Configure Autopatch

Configure Autopatch

Configure Autopatch

What is Autopatch

Windows Autopatch is a cloud services that permit to automate windows update, M365 apps Microsoft Edge and Microsoft Teams. Updates are provided to devices registered in Microsoft Intune. Following this registration the following services are offered :

  • Windows quality updates : Windows Autopatch keeps at least 95% of eligible devices on the latest quality Windows update.
  • Windows feature updates : Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows. This is to ensure that the affected devices continue to receive Windows feature updates.
  • M365 Apps : Windows Autopatch attempts to keep at least 90% of eligible devices with a supported version of the monthly enterprise channel.
  • Microsoft Edge : Windows Autopatch permit to configure eligible device to progressively deploy Microsoft Edge via the Stable channel.
  • Microsoft Teams : Windows Autopatch permit to use standard automatic update channel.


For use Windows Autopatch, you must have Windows 10/11 Enterprise E3 licence, Azure AD Premium and Intune. Users accounts must be synchronized to Azure Active Directory with Azure AD Connect or use Azure AD Account. The following licence can be used :

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Windows 10/11 Enterprise E3
  • Windows 10/11 Enterprise E5

Devices must be managed by Microsoft Intune or comanaged with MECM. If Co-management is configured, the following workloads must be configured to Pilot Intune or Intune.

  • Windows Update
  • Device configuration
  • Office Click to run

Some limitations are present and must be taken into account

  • The device must be owned by the company. Byod (Bring Your Own Device) is not supported.
  • Device managed only by MECM (SCCM) is not supported. The must be managed by Intune or co-managed.

Confguration for the proxy and firewall

The following URL is used by Windows Autopatch. Other URL for Teams, Intune, Azure AD, etc must be also allowed.


Configure the tenant

Before to use Windows Autopatch, licence must be assigned at the user. From the Azure AD Portal click on Azure Active Directory then on Licences.

Configure Autopatch - Access to Azure AD Portal

Click on All products then on licence for AutoPatch (Windows 10 Enterprise E3 for me).

Windows Autopatch Select Windows Licence

Click on Assign and add desired users.

Assign user to assign licence WIndows Autopatch

Run readiness tools

Readiness tools permit to verify if the autopatch registration can be done. This operation is only performed the first time. A check of Microsoft Intune and Azure AD is performed. Note that the Configuration Manager check is not performed. Global administrator is required for access to the tools.

From the Endpoint Manager Portal click on Tenant administration then on Tenant Enrollment.

Tenant enrollment for Autopatch

Check the checkbox and click on Agree.

Check option and click on agree

You can click on View details if there is few settings not ready. Fixed the problem then click on Run checks.

Click on Details to see if there is an error
Checks if there is ready or not ready settings

Click on Enroll to begin enrollment.

Click on Enroll to begin enrollment

Configure Autopatch

After the enrollment process, a new windows appear. Check the option for give permission at Microsoft to manage Azure AD organization then click on Agree.

Check the box and click on Agree

Enter information about contact in your organization and click on Next.

Enter information about organization

Setting up is in progress

Setting up is in progress

Discover devices

Open a new tab and access at the Azure AD Portal click on Azure Active Directory then on Groups.

Configure Groups on Azure AD

Select Windows Autopatch Device Registration and add the desired devices.

Add devices to Azure AD groups

From the Endpoint Manager windows, click on Discover devices to begin discovery.

Discover devices for WI0Ndows Autopatch

Sync is in progress. When is finished the result appear.After adding the device to the group, it can take up to an hour for the equipment to be discovered

Discover the device from AutoPatch

Select the devoce and click on Device actions. Click on Assign device group to add the device to desired group.

Assign device to device  group autopatch

Select the group that you want and click on Save.

  • Automatic : : Microsoft Managed Destop assign automatically device to one of the groups
  • Test : Use this group for testing only
  • First : Allows a set of devices to receive updates before other devices. Allows you to validate the proper functioning of the workstations following the installation of updates.
  • Fast : Allows to see if problems are present before a large deployment.
  • Broad : Used for Business or critical devices.
Windows Autopatch - Select group for the device

Change assignment take few minutes. Devices has been added in the Azure AD Group.

Device has been added on the Azure AD Group

The ring has been automatically configured. The device is present on the group.

Ring Windpws Update has been configured
Device has been added on the configuration profile

When the computer synchronizes with Intune, it retrieves the new configuration

Autopatch is been configured

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.