3/5/24, 8:26 AM How to Configure Windows Autopatch: A Step-by-Step Guide

How to Configure Windows Autopatch: A Step-by-Step Guide

BlogMicrosoft 365Post

Windows Autopatch is a new Microsoft service that organizations can use to automate the patching of Windows, Microsoft 365 apps for
Enterprise, Microsoft Edge, and Microsoft Teams. It aims to complete patching cycles within the least amount of time, whilst keeping downtime
to a minimum.
In this guide, we’ll show you how to configure Windows Autopatch in your organization. Before we go into the details about how the service
works, though, we’ll briefly cover why we patch, and what we patch.
Advertisement
What is Windows Autopatch?
There are three main reasons we patch Windows devices and apps that run on them:
1. Security: Fixing vulnerabilities and protecting the OS from evolving threats.
2. Quality: Fixing issues or bugs that impede the user experience.
3. Features: New capabilities that Microsoft adds to Windows over time.
These three reasons match nicely with the 2 types of updates that Microsoft provides: Quality & security udpates and Feature updates.
Quality & security updates are released each month, usually on the second Tuesday of the month.
Feature updates are released less regularly – roughly every 12 months.
As IT pros, we typically apply patches to the Windows operating system and Microsoft 365 Apps for Enterprise: This includes apps like Word,
Excel, PowerPoint, Microsoft Edge, and Microsoft Teams, as well as non-Microsoft apps that are installed on a device.
As Microsoft’s update services do not support patching of third-party apps, Windows Autopatch will only manage updates for the core
Windows operating system, Microsoft 365 Apps for Enterprise, Microsoft Edge, and Microsoft Teams.
Advertisement
The origins of Windows Autopatch
In November 2021, Microsoft announced the private preview of Microsoft Managed Desktop P1, a mini-version of the company’s complete IT
outsourcing service, Microsoft Managed Desktop. Throughout the preview, Microsoft dropped the Microsoft Managed Desktop branding and
marketed the solution as exactly what it was – a managed patching solution. This shift also brought the new moniker, Windows Autopatch.
While the branding changed, the underlying processes that powered Microsoft Managed Desktop P1 are still in place. This can be seen
through the similarities in the enrollment process for both Windows Autopatch and Microsoft Managed Desktop.
Differences between Windows Update for Business (WUfB) and Windows Autopatch
Windows Autopatch is a managed service that takes over the management of Intune update rings and update groups, and therefore Windows
Update for Business. It removes the need for IT admins to plan and operate the update process and workflow.
This new service leverages the native capability of Intune and Windows Update for Business, moving the burden of management and
orchestration from the organization to Microsoft itself.
Advertisement
Windows Autopatch licensing
Windows Autopatch requires:
Windows Enterprise E3 or greater (including A3 and A5).
Devices need to be managed by Intune or co-management.
Devices also need to be Azure AD joined or hybrid Azure AD joined.
Service-level objectives (SLOs)
Management area Service level objective
The service aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after
Windows quality updates
release.
The service aims to keep at least 99% of eligible devices on a supported version of Windows so that they can
Windows feature updates
continue receiving Windows feature updates.
Microsoft 365 Apps for The service aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise
enterprise Channel (MEC).
The service configures eligible devices to benefit from Microsoft Edge’s progressive rollouts on the Stable
Microsoft Edge
channel.
Microsoft Teams The service allows eligible devices to benefit from the standard automatic update channel.
Source: Microsoft Docs
How to configure Windows Autopatch
The first step to leveraging Windows Autopatch in your environment is to enroll your tenant into the service.
Enrolling your tenant for Windows Autopatch
This is a quick process that starts from within the Tenant administration blade of the Microsoft Endpoint Manager admin center:
1. From the Microsoft Endpoint Manager admin center, click on Tenant administration.
2. From the Tenant admin blade, scroll down to Windows Autopatch and click on Tenant enrollment.

Tenant enrollment
The Tenant enrollment blade will show detailed information about the service, giving links to prerequisites, documentation, and privacy
statements. At the bottom of the scrolling window, you’ll need to select the checkbox to enable the Agree button.

https://petri.com/windows-autopatch/ 1/5
3/5/24, 8:26 AM How to Configure Windows Autopatch: A Step-by-Step Guide

Tenant enrollment agreement

Once the Agree button is clicked, the enrollment process begins. Within a few moments, a notification appears to show the progress of the
“Management settings” checks.

Tenant enrollment – Management settings checks

The Management setting checks will complete within a few minutes, providing an overview of the settings that have been checked, as well as
their ‘Readiness’ state.

Tenant enrollment – Management settings readiness

Finally, since all checks are complete and only ‘Advisory’ and ‘Ready’ items are shown, we are ready to start our enrollment process.

https://petri.com/windows-autopatch/ 2/5
3/5/24, 8:26 AM How to Configure Windows Autopatch: A Step-by-Step Guide

Tenant enrollment – Enroll

Upon clicking Enroll, we are presented with a set of permissions that Microsoft must be granted in order to manage Windows updates on
behalf of your organization. If you’re comfortable with the requested permissions, simply click the checkbox and choose Agree.

Tenant enrolment – Permissions

Windows Autopatch setup
Upon completion of the previous wizard, the Windows Autopatch setup will begin automatically. The service will start setting up accounts and
policies for your tenant, a process that will take a few minutes

The service is being configured for your tenant

Once completed, the Devices blade will show devices that are currently registered for the service. This will be empty until you start registering
new devices.

https://petri.com/windows-autopatch/ 3/5
3/5/24, 8:26 AM How to Configure Windows Autopatch: A Step-by-Step Guide

The Devices blade

Registering devices for Windows Autopatch
The next step is to get some devices to be managed by Windows Autopatch. A number of Azure AD groups are created by the service during
the enrollment process, but only one of them needs to have devices added to it to get started. This is done by simply adding devices to an
Azure AD group named Windows Autopatch Device Registration.
1. From the Microsoft Endpoint Manager admin center, click Groups, and search for Windows Autopatch Device Registration.
2. Choose the group, then choose Members, Add Members
3. Add some (or all) devices to this group, either by choosing them individually or by nesting a larger group.

Group Membership
Once devices are added to the group, the synchronization process can take up to an hour. Once completed, devices will appear in
the Devices blade.

Devices list
Managing groups and update rings
Once devices show in the devices list, you’ll be able to see which update group they have been automatically added to. In this example above,
my two devices were added to the ‘First’ group, as you can see from the image below.

https://petri.com/windows-autopatch/ 4/5
3/5/24, 8:26 AM How to Configure Windows Autopatch: A Step-by-Step Guide

First Group
A number of update rings and feature update rings are also automatically created by the service, as shown in the following two graphics.

Update Rings
Once devices have been registered for Windows Autopatch, you should no longer have to worry about them. Depending on their
characteristics and information gathered about their use, installed apps, etc., they will be placed into appropriate groups to
determine when they will be patched.

Feature Update Rings

Ultimately, the burden of managing updates for these devices is, in theory, no longer that of your organization – simply leave them to be
automatically updated using a formula and process determined by Microsoft.
Conclusion
As a brand new offering, Windows Autopatch has received a mixed response so far. For organizations that are mature in their patching
process and automation, this new service is probably of limited use.
However, for organizations that are new to Intune or are not quite so mature in their automation or update management, the service could be
much more appealing. There’s definitely some value in a service that can automate the process of managing and rolling out updates for
Windows and Microsoft 365 apps.

If you want to get more details about how to configure the service in your organization, feel free to check out my video guide covering the first
few steps of Windows Autopatch enrollment.

https://petri.com/windows-autopatch/ 5/5