Windows Autopatch Configuration
Audience: Platform Engineering, IT administrators
Purpose: Deploy and manage Windows Autopatch for automated update management
Quick Reference
- Managed Service — Microsoft engineers actively manage rollouts, monitoring, and remediation
- Comprehensive — Handles Windows, Microsoft 365 Apps, Edge, Teams, and drivers
- Client Broker — On-device intelligence checks for and remediates update issues
- Autopatch Groups — Your control plane for managing update cadences
Overview
Windows Autopatch is a cloud service included with Windows Enterprise A3+ licenses that automates the entire update process. Unlike manual Windows Update for Business (WUfB) management, Autopatch:
- Creates all necessary update policies automatically
- Assigns devices to deployment rings (Test, First, Fast, Broad)
- Manages progressive rollout according to service-level objectives
- Uses Microsoft's telemetry to detect and respond to issues
Philosophy: Trust the Service
The core principle is moving from manual control to trust and verification:
- Define business needs — Information workers vs. kiosks vs. sensitive devices
- Assign devices — Add to appropriate Autopatch group
- Monitor health — Review service reports and alerts
By entrusting operational details to Microsoft, you focus on strategic initiatives while benefiting from their expertise and automation.
Prerequisites
| Requirement | Details |
|---|---|
| Licensing | Windows Enterprise A3+ |
| Identity | Entra ID Joined or Hybrid Joined devices |
| Management | Microsoft Intune |
| Network | Access to Microsoft Update and Autopatch endpoints |
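A device-side check of the Identity and Management rows above, added here as an example and not part of the original page. It parses the output of `dsregcmd /status` (a built-in Windows tool) to report the Entra ID join type and whether an MDM enrollment URL is present; the function names are this example's own.

```powershell
# Added example: confirm the Entra ID join state and MDM enrollment that the
# Prerequisites table requires. Run in an elevated PowerShell session on the device.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines under section banners such as "| Device State |";
    # banner lines have no "key : value" shape and are skipped by the regex.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:|]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]   # value keeps any later colons (URLs, timestamps)
        }
    }
    return $status
}

function Test-AutopatchPrerequisite {
    param([hashtable]$Status = (Get-DsregStatus))

    $aadJoined    = $Status['AzureAdJoined'] -eq 'YES'
    $domainJoined = $Status['DomainJoined']  -eq 'YES'
    $mdmUrl       = $Status['MdmUrl']

    # The table accepts either Entra ID Joined or Hybrid Joined
    $joinType = if ($aadJoined -and $domainJoined) { 'Hybrid Joined' }
                elseif ($aadJoined)                { 'Entra ID Joined' }
                else                               { 'Not joined to Entra ID' }

    # An MDM URL is only present once the device is enrolled in an MDM (Intune here)
    $mdmEnrolled = -not [string]::IsNullOrWhiteSpace($mdmUrl)

    [pscustomobject]@{
        JoinType    = $joinType
        MdmEnrolled = $mdmEnrolled
        MdmUrl      = $mdmUrl
        Ready       = $aadJoined -and $mdmEnrolled
    }
}

Test-AutopatchPrerequisite | Format-List
```

A device that reports `Ready = False` will fail the Autopatch readiness check in Step 3, so fix the join or enrollment first.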
Configuration Procedure
Step 1: One-Time Tenant Enrollment
- In Intune admin center, navigate to Tenant admin → Windows Autopatch
- Select Tenant enrollment
- The service runs a Readiness assessment checking:
  - Licensing
  - Intune configuration
  - User roles
- Address any flagged items
- Consent to enroll your tenant
Created automatically:
- Windows Autopatch Device Registration group
- Groups for each deployment ring (Test, First, Fast, Broad)
Step 2: Create Autopatch Group
Navigate to Tenant admin → Windows Autopatch → Groups and click Add Autopatch group.
Basics
Provide a clear name (e.g., "TAMU Information Workers") and description.
Deployment Rings
| Ring | Assignment Method |
|---|---|
| Test | Assigned (specific known devices) |
| First | Dynamic or assigned |
| Fast | Dynamic or assigned |
| Broad | Dynamic or assigned |
| Last | Assigned (final validation devices) |
Update Types
Select all for full service benefit:
- ✅ Quality updates
- ✅ Feature updates
- ✅ Driver updates
- ✅ Microsoft 365 apps updates
- ✅ Microsoft Edge updates
Deployment Settings
| Update Type | Configuration |
|---|---|
| Feature updates | Set target version (e.g., Windows 11 25H2) |
| Driver updates | Set approval method (auto-approve recommended) |
Release Schedule Presets
Choose the preset matching your device population:
| Preset | Use Case |
|---|---|
| Information worker | Default for typical user devices |
| Shared device | Aggressive reboots outside business hours |
| Kiosks and billboards | Very aggressive for non-interactive devices |
| Reboot-sensitive | Gentle policies for lab equipment |
After selecting a preset, all deferral, deadline, and grace period values are populated with Microsoft's best practices. Customize individual settings if needed.
Step 3: Device Registration
Register Devices
- Add devices to the Windows Autopatch Device Registration Entra ID group
- Autopatch detects devices, runs readiness checks, marks them "Ready"
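One way to do the registration step in bulk with the Microsoft Graph PowerShell SDK, added here as an example rather than code from the page or from Microsoft. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the caller can consent to the listed scopes; the device names are constructed sample values.

```powershell
# Added example: add devices to the "Windows Autopatch Device Registration" group so
# Autopatch picks them up, runs its readiness checks, and marks them Ready.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

$deviceNames = @('WKS-IW-0101', 'WKS-IW-0102', 'WKS-IW-0103')   # constructed sample names
$groupName   = 'Windows Autopatch Device Registration'          # created at tenant enrollment

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Device.Read.All'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; has the tenant been enrolled?" }

# Snapshot current members so re-running the script is idempotent
$existing = @{}
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $existing[$_.Id] = $true }

foreach ($name in $deviceNames) {
    $devices = @(Get-MgDevice -Filter "displayName eq '$name'")

    if ($devices.Count -eq 0) {
        Write-Warning "$name : no Entra ID device object (not joined yet?) - skipped"
        continue
    }
    if ($devices.Count -gt 1) {
        # Stale or duplicate objects: a human should decide which one is the live device
        Write-Warning "$name : $($devices.Count) device objects found - skipped, clean up first"
        continue
    }

    $device = $devices[0]
    if ($existing.ContainsKey($device.Id)) {
        Write-Host "$name : already in '$groupName'"
        continue
    }

    # Membership is keyed on the directory object Id, not the DeviceId
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $device.Id
    Write-Host "$name : added; check the Autopatch device report for its readiness result"
}
```

Devices that are skipped here are exactly the ones that would fail or sit unregistered in the Autopatch device report, so resolve the warnings before assigning devices to rings.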
Assign to Rings
Add ready devices to the Entra ID group associated with their deployment ring.
Monitor
Use the Windows Autopatch section in Intune admin center to monitor:
- Release status
- Device health
- Trends and alerts
Autopatch Client Broker
The Client Broker provides on-device intelligence that makes Autopatch a true managed service:
| Function | Description |
|---|---|
| Health Checks | Verifies device readiness before updates |
| Automatic Remediation | Fixes common issues (stuck services, BITS problems) |
| Policy Coordination | Orchestrates deferrals, deadlines, and notifications |
The Client Broker proactively fixes the most common update failures, dramatically increasing compliance rates and reducing support tickets.
FAQs
Does Autopatch replace my manual WUfB rings?
Yes. Remove devices from manually configured WUfB policies to avoid conflicts. Autopatch creates and manages its own policies for enrolled devices.
What happens if a bad update is released?
Microsoft's service operations team monitors update health using large-scale data. If an issue is detected, the service automatically pauses or rolls back the deployment—often before you're aware of the problem.
Can I expedite a security update?
Yes. Autopatch automatically handles expedited quality updates when necessary based on the threat landscape.
Glossary
| Term | Definition |
|---|---|
| Autopatch Group | Logical grouping with its own deployment rings and schedules |
| Release Schedule Preset | Pre-configured best-practice settings for a device persona |
| Client Broker | On-device components for health checks and remediation |
Related Resources
- Intune Documentation — Endpoint management overview
- Scope Groups & Naming — Group conventions
- Microsoft Autopatch Overview — Official documentation