In case you haven’t seen the news, Windows Autopatch is now in Public Preview and I’m thrilled to write my 2nd post about it. Post 1 can be found below
1. Tenant Onboarding and Device Registration
In this post I will talking about the main component of the feature – Deployment Rings and Device Profiles. Lets dive in!
All this time the deployment rings were created by the admins according to their requirements, but with Autopatch approach, they will be created during the tenant enrollment process.
Table of Content
- Rings
- Update Rings and Feature Updates
- How to Add the Device to the Deployment ring?
- Device Configuration Profiles
- Drivers, Vulnerability Updates and Other FAQs
- Final Words
- Next Up
Rings
There are 4 main Rings working with Windows Autopatch at the moment and act differently according to the ring the device is in.
This will corelate with below Update Rings with the explanation as to where you can use each of them.
Security Group Assignments
According to the ring you are choosing for the device or for the batch of devices, they will be automatically added to the below Azure AD security groups appropriately. These are also getting created during the Tenant Enrollment process. These will be used for assignments for Autopatch policies.
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
Update Rings and Feature Updates
Now that you have seen the types of rings and the security groups that corelates with them, lets see the Update Rings. You can find the specific Update rings in the usual spot.
Endpoint Manager > Devices
The above policies have been assigned to the relevant Security groups that we discussed earlier.
Update Rings Built-in Settings
| **Update Setting** | Test | First | Fast | Broad |
|---|---|---|---|---|
| Microsoft product updates | Allow | Allow | Allow | Allow |
| Windows drivers | Allow | Allow | Allow | Allow |
| Quality update deferral period (days) | 0 | 1 | 6 | 9 |
| Feature update deferral period (days) | 0 | 0 | 0 | 0 |
| Upgrade Windows 10 devices to Latest Windows 11 release | No | No | No | No |
| Set feature update uninstall period (2 – 60 days) | 30 | 30 | 30 | 30 |
| Servicing channel | General Availability channel | General Availability channel | General Availability channel | General Availability channel |
| **User experience settings** | Test | First | Fast | Broad |
| Automatic update behavior | Reset to default | Reset to default | Reset to default | Reset to default |
| Restart checks | Allow | Allow | Allow | Allow |
| Option to pause Windows updates | Disable | Disable | Disable | Disable |
| Option to check for Windows updates | notConfigured | notConfigured | notConfigured | notConfigured |
| Change notification update level | notConfigured | notConfigured | notConfigured | notConfigured |
| Use deadline settings | Allow | Allow | Allow | Allow |
| Deadline for feature updates | 5 | 5 | 5 | 5 |
| Deadline for quality updates | 0 | 5 | 5 | 5 |
| Grace period | 0 | 5 | 5 | 2 |
| Auto reboot before deadline | Yes | Yes | Yes | Yes |
Feature Updates
As you can see below screenshot the Feature update section is also follows the same pattern as update settings when it comes to categories and created automatically during the tenant enrollment process.
Feature update at the moment are for Windows 10 Version 21H2 or Windows 11 version 21H2 at the time of wring this post.
If you need to add the devices to acquire the Windows 11 version 21H2, you need to add the device manually to the Azure AD group Modern Workplace – Windows 11 Pre-Release Test Devices
How to Add the Device to the Deployment ring?
While adding the device to the group will simply do the policy assignment, you don’t need to navigate in the groups section every time. There is an easy way of doing it from the Endpoint Manager it self.
Endpoint Manager > Devices > Autopatch (Preview)
As you already read in the previous article, once the device is registered, you can see the devices in the Autopatched device area.
So in this case, select the device/s > Device Actions > Assign to device groups and select the required group.
Once the device is added from this page, it will be a member of one of the the previously discussed Azure AD Modern Workplace Devices groups.
Device Configuration Profiles
As mentioned earlier, there are some Device Config profiles created with the same Test, First, Fast, Broad categories.
Configuration settings for these policies has been created with the Custom OMA-URI settings
The good things about Automation here is, when you add the device in to the required category (Example – Edge Update Policy), from the Autopatch device assignment page, it will be added to the appropriate Device Config policies as well.
Other config profile will be applied to all categories
Below are the automatically created device config profiles
Drivers, Vulnerability Updates and Other FAQs
A great FAQ regarding Autopatch can be found here : https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopatch-faq/ba-p/3272081
Final Words
The main component or the update engine looks pretty fascinating as it has created all required policies for you. The advise though, Test before you roll it out to the broader device category so you know the wins, possible issues and errors and then can be ready for them.
Next Up
Now that I roughly touched base on issues and errors, I will be discussing about the Support Requests in my next post 🙂
EMS Route - Shehan Perera 
3 thoughts on “Windows Autopatch – 2. Deployment Rings, Security Groups and Device Profiles”