In my previous blog post on Windows Autopatch, I already covered the prerequisites a tenant has to meet to be eligible for Microsoft's new service offering.
Assuming your tenant meets those requirements and you are interested in trying the service out (if you haven't already!), this blog post will help you get started with Windows Autopatch.
Confirm tenant eligibility for Windows Autopatch
In the MEM admin center, navigate to Tenant administration and check whether a Windows Autopatch category with a Tenant enrollment option shows up there. (Refer to the image on the right below.)
If you don't see the option (as in the image on the left), note that Windows Autopatch does not show up at all for a tenant that does not meet the licensing requirements.
It is important to note that merely having the required license in the tenant (Windows 10/11 Enterprise E3/E5, or Windows VDA E3/E5 if you are not on the Microsoft 365 E3/E5 licensing scheme) is not enough: the license must also be actively assigned to users.
Once you have made the necessary correction, refresh the MEM admin center and the Windows Autopatch option should appear.
Network requirements for Windows Autopatch
Windows Autopatch service requires uninterrupted network connectivity to the below endpoints.
- mmdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
This is over and above the network requirements for Microsoft Intune.
I have updated my blog post titled Intune Windows Autopilot URLs Whitelist Requirement to include the Windows Autopatch network URLs as well, so if you want a consolidated view of all the required endpoints, you can check it from there.
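Before opening firewall or proxy tickets, it helps to verify reachability of the four endpoints from a representative client. The script below is an added example written for this post, not code from the original article or from Microsoft: it resolves each host, opens a TCP connection on 443, completes a TLS handshake and records the certificate issuer, so that a TLS-inspecting proxy re-signing the traffic becomes visible. Port 443 and the proxy CA name pattern are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): confirm that each Windows Autopatch endpoint
# resolves, accepts a TCP 443 connection and completes a TLS handshake, and record who issued
# the certificate so that a TLS-inspecting proxy re-signing the traffic is visible.
# Port 443 and the proxy CA name pattern are assumptions; adjust for your environment.
$AutopatchEndpoints = 'mmdcustomer.microsoft.com', 'mmdls.microsoft.com',
                      'logcollection.mmd.microsoft.com', 'support.mmd.microsoft.com'
$ProxyCaPattern = 'Contoso Proxy CA'   # placeholder: the issuer name your inspection proxy uses

function Test-AutopatchEndpoint {
    param([Parameter(Mandatory)][string]$HostName)

    $r = [ordered]@{ Endpoint = $HostName; Dns = $false; Tcp443 = $false; TlsIssuer = $null; Error = $null }
    $client = $null; $ssl = $null
    try {
        $r.Dns = [bool](Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop)
        $client = [System.Net.Sockets.TcpClient]::new()
        $client.Connect($HostName, 443)
        $r.Tcp443 = $client.Connected
        # Certificate validation is left to the OS; we only want to see the served certificate.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsIssuer = $cert.Issuer
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
    [pscustomobject]$r
}

$report = $AutopatchEndpoints | ForEach-Object { Test-AutopatchEndpoint -HostName $_ }
$report | Format-Table -AutoSize

# Unreachable endpoints, or certificates issued by the proxy CA, mean these URLs still need a
# firewall/proxy bypass; TLS inspection on them may break the service.
$report | Where-Object { -not $_.Tcp443 -or ($_.TlsIssuer -match $ProxyCaPattern) } | ForEach-Object {
    Write-Warning "Fix proxy/firewall rules for $($_.Endpoint): issuer='$($_.TlsIssuer)' error='$($_.Error)'"
}
```

Run it from the network segment your managed devices sit on, not from an admin workstation with a different egress path; a handshake that fails on certificate validation is usually the proxy presenting its own certificate.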
Run Assessment to check tenant compatibility with Windows Autopatch
First things first: you need to sign in with an account that holds the Global Administrator role to perform the steps below.
- Sign in to the MEM admin center, navigate to Tenant administration
- Scroll down to Windows Autopatch > Tenant enrollment.
The process starts with the Readiness assessment tool, which runs a set of checks to report how prepared the tenant is for the Windows Autopatch service and provides remediation steps for any issue it detects.
- Click on Run checks.
For each check, the Readiness assessment tool reports one of four possible results:

| Result | Meaning |
| --- | --- |
| Ready | No action is required; you can proceed with enrollment. |
| Advisory | Issues were found, but they do not block enrollment. It is still recommended to fix them before proceeding. |
| Not ready | You must fix these issues to proceed; the tenant cannot be enrolled in Windows Autopatch until they are resolved. |
| Error | The Azure Active Directory (Azure AD) role you are using does not have sufficient permissions to run this check. |
The assessment performs a number of checks, among them:
- It confirms that no existing Update ring policy in the tenant is assigned to All devices or All users. If one is found it is flagged and must be resolved, as it would conflict with the rings managed by Windows Autopatch.
- It verifies that Unlicensed admins access is enabled in Intune, to avoid a "lack of permissions" error when the required Intune objects are created during Windows Autopatch setup.
- It confirms that no existing Conditional Access policy requires MFA for All users. Such a policy would block Microsoft from accessing the tenant through the Windows Autopatch service accounts created during tenant enrollment. The least-privilege fix is to exclude those service accounts from the policy, not to drop the MFA requirement for everyone else.
- It checks that no existing usernames conflict with the ones Windows Autopatch reserves for its own use.
- It checks whether Azure AD security defaults are enabled.
- It checks for the necessary licenses.
For more details on these checks, please refer to the Microsoft documentation.
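The checks above can largely be reproduced with Microsoft Graph, which is handy when you want to clean up before clicking Run checks, or when the account at hand does not hold the role the tool needs. The script below is an added example for this post; it is not Microsoft's Readiness assessment tool and not code from the original article. It uses the Microsoft.Graph PowerShell SDK, assumes read access to Intune and Azure AD, and the license SKU part numbers it looks for are my assumption (extend them for your tenant). It does not cover the Intune Unlicensed admins setting, which to my knowledge has no public Graph endpoint.

```powershell
# Added example, not Microsoft's Readiness assessment tool: it queries the same tenant
# objects the tool looks at so blockers can be fixed before you click "Run checks".
# Requires the Microsoft.Graph PowerShell SDK and read access to Intune and Azure AD.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementConfiguration.Read.All', 'Policy.Read.All',
    'User.Read.All', 'Organization.Read.All'

# Follow @odata.nextLink so that large tenants are paged completely.
function Get-GraphCollection([string]$Uri) {
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Result, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Result = $Result; Detail = $Detail })
}

# 1. Update rings assigned to All devices / All users conflict with the Autopatch rings.
$rings = Get-GraphCollection 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$expand=assignments' |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }
$broadRings = $rings | Where-Object {
    $_.assignments.target.'@odata.type' -match 'allDevicesAssignmentTarget|allLicensedUsersAssignmentTarget'
}
if ($broadRings) { Add-Finding 'Update rings' 'Not ready' ('Assigned to All devices/users: ' + ($broadRings.displayName -join ', ')) }
else             { Add-Finding 'Update rings' 'Ready' 'No ring targets All devices or All users' }

# 2. An enabled Conditional Access policy requiring MFA for All users blocks the Autopatch
#    service accounts. Exclude those accounts from the policy rather than removing it.
$caPolicies = Get-GraphCollection 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$mfaForAll = $caPolicies | Where-Object {
    $_.state -eq 'enabled' -and
    $_.conditions.users.includeUsers -contains 'All' -and
    $_.grantControls.builtInControls -contains 'mfa'
}
if ($mfaForAll) { Add-Finding 'Conditional Access' 'Not ready' ('MFA for All users: ' + ($mfaForAll.displayName -join ', ')) }
else            { Add-Finding 'Conditional Access' 'Ready' 'No enabled policy requires MFA for All users' }

# 3. Usernames reserved for the Autopatch service accounts (see the enrollment section of the post).
$reserved = 'MsAdmin', 'MsAdminInt', 'MsTest'
$clashes = foreach ($name in $reserved) {
    Get-GraphCollection "https://graph.microsoft.com/v1.0/users?`$filter=startsWith(userPrincipalName,'$name@')"
}
if ($clashes) { Add-Finding 'Reserved usernames' 'Not ready' ('Existing: ' + ($clashes.userPrincipalName -join ', ')) }
else          { Add-Finding 'Reserved usernames' 'Ready' 'No conflicting user principal names' }

# 4. Security defaults force MFA on every account, including the service accounts from check 2.
$sd = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'
Add-Finding 'Security defaults' $(if ($sd.isEnabled) { 'Not ready' } else { 'Ready' }) "isEnabled=$($sd.isEnabled)"

# 5. Licensing: a qualifying SKU must exist AND be assigned (consumedUnits > 0), the point made
#    earlier in the post. SKU part numbers are my assumption; extend for your tenant.
$qualifying = 'SPE_E3', 'SPE_E5', 'WIN10_VDA_E3', 'WIN10_VDA_E5', 'WIN10_PRO_ENT_SUB'
$skus = Get-GraphCollection 'https://graph.microsoft.com/v1.0/subscribedSkus' | Where-Object { $_.skuPartNumber -in $qualifying }
if ($skus | Where-Object consumedUnits -gt 0) { Add-Finding 'Licenses' 'Ready' (($skus | ForEach-Object { "$($_.skuPartNumber)=$($_.consumedUnits) assigned" }) -join ', ') }
elseif ($skus)                                { Add-Finding 'Licenses' 'Not ready' 'Qualifying SKU present but not assigned to any user' }
else                                          { Add-Finding 'Licenses' 'Not ready' 'No qualifying SKU found' }

$findings | Format-Table -AutoSize
```

The Conditional Access check is the one worth a second look: the outcome you want is an exclusion for the Autopatch service accounts, not a weaker policy for the rest of the tenant.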
As you can see in the below snap, the result of the assessment check for my tenant came as Not ready.
As the snap shows, the tenant passed the assessment for 4 criteria, was flagged with an advisory for 2 criteria, and actually failed 1 criterion.
To see the result in detail and find out which criterion failed and caused the Not ready result, click the View details button.
You can then see the actual list of criteria against which the tenant is assessed to decide whether it is ready for the Windows Autopatch service. In my case, the tenant came up as Not ready because I did not have the Unlicensed admins setting enabled on my tenant.
Click the item and a blade appears from the right showing why the item is flagged and the remediation steps to resolve it.
Note: You can choose to ignore items flagged as Advisory, but it is recommended to check why each item is flagged and, where possible, remediate it as early as you can. As mentioned above, advisories will not block you from enrolling the tenant in Windows Autopatch.
The tool does not check the Configuration Manager workloads that Windows Autopatch depends on, so the Co-management item is always flagged as an Advisory. You need to ensure yourself that the co-management workload settings are configured to support Windows Autopatch.
Once you complete the remediation steps, you need to come back to Tenant administration > Windows Autopatch > Tenant enrollment and re-run the assessment. If everything goes as expected, then you get to see the Ready status for the tenant and the Enroll button.
Enroll your tenant in Windows Autopatch
By clicking on Enroll, you will proceed with the enrollment of your tenant to the Windows Autopatch service.
You need to provide your consent to the terms shown. Tick the checkbox and click Agree to continue.
On the next page you need to provide admin contact details: Phone number, Email, Name and Preferred language. Once added, click Complete.
The contact you enter here is the one Microsoft will reach out to if an issue related to Windows Autopatch occurs in the tenant. You will be able to add further IT admin contacts later.
Setup of the Windows Autopatch service for the tenant then begins and takes a few minutes to complete. During this time the required service accounts, policies, groups and other objects are created.
I have tried to list most of the objects that get created as part of this process below. [Note that this may not be a comprehensive list of all objects created during Windows Autopatch tenant enrollment!]
Windows Autopatch cloud service accounts:
- MsAdmin@yourdomain.onmicrosoft.com
- MsAdminInt@yourdomain.onmicrosoft.com
- MsTest@yourdomain.onmicrosoft.com
For additional details, check here.

Windows Autopatch Azure AD groups:
- Windows Autopatch Device Registration
- Modern Workplace-All
- Modern Workplace Service Accounts
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
- Modern Workplace Service – Intune Admin All
- Modern Workplace Roles – Service Reader
- Modern Workplace Service – Intune Reader MMD
- Modern Workplace – Windows 11 Pre-Release Test Devices
- Modern Workplace Service – Intune Reader All
- Modern Workplace Devices Dynamic – Windows 10
- Modern Workplace Devices-Virtual Machine
- Modern Workplace Devices Dynamic – Windows 11
- Modern Workplace Device Profiles – Windows Autopatch
- Modern Workplace Roles – Service Administrator
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-All
- Modern Workplace Devices-Windows Autopatch-Test

Windows Autopatch Conditional Access policy:
- Modern Workplace – Secure Workstation

Windows Autopatch Microsoft Endpoint Manager custom RBAC role:
- Modern Workplace Intune Admin

Windows Autopatch Update rings:
- Modern Workplace Update Policy [Broad]-[Windows Autopatch]
- Modern Workplace Update Policy [Fast]-[Windows Autopatch]
- Modern Workplace Update Policy [First]-[Windows Autopatch]
- Modern Workplace Update Policy [Test]-[Windows Autopatch]

Windows Autopatch Feature updates for Windows 10 and later (preview) policies:
- Modern Workplace DSS Policy [First]
- Modern Workplace DSS Policy [Fast]
- Modern Workplace DSS Policy [Broad]
- Modern Workplace DSS Policy [Test]
- Modern Workplace DSS Policy [Windows 11]

Windows Autopatch MEM device configuration profiles:
- Modern Workplace – Data Collection
- Modern Workplace – Edge Update ADMX Deployment
- Modern Workplace – Edge Update Channel Beta
- Modern Workplace – Edge Update Channel Stable
- Modern Workplace – Office ADMX Deployment
- Modern Workplace – Office Configuration v5
- Modern Workplace – Office Update Configuration [Broad]
- Modern Workplace – Office Update Configuration [Fast]
- Modern Workplace – Office Update Configuration [First]
- Modern Workplace – Office Update Configuration [Test]
- Modern Workplace – Set MDM to Win Over GPO
- Modern Workplace – Telemetry Settings for Windows 10
- Modern Workplace – Telemetry Settings for Windows 11
- Modern Workplace – Windows Update Detection Frequency

Windows Autopatch PowerShell script deployment:
- Modern Workplace – Autopatch Client Setup
These actions also get logged in the audit reporting of Azure AD and MEM, and you can see them as initiated by the actor Modern Workplace Management application.
If the process does not run into an error (which it should not, barring a service-side disruption), tenant enrollment in Windows Autopatch completes.
Click Continue; you can then start registering your devices to the service.
Now, when you return to Tenant administration > Windows Autopatch, the Tenant enrollment option is gone. Instead you will find the new options below.
- Admin contacts is where you can add additional IT admin contacts.
- Support requests is where you can raise a support ticket specific to Windows Autopatch.
- Release management is where you can see which updates (quality and feature) are being pushed through the Autopatch service.
Register devices to Windows Autopatch
Windows Autopatch only supports Intune-managed devices that are Azure AD joined (AADJ) or hybrid Azure AD joined (HAADJ). Azure AD registered (AADR) devices are not supported.
For co-managed devices, the co-management workload setting for the Windows Update policies, Device configuration and Office Click-to-Run apps workloads must be set to Intune or Pilot Intune for the device to be serviced by Autopatch.
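Since the Readiness assessment does not verify the co-management workloads, it is worth checking them on the client itself before a co-managed device goes into the registration group. The script below is an added example for this post (not code from the original article or from Microsoft): it decodes the CoManagementFlags bitmask the ConfigMgr client writes to the registry and reports whether the three workloads Autopatch needs are owned by Intune. The bit values follow Microsoft's co-management documentation; verify them against your ConfigMgr version. For a workload set to Pilot Intune the bit is only set on devices that are in the pilot collection, which is exactly the effective state you want to know.

```powershell
# Added example (not from the original post): read the effective co-management workload
# assignment on a ConfigMgr client, so you can confirm the three workloads Autopatch needs
# are handed to Intune before adding the device to the registration group.
# CoManagementFlags bit values follow Microsoft's co-management documentation; verify them
# against your ConfigMgr version. Run elevated on the client.
$CoMgmtWorkloadBits = [ordered]@{
    CoManagementEnabled   = 1
    CompliancePolicies    = 2
    ResourceAccess        = 4
    DeviceConfiguration   = 8
    WindowsUpdatePolicies = 16
    EndpointProtection    = 32
    ClientApps            = 64
    OfficeClickToRunApps  = 128
}
# The workloads the post says must be Intune or Pilot Intune for Autopatch servicing.
$AutopatchRequiredWorkloads = 'DeviceConfiguration', 'WindowsUpdatePolicies', 'OfficeClickToRunApps'

function Get-CoManagementWorkloads {
    # Returns which workloads Intune owns on this device, decoded from the CCM registry flag.
    $flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    if ($null -eq $flags) { throw 'CoManagementFlags not found: ConfigMgr client missing or co-management not enabled.' }
    $state = [ordered]@{ RawFlags = $flags }
    foreach ($entry in $CoMgmtWorkloadBits.GetEnumerator()) {
        $state[$entry.Key] = [bool]($flags -band $entry.Value)
    }
    [pscustomobject]$state
}

function Test-AutopatchWorkloads {
    param([pscustomobject]$Workloads = (Get-CoManagementWorkloads))
    if (-not $Workloads.CoManagementEnabled) {
        Write-Warning 'Co-management is not enabled on this device.'
        return $false
    }
    $missing = $AutopatchRequiredWorkloads | Where-Object { -not $Workloads.$_ }
    if ($missing) {
        Write-Warning "Still managed by ConfigMgr: $($missing -join ', '). Move them to Intune or Pilot Intune before registering this device."
        return $false
    }
    return $true
}

Get-CoManagementWorkloads | Format-List
Test-AutopatchWorkloads
```

A device that fails this check will still be discovered by Autopatch, but its update rings and Office configuration will keep being overridden by ConfigMgr for the workloads it has not handed over.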
Provided the devices in your environment meet the conditions as mentioned above, you may want to start slow by registering a few devices to Windows Autopatch to run as a Pilot initially.
Before you can register devices to Windows Autopatch, make sure the account you are signed in with holds one of the following roles:
- Azure AD Global Administrator
- Intune Service Administrator
- Modern Workplace Intune Administrator
The last one on the list is a custom role that got created as part of the tenant enrollment to Windows Autopatch.
For device registration, all you need to do is add the devices to the Windows Autopatch master device group, Windows Autopatch Device Registration.
You can add devices via direct membership or by nesting other Azure AD dynamic or assigned groups inside the Windows Autopatch Device Registration group.
After adding devices to that group, go to Devices > Windows Autopatch > Devices in the MEM admin center to check the registration status.
Added devices to Windows Autopatch but don't see any in here yet? You may need to wait a while.
Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register them.
If you cannot hold your horses, you can trigger a manual scan for newly added members by clicking the Discover devices button, and then keep clicking Refresh until the mouse gives out or the device shows up in the console (under either the Ready or the Not ready tab).
Devices added to Windows Autopatch for registration need to meet the prerequisites listed here to be onboarded into the service.
If a device added to the Windows Autopatch Device Registration group satisfies the criteria, it is registered and listed under the Ready tab. Otherwise device registration fails, and the device is listed under the Not ready tab.
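For a pilot batch it is tidier to script the group membership than to click through the portal, and doing so lets you filter out devices that cannot be serviced anyway. The script below is an added example for this post (not code from the original article or from Microsoft): it uses the Microsoft.Graph PowerShell SDK to add a list of devices to the Windows Autopatch Device Registration group, skipping devices that are Azure AD registered or not Intune managed, and devices that are already members. The device names are constructed placeholders; the account running it needs one of the roles listed above plus the Graph scopes requested.

```powershell
# Added example (not from the original post): add a pilot batch of devices to the
# "Windows Autopatch Device Registration" group with the Microsoft.Graph SDK, skipping
# devices that Autopatch cannot service (Azure AD registered, or not Intune managed).
# The device names below are constructed placeholders.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -NoWelcome -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$PilotDeviceNames = 'PILOT-PC-01', 'PILOT-PC-02', 'PILOT-PC-03'
$RegistrationGroupName = 'Windows Autopatch Device Registration'

$group = Get-MgGroup -Filter "displayName eq '$RegistrationGroupName'"
if (-not $group) { throw "Group '$RegistrationGroupName' not found; has the tenant been enrolled?" }
$existingMembers = (Get-MgGroupMember -GroupId $group.Id -All).Id

function Add-AutopatchPilotDevice {
    param([Parameter(Mandatory)][string]$DeviceName)

    # Stale duplicates are common; take the most recently active Windows object with that name.
    $device = Get-MgDevice -Filter "displayName eq '$DeviceName'" |
        Where-Object { $_.OperatingSystem -eq 'Windows' } |
        Sort-Object ApproximateLastSignInDateTime -Descending | Select-Object -First 1
    $result = [ordered]@{ Device = $DeviceName; Action = 'Skipped'; Reason = $null }

    if (-not $device) { $result.Reason = 'Not found in Azure AD'; return [pscustomobject]$result }
    # trustType: AzureAd = AADJ, ServerAd = HAADJ, Workplace = AADR (not supported by Autopatch).
    if ($device.TrustType -eq 'Workplace') { $result.Reason = 'Azure AD registered (AADR) is not supported'; return [pscustomobject]$result }
    if (-not $device.IsManaged) { $result.Reason = 'Not Intune managed'; return [pscustomobject]$result }
    if ($existingMembers -contains $device.Id) { $result.Reason = 'Already a member'; return [pscustomobject]$result }

    New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($device.Id)"
    }
    $result.Action = 'Added'
    $result.Reason = "TrustType=$($device.TrustType)"
    [pscustomobject]$result
}

$PilotDeviceNames | ForEach-Object { Add-AutopatchPilotDevice -DeviceName $_ } | Format-Table -AutoSize
# Autopatch scans the group hourly; use "Discover devices" in the portal to trigger a scan right away.
```

The same New-MgGroupMemberByRef call with a group's object id nests an existing pilot group instead of individual devices, which is the better long-term structure once the pilot grows.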
To be contd.
Today in this blog post, I have walked you through the Windows Autopatch
- network requirements
- tenant pre-enrolment Readiness assessment check and how to deal with Not Ready status.
- tenant enrolment
- some details into what happens during the enrolment process
- device registration to Windows Autopatch
In the next part, I will take you through the operations and other miscellaneous information of Windows Autopatch that you need to know if you want to start a Pilot batch in your tenant.