Jump to content


Getting started with Windows 365 - Part 7. Patching your Cloud PCs with Windows Autopatch

Recommended Posts


This is Part 7 in a new series of guides about getting started with Windows 365. This series of guides will help you to learn all about Windows 365 in a clear and insightful way. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. At the time of writing, Paul is a 6 times Enterprise Mobility MVP based in the UK and Niall is a 12 times Enterprise Mobility MVP based in Sweden. In this series we aim to cover everything we learn about Windows 365 and share it with you to help you to deploy it safely and securely within your own organization. In Part 1 we introduced you to Windows 365, selecting the right edition with the level of management that you need, choosing the plan that suits your users needs at a cost you can afford, or modifying the configuration to make it more suited to your individual needs, purchasing licenses and saving money for your organization via the Windows Hybrid Benefit. In Part 2 you learned how to provision an Azure Ad joined Cloud PC and take a look at the different network options available when provisioning an Azure Ad joined Cloud PC. In Part 3 you learned about the steps needed to successfully provision a Hybrid Azure Ad Joined Cloud PC. In Part 4 you saw the many different ways you can connect to your Cloud PC from many device be it Android, Mac, Windows, Linux or iPhone and you learned that not all connection options have the same abilities. In Part 5 we covered the management capabilities of your Cloud PCs and explained the different options available depending on which version (Business versus Enterprise) that you purchase. In Part 6 we looked at the built in configurable backup technology in Windows 365 which is known as Point-in-time restore, which gives the admin (or user) the ability to restore Cloud PC's to an earlier time before a problem such as a Ransomware incident occurred.

Below you can find all parts in this series:

In this part we'll cover the following:

  • Introduction to Windows Autopatch
  • Prerequisites
  • Allow access to admins without licenses
  • Enroll into Windows Autopatch
    • Readiness assessment tool
    • Enroll
    • Device registration
  • Moving devices between deployment rings
  • Reports
  • User Experience
  • Create Provisioning policy
  • Recommended reading
  • Summary

Introduction to Windows Autopatch


"Do more with less"

Windows Autopatch was created to ease the pain of managing software updates by automating those tasks, improve security and thereby freeing up IT admins time. After registering devices with Windows Autopatch it can deal with multiple areas of update management including:

  • Windows quality updates
  • Windows feature updates
  • Microsoft 365 apps for Enterprise
  • Microsoft Edge
  • Microsoft Teams

Windows Autopatch aims to reach the following SLO (Service Level Objective) at the time of writing.

  • Windows quality updates  - 95% of eligible devices on the latest quality update within 21 days
  • Windows feature updates - 99% of eligible devices on a supported version
  • Microsoft 365 apps for Enterprise - 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC)


Windows Autopatch like all Microsoft services has a list of prerequisites and you can review them here and it covers 4 main areas.

  1. Licensing
  2. Connectivity
  3. Azure Active Directory
  4. Device Management

In a nutshell you must be licensed to use Windows Autopatch, Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune licenses are required. You must also allow connectivity to all endpoints specified here including mmdcustomer.microsoft.com, mmdls.microsoft.com, logcollection.mmd.microsoft.com and support.mmd.microsoft.com. Your users must be created in Azure Active Directory or synced via the latest version of Azure AD Connect. Last but not least, your devices must already be enrolled into Intune management before you try to register them with the Windows Autopatch service. They can use co-management but, if so, make sure that the following workloads are pointing to Pilot Intune or Intune.

  • Windows Update policies workload to Pilot Intune or Intune.
  • Device configuration workload to Pilot Intune or Intune.
  • Office Click-to-Run apps workload to Pilot Intune or Intune.

comanagement workloads to intune.png

Allow access to admins without licenses

When turning on Windows Autopatch for your Tenant, one of the tests that will be done is admin licensing. You can make things smoother by configuring this setting in advance. You can give administrators access to Microsoft Endpoint Manager without them requiring an Intune license, see Unlicensed admins in Microsoft Intune | Microsoft Learn


This feature applies to any administrator, including Intune administrators, global administrators, Azure AD administrators, and so on. Other features or services, such as those in Azure Active Directory (AD) Premium, may require a license for the administrator.
The Unlicensed admins option has been enabled by default on all accounts created after the 2006 release.

