Windows Autopatch – 2. Deployment Rings, Security Groups and Device Profiles

In case you haven’t seen the news, Windows Autopatch is now in Public Preview and I’m thrilled to write my 2nd post about it. Post 1 can be found below:

1. Tenant Onboarding and Device Registration

In this post I will be talking about the main components of the feature – Deployment Rings and Device Profiles. Let’s dive in!

Until now, deployment rings were created by admins according to their requirements, but with the Autopatch approach they are created during the tenant enrollment process.

There are 4 main rings in Windows Autopatch at the moment, and they act differently according to the ring the device is in.

These correlate with the Update Rings below, with an explanation of where you can use each of them.

Image from MS Docs

Security Group Assignments

Depending on the ring you choose for a device or a batch of devices, the devices are automatically added to the appropriate Azure AD security group below. These groups are also created during the tenant enrollment process and are used for assigning the Autopatch policies.

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad

Update Rings and Feature Updates

Now that you have seen the types of rings and the security groups that correlate with them, let’s see the Update Rings. You can find the specific Update Rings in the usual spot.

Endpoint Manager > Devices

The above policies have been assigned to the relevant Security groups that we discussed earlier.

Update Rings Built-in Settings

| Update Setting | Test | First | Fast | Broad |
|---|---|---|---|---|
| Microsoft product updates | Allow | Allow | Allow | Allow |
| Windows drivers | Allow | Allow | Allow | Allow |
| Quality update deferral period (days) | 0 | 1 | 6 | 9 |
| Feature update deferral period (days) | 0 | 0 | 0 | 0 |
| Upgrade Windows 10 devices to Latest Windows 11 release | No | No | No | No |
| Set feature update uninstall period (2 – 60 days) | 30 | 30 | 30 | 30 |
| Servicing channel | General Availability channel | General Availability channel | General Availability channel | General Availability channel |

| User experience settings | Test | First | Fast | Broad |
|---|---|---|---|---|
| Automatic update behavior | Reset to default | Reset to default | Reset to default | Reset to default |
| Restart checks | Allow | Allow | Allow | Allow |
| Option to pause Windows updates | Disable | Disable | Disable | Disable |
| Option to check for Windows updates | notConfigured | notConfigured | notConfigured | notConfigured |
| Change notification update level | notConfigured | notConfigured | notConfigured | notConfigured |
| Use deadline settings | Allow | Allow | Allow | Allow |
| Deadline for feature updates | 5 | 5 | 5 | 5 |
| Deadline for quality updates | 0 | 5 | 5 | 5 |
| Grace period | 0 | 5 | 5 | 2 |
| Auto reboot before deadline | Yes | Yes | Yes | Yes |

Feature Updates

As you can see in the screenshot below, the Feature update section also follows the same pattern as the update settings when it comes to categories, and it is created automatically during the tenant enrollment process.

At the time of writing this post, the feature updates are for Windows 10 version 21H2 or Windows 11 version 21H2.

If you need devices to receive Windows 11 version 21H2, you need to add each device manually to the Azure AD group Modern Workplace – Windows 11 Pre-Release Test Devices.

How to Add the Device to the Deployment ring?

While adding the device to the group will simply do the policy assignment, you don’t need to navigate to the groups section every time. There is an easy way of doing it from Endpoint Manager itself.

Endpoint Manager > Devices > Autopatch (Preview)

As you already read in the previous article, once the device is registered, you can see the devices in the Autopatched device area.

So in this case, select the device/s > Device Actions > Assign to device groups and select the required group.

Once the device is added from this page, it will be a member of one of the previously discussed Azure AD Modern Workplace Devices groups.
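To check that ring assignment ended up where you expect, the following PowerShell sketch flags devices that sit in more than one ring group or in none. It is an added example, not code from this post or from Microsoft; the function names, the sample device names and the assumption that each registered device should be in exactly one ring group are mine.

```powershell
# Added example (not Microsoft's or the author's code).
# Ring name -> Azure AD group name, as listed in this post.
$RingGroups = [ordered]@{
    Test  = 'Modern Workplace Devices-Windows Autopatch-Test'
    First = 'Modern Workplace Devices-Windows Autopatch-First'
    Fast  = 'Modern Workplace Devices-Windows Autopatch-Fast'
    Broad = 'Modern Workplace Devices-Windows Autopatch-Broad'
}

function Get-RingMembership {
    # Live lookup with the Microsoft.Graph module. Run first, for example:
    #   Connect-MgGraph -Scopes 'GroupMember.Read.All','Device.Read.All'
    $map = @{}
    foreach ($ring in $RingGroups.Keys) {
        $group = Get-MgGroup -Filter "displayName eq '$($RingGroups[$ring])'"
        $map[$ring] = @(Get-MgGroupMember -GroupId $group.Id -All |
            ForEach-Object { $_.AdditionalProperties['displayName'] })
    }
    $map
}

function Test-RingAssignment {
    # Assumption: every registered device belongs to exactly one ring group.
    param([hashtable]$Membership, [string[]]$RegisteredDevices = @())
    $byDevice = @{}    # device name -> rings it is a member of
    foreach ($ring in $Membership.Keys) {
        foreach ($device in $Membership[$ring]) {
            if (-not $byDevice.ContainsKey($device)) { $byDevice[$device] = @() }
            $byDevice[$device] += $ring
        }
    }
    foreach ($device in (@($RegisteredDevices) + @($byDevice.Keys) | Sort-Object -Unique)) {
        $rings = @()
        if ($byDevice.ContainsKey($device)) { $rings = @($byDevice[$device] | Sort-Object) }
        $status = switch ($rings.Count) { 0 { 'NoRing' } 1 { 'OK' } default { 'MultipleRings' } }
        [pscustomobject]@{ Device = $device; Rings = $rings -join ','; Status = $status }
    }
}

# Constructed sample data so the check runs without a tenant.
# Against a real tenant use: $membership = Get-RingMembership
$membership = @{
    Test  = @('PC-001')
    First = @('PC-002', 'PC-003')
    Fast  = @('PC-003', 'PC-004')   # PC-003 is also in First
    Broad = @('PC-005')
}
$registered = 'PC-001', 'PC-002', 'PC-003', 'PC-004', 'PC-005', 'PC-006'  # PC-006 has no ring

Test-RingAssignment -Membership $membership -RegisteredDevices $registered |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Device display names are not guaranteed to be unique in Azure AD, so for a large tenant key the comparison on the member object's Id instead.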

Device Configuration Profiles

As mentioned earlier, there are some Device Config profiles created with the same Test, First, Fast, Broad categories.

Configuration settings for these policies have been created with Custom OMA-URI settings.

The good thing about the automation here is that when you add the device to the required category from the Autopatch device assignment page, it will be added to the appropriate Device Config policies (example – Edge Update Policy) as well.

The other config profiles will be applied to all categories.

Below are the automatically created device config profiles

Drivers, Vulnerability Updates and Other FAQs

A great FAQ regarding Autopatch can be found here :

Final Words

The main component, the update engine, looks pretty fascinating as it has created all the required policies for you. My advice, though: test before you roll it out to the broader device category so you know the wins, possible issues and errors, and can be ready for them.

Next Up

Now that I have roughly touched on issues and errors, I will be discussing Support Requests in my next post 🙂

3. Support Requests

