t, you might need to disable protocol detection.

REQUIRED WINDOWS AUTOPATCH ENDPOINTS FOR PROXY AND FIREWALL RULES

The allowed list for your proxy and firewall needs to contain certain URLs if Autopatch devices are to be able to communicate with Microsoft services. The Windows Autopatch URLs are used for everything the service runs through its client APIs, so it’s important to verify that they remain consistently reachable from your corporate network. The URLs required on the allowed list are given below:

  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com
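A connectivity check for the four endpoints above, as an added example (not code from the article or from Microsoft): run from a managed device, it confirms that each host is reachable through the system-configured proxy and that a TLS 1.2 session is negotiated, which is the protocol requirement stated above. It targets Windows PowerShell 5.1, where TLS 1.2 must be enabled explicitly for the session.

```powershell
# Added example: verify the Autopatch endpoints are reachable and TLS 1.2 works.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$AutopatchEndpoints = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

function Test-AutopatchEndpoint {
    param([Parameter(Mandatory)][string]$HostName)

    $result = [ordered]@{ Endpoint = $HostName; Reachable = $false; Detail = '' }
    try {
        # Any HTTP status, even 403 or 404, shows that DNS resolved, the proxy or
        # firewall let the connection through, and the TLS handshake completed.
        $response = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -TimeoutSec 15
        $result.Reachable = $true
        $result.Detail = "HTTP $($response.StatusCode)"
    }
    catch {
        if ($_.Exception.Response) {
            # Non-2xx status still means the transport path is fine.
            $result.Reachable = $true
            $result.Detail = "HTTP $([int]$_.Exception.Response.StatusCode)"
        }
        else {
            # No response at all: name resolution, a blocked port, a proxy denial,
            # or a failed TLS handshake. The exception message says which.
            $result.Detail = $_.Exception.Message
        }
    }
    [pscustomobject]$result
}

$results = foreach ($endpoint in $AutopatchEndpoints) { Test-AutopatchEndpoint -HostName $endpoint }
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning "Allow these hosts on the proxy/firewall before registering devices: $($blocked.Endpoint -join ', ')"
}
```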

REQUIRED MICROSOFT PRODUCT ENDPOINTS

The allowed list will also need to contain certain URLs from several Microsoft products if Autopatch devices are to be able to communicate with these Microsoft services. The table below shows the Microsoft services as well as the corresponding URLs.

Microsoft service | URLs required on allowlist
Windows 10/11 Enterprise, including Windows Update for Business | Manage connection endpoints for Windows 10 Enterprise, version 1909; Manage connection endpoints for Windows 10 Enterprise, version 2004; Connection endpoints for Windows 10 Enterprise, version 20H2; Manage connection endpoints for Windows 10 Enterprise, version 21H1; Manage connection endpoints for Windows 10 Enterprise, version 21H2; Manage connection endpoints for Windows 11 Enterprise
Microsoft 365 | Microsoft 365 URL and IP address ranges; Hybrid identity required ports and protocols
Azure Active Directory | Active Directory and Active Directory Domain Services Port Requirements
Microsoft Intune | Intune network configuration requirements; Network endpoints for Microsoft Intune
Microsoft Edge | Allowlist for Microsoft Edge Endpoints
Microsoft Teams | Office 365 URLs and IP address ranges
Windows Update for Business (WUfB) | Windows Update for Business firewall and proxy requirements

DELIVERY OPTIMIZATION

One of the recommendations made by Windows Autopatch during your enrollment into the Autopatch service is that you configure and validate Delivery Optimization. Doing so will provide access to a P2P distribution technology that is offered in Windows 10 and Windows 11.

And the key advantage of this is that you get a service that enables devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Another core benefit of using this technology is that it can also reduce network bandwidth since portions of the update will already be available to the device from another device sharing the same local network. So, there won’t be an additional need to perform a complete update download from Microsoft.
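The validation step mentioned above, as an added example (not code from the article or from Microsoft): run on a client after a few updates have been delivered, it reports how much update content came from peers versus directly from Microsoft, using the Delivery Optimization cmdlets built into Windows 10 and 11.

```powershell
# Added example: summarise Delivery Optimization's peer usage on this device.
function Get-DeliveryOptimizationSummary {
    $jobs = @(Get-DeliveryOptimizationStatus)
    $snap = Get-DeliveryOptimizationPerfSnap

    $fromPeers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromHttp  = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total     = [double]$fromPeers + [double]$fromHttp

    [pscustomobject]@{
        Files          = $jobs.Count
        BytesFromPeers = $fromPeers
        BytesFromHttp  = $fromHttp
        # Share of bytes that never had to be fetched from Microsoft again.
        PeerPercent    = if ($total -gt 0) { [math]::Round(100 * $fromPeers / $total, 1) } else { 0 }
        # The effective mode and where it came from (policy, MDM, default).
        # LAN or Group modes are what local peer sharing needs; an HTTP-only
        # or bypass mode means no peering is taking place at all.
        DownloadMode   = $snap.DownloadMode
        DownloadModeSrc = $snap.DownloadModeSrc
    }
}

Get-DeliveryOptimizationSummary | Format-List
```

A PeerPercent stuck at zero across many devices on the same subnet usually points to the download mode policy or to peer discovery being blocked on the local network, not to Autopatch itself.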

Azure Active Directory

Azure Active Directory should ideally be the source of authority for all user accounts. If it is not, you will need to ensure that all user accounts are synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect, so that Hybrid Azure Active Directory join can be enabled.

Azure AD Connect is a Microsoft service that your organization receives as part of your Azure subscription. This tool helps you manage the synchronization of identity data between your on-premises Active Directory environment and Azure AD. So, users will benefit from the convenience of being able to use the same credentials to access on-premises applications and cloud services.

Hybrid Azure AD join, in its simplest terms, means having a device that is available in both the on-premises Active Directory and the Azure AD environments. Therefore, this tool can simplify device management because of how a ‘hybrid-joined’ device is visible on both platforms.

Before registration with Windows Autopatch can proceed, all the concerned devices will need to be enrolled with Intune. Furthermore, Intune should be set as the Mobile Device Management authority. Alternatively, you’ll need to ensure that co-management is turned on and enabled on the target devices. In that case, you must set the Windows Update, Device configuration, and Office Click-to-Run apps workloads to Pilot Intune or Intune, and verify that the devices you want to bring to Windows Autopatch are in the targeted device collection.

Device Management

The device management requirements for Windows Autopatch are given below:

  • All devices that you are going to use will need to be corporate-owned. This is because Windows bring-your-own-devices (BYOD) are not eligible and will therefore not pass the device registration prerequisite checks.
  • Devices must be managed by Intune, or co-managed by Configuration Manager and Intune. Any devices that are only under Configuration Manager management will not be eligible.
  • Registration with Windows Autopatch is only possible if a device has been in communication with Microsoft Intune in the last 28 days.
  • It goes without saying that internet connectivity is required for the devices.
  • Lastly, devices need to have a serial number, model, and manufacturer. Therefore, any device emulators that don’t provide this information will not pass the Intune or Cloud-attached prerequisite check.
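A pre-flight check for the device requirements just listed, together with the Windows 10 1809 minimum given under Licensing, as an added example (not code from the article or from Microsoft). It reads Intune’s device inventory through the Microsoft Graph PowerShell SDK; build 17763 is Windows 10 version 1809, and the scope named is assumed to be what the cmdlet needs for read access.

```powershell
# Added example: report Windows devices that would fail Autopatch registration checks.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$MinimumBuild  = 17763                       # Windows 10, version 1809
$CheckInWindow = (Get-Date).AddDays(-28)     # last Intune check-in must be newer

function Test-AutopatchDevicePrerequisites {
    param([Parameter(Mandatory)]$Device)

    $failures = New-Object System.Collections.Generic.List[string]

    # Corporate-owned only; BYOD devices fail the registration prerequisite checks.
    if ($Device.ManagedDeviceOwnerType -ne 'company') { $failures.Add('not corporate-owned') }

    # Must have communicated with Intune within the last 28 days.
    if (-not $Device.LastSyncDateTime -or $Device.LastSyncDateTime -lt $CheckInWindow) {
        $failures.Add('no Intune check-in within 28 days')
    }

    # Emulators (and some VMs) report no serial, model or manufacturer and are rejected.
    foreach ($field in 'SerialNumber', 'Model', 'Manufacturer') {
        if ([string]::IsNullOrWhiteSpace($Device.$field)) { $failures.Add("missing $field") }
    }

    # Below the minimum OS the device registers but is first offered an upgrade
    # rather than being managed for quality updates straight away.
    $parsed = $null
    if (-not [version]::TryParse([string]$Device.OsVersion, [ref]$parsed) -or $parsed.Build -lt $MinimumBuild) {
        $failures.Add("OS version $($Device.OsVersion) is below 1809")
    }

    [pscustomobject]@{
        DeviceName = $Device.DeviceName
        Ownership  = $Device.ManagedDeviceOwnerType
        LastSync   = $Device.LastSyncDateTime
        OsVersion  = $Device.OsVersion
        Ready      = $failures.Count -eq 0
        Failures   = $failures -join '; '
    }
}

$windowsDevices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'"
$report = foreach ($d in $windowsDevices) { Test-AutopatchDevicePrerequisites -Device $d }
$report | Where-Object { -not $_.Ready } | Format-Table DeviceName, Failures -AutoSize
```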

A few things to note

Based on the aforementioned requirements, there are a few other things that we should be aware of. One of these issues involves the registration of devices that don’t meet the minimum Windows OS required.

Although these devices can be registered with Windows Autopatch, after that process is complete they will be offered the minimum Windows OS version. You’ll need to make the necessary changes concerning the minimum Windows OS version. From there, you’ll receive monthly security updates that maintain the health and security of your devices.

Furthermore, Windows Autopatch allows you to register Windows 10 Long-Term Servicing Channel (LTSC) devices that are currently being serviced by the Windows LTSC. However, for devices serviced by the LTSC, only the Windows quality updates workload can be managed by the service.

So, any devices that are part of the LTSC are not eligible for Windows feature updates from both the Windows Autopatch and Windows Update for Business services. In the case of Windows devices that are part of the LTSC, you’ll need to use either the Configuration Manager Operating System Deployment capabilities or LTSC media to carry out an in-place upgrade.

Configuration Manager Co-management Requirements

We’ve already gone through some of the information concerning co-management and Windows Autopatch. Since co-management is fully supported, you need to know what the requirements are:

Switch Configuration Manager Workloads to Intune

Among the additional requirements for devices managed by Configuration Manager is the need to switch Configuration Manager workloads to Intune. This is something that can present a significant issue for a lot of people. Fortunately, however, you’ll still be able to switch workloads back to Configuration Manager if you later decide that’s what you want.

Different pilot collections can be configured for each of the co-management workloads. The benefit of using separate pilot collections is the ability to take a more granular approach when shifting workloads. Workloads can be switched at your convenience: you can do so as soon as you enable co-management, or you can postpone it until a later time. If you haven’t yet enabled co-management, that’s what you’ll need to do first. Once done, you can proceed to modify the settings in the co-management properties.

Modify

  1. Head over to the Configuration Manager console and go to the Administration workspace. Next, you need to expand Cloud Services and then select the Cloud Attach node. If the version is 2103 or earlier, then select the Co-management node.
  2. Select the co-management object, and then choose Properties in the ribbon.
  3. Next, you need to switch to the Workloads tab. Take note that all workloads are by default set to the Configuration Manager setting. So, to switch a workload you must move the slider control for that workload to the desired setting. If you keep the slider where it is then Configuration Manager will continue to manage the workload. Moving the slider to Pilot Intune should only be done if the devices are in the pilot collection. And if you want to change the Pilot collections, you can do so by going to the Staging tab of the co-management properties page. And then lastly, move the slider to Intune for all Windows devices enrolled in co-management.
  4. If necessary, you can now go to the Staging tab and change the Pilot collection for any of the workloads you want.

NOTE: Always verify that, for any workload you would like to switch, the corresponding workload in Intune has been configured and deployed. In addition, each workload should always be managed by exactly one of the available management tools for your devices. Furthermore, whenever you switch a co-management workload, the co-managed devices automatically synchronize the MDM policy from Intune.

Data and Privacy

The administration of enrolled devices requires Windows Autopatch to use data from various sources. These sources, which include Intune, Azure AD, and Windows 10/11, are going to provide a comprehensive view of the devices under Autopatch management. Below is a helpful table containing a list of the various data sources. Also outlined is the intended purpose of the information:

Data source | Purpose
Windows 10/11 Enterprise | Handles the management of the device setup experience, connections to other services, and operational support for IT pros.
Windows Update for Business | Leverages diagnostic data collected from Windows 10/11 Enterprise to provide additional information on Windows 10/11 updates.
Microsoft Intune | Handles device management and plays a key role in maintaining device security. It makes use of two endpoint management data sources: Microsoft Azure Active Directory (authentication and identification of all user accounts) and Microsoft Intune (distributing device configurations, device management, and application management).
Windows Autopatch | Data provided by the customer or generated by the service while the service runs.
Microsoft 365 Apps for Enterprise | Management of Microsoft 365 Apps.

Effective Service

Also, to effectively provide service to enterprise clients, Autopatch needs data from multiple Microsoft products and services. This data must be processed and copied from these services to Autopatch. This allows enrolled devices to be maintained and protected. The processor duties undertaken by Autopatch include maintaining security, confidentiality, and resilience. All this is done to ensure that Autopatch can offer clients high-level security in the handling of all personally identifiable data.

The vast amounts of data that Autopatch handles will be stored in Azure data centers depending on data residency. It’s also important to recognize that the data that is being accumulated is necessary for Autopatch to keep the service operational. If you decide to remove a device from Windows Autopatch, the data will be kept for no more than 30 days.

WINDOWS 10/11 DIAGNOSTIC DATA

To keep Windows secure, up to date, address any issues, and continuously make improvements, Autopatch leverages Windows 10/11 Enhanced diagnostic data. Within the enhanced diagnostic data setting, you’re going to find more comprehensive information concerning devices enrolled in Autopatch. Not only that but you also get detailed information about the devices’ health, capabilities, and settings.

So, when you select enhanced diagnostic data, data will be collected including the required diagnostic data. Because of how Autopatch only wants to process strictly necessary data, we can expect to see changes in the diagnostic data terminology in the future. The objective is to change the diagnostic level to Optional with Autopatch looking to implement the limited diagnostic policies to fine-tune the diagnostic data collection required for the service.

Not all system-level data from Windows 10/11 optional diagnostic data will be processed and stored by Windows Autopatch. It only caters to data obtained from enrolled devices such as application and device reliability, and performance information. Therefore, clients should know that their personal data such as chat and browser history, voice, text, or speech data will not be processed or stored by Autopatch.

Wrap up

All of us can benefit immensely from a service that can help us manage the update process a lot more efficiently. It can save us valuable time, minimize errors, and enable our businesses to be more productive. Microsoft has developed Windows Autopatch with all this and more in mind. Using this service is meant to help your IT staff by removing some of their burdens while simultaneously reducing the time taken by patching cycles. So, if you want a service that can add a lot of value to your business, then Autopatch is one that’s worth considering.

9 Things to Know About Windows Autopatch

The Microsoft ecosystem has a vast array of products and services that are integral to the operations of countless businesses across the globe. And it’s extremely important to ensure that your business can conduct affairs seamlessly without interruptions. 

This is why you cannot ignore the issue of updates. You need to make sure that everything is always up to date and in doing so you guarantee that your Microsoft services are running at optimum levels. 

But, keeping up with updates can be challenging at times and therefore, you can find some applications lacking the most recent updates. Fortunately, we now have Windows Autopatch to adequately deal with this task.

What is Windows Autopatch?

So, we’ll start by looking at what exactly Windows Autopatch is. This relatively new product is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. 

By automating the management and rollout of updates, this service will make life easier for admins, especially in larger organizations where admins can be responsible for large numbers of devices.

Although most would agree that the quality of Windows updates has improved in recent years, the updating process can still be rather challenging. Admins are still responsible for making sure that the process performs seamlessly and that new Windows patches are applied without issue. 

And when you consider the multitude of other tasks that admins need to manage, it’s easy to see how problems can arise. This is precisely why Windows Autopatch plays such a key role by automating this particular task and thus lightening the burden on admins.

Importance of updates

Another issue to look at is why updates are so important. Why does it seem as though some people are always going on about updates? With the increasing threat of cybercrime, updates are one of the best ways to protect your organization against attacks.

Nefarious actors are constantly looking for vulnerabilities in your system and if they find any it can be catastrophic for your business. Updates can address any existing bugs and vulnerabilities that may be in your system. By patching these security flaws, you can lower the risk of successful attacks against your system.

In addition, updates will also address bugs that affect performance. As technology continues to evolve, organizations will also be improving their products and services. So, updates allow you to get the latest and best features for your applications. This will give you a better overall user experience, and ultimately your business can run more efficiently. Furthermore, updates can help you get even better performance from your devices. We’ve all probably at one point or another had the frustrating experience of an application crashing.

It’s never a pleasant experience and can cost you some work progress. By updating your applications, you significantly reduce the chances of these occurrences. With that said, let’s take a look at some of the features that make Windows Autopatch such an amazing service.

Comparison to Windows Update

One of the first things that people may be wondering is how does Windows Autopatch differ from Windows Update for Business? With Windows Autopatch what organizations are getting is a service that eliminates the need for manually planning and operating the update process. The goal is to give you an automated update system that becomes the responsibility of Microsoft and in doing so frees up your IT team from this task. 

So, when we look at Windows Update for Business, we find one of the components that Windows Autopatch uses for updating devices. And both Autopatch and Windows Update for Business are part of Windows Enterprise E3.

Therefore, we’re not talking about differences but rather how Windows Update for Business is one of the components that Autopatch uses. On the other hand, you also have the option to use ConfigMgr by adding a cloud management gateway (CMG), if that is of interest.

In addition, you may also enable co-management after which you can migrate the Windows Updates workload to Intune so that you can take advantage of Windows Update for Business. Simply put, the greatest benefits of Windows Autopatch are not about which components get the job done, but rather the automation provided. Microsoft takes over responsibility for your updates in a manner that intends to offer greater convenience and satisfaction. 

Requirements

The next thing you’ll need to know is what the requirements are to be eligible for Autopatch. Below you’ll find the requirements that you need to meet before proceeding:

§  Licensing – to use Autopatch, you need your end-users to have Windows 10 and Windows 11 E3 or higher. There are also some additional licensing requirements such as Azure Active Directory Premium and Microsoft Intune.

§  Connectivity – as one would expect, you are going to need connectivity to Microsoft update services endpoints. There are several endpoints on this list but below are some of them: 

  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com 

§  Azure Active Directory – when it comes to the requirements for Azure AD, you get two options. The first option allows you to use Azure Active Directory as the source of authority for all user accounts. And then for the second option, you can synchronize your users from the on-premises Active Directory Domain Services by leveraging the Hybrid Azure AD Domain join.

§  Device management – your devices will need to be under Intune management and therefore, Intune should be the Mobile Device Management (MDM) authority. If not, then you need to opt for co-management. Furthermore, all the devices must be corporate-owned and not in a BYOD scenario. All devices should also have internet connectivity and will need to have been in contact with Microsoft Intune in the last 28 days. Minimally, you’ll also be required to ensure the configuration of the following in Microsoft Intune:

  • Windows Update
  • Device configuration
  • Office click-to-run apps workloads

What does Autopatch update?

Thus far, we know that Windows Autopatch intends to manage your updates for you. But you still need to know what exactly Autopatch will be responsible for. To make the task easier, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first, and if all goes well, then broader deployments can proceed as well.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality updates
  • Windows 10 and 11 features
  • Windows 10 and 11 drivers
  • Windows 10 and 11 firmware
  • Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings used, with the first one catering to a few of your company’s devices and the second one responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively. 

Enhancing business operations

One of the biggest things Autopatch offers businesses is that it reduces the need for complex update infrastructure, which lets organizations focus more on core business matters. Windows Autopatch helps you address the following challenges:

  • Close the security gap: keeping software current means security fixes are applied soon after release, which shrinks the window in which known, already-patched vulnerabilities can be exploited and so reduces the chance of a successful attack.
  • Close the productivity gap: getting the latest productivity features as soon as they are available means end-users can consistently work at their best.
  • Optimize your IT admin resources: because Autopatch takes over routine updates, your IT staff can spend more of their effort on tasks that improve your organization's operations.
  • Reduce on-premises infrastructure: your organization can invest less in on-premises infrastructure by moving to the cloud and adopting software-as-a-service solutions, and with updates delivered from the cloud the result is a leaner system.
  • Onboard new services: Windows Autopatch simplifies adding new services to your organization, so IT admins spend less time on onboarding.
  • Minimize end-user disruption: because updates move through the deployment rings in sequence and the service responds to reliability and compatibility signals, end-users experience far fewer update-related disruptions.

Ultimately, Windows Autopatch is a service that removes some of the burden from your IT team. By taking over the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge and Teams, it lets your IT staff focus on core business activities.

Enrollment process

The enrollment process begins in the Intune admin center: navigate to Tenant administration > Windows Autopatch > Tenant enrollment and tick the box. This launches the readiness tool, which verifies that all requirements are met before your tenant is enrolled.

If the checks fail, your status is displayed as Not Ready. Click View Details to see exactly which requirements you are missing. Once you have addressed them, click Run Checks and the verification runs again to confirm that the issues are resolved.

After addressing any problems, select Enroll. During this step Microsoft asks you to consent to specific access to your tenant.

Providing this consent is what allows Windows Autopatch to be set up, and it is also needed if the support team ever has to investigate a problem. In addition to giving consent, the setup process requires you to provide contact details for two administrators.

These details must be supplied, and the two admins must be separate individuals. Once this step is complete, Autopatch creates the policies, accounts, groups and profiles it needs, and Windows Autopatch is enabled for your tenant and ready to use. You still need to register the devices that you want Autopatch to manage.

Autopatch device registration

Device registration is how you place the devices you choose under Windows Autopatch management. It is a relatively simple process: you add the devices to the Windows Autopatch Device Registration group, which is an Azure AD group. There are two different pathways for registering devices.

Which path applies depends on the type of device. Windows 365 Cloud PCs have their own path, and all other Windows devices use another. For Windows 365 Cloud PCs, registration with Autopatch begins during Cloud PC provisioning, as soon as the provisioning policy is set up with Autopatch enabled.

All other Windows devices must first be added to the Windows Autopatch Device Registration Azure AD group; only then does registration with Autopatch begin.

Note: if anything happens to a device that causes a new Azure AD device ID to be generated (for example, re-imaging or re-joining the device), the device must be added to the Azure AD group again. Devices can be added to the group as direct members, through a bulk import of group members, or by nesting other Azure AD groups.
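
Because a re-imaged or re-joined device comes back with a new Azure AD device ID, the registration group tends to drift over time: the new object is missing and the old one lingers. The script below is an added example, not code from the original article or from Microsoft, that adds every corporate-owned Windows device in Intune to the group as a direct member and then reports members that no longer correspond to any current Intune device. It assumes the Microsoft.Graph PowerShell SDK and the group name given above; the pilot filter on $targets is an assumption you would narrow for a first run.

```powershell
# Added example (not from the original article): populate the Windows Autopatch
# Device Registration Azure AD group from Intune and flag stale members.
# Requires the Microsoft.Graph PowerShell SDK.

Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All'

$groupName = 'Windows Autopatch Device Registration'
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; enroll the tenant first." }

# Every Intune-managed device, and the subset we want under Autopatch
# (assumption: all corporate-owned Windows devices; narrow this for a pilot).
$allManaged = Get-MgDeviceManagementManagedDevice -All
$targets = $allManaged | Where-Object {
    $_.OperatingSystem -eq 'Windows' -and $_.ManagedDeviceOwnerType -eq 'company'
}

# Azure AD device objects indexed by directory object ID and by device ID.
# Intune records the *device ID*; group membership is keyed by the *object ID*.
$aadByObjectId = @{}; $aadByDeviceId = @{}
Get-MgDevice -All | ForEach-Object {
    $aadByObjectId[$_.Id] = $_
    if ($_.DeviceId) { $aadByDeviceId[$_.DeviceId] = $_ }
}

# Current direct members of the registration group (devices and any nested groups).
$members = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $members[$_.Id] = $true }

$added = 0
foreach ($d in $targets) {
    if (-not $d.AzureAdDeviceId) { continue }
    $aadDevice = $aadByDeviceId[$d.AzureAdDeviceId]
    if (-not $aadDevice) {
        Write-Warning "$($d.DeviceName): no Azure AD device object with deviceId $($d.AzureAdDeviceId)"
        continue
    }
    if ($members.ContainsKey($aadDevice.Id)) { continue }   # already a direct member
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $aadDevice.Id
    $added++
    Write-Host "Added $($d.DeviceName) ($($aadDevice.Id)) to '$groupName'"
}

# A member whose device ID belongs to no current Intune device is the old object
# of a device that was re-imaged or re-joined: its replacement was added above,
# and the stale object should be removed. Members that are not device objects
# (nested groups) are skipped.
$currentDeviceIds = @($allManaged.AzureAdDeviceId | Where-Object { $_ })
foreach ($objectId in $members.Keys) {
    $obj = $aadByObjectId[$objectId]
    if (-not $obj) { continue }
    if ($obj.DeviceId -notin $currentDeviceIds) {
        Write-Warning "Stale member: $($obj.DisplayName) (objectId $objectId, deviceId $($obj.DeviceId)) matches no Intune device"
    }
}
"Added $added device(s); the group now has $($members.Count + $added) direct member(s)."
```

The script deliberately reports stale members instead of removing them, because (as described later in the section on excluded devices) deregistering a device is a separate action from changing its group membership, and you will usually want to confirm the device really was re-provisioned before deleting its old object.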

Update management

Another point of interest is which management areas Windows Autopatch handles for you, and to what service level. The table below lists each:

Management area                   | Service level objective
----------------------------------|--------------------------------------------------------------------------------
Windows quality updates           | At least 95% of eligible devices receive the latest Windows quality update 21 days after its release.
Windows feature updates           | At least 99% of eligible devices remain on a supported version of Windows so that they keep receiving feature updates.
Microsoft 365 Apps for enterprise | At least 90% of eligible devices are kept on a supported version of the Monthly Enterprise Channel (MEC).
Microsoft Edge                    | All eligible devices are configured to use Microsoft Edge's progressive rollouts on the Stable channel.
Microsoft Teams                   | All eligible devices use the standard automatic update channel.

More to know

However, for a device to receive updates in a given management area it must meet that area's requirements; for example, it must be able to reach the network endpoints that Windows Update uses. To avoid unwanted disruptions, verify every device's eligibility for each kind of update.

Every device is also tagged as Healthy or Unhealthy for each management area, which is how the service tracks whether its service level objectives are being met. A Healthy device is one that meets the eligibility criteria for that management area; an Unhealthy device does not. Whenever Windows Autopatch falls below the service level objective for a management area, an incident is raised.
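
The Windows quality update objective (95% of eligible devices on the latest quality update 21 days after release) is easy to measure yourself from the OS version Intune reports, which lets you see a miss coming rather than waiting for the service to raise an incident. The function below is an added example, not code from the original article or from Microsoft. It assumes the per-build target UBR values (the last field of a version such as 10.0.22631.3447, which each monthly cumulative update raises) are supplied by you from that month's release notes; the device records in $sample are constructed data so the function runs offline, and in production you would feed it the DeviceName and OSVersion of Get-MgDeviceManagementManagedDevice output instead.

```powershell
# Added example (not from the original article): evaluate the Windows quality
# update SLO from OS version strings. Target UBRs and sample devices are
# placeholders; take real values from the release notes and from Intune.

function Get-QualityUpdateSlo {
    param(
        [Parameter(Mandatory)] [object[]]  $Devices,    # objects with DeviceName and OSVersion
        [Parameter(Mandatory)] [hashtable] $LatestUbr,  # build number -> minimum UBR, e.g. 22631 -> 3447
        [double] $SloPercent = 95.0                     # the article's quality update objective
    )
    $results = foreach ($d in $Devices) {
        # OSVersion looks like 10.0.22631.3296: the third field is the build
        # (the Windows 10/11 release line), the fourth the UBR set by quality updates.
        $parts = $d.OSVersion -split '\.'
        if ($parts.Count -lt 4) {
            Write-Warning "$($d.DeviceName): cannot parse OS version '$($d.OSVersion)'"
            continue
        }
        $build = [int]$parts[2]; $ubr = [int]$parts[3]
        if (-not $LatestUbr.ContainsKey($build)) {
            # Not a release line we track: it is a feature-update problem, not a
            # quality-update one, so it is excluded from this objective.
            $state = 'Unsupported'
        } elseif ($ubr -ge $LatestUbr[$build]) {
            $state = 'Healthy'
        } else {
            $state = 'Unhealthy'
        }
        [pscustomobject]@{ DeviceName = $d.DeviceName; Build = $build; UBR = $ubr; State = $state }
    }
    $eligible = @($results | Where-Object State -ne 'Unsupported')
    $healthy  = @($eligible | Where-Object State -eq 'Healthy')
    $pct = if ($eligible.Count) { [math]::Round(100.0 * $healthy.Count / $eligible.Count, 1) } else { 0 }
    [pscustomobject]@{
        Eligible = $eligible.Count
        Healthy  = $healthy.Count
        Percent  = $pct
        MeetsSlo = ($pct -ge $SloPercent)
        Devices  = $results
    }
}

# Constructed sample input (not real tenant data).
$sample = @(
    [pscustomobject]@{ DeviceName = 'PC-01'; OSVersion = '10.0.22631.3447' },
    [pscustomobject]@{ DeviceName = 'PC-02'; OSVersion = '10.0.22631.3296' },
    [pscustomobject]@{ DeviceName = 'PC-03'; OSVersion = '10.0.19045.4291' },
    [pscustomobject]@{ DeviceName = 'PC-04'; OSVersion = '10.0.19045.4046' },
    [pscustomobject]@{ DeviceName = 'PC-05'; OSVersion = '10.0.18363.2274' }   # old release line
)
# Placeholder targets: the UBR that this month's cumulative update sets for each
# supported build line. Replace with the real values from the release notes.
$latestUbr = @{ 22631 = 3447; 19045 = 4291 }

$slo = Get-QualityUpdateSlo -Devices $sample -LatestUbr $latestUbr
$slo.Devices | Format-Table -AutoSize
$verdict = if ($slo.MeetsSlo) { 'met' } else { 'MISSED, raise an incident' }
'{0} of {1} eligible devices healthy ({2}%): SLO {3}' -f $slo.Healthy, $slo.Eligible, $slo.Percent, $verdict
```

With the sample data, PC-05 is excluded as an unsupported release line and only two of the four eligible devices are on the target UBR, so the function reports 50% and a missed objective. Keying the targets by build matters: Windows 10 22H2 and Windows 11 23H2 receive different cumulative updates, so a single "latest version" string would misclassify one of the two lines.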

Admin responsibilities

With all the benefits that come with Windows Autopatch, IT staff still retain certain responsibilities. As good as the service may be, Microsoft does not intend it to remove all human involvement from the process. Before patches reach the bulk of your devices, IT should review them for compatibility and stability, so that problems that would disrupt your organization's operations are caught early.

Patches also need to be prioritized. Some address pressing security issues and are needed urgently; that does not make the other patches unimportant, but IT has to balance the two so that updates are applied in a way that neither leaves you exposed nor compromises operational efficiency.

Furthermore, the fact that Autopatch makes updating easier does not mean IT admins can fold their hands and forget about it. IT must keep an eye on the update process to confirm that everything proceeds as planned, and must be prepared to intervene promptly when unexpected issues arise.

Monitoring the process also lets admins periodically evaluate how well it is working, pinpoint areas of concern and improve them. Without that oversight, failed or stalled updates can leave security vulnerabilities open, which could prove very costly.

How to deregister a device

Occasionally you will need to deregister a device, ideally without disrupting the end-user. To that end, Windows Autopatch deletes only its own Windows Autopatch device record.

Deregistration does not delete the Microsoft Intune or Azure Active Directory device records, so the expectation is that you continue to manage those devices. Be aware, too, that removing a device from the Windows Autopatch Device Registration Azure AD group does not deregister it from the Autopatch service.

To deregister a device, you follow the steps given below:

  • Sign in to the Intune admin center.
  • In the navigation menu, select Windows Autopatch.
  • Select Devices.
  • On the Ready or Not ready tab, choose the device or devices you want to deregister.
  • Select Device actions, then select Deregister device.

Excluded devices

Once you deregister a device from the Autopatch service, it is flagged as excluded. This prevents Autopatch from re-registering the device automatically, which it would otherwise do because the deregistration command does not remove the device from the Windows Autopatch Device Registration Azure AD group.

To re-register a device that was previously deregistered, you must submit a support request to the Windows Autopatch Service Engineering Team asking that the excluded tag applied during deregistration be removed.

Wrap-Up

Organizations are constantly looking for services that improve how they operate, and that applies especially to IT staff, who are often overburdened with the tasks at hand. This is why Microsoft develops services like Windows Autopatch, which simplify patching while helping keep devices secure. It eases the load on IT admins by automating the management of software updates and patches.

Autopatch does not remove admins from the process; they retain overall control of their devices, which should ease any concerns about handing over device management. When all is said and done, Windows Autopatch can bring real efficiency and security to the patching process, but the decision to use it remains yours to make.