Preserving your units updated is at all times vital, and one of the simplest ways to do this is by automating it. That is the place Home windows Autopatch is available in, a cloud-based answer that updates Home windows, Microsoft 365 Apps, and Microsoft Edge routinely.
Home windows Autopatch isn’t new, it has been round since 2022. However it at all times required a Home windows Enterprise E3 or E5 license, which isn’t quite common for small or medium companies. Nevertheless, since April 2025, Autopatch is now additionally out there with Microsoft 365 Enterprise Premium.
On this article, we are going to check out learn how to arrange and configure Home windows Autopatch.
Necessities
There are a few necessities earlier than you should use Home windows Autopatch. An important one is the right Microsoft 365 license. As of April 2025, this requirement has grow to be lots simpler as a result of Microsoft Enterprise Premium and Home windows 10/11 Skilled are actually additionally supported.
Which means that you want one of many following Microsoft 365 licenses:
- Microsoft 365 Enterprise Premium
- Microsoft 365 F3, E3, or E5
- Microsoft 365 A3 or A5
With Enterprise Premium, you get just about all the identical options for Autopatch as with the Enterprise or Training licences, aside from one: help requests. Assist just isn’t included with Enterprise Premium.
For the endpoints, you should use just about all Home windows 10 or 11 variations (Home windows 10/11 Skilled, Training, Enterprise, Professional Training, Professional for Workstations editions, or IoT Enterprise version), aside from the house variations, in fact.
Establishing Home windows Autopatch
Earlier than we will begin with organising Home windows Autopatch, we first want to take a look at our surroundings. On the subject of deploying updates, you at all times need to take a look at them first on a few machines earlier than rolling them out to all units.
Now, there are a few methods that you should use with regards to rolling out updates. For small environments, we will hold it easy, we will assign a share of the machines to the take a look at ring, and the remaining foremost deployment ring.
However for a bigger group (100+ units), you most likely need to have a bit extra management over the take a look at section. apply is to begin with the units from the IT division or one other division the place the customers are a bit extra tech-savvy.
Then there may be typically additionally a gaggle of customers or a division that you just need to do final, like the chief customers, or perhaps the finance division.
So, relying in your setting and rollout plan, it’s a good suggestion to arrange your units first into a few system teams. We will then assign the units in these teams to the completely different deployment rings.
Creating Machine Teams
I’ve solely a small take a look at setting right here, so I’m going to maintain the system teams easy. We’re going to create one group for the IT division, this shall be our take a look at group. One group with the units from the board members, and one group with the remainder of the units.
- Open the Microsoft Entra Admin Heart
- Broaden Group and go to Overview (direct hyperlink)
- Click on on New Group
- Create the next Teams:
| Take a look at Gadgets | Final Gadgets | Relaxation | |
|---|---|---|---|
| Title | Autopatch-Take a look at | Autopatch-Final | Autopatch-Broad |
| Homeowners | Add an admin | Add an admin | Add an admin |
| Membership kind | Assigned | Assigned | Assigned |
| Members | Choose take a look at units | Choose vital units | Remainder of the units |
As a substitute of assigned membership, it’s also possible to use dynamic system membership kind. This lets you use a rule to dynamically assign the units to the teams. You may, for instance, assign the units primarily based on the system title, OS kind/model, and extra.
In massive environments, I like to recommend including a pilot group as nicely. This group ought to include units of various departments, roles, and/or {hardware}. Attempt to assign ~10% of the units to this group, so you’ve gotten a superb baseline to catch any issues with the updates.
Home windows Autopatch Teams
With the system teams created, we will begin with organising Home windows Autopatch. Step one shall be to create an Autopatch group. When you’ve gotten 250 units or fewer, you may completely use one Autopatch group. When you’ve gotten a number of department places of work, it’s a good suggestion to create an Autopatch group for every workplace.
- Open the Intune Admin Heart
- Click on on Tenant administration
- Broaden Home windows Autopatch and click on on Autopatch teams (direct hyperlink)
- Click on on Create Autopatch Group
- Give your group a reputation and click on on Subsequent
Word
In the event you don’t see Home windows Autopatch within the Tenant Administration, you then don’t have an Intune license in your tenant. Test the necessities for the licenses that you just want
Deployment Rings
Every Autopatch group comes with two deployment rings by default: a take a look at ring and a final ring. These rings can’t be eliminated, however are good to have. The take a look at ring ought to include just one% of the units, roughly. We shall be utilizing our take a look at group that we created for this. The Final ring shall be used for our vital units, which we need to replace final.
For the remainder of our units, Autopatch-Broad, we’re going to create two rings. We shall be utilizing dynamic group distribution between these two teams to routinely cut up the remainder of the units. Dynamic Group Distribution means that you can assign a share of the units to the ring.
- Assign the Autopatch-Take a look at system group to the Take a look at ring
- Assign the Autopatch-Final system group to the Final ring
- Add two extra deployment rings
- Assign the Autopatch-Board group to the Dynamic group distribution
- Set the chances to 10% and 90% for Ring 1 and Ring 2
- Click on Subsequent when accomplished
Replace Varieties
Within the Replace Varieties step, you may choose which sorts of updates you need to roll out to the units. In genera,l you need to allow all updates on your units.
Deployment Settings
Within the deployment settings, we will configure how updates needs to be accredited. The primary setting, featured updates, means that you can set the goal model. In case your group makes use of an app that isn’t suitable with a brand new launch, then you may restrict right here which model needs to be put in.
Home windows Autopatch additionally updates drivers routinely. For many organizations, the automated approval mode is completely high quality. However when you’ve gotten skilled points with current driver updates, then I like to recommend setting it to Handbook approval mode. This offers you a bit extra management over which drivers are put in and means that you can totally take a look at it.
