Windows Autopatch: What is, Guide to Setup and Configuration

Keeping systems updated is crucial for performance, security, and functionality. To simplify the update process for Windows users, Microsoft offers Windows AutoPatch.

This blog post will explore Windows AutoPatch, its features and benefits, and how it helps create a more efficient and secure computing environment.

What is Windows Autopatch?

Windows Autopatch is a cloud service that automates updates for Windows, Microsoft 365 Apps for Enterprise, Microsoft Edge, and Microsoft Teams. It’s available to organisations with a subscription to Windows 10/11 Enterprise E3 (or higher), AAD Premium, and Intune.

Admins can manually assign or automate testing rings for devices and deploy updates. If no issues are found, updates are deployed to all eligible devices in the organisation. This ensures updates are vetted with small testing groups before being applied to the entire organisation.

What is Covered with Autopatch?

Autopatch manages and installs updates for Windows, Office apps, Edge, and Teams. It ensures a set percentage of devices are compliant with updates.

Microsoft’s targets:

  • Windows quality updates: 95% of eligible devices are updated within 21 days of a Patch Tuesday release.
  • Windows feature updates: 99% of eligible devices on the required version of Windows get feature updates.
  • Microsoft 365 apps: 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC) receive updates.

Edge and Teams updates aim to ensure that all devices get the latest updates quickly, with Edge updating weekly and Teams updating monthly.

Autopatch can also deliver updates for Windows drivers and firmware.

Devices are marked as “healthy” or “unhealthy” in each area. A healthy device meets all requirements for updates, such as being powered on, having network access, and checking in with Intune within the last five days.

Windows Autopatch

Unique to Windows Autopatch

Businesses prefer to focus on what makes them unique and successful rather than maintaining complex digital infrastructure. Windows Autopatch offers solutions to today’s challenges.

  • Optimise IT admin resources: Windows Autopatch automates routine endpoint updates, freeing up IT pros for more valuable work.
  • Minimize on-premises infrastructure: Transitioning to SaaS reduces investment in on-premises hardware, with updates delivered from the cloud.
  • Close the productivity gap: Windows Autopatch provides the latest tools for end users, enhancing collaboration and work.
  • Close the security gap: Windows Autopatch keeps software current, reducing vulnerabilities and threats.
  • Minimise end-user disruption: Windows Autopatch releases updates in sequential deployment rings, minimising disruptions.
  • Onboard new services easily: Windows Autopatch simplifies enrollment and reduces the time required from IT Admins.

Windows Autopatch Pros

The new Windows feature offers two main benefits:

  1. You can use ring deployment to manage your Windows environment.
  2. Microsoft handles orchestration for patch deployment, reducing the workload for IT admins.

Windows Autopatch Cons

As important as the product’s pros are its cons:

  • The feature is useful only for Windows 10 and 11 device management.
  • Autopatch support for Windows Server is not planned.
  • You must use this feature with Azure AD and Intune.
  • Windows Autopatch doesn’t work for Mac or Linux OS.
  • It won’t support third-party applications, Windows Server, or other operating systems like macOS or Linux.

How is Autopatch Different From Windows Update for Business?

Windows Update for Business (WUfB) is a Microsoft cloud tool for managing Windows 10 and 11 updates. It controls software update approval and scheduling. Windows Autopatch and Intune use WUfB to handle updates.

Autopatch Difference From Intune Deployment Rings

Intune deployment rings use Windows Update for Business (WUfB) to control patch deployment, scheduling, and approval from the cloud. Autopatch also uses WUfB but removes scheduling and approval from administrators.

With Autopatch, administrators can assign devices to one of three Autopatch groups (First, Fast, Broad). However, they don’t control when updates are pushed to devices or when they move between rings. Administrators also can’t control the dates or times of patch deployments.

Autopatch Operations and Maintenance

Autopatch automates the creation of management groups and policies for your devices. However, Intune still applies the patches, and problems with Intune can affect Autopatch operations. Use built-in Autopatch reports to monitor Windows updates and Apps Health reports in the Microsoft 365 Apps admin center to track Office app updates.

Autopatch operations follow a cycle: Autopatch uses Intune to deliver updates. Intune and the Microsoft 365 Apps admin center update their reports. You then inspect these reports and fix any issues, such as devices receiving incorrect updates due to misgrouping. This cycle provides more control and visibility compared to independent updates.


How do I turn on Windows Autopatch?

To enable Windows Autopatch, go to the Microsoft Endpoint Manager admin centre. Navigate to the “Devices” section and select “Windows Autopatch”. Click “Start using Autopatch” and follow the on-screen instructions.

What license is required for Windows Autopatch?

Windows Autopatch requires users to have Windows 10 or Windows 11 Enterprise E3 (or higher) or F3 assigned. Microsoft Entra ID P1 or P2 and Microsoft Intune are also required.

What is the Windows Autopatch policy?

Window Autopatch uses MDM policies to set up devices, but it needs a specific setup. Devices not on the allowed list are excluded if they have policies from the Update Policy CSP.

Scroll to Top