To flip the setting go to your Tenant admin, click on Roles, and select Endpoint Manager roles, click on Administrator Licensing and you'll see this.

allow access to unlicensed admins.png

read the warning before clicking Yes (or No if you are unsure.)

allow access to unlicensed admins warning.PNG

Once done, there will simply be a blank space to greet you in the Administrator Licensing space.

where's the confirmation.PNG


Enroll into Windows Autopatch

Readiness assessment tool

At this point you are hopefully ready to enroll your tenant into Windows Autopatch, so let's do it. In the Tenant Admin node, click on Tenant enrollment and select Windows Autopatch.

enroll into windows autopatch.png

place a tick in the checkbox and click Agree. this will launch the readiness assessment tool.

readiness assessment tool initial results.png

clicking on View details gives you an overview of what is OK or NOT OK in your tenant in relation to Windows Autopatch. Any errors marked in red must be fixed (notice the unlicensed admin error !)

errors in red not ready.png

You can click on a linked entry to get details of the problem, for example here is the co-management advisory.

comanagement advisory.png

and here's the advisory for Update rings for Windows 10, which is odd as you haven't created any for Windows Autopatch yet so how can you exclude them in advance ?

update rings for windows 10.png

After fixing the minor problems noted above, you can click on Run checks again and this time it should report that it is Ready (to enroll).

ready to enroll.png

If you are still curious about why there are still 2 advisories you can also click on View details again to review that.

2 ready 2 advisory.png


Now that the readiness assessment is happy, go ahead and click on Enroll. You'll have to agree to allow admin access for Microsoft requiring 2 admin users email and phone numbers.

allow administrator access for Microsoft.png

supply the details of your Primary admin

primary admin.png

and the Secondary admin

secondary admin.png

after clicking complete you might see an error, don't panic, we did in both our tenants.

an error has occurred during enrollment.png

but on the second attempt all was good ! Notice all the activity going crazy in the notification area.

windows autopatch is enrolled.png

After some time you should be notified that Windows Autopatch Setup is complete.

windows autopatch setup complete.png

Changes to your tenant

When you enroll into Windows Autopatch the service creates many new objects including Azure AD Groups, policies, update rings and reports, here are a few snippets of some of those many changes.

New Azure AD Groups


new Azure AD groups.png

New configuration profiles

new configuration profiles.png

New PowerShell script

Modern Workplace - Autopatch Client Setup v1.1

New Update Rings


New Feature Updates


New reports

windows quality update reports.png

Device registration

Clicking Continue (in the screenshot above) brings you to the Windows Autopatch devices view which will most likely be empty after enrollment. It's separated into three tabs

  • Ready
  • Not ready (Preview)
  • Not registered

windows autopatch devices empty.png

After reading the text and clicking the included link it was clear that there was a new Azure AD Group created by the Windows Autopatch service called Windows Autopatch Device Registration. We went ahead and added a Windows 365 Cloud PC to the Windows Autopatch Device Registration group.

add one cloud pc to the group.png

Next, in the Windows Autopatch devices node, click on Discover Devices to get the service to look for new members in that group.



After some time it showed up.

added one cloud pc to the group.png

We then looked at the Group Membership of that device directly after we registered it with Windows Autopatch.

group membership after windows autopatch.png

Interesting how it detects that the Cloud PC is a Virtual Machine.

You'll notice that the Windows Autopatch service has automatically added this Cloud PC to a group called First, this is one of 4 update ring groups.

  • Modern Workplace Devices-Windows Autopatch-Test       Deployment ring for testing update deployments prior to production rollout.
  • Modern Workplace Devices-Windows Autopatch-First       First production deployment ring for early adopters.
  • Modern Workplace Devices-Windows Autopatch-Fast       Fast deployment ring for quick rollout and adoption.
  • Modern Workplace Devices-Windows Autopatch-Broad    Final deployment ring for broad rollout into the organization.

