Windows Autopatch is finally here and this will update your eligible Windows 10 and 11 devices and Office application. This is a IT admin hands off task as opposed to traditional Patch Tuesday and other patching events and internal IT admins can always open support tickets with Microsoft when required. This is Microsoft looking after the devices when they are registered to receive the patches. This is still in preview and will be Generally Available soon.
I would like to divide my posts on the below sections as they have made up of many components
- Tenant Onboarding and Device Registration
- Deployment Rings, Security Groups and Device Profiles
- Support Requests
Table of Content
- What will this patch?
- 1. Tenant Onboarding
- 2. Device Registration
- Next Up
- Windows 10/ 11 Enterprise E3 or E5 license
- M365 E3 or M365 E5 license
- 64 bit edition of Windows 10/11 Pro, Enterprise, Pro for Workstations
- Network connectivity the Endpoint Manager Endpoints – Endpoint Details
- Device to be managed via Intune or Config Manager
- Device to be Azure AD joined or Hybrid Azure AD joined
What will this patch?
- Windows Patches
- Microsoft 365 apps
- Microsoft Teams
- Edge Browser
1. Tenant Onboarding
To enrol Autopatch in to your tenant, you have to 1st go to the Tenant Administration section in Endpoint Manager console and follow the below steps.
Tenant Administration > Tenant Enrollment under Windows Autopatch
Redeem The Promo Code
- Redeem the Windows Autopatch trial promo code as mentioned in the Step 1
- Once you go to the Promo link
- Enter your details and complete the registration
Once completed, the licenses will be allocated to the protal
Run the Readiness Tool
Run the Readiness checks and you will get a similar outcome.
In my case as you can see there is an Advisory for Conditional Access.
If I dig further on Conditional Access, I will get the below about the advisory and how to enable.
Once done with the Readiness, then you can Enroll the Windows Autopatch by pressing the Enroll button.
This will take a while to complete as this will create few Azure AD security groups, Device Configuration Policies, Windows Update policies
Once pressed Enroll, the below steps needs to be completed.
Once done, go to Devices section of the portal and you will see the Autopatch feature. This is where you enable devices to use the Autopatch feature.
2. Device Registration
Now the challenge is to get the devices in to the Windows Autopatch section so you can start adding them to the other policy related Azure AD groups.
To do this, go to Groups and start searching with Windows Autopatch and a bunch of related groups will come up. I will be looking at the other groups in the next post, but at the moment what we need is the Windows Autopatch Device Registration Azure AD Group. Technically, any Windows device in this group will be eligible to configure Autopatch and will appear in the Windows Autopatch Section.
Add your device which is enrolled to Intune
Once the device has been added to the group, go back to the Windows Autopatch Devices section and run Discover Devices option and it will appear.
And now, this is where the fun begins 🙂 (Star Wars pun intended).
From this point onwards, you can start assigning the devices in to different update rings. However, I will be exploring on Deployment Rings and Device Profiles in the next section.