This is a complete guide to setting up and configuring Windows Autopatch, a new feature released by Microsoft under MEM (Microsoft Endpoint Manager) in public preview. I will go through the benefits of Windows Autopatch and the configuration it requires.
- What is Windows Autopatch
- Prerequisites for Windows Autopatch
- Setup and Configure Windows Autopatch
- Verify Autopatch deployment on client
- What exactly Windows Autopatch setup will do
- Creation of 4 deployment rings
- Creation of Feature update policy
- Creation of multiple Modern Workplace groups
- Creation of multiple Modern Workplace accounts
- Creation of Named locations
- Creation of Conditional Access policy
- Exclusion of Modern Workplace Service Accounts from existing CA policy
- Conclusion
What is Windows Autopatch
To simplify the complex process of installing updates in an environment, Microsoft has released this new feature. The purpose of Windows Autopatch is to implement best practice, in an automated way, for the end-to-end process of deploying patches. The service covers feature updates and Microsoft 365 Apps as well; driver updates and other Microsoft updates are also part of this process.
Windows Autopatch is a service with which devices must be registered. Once registered, the service takes control of the following management areas, with these objectives:
- Windows quality updates – Windows Autopatch aims for at least 95% of eligible devices to be patched within 21 days of release.
- Microsoft 365 Apps for enterprise – aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel.
- Microsoft Edge – progressive rollout of Microsoft Edge for eligible devices.
- Microsoft Teams – uses the standard automatic update channel.
Prerequisites for Windows Autopatch
Licensing requirements
The licensing requirements for Windows Autopatch are as follows:
- Microsoft 365 E3
- Microsoft 365 E5
- Windows 10/11 Enterprise E3
- Windows 10/11 Enterprise E5
- Windows 10/11 Enterprise VDA
Note: an Intune license (EMS + E3/E5) is not sufficient to use Windows Autopatch.
Operating System support
Windows Autopatch is supported for the following operating systems:
- Windows 10/11 Pro
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
SCCM Co-management workload requirements
If you are using Configuration Manager, cloud attach must be configured so that co-management works. The following workloads are required for the device:
- Windows Update
- Device Configuration
- Office Click-to-Run apps
Setup and Configure Windows Autopatch
A few configuration steps are required for Windows Autopatch to work. The first is enrolling the tenant.
Enroll the tenant in Windows Autopatch
To enroll your tenant in Windows Autopatch, log in to the MEM admin center and navigate to Tenant administration > Windows Autopatch (Preview) > Tenant enrollment. Click Run checks.

This runs the Readiness assessment tool, which checks the relevant settings and lists the steps required to fix them if your environment is not properly configured for Windows Autopatch.
The Readiness assessment tool does the following:
- Checks that no Windows Update ring is targeted to all users or all devices; existing update ring policies shouldn’t target any Windows Autopatch devices.
- Checks for an unlicensed admin: to avoid a ‘lack of permission’ error, it verifies that the appropriate license is assigned to the user performing the configuration.
- Verifies that Conditional Access policies and MFA requirements aren’t assigned to all users.
- Checks whether Security defaults are enabled in Azure Active Directory.
If the Readiness status shows “Not ready”, click View details.
This shows the Management settings with a Readiness status for each of several settings.
One of the important Readiness settings is Windows Autopatch promo, which requires you to set up the Windows Autopatch trial.

In the right pane you will see the promo URL; open it in a private browser window.
This initiates the account setup for the Windows Autopatch trial.

Log in with your account details.

Click Try now to start your “Windows Autopatch Trial”.

Once done, return to Management settings; you might see other advisories under Readiness.
An advisory is only a warning, but it is worth looking into to make sure you are configuring things correctly.
Advisory: Co-Management
As mentioned earlier, SCCM co-management with the following workloads is required:
- Device Configuration
- Windows Update policies
- Office 365 Client Apps

Advisory: Conditional access
This advisory tells you that no Conditional Access policy should be targeted to all users. Even if you ignore it, the Windows Autopatch configuration takes care of this by excluding the group Modern Workplace Service Accounts from such policies. I will explain this group further below.

Advisory: Update rings for Windows 10 or later
Devices registered with Windows Autopatch shouldn’t be part of existing update rings.

Return to Home > Windows Autopatch (preview) > Tenant enrollment. Under Readiness status, click Enroll.

Under “Allow administrator access for Microsoft”, check the box and click Agree.
On the next page, provide a phone number, email, name and preferred language, then click Complete.

This triggers the Windows Autopatch setup, which performs the required configuration.

Once the Windows Autopatch setup is complete, click Continue to start registering devices.

Register Device with Autopatch
Under Home > Devices > Windows Autopatch (preview), click Devices.
This node was newly created by the successful Windows Autopatch setup. Devices now need to be registered with Windows Autopatch. Click Windows Autopatch Device Registration.

This takes you to the Groups > Windows Autopatch Device Registration group; click Add members.

Add a few devices to it.

Navigate back to Home > Windows Autopatch (preview) > Devices and you will see the devices. It may take up to 1 hour for a device to be listed. You can force discovery of new devices by clicking Discover devices.

These devices need to be assigned to the update rings created by the Windows Autopatch setup process. Click Device actions > Assign device group.

Select one of the 4 groups created by Windows Autopatch:
- Test
- First
- Fast
- Broad

Do the same for the other devices.

After a few minutes to a few hours, the Device name property is populated, along with other details such as Last sign in date and Enrollment date.

Verify Autopatch deployment on client
Log in to the workstation and wait for the sync to happen. Once it is done, you can see that the new Windows Update ring policies are applied. The device downloads and installs patches according to the update ring’s deferral, deadline and grace period settings. You will see a restart prompt generated with the grace period specified for the device’s deployment ring.
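As an added check (not part of the original post), the following PowerShell reads the Update policy values that an Intune update ring delivers to the device through the Update CSP and flags a device that has no ring applied, has quality updates paused, or has no restart grace period. It assumes the registry path and CSP node names below, and that it runs in an elevated session on an Intune-enrolled device.

```powershell
# Added example: summarize the Windows Update ring policy applied to this device.
# Assumption: MDM-delivered Update CSP policies land under this PolicyManager key.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Update CSP leaf names an update ring commonly sets (deferral, deadline, grace, pause).
$Nodes = @(
    'DeferQualityUpdatesPeriodInDays',
    'DeferFeatureUpdatesPeriodInDays',
    'ConfigureDeadlineForQualityUpdates',
    'ConfigureDeadlineForFeatureUpdates',
    'ConfigureDeadlineGracePeriod',
    'PauseQualityUpdates',
    'PauseFeatureUpdates'
)

function Get-AppliedUpdateRingPolicy {
    if (-not (Test-Path -Path $PolicyPath)) {
        # No MDM Update policy at all: the device has not synced a ring yet.
        return $null
    }
    $props  = Get-ItemProperty -Path $PolicyPath
    $result = [ordered]@{}
    foreach ($node in $Nodes) {
        # Missing values are reported explicitly rather than silently skipped.
        $result[$node] = if ($null -ne $props.$node) { $props.$node } else { '(not set)' }
    }
    return [pscustomobject]$result
}

$ring = Get-AppliedUpdateRingPolicy
if ($null -eq $ring) {
    Write-Warning "No MDM Update policy found at $PolicyPath; trigger a sync and re-run."
    return
}
$ring | Format-List

# Practical checks before trusting the ring assignment.
if ($ring.DeferQualityUpdatesPeriodInDays -eq '(not set)') {
    Write-Warning 'No quality update deferral is set; an update ring does not appear to be applied.'
}
if ($ring.PauseQualityUpdates -eq 1) {
    Write-Warning 'Quality updates are paused on this device; it will not receive the monthly patch.'
}
if ($ring.ConfigureDeadlineGracePeriod -eq '(not set)') {
    Write-Warning 'No restart grace period is set; users will not get the grace window described for the ring.'
}
```

Compare the reported values with the ring (Test, First, Fast or Broad) the device was assigned to in the admin center; a mismatch usually means the device has not synced since the assignment.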

What exactly Windows Autopatch setup will do
This is an important question: what exactly happened in our environment during the Windows Autopatch setup?
You might be wondering what you gain once Autopatch is configured, and what Autopatch did behind the scenes. We will discuss that here.
Creation of 4 deployment rings
Once Autopatch is configured, it creates 4 deployment rings (Windows Update rings):
- Test: Modern Workplace Update Policy [Test]-[Windows Autopatch]
- First: Modern Workplace Update Policy [First]-[Windows Autopatch]
- Fast: Modern Workplace Update Policy [Fast]-[Windows Autopatch]
- Broad: Modern Workplace Update Policy [Broad]-[Windows Autopatch]

These update rings are targeted to groups newly created by the Windows Autopatch setup process:
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
Creation of Feature update policy
Multiple feature update policies are created under Devices > Windows > Feature updates for Windows 10 and later (Preview):
- Modern Workplace DSS Policy [Broad]
- Modern Workplace DSS Policy [Fast]
- Modern Workplace DSS Policy [First]
- Modern Workplace DSS Policy [Test]
- Modern Workplace DSS Policy [Windows 11]

Each feature update policy targets the latest version of Windows 10 (at the time of publishing, Windows 10, version 21H2) and is assigned to the corresponding deployment group for each ring. The first 4 policies, which are meant for Windows 10, exclude the group “Modern Workplace – Windows 11 Pre-Release Test Devices”, as this group is used to target the Windows 11 feature update policy.
Creation of multiple Modern Workplace groups
This is the list of all groups created as part of the Windows Autopatch setup:
- Modern Workplace-All
- Modern Workplace Service Accounts
- Modern Workplace Devices-All
- Modern Workplace Service – Intune Reader MMD
- Modern Workplace Devices Dynamic – Windows 10
- Modern Workplace Devices Dynamic – Windows 11
- Modern Workplace Service – Intune Reader All
- Modern Workplace Roles – Service Administrator
- Modern Workplace Roles – Service Reader
- Modern Workplace Devices-Virtual Machine
- Modern Workplace Device Profiles – Windows Autopatch
- Modern Workplace Service – Intune Admin All
- Modern Workplace – Windows 11 Pre-Release Test Devices
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Broad
- Modern Workplace Devices-Windows Autopatch-Fast

Creation of multiple Modern Workplace accounts
The following 3 users are created:
- Modern Workplace Administrator Account: MSAdmin
- Modern Workplace Interactive Administrator Account: MSAdminInt
- Modern Workplace Test Account: MSTest

Creation of Named locations
Setup creates the Modern Workplace – Secure Workstation named location under Azure Active Directory > Conditional Access > Named locations.

Creation of Conditional Access policy
Setup also creates a Conditional Access policy named Modern Workplace – Secure Workstation, which blocks all cloud apps while excluding the group Modern Workplace – Secure Workstation.

Exclusion of Modern Workplace Service Accounts from existing CA policy
If you have an existing CA policy targeted to all users, setup modifies that policy to exclude the group named Modern Workplace Service Accounts, which consists of the Modern Workplace users and groups created as part of the Autopatch setup.
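Because setup silently edits your existing all-user Conditional Access policies, it is worth auditing what was excluded. The following Graph PowerShell script is an added example, not code from the original post: it lists every Conditional Access policy that targets all users and shows which groups are excluded, so you can confirm that the only exclusion Autopatch introduced is the Modern Workplace Service Accounts group. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read policies and groups.

```powershell
# Added example: audit all-user Conditional Access policies for Autopatch's exclusion.
# Assumption: Microsoft.Graph SDK is installed; Policy.Read.All and Group.Read.All are consented.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Group.Read.All'

# Group name taken from the post; setup is expected to exclude exactly this group.
$AutopatchServiceGroup = 'Modern Workplace Service Accounts'

function Resolve-GroupName {
    param([Parameter(Mandatory)][string]$GroupId)
    try {
        (Get-MgGroup -GroupId $GroupId -ErrorAction Stop).DisplayName
    } catch {
        "(unresolved group $GroupId)"   # deleted group or missing permission
    }
}

function Get-AllUserCaPolicyExclusions {
    # Only policies whose user scope is literally "All" matter for the readiness check.
    $policies = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' }

    foreach ($policy in $policies) {
        $excludedGroups = @($policy.Conditions.Users.ExcludeGroups | ForEach-Object { Resolve-GroupName $_ })
        [pscustomobject]@{
            Policy                   = $policy.DisplayName
            State                    = $policy.State
            ExcludedGroups           = ($excludedGroups -join '; ')
            ExcludedUserCount        = @($policy.Conditions.Users.ExcludeUsers).Count
            ExcludesAutopatchService = $excludedGroups -contains $AutopatchServiceGroup
        }
    }
}

$report = Get-AllUserCaPolicyExclusions
$report | Format-Table -AutoSize

# Flag all-user policies that setup has not modified, and keep every other exclusion
# visible so unexpected ones are reviewed rather than hidden behind the new group.
$report | Where-Object { -not $_.ExcludesAutopatchService } | ForEach-Object {
    Write-Warning "Policy '$($_.Policy)' targets all users but does not exclude '$AutopatchServiceGroup'."
}
```

Run it once before enrollment and once after, and diff the ExcludedGroups column; anything other than the Modern Workplace Service Accounts group appearing in the second run was not added by Autopatch.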

Conclusion
Windows Autopatch is a new initiative by Microsoft that eases the pressure on organizations by automating the whole process: it creates the update rings, groups and deployments for you. For a big organization with complicated infrastructure, I don’t see it as a successful way of deploying updates because of the many constraints. This approach suits organizations that want to configure update rings with the least effort, without focusing too much on other things.
Important Links
Windows Autopatch: Frequently Asked Questions | Tech Community (microsoft.com)
Get started with Windows Autopatch: public preview – Microsoft Tech Community
Prerequisites – Windows Deployment | Microsoft Docs
Windows Autopatch documentation – Windows Deployment | Microsoft Docs
Blog | Get current and stay current with Windows Autopatch | Tech Community (microsoft.com)