The Microsoft Edge updates are set to Secure for all rings, aside from the take a look at ring. That is set to Beta by default. In case you have an IT division that likes to check out Beta releases, then depart it as is. However in any other case, I might set your take a look at ring additionally to steady.
Launch Schedules
That is most likely essentially the most attention-grabbing web page of the Autopatch group. Right here we will management when the updates are put in. And with that I imply, from the time to days after launch, to the deadline when it must be put in.
Now, earlier than we begin adjusting the values, Microsoft has created a number of preset launch schedules:
- Data employee – For single-user units (essentially the most generally used possibility)
- Shared units – Gadgets which are utilized by a number of customers over time
- Kiosks and billboards – Excessive uptime units, pressure updates and reboots to particular occasions
- Reboot-sensitive systems – Vital units that shouldn’t be interrupted in the midst of a process
We’re going to use the default, data employee, template. Now, the primary setting is the Home windows replace set up, reboot, and notification conduct. The default setting for that is to routinely set up and restart, and default Home windows Replace notifications for all rings.
However when potential, updates ought to at all times be accomplished outdoors the lively hours. This manner, the customers received’t be interrupted throughout their work. On the subject of the notifications, solely the restart warning is sufficient. There isn’t any have to trouble the customers with the reset, aside from the take a look at group. This group needs to be notified about any updates.
Subsequent, we have to configure once we need to set up the updates. And on this case, we imply what number of days after the replace is launched. You may set the values for the shopper, driver, Microsoft 365 apps updates, and the Home windows Characteristic updates. For every possibility, you will note the phrases: deferrals, deadline, and a grace interval that we will configure. Let me clarify that first:
Deferrals
Defines what number of days after Microsoft has launched the replace, it needs to be put in. For instance, if the shopper replace deferral is about to 7 days, and Microsoft has launched an replace on March 1st, then the replace received’t present up on the system till March seventh.
Deadline
When an replace turns into out there after the deferral interval, the deadline defines how lengthy the consumer has to put in the replace voluntarily. After the deadline passes, the replace will auto-install and pressure a reboot if wanted.
Grace Interval
The grace interval defines the variety of days the consumer can postpone the reboot after the replace or driver is put in. After that, Home windows will pressure a reboot.
Creating the schedule
Now I’ve seen my justifiable share of updates that trigger issues after they have been launched. So I don’t like my units to be the guinea pigs with regards to new updates.
So, what you are able to do is use a schedule like beneath, for instance:
| Deployment Ring | Consumer Replace Deferrals | Driver Replace Deferrals | Deadline | Grace Interval |
|---|---|---|---|---|
| Predominant Group – Take a look at | 3 days | 3 days | 2 days | 2 days |
| Predominant Group – Ring1 | 5 days | 5 days | 2 days | 2 days |
| Predominant Group – Ring2 | 9 days | 9 days | 3 days | 2 days |
| Predominant Group – Final | 14 days | 14 days | 5 days | 5 days |
Featured Updates
Microsoft recommends utilizing the function replace coverage to configure the discharge of the function updates. So we will depart these 0 days.
Microsoft 365 apps updates
For the Microsoft 365 app updates, I like to recommend utilizing an analogous schedule because the one for the shopper and driver updates. Though you possibly can set the rings a bit nearer collectively, as a result of these updates are sometimes not that problematic.
Evaluation and Create
The final step is to overview and create your Home windows Autopath group. Click on on create when accomplished. It should now take a few hours for all of the units to be added to the completely different deployment rings.
Monitoring Home windows Autopatch
With Home windows Autopatch configured and deployed, we will begin monitoring the units. The primary place to begin is the Gadgets Overview web page. This may inform you what number of units are efficiently added to Home windows Autopatch. Yow will discover this overview underneath Gadgets > Overview.
In the event you click on on Home windows Autopatch Gadgets on the Overview web page, you’ll get an inventory of all units which are registered in Autopatch. And extra importantly, it’s going to present the replace standing and the deployment ring the units is assigned to:
We will additionally monitor the improve progress from the Home windows Updates perspective. In the event you open the Home windows updates web page underneath Gadgets > Handle Updates, you may see all of the updates which are prepared for deployment in your tenant.
In the event you click on on an replace, you may monitor the progress of the replace for every ring. Additionally, make certain to take a look at the final tab, Monitor, which provides you a fast overview of any units with errors.
The very last thing that I need to level out the place you may shortly see to which replace ring a tool belongs. Now we have, in fact, the Autopatch Gadgets overview web page as I discussed earlier, however what you probably have a tool with a driver situation? Or after a reboot, it received’t run anymore? In these circumstances, you need to test by which replace ring the system belongs so you may both pause the updates if wanted or examine the problems with different units.
Gadgets are added to the completely different replace rings with group memberships. This implies which you can decide which ring a tool belongs to by merely trying up its group memberships. In Microsoft Entra, you may view it underneath Gadgets > Open the system, and on the properties web page, it’s listed underneath Teams.
A little bit bit simpler is the Intune Admin Heart. Go to Gadgets > All Gadgets. Search for the system in query and click on on Group membership. Right here you will note to which ring and which Autopatch group the system is assigned:
Wrapping Up
Home windows Autopatch isn’t new, in fact. It has been out there with the Microsoft 365 Enterprise licenses for a few years now. However now it’s additionally included with Microsoft 365 Enterprise Premium customers, permitting smaller companies to simply automate and handle the updates, with out the necessity to manually configure replace rings or monitor deployments.
Hope you preferred this text, make certain to subscribe to the e-newsletter if you wish to keep up-to-date with the most recent options, and you probably have any questions, simply drop a remark beneath.
