Configure Autopatch
What is Autopatch
Windows Autopatch is a cloud service that automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge and Microsoft Teams. Updates are delivered to devices that are registered with the service through Microsoft Intune. Once a device is registered, the following is provided:
- Windows quality updates: Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update.
- Windows feature updates: Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows, so that those devices keep receiving Windows feature updates.
- Microsoft 365 Apps: Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel.
- Microsoft Edge: Windows Autopatch configures eligible devices to receive Microsoft Edge through the progressive rollout of the Stable channel.
- Microsoft Teams: Windows Autopatch relies on the standard automatic update channel of Teams.
Prerequisites
To use Windows Autopatch you need Windows 10/11 Enterprise E3 (or higher), Azure AD Premium P1 and Microsoft Intune. User accounts must either be synchronized to Azure Active Directory with Azure AD Connect or be cloud-only Azure AD accounts. Any of the following licences can be used:
- Microsoft 365 E3
- Microsoft 365 E5
- Windows 10/11 Enterprise E3
- Windows 10/11 Enterprise E5
Devices must be managed by Microsoft Intune, or co-managed with MECM. If co-management is configured, the following workloads must be switched to Pilot Intune or Intune:
- Windows Update policies
- Device configuration
- Office Click-to-Run apps
Some limitations must be taken into account:
- The device must be owned by the company. BYOD (Bring Your Own Device) is not supported.
- Devices managed only by MECM (SCCM) are not supported. They must be managed by Intune or co-managed.
Configuration for the proxy and firewall
The following URLs are used by Windows Autopatch and must be reachable from the devices. The URLs required by Teams, Intune, Azure AD, etc. must of course be allowed as well.
- mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
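A quick way to confirm from a managed device that the four Autopatch endpoints above are actually reachable through the proxy and firewall is the script below. It is an added example and not part of the original page or of Microsoft's tooling: it resolves each name, attempts a TCP handshake on 443, then issues an HTTPS request through whatever proxy the device is configured with, since Test-NetConnection alone ignores proxy settings. Any HTTP answer (even 403 or 404) counts as "reachable", because it proves the TLS path is open; only transport-level failures are treated as blocked.

```powershell
# Added example (not from the original page): check reachability of the Windows
# Autopatch endpoints from a device, on TCP 443 and through the configured proxy.
# Only the four hostnames listed on the page are tested.
$endpoints = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

$results = foreach ($name in $endpoints) {
    # DNS lookup plus a direct TCP handshake. This does NOT go through a proxy,
    # so on a proxied network a failure here is not necessarily a problem.
    $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue

    # HTTPS request through the proxy the device is configured with.
    $httpOk = $false
    try {
        Invoke-WebRequest -Uri "https://$name/" -Method Head -UseBasicParsing -TimeoutSec 10 | Out-Null
        $httpOk = $true
    } catch {
        # Works on both Windows PowerShell (WebException) and PowerShell 7 (HttpResponseException):
        # if a Response object exists the server answered, so the path is open.
        $httpOk = $null -ne $_.Exception.Response
    }

    [pscustomobject]@{
        Endpoint      = $name
        DnsResolved   = [bool]$tcp.RemoteAddress
        Tcp443Direct  = $tcp.TcpTestSucceeded
        HttpsViaProxy = $httpOk
    }
}

$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Tcp443Direct -and -not $_.HttpsViaProxy }
if ($blocked) {
    Write-Warning ("Blocked Autopatch endpoints: " + ($blocked.Endpoint -join ', ') +
                   ". Fix the proxy/firewall rules before enrolling the tenant.")
}
```

Run it in the same user context the device normally uses to reach the internet, so that the proxy settings applied to that session are the ones being tested.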
Configure the tenant
Before Windows Autopatch can be used, a licence must be assigned to the user. From the Azure AD portal, click Azure Active Directory, then Licenses.
Click All products, then the licence you want to use for Autopatch (Windows 10 Enterprise E3 in my case).
Click Assign and add the desired users.
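The same check and assignment can be done from PowerShell with the Microsoft Graph SDK, which is handy when many users are involved. The script below is an added example, not part of the original page: it looks up a user, checks whether they already hold one of the four licences listed in the prerequisites, and assigns Windows 10/11 Enterprise E3 if they hold none. The user principal name and the usage location are placeholders; the SKU part numbers are the values Microsoft publishes for those plans, but verify them against your own Get-MgSubscribedSku output since they are assumed here.

```powershell
# Added example (not from the original page): verify that a user holds a licence that
# Windows Autopatch accepts, and assign Windows 10/11 Enterprise E3 if not.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller has the
# User.ReadWrite.All and Organization.Read.All Graph permissions.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$targetUpn = 'user@contoso.com'   # placeholder

# skuPartNumber values for Microsoft 365 E3/E5 and Windows 10/11 Enterprise E3/E5
# (assumed; confirm with Get-MgSubscribedSku in your tenant).
$eligibleSkus = @('SPE_E3', 'SPE_E5', 'WIN10_VDA_E3', 'WIN10_VDA_E5')

$skus = Get-MgSubscribedSku
$user = Get-MgUser -UserId $targetUpn -Property 'id', 'usageLocation', 'assignedLicenses'

$heldSkuIds  = @($user.AssignedLicenses.SkuId)
$eligibleHeld = $skus | Where-Object { $_.SkuPartNumber -in $eligibleSkus -and $_.SkuId -in $heldSkuIds }

if ($eligibleHeld) {
    "$targetUpn already holds: $($eligibleHeld.SkuPartNumber -join ', ')"
    return
}

# Set-MgUserLicense is rejected for users without a usage location, so set one first.
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation 'US'   # placeholder country code
}

$e3 = $skus | Where-Object SkuPartNumber -eq 'WIN10_VDA_E3'
if (-not $e3) { throw 'No Windows 10/11 Enterprise E3 SKU exists in this tenant.' }
if ($e3.ConsumedUnits -ge $e3.PrepaidUnits.Enabled) { throw 'No free Windows Enterprise E3 seats left.' }

# -RemoveLicenses must be passed (empty) even when only adding.
Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $e3.SkuId }) -RemoveLicenses @() | Out-Null
"Assigned WIN10_VDA_E3 to $targetUpn"
```

The seat check matters in practice: Set-MgUserLicense fails with a generic error when the subscription has no free units, which is easy to mistake for a permissions problem.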
Run readiness tools
The readiness assessment tool verifies whether the tenant can be enrolled in Windows Autopatch. It only has to be run the first time. It checks Microsoft Intune and Azure AD settings; note that no Configuration Manager check is performed. A Global Administrator account is required to access the tool.
From the Endpoint Manager portal, click Tenant administration, then Tenant enrollment.
Tick the checkbox and click Agree.
If some settings are reported as not ready, click View details, fix the problem, then click Run checks again.
Click Enroll to begin the enrollment.
Configure Autopatch
After the enrollment process, a new window appears. Tick the option that grants Microsoft permission to manage your Azure AD organization, then click Agree.
Enter the contact information for your organization and click Next.
Setup is then in progress.
Discover devices
Open a new tab, go to the Azure AD portal, click Azure Active Directory, then Groups.
Select the Windows Autopatch Device Registration group and add the desired devices.
From the Endpoint Manager window, click Discover devices to begin the discovery.
The sync is in progress; the result appears once it has finished. After a device is added to the group, it can take up to an hour before it is discovered.
Select the device and click Device actions. Click Assign device group to put the device in the desired deployment ring.
Select the group that you want and click Save. The available groups are:
- Automatic: Windows Autopatch distributes the device across the rings itself.
- Test: use this ring for testing only.
- First: a small set of devices that receives updates before the others, used to validate that workstations still work correctly after the updates are installed.
- Fast: a larger set used to detect problems before the broad deployment.
- Broad: the last ring to receive updates, where the bulk of production devices belongs.
The assignment change takes a few minutes. The device is then added to the corresponding Azure AD group.
The ring has been configured automatically, and the device is present in the group.
The next time the computer synchronizes with Intune, it retrieves the new configuration.
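The registration step (adding device objects to the Windows Autopatch Device Registration group) and the follow-up check (which ring a device ended up in) can both be scripted with the Microsoft Graph SDK. The script below is an added example and not part of the original page: it adds a list of devices to the registration group, refusing to touch any name that does not resolve to exactly one Azure AD device object, and then reports the ring group of each device. The device names are placeholders, and the ring group names assume the "Modern Workplace Devices-Windows Autopatch-*" groups that the service creates in the tenant; confirm them in your own directory.

```powershell
# Added example (not from the original page): register devices with Windows Autopatch
# by adding them to the registration group, then report which ring they were placed in.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller holds Group.ReadWrite.All
# and Device.Read.All; device names below are placeholders.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$deviceNames = @('PC-TEST-01', 'PC-FIRST-01')   # placeholders

$regGroup = Get-MgGroup -Filter "displayName eq 'Windows Autopatch Device Registration'"
if (-not $regGroup) { throw 'Registration group not found. Has tenant enrollment completed?' }

$existing = @(Get-MgGroupMember -GroupId $regGroup.Id -All).Id

foreach ($name in $deviceNames) {
    # displayName is not unique in Azure AD: stop rather than register the wrong object.
    $dev = @(Get-MgDevice -Filter "displayName eq '$name'")
    if ($dev.Count -ne 1) {
        Write-Warning "Skipping '$name': found $($dev.Count) device objects with that name."
        continue
    }
    if ($existing -contains $dev[0].Id) {
        "$name is already in $($regGroup.DisplayName)"
        continue
    }
    New-MgGroupMember -GroupId $regGroup.Id -DirectoryObjectId $dev[0].Id
    "Added $name ($($dev[0].Id)) to $($regGroup.DisplayName)"
}

# Run this part after 'Discover devices' (allow up to an hour): which ring holds each device?
# Ring group name prefix is assumed; verify it in your tenant.
$ringGroups = @(Get-MgGroup -Filter "startswith(displayName,'Modern Workplace Devices-Windows Autopatch-')")
$ringMembers = @{}
foreach ($g in $ringGroups) {
    $ringMembers[$g.DisplayName] = @(Get-MgGroupMember -GroupId $g.Id -All).Id
}

foreach ($name in $deviceNames) {
    $dev = Get-MgDevice -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $dev) { continue }
    $rings = $ringMembers.Keys | Where-Object { $ringMembers[$_] -contains $dev.Id }
    [pscustomobject]@{
        Device = $name
        Ring   = if ($rings) { $rings -join ', ' } else { '(not yet assigned)' }
    }
}
```

Membership of the ring groups is read once up front rather than per device, so the second half costs one Graph call per ring regardless of how many devices you check.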