Intrigued we added another Cloud PC along with several unpatched, out of date devices in the tenant to see what would happen.

add devices to Windows Autopatch Device Registration.png

within some time the Windows Autopatch service had assigned these devices to groups automatically with both of the Windows 365 Cloud PC's added to the First update ring.

devices added to update ring groups.png

In addition to these Ready devices some were Not registered with the service due to not meeting prerequisites.

not registered.png

Moving device between deployment rings

To change the update ring a device is in you must select one of more devices and use the Device actions dropdown to move to another update ring group, do not simply move the device from one Azure ad group to another (more on those groups later).

assign device group.png

This brings up a dropdown list of the available rings (update ring groups)

assigning a group.png

We selected the Test ring for this Cloud PC

selected Test.PNG

after the change

test ring.png

Note that you can only move devices to other deployment rings when they are in an Active state in the Status tab.


Windows Autopatch includes new reports to assist with monitoring the effectiveness of automated software update management. Let's take a look. In the Reports node of Intune, select Windows Quality Updates in the Windows Autopatch section. You'll be presented with a summary of Windows Autopatch managed devices in their various states, listed below:

  • Up to Date
  • In Progress
  • Paused
  • Not Up to Date
  • Ineligible
  • Total

Windows Quality Updates.png

clicking on the Reports tab (beside summary) will show the actual reports.


In the first report, All devices report, you can see our Cloud PCs are currently up to date ! Great.

Cloud PCs up to date.png

Truth be told however, they had an issue before Windows Autopatch could do it's thing, and that was they were getting a GPO applied (as they are Hybrid Azure AD joined) which was blocking automatic updates. Once that GPO was identified and delinked, they updated very quickly indeed.

Below you can see what they looked like before the GPO was identified. Notice how they are both showing with an Update Status of Not Up to Date, and the Update sub status looks confused (Other and No Heartbeat).

not up to date.png

The offending GPO was setting the following registry key which was blocking Windows Autopatch (highlighted below in bold)

  • WUServer
  • WUStatusServer
  • DoNotConnectToWindowsUpdateInternetLocations
  • DisableWindowsUpdateAccess
  • AU\NoAutoUpdate
  • AU\UseWUServer

the next report is the All devices Report - historical which gives you a historical view of how up to date (or not) your devices are over a period of time (90-day trend), notice how currently 7 out of 10 devices are up to date and none are not up to date.

all devices report historical.png

You can click on any of the headings in the right pane to get time points and clarity of that section. You can also choose to Export trend to get a CSV file containing this data, unfortunately it doesn't go any deeper than what you see here so you won't for example see device names/serial numbers or anything useful like that. Hopefully we can get that data in a later release.

export trend.png

The next report is the Eligible devices report - historical where you can review the effectiveness of any of the Windows Autopatch update rings over a period of time.

eligible devices report historical.png

And finally we have the ineligible devices report historical which shows data about your ineligible devices and whether they are on an unsupported build or not.

ineligible devices report historical.png


User Experience

the user experience is exactly what you'd expect from WUFB managed clients, you get the normal Windows notifications and they are goverened by the Windows Autopatch update ring policies, which you shouldn't change as they will be overwritten by the Windows Autopatch service. Below is one such notification received by our Cloud PCs over the last few weeks.

windows update info in windows update settings.png

Create Provisioning policy

Lastly, we'd like to mention the Windows Autopatch setting in the Create Provisioning Policy section. It's there, but it's not clear exactly what it does (for example, would it kick off a Windows Autopatch readiness assessment tool if you hadn't yet enrolled into Windows Autopatch. This remains unanswered. We'll update it after getting clarification from Microsoft.

Windows Autopatch ANC setting.png

Recommended reading


The Windows Autopatch service is like your very own IT Admin for Software Update Management, much like what you get with Automatic Deployment Rules within Configuration Manager or Windows Intune's quality and feature update rings. The difference here is that when you enable Windows Autopatch, Microsoft define and manage these administrative tasks so you don't have to. Keep in mind that it is not recommended to change any settings in the preconfigured update rings or policies or scripts provided by the service as they could be overwritten by the service when it gets updated by Microsoft. Also, you should not manually populate the Azure AD groups created by the service except the one used for device registration. The fact that you can't really deviate from the settings, policies and parts that make up Windows Autopatch can be a downside for some customers. Hopefully Microsoft reads this and adds this ability going forward. Overall though, a thumbs up from us, well done to all involved with creating Windows Autopatch, it makes the management of updates, security patches and more to your Cloud PC's a walk in the park.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.