Getting Started With Windows Autopatch (cheat sheet) – EMS Route


Windows Autopatch has come a long way and is becoming the new normal for updating your Windows endpoints, Microsoft 365 Apps, device drivers and the Edge browser with Intune, whether the devices are physical (workstations, laptops, kiosks, billboards) or virtual (AVD, Windows 365). The Microsoft Learn documentation has more detailed information on the service; this is a short version of how you can quickly start working with Windows Autopatch. If you are new to it, or want to get the best out of Windows Autopatch, this guide is for you.

Table of Contents

  1. What’s New in Autopatch?
  2. Prerequisites
  3. Conflicting Configs – When devices use a different method
  4. Creating Autopatch Groups
  5. Changing Values in Autopatch Settings
  6. Post-Device Registration Readiness Checks
    1. Checkpoints
  7. Excluding a Device
  8. Monitoring and Reporting
    1. Monitor
    2. Reports
  9. Resolving Service Issues
  10. Messages and Service Health
  11. Useful Links

Prerequisites

  • Device Join mode
    Entra Joined or Entra Hybrid Joined
  • Licenses
    • Microsoft 365 Business Premium
    • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
    • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
    • Windows 10/11 Enterprise E3 or E5 VDA
  • RBAC
    • Windows Autopatch Administrator
    • Windows Autopatch Reader
    • Intune custom role
  • Device Groups
    Have the Entra ID dynamic or assigned device groups ready. These groups can only be used in one Autopatch group setup.
    • Supports Entra groups synced from On-prem AD or ConfigMgr collections.

Conflicting Configs – When devices use a different method

Autopatch flags devices that receive Windows Update settings from another source, such as:

  • Active Directory Group Policy (GPO)
  • Configuration Manager device client settings
  • Manual registry updates
  • Local Group Policy settings applied during imaging (LGPO)

Registry keys inspected by Autopatch

HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations Value=Any
HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess Value=Any
HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate Value=Any

Resolving conflicts: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations#resolving-conflicts
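To audit a device for the three registry values Autopatch inspects before you register it, here is an added PowerShell example (not from the original post and not a Microsoft cmdlet). The paths and value names are the ones listed above, written with the usual `HKLM:\` provider syntax; the function name is my own, and "Value=Any" is taken to mean that any value present is treated as a conflict.

```powershell
# Added example: audit the Windows Update policy values that Windows Autopatch
# inspects for conflicting configurations. Any value present is flagged (Value=Any).
# Test-AutopatchRegistryConflicts is a name chosen for this example, not a built-in cmdlet.
function Test-AutopatchRegistryConflicts {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $checks = @(
        @{ Path = $base;      Name = 'DoNotConnectToWindowsUpdateInternetLocations' },
        @{ Path = $base;      Name = 'DisableWindowsUpdateAccess' },
        @{ Path = "$base\AU"; Name = 'NoAutoUpdate' }
    )

    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            # -ErrorAction SilentlyContinue keeps a missing value name from throwing
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($c.Name) }
        }
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Present  = ($null -ne $value)
            Value    = $value
            Conflict = ($null -ne $value)   # Autopatch flags the key when any value is set
        }
    }
}

# Run on the device and show the result; reading HKLM policy keys does not need elevation
$results = Test-AutopatchRegistryConflicts
$results | Format-Table -AutoSize
if ($results | Where-Object Conflict) {
    Write-Warning 'Conflicting Windows Update policy found; see the "Resolving conflicts" link.'
    # Policy-delivered values usually come from GPO/LGPO, ConfigMgr client settings or a
    # manual edit. "gpresult /h report.html" shows which GPO set a value before you remove it.
}
```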

Creating Autopatch Groups

To create the first Autopatch group: Devices --> Windows Updates --> Create Autopatch group
To create more Autopatch groups, go to Tenant Administration --> Windows Autopatch --> Autopatch Groups

Maximum number of Autopatch groups: 300. Each group supports up to 15 deployment rings.

An Autopatch group contains:

  • Deployment rings
    • The First and Last rings are pre-created.
    • Create more rings as required (e.g. Department X_Ring).
  • Deployment Ring Assignment
    • Entra ID Groups – Can be dynamic or assigned
    • Dynamic group distribution – Select the Entra ID group(s) that contain the devices and the percentage of those devices to distribute to each ring.
      • New Entra ID device groups are created automatically and the devices are assigned to them according to the percentages provided.
    • The Test and Last rings must use Assigned groups.
  • Update Types
    • Quality updates
    • Feature updates
    • Driver updates
    • Microsoft 365 apps updates
    • Microsoft Edge updates
  • Deployment Settings
    • Feature Updates: Can be unselected if needed
    • Driver updates: Select automatic or manual approval
    • Edge policies: Select Beta or Stable channel for each ring or use the same for all rings
  • Release Schedule
    • Select the Release Schedule Preset. Edit individual options if needed
      • Shared device: Devices that are used by multiple users over a period of time.
      • Information worker: Devices that are used by multiple users over a period of time.
      • Kiosk and billboards: High-uptime devices used to accomplish a specific task; they hide notifications and reboot at a specific time.
      • Reboot-sensitive devices: Devices where it is critical that they are not interrupted in the middle of a task, so they only update at a scheduled time.

Changing Values in Autopatch Settings

Some values can be changed by navigating to the relevant section under Devices --> Windows Updates; others are changed by navigating to the Autopatch group in the Tenant Administration section.

Post-Device Registration Readiness Checks

The Windows Autopatch client agent is installed after a device successfully registers with Windows Autopatch. The agent performs the readiness checks and reports the results back to the service.

Intune Admin Center --> Windows Autopatch --> Tenant management --> Actions

Checkpoints


Excluding a Device

Use Tenant Admin --> Windows Autopatch --> Devices, select the device(s) and choose Exclude.

Monitor

Devices --> Windows Autopatch --> Monitor

  • Autopatch Groups Membership
  • Deployment status per Windows update ring
  • Feature update policies with alerts
  • Expedited quality update policies with alerts
  • Driver update policies with alerts

Reports

Reports --> Windows Autopatch

Resolving Service Issues

Tenant Admin --> Windows Autopatch --> Tenant Management

Action type: Maintain tenant access
Severity: Critical
Description: Required licenses expired. The licenses include:

  • Microsoft Intune
  • Microsoft Entra ID P1 or P2
  • Microsoft 365 Business Premium
  • Windows 10/11 Education A3 or higher
  • Windows 10/11 Enterprise E3 or higher

Once critical actions are resolved, it can take up to two hours for Windows Autopatch to return to an active state.

Messages and Service Health

Staying on top of the service is important when you are patching devices with Autopatch. This section shows any updates from Microsoft related to the service and the overall health of the Autopatch service.

Tenant Admin --> Windows Autopatch --> Messages


Useful Links

Support Requests: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-support-request

Autopatch on AVD: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-azure-virtual-desktop-workloads

Autopatch on W365: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads
