Windows Autopatch deployment guide
As organizations move to support hybrid and remote workforces, and continue to adopt cloud-based endpoint management with services such as Intune, managing updates is critical.
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
A successful Windows Autopatch deployment starts with planning and determining your objectives. Use this deployment guide to plan your move or migration to Windows Autopatch.
This guide:
- Helps you plan your deployment and adopt Windows Autopatch
- Lists and describes some common objectives
- Provides a recommended deployment plan
- Provides migration considerations for Windows Update for Business (WUfB) and Microsoft Configuration Manager
- Lists some common general considerations when deploying Windows Autopatch
- Provides suggested business case benefits and communication guidance
- Gives additional guidance and how to join the Autopatch community
Determine your objectives
This section details some common objectives when using Windows Autopatch.
Once an organization is onboarded, Windows Autopatch automatically creates multiple progressive deployment rings and applies the latest updates according to Windows Autopatch recommended practices and your organization's custom configuration. While there are options to adjust configurations such as quality update cadence, the service provides you with a baseline to begin establishing your update objectives.
Use Windows Autopatch to solve the following challenges:
- Difficulty developing and defending update cadence and general best practices
- Increase visibility and improve issue reporting
- Achieving a consistent update success rate
- Standardize and optimize the configuration for devices, policies, tools and versions across their environment
- Transition to modern update management by configuring Intune and Windows Update for Business
- Make update processes more efficient and less reliant on IT admin resources
- Address vulnerabilities and Windows quality updates as soon as possible to improve security
- Assist with compliance to align with industry standards
- Invest more time on value-add IT projects rather than monthly updates
- Planning and managing Windows feature updates
- Transition to Windows 11
Recommended deployment steps
The following deployment steps can be used as a guide to help you to create your organization's specific deployment plan to adopt and deploy Windows Autopatch.
Step one: Prepare
Review the prerequisites and enroll your tenant into the Windows Autopatch service. At this stage, your devices aren't affected. You can enroll your tenant and review the service options before registering your devices.
Step | Description |
---|---|
1A: Set up the service |
|
1B: Confirm update service needs and configure your workloads |
|
1C: Consider your Autopatch groups distribution | Organizations have a range of Windows devices including desktop computers, laptops and tablets that might be grouped across multiple logical or physical locations. When planning your Autopatch groups strategy, consider the Autopatch group structure that best fits your organizational needs. It's recommended to utilize the service defaults as much as possible. However, if necessary, you can customize the Default Autopatch group with additional deployment rings and/or create your own Custom Autopatch group(s).
|
1D: Review network optimization | It's important to prepare your network to ensure that your devices have access to updates in the most efficient way, without impacting your infrastructure. A recommended approach to manage bandwidth consumption is to utilize Delivery Optimization. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages amongst multiple devices in your deployment. |
Step two: Evaluate
Evaluate Windows Autopatch with around 50 devices to ensure the service meets your needs. You can adjust this number based on your organizational make-up. It's recommended to monitor one update cycle during this evaluation step.
Step | Description |
---|---|
2A: Review reporting capabilities |
There might be times when using Windows Autopatch for update deployment that it's beneficial to review Windows Update for Business (WUfB) reports. For example, when preparing to deploy Windows 11, you might find it useful to evaluate your devices using the Windows feature update device readiness and Windows feature update compatibility risks reports in Intune. |
2B: Review operational changes | As part of the introduction of Windows Autopatch, you should consider how the service integrates with your existing operational processes.
|
2C: Educate end users and key stakeholders | Educate your end users by creating guides for the Windows Autopatch end user experience.
Include your IT support and help desk in the early stages of the Windows Autopatch deployment and planning process. Early involvement allows your support staff to:
Your support staff can experience a walkthrough of the Windows Autopatch admin experience through the Windows Autopatch demo site. |
2D: Pilot planning | Identify target pilot group(s) of up to 500 devices. It's recommended to include a cross-section of your organizational make-up to ensure your pilot results are representative of your organizational environment. |
Step three: Pilot
Plan to pilot the service with around 500 devices to provide sufficient pilot coverage to be ready for deployment. You can adjust this number based on your organizational make-up. It's recommended to monitor one to two update cycles during the pilot step.
Step | Description |
---|---|
3A: Register devices | Register pilot device group(s) |
3B: Monitor update process success |
|
3C: Review reports |
|
3D: Implement operational changes |
|
3E: Communicate with stakeholders | Review and action your stakeholder communication plan. |
3F: Deployment planning | Prepare target deployment groups for phased deployment of Windows Autopatch. |
Step four: Deploy
Following a successful pilot, you can commence deployment to your broader organization. The pace at which you deploy is dependent on your own requirements; for example, deploying in groups of 500 to 5000 per week are commonly used approaches to complete the deployment of Windows Autopatch.
Step | Description |
---|---|
4A: Review reports |
|
4B: Communicate with stakeholders | Review and action your stakeholder communication plan |
4C: Complete operational changes |
|
Migration considerations
If you're an existing Windows Update for Business (WUfB) or Configuration Manager customer, there are several considerations that could accelerate your deployment along a shorter path.
Why migrate from Windows Update for Business or Configuration Manager to Windows Autopatch?
Customers who are using Windows Update for Business (WUfB) or Configuration Manager can quickly adopt Windows Autopatch and take advantage of the key benefits that Windows Autopatch provides.
When moving from Windows Update for Business (WUfB) or Configuration Manager to Windows Autopatch, you can enhance and optimize the update experience that you're already familiar with.
Once migrated, there are several configuration tasks that you no longer need to carry out:
Autopatch benefit | Configuration Manager | Windows Update for Business (WUfB) |
---|---|---|
Automated setup and ongoing configuration of Windows Update policies | Manage and perform recurring tasks such as:
|
Manage "static" deployment ring policies |
Automated management of deployment ring membership | Manually check collection membership and targets | Manage "static" deployment ring membership |
Maintain minimum Windows feature version and progressively move between servicing versions | Spend time developing, testing and rolling-out task sequence | Set up and deploy Windows feature update policies |
Service provides release management, signal monitoring, testing, and Windows Update deployment | Setup, target and monitor update test collections | Manage Test deployment rings and manually monitor update signals |
Simple, integrated process to turn on the service as part of the Windows 365 provisioning policy | Manually target Cloud PCs in device collections | Manually target Cloud PCs in Microsoft Entra groups |
In addition to the reports, other benefits include:
Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
---|---|
Windows quality and feature update reports with integrated alerts, deep filtering, and status-at-a-glance | Requires you to manually navigate and hunt for status and alerts |
Filter by action needed with integrated resolution documentation | Requires you to research and discover possible actions relating to update issues |
Better visibility for IT admins, Security compliance and proof for regulator | Requires you to pull together different reports and views across multiple admin portals |
Service management benefits include:
Autopatch benefit | Configuration Manager and Windows Update for Business (WUfB) |
---|---|
Windows automation and Microsoft Insights | First or third-party resources required to support and manage updates internally |
Microsoft research and insights determine the 'go/no-go' for your update deployment | Limited signals and insights from your organization to determine the 'go/no-go' for your update deployment |
Windows Autopatch might pause or roll back an update. The pause or rollback is dependent on the scope of impact and to prevent end user disruption | Manual intervention required, widening the potential impact of any update issues |
Migrating from Windows Update for Business (WUfB) to Windows Autopatch
Assessing your readiness to migrate from Windows Update for Business (WUfB) to Windows Autopatch
When moving from Windows Update for Business (WUfB) to Windows Autopatch, you can accelerate and simplify your adoption by assessing your readiness to quickly migrate to the Windows Autopatch service by considering key differences that might impact your deployment:
Step | Assessment step | Recommendation |
---|---|---|
1 | "User based" vs. "device based" targeting | Windows Autopatch doesn't support "user based" targeting. If your Windows Update deployment is "user based", you must plan to move to a device-based targeting model by adding and registering devices into Windows Autopatch. Use the Consider your Autopatch groups guidance |
2 | Microsoft Edge channels | Windows Autopatch deploys Microsoft Edge Stable channel to devices in all deployment rings except for the Test deployment ring. The Test deployment ring is configured for the Microsoft Edge Beta channel. If you're currently using different channels, your teams should understand that your Windows Autopatch devices use these channels. For more information, see Confirm update service needs and configure your workloads. |
3 | Microsoft 365 Apps for enterprise | Windows Autopatch deploys the Monthly Enterprise Channel to all Microsoft 365 Apps for enterprise clients. If your organization is using a different channel and you don't wish to adopt the Monthly Enterprise Channel, you can opt out Microsoft 365 Apps for enterprise updates. For more information, see Confirm update service needs and configure your workloads |
4 | Prepare your policies | You should consider any existing policy configurations in your Windows Update for Business (WUfB), Intune or on-premises environment that could impact your deployment of Windows Autopatch. For more information, review General considerations |
5 | Network optimization technologies | We recommend you consider your network optimization technologies as part of your Windows Autopatch deployment. However, if you're already using Windows Update for Business (WUfB) it's likely you already have your network optimization solution in place. For more information, see Review network optimization |
Optimized deployment path: Windows Update for Business (WUfB) to Windows Autopatch
Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path:
Step | Example timeline | Task |
---|---|---|
Step one: Prepare > Set up the service | Week one | Follow our standard guidance to turn on the Windows Autopatch service
|
Step one: Prepare > Adjust the service configuration based on your migration readiness | Week one | |
Step two: Evaluate | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
Step three: Pilot | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
Step four: Deploy | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
Migrating from Configuration Manager to Windows Autopatch
Regardless of if you're migrating from Configuration Manager to Microsoft Intune or if you're remaining with Configuration Manager, if you're currently using Configuration Manager to manage updates, you can migrate the update workloads to Windows Autopatch and take advantage of the key benefits for your Configuration Manager environment.
Assessing your readiness to migrate from Configuration Manager to Windows Autopatch
When you migrate from Configuration Manager to Windows Autopatch, the fastest path to quickly gain value from Windows Autopatch is to already have co-management and the requisite workloads moved to Intune.
Step | Assessment step | Recommendation |
---|---|---|
1 | Turn on co-management | If you're using co-management across Configuration Manager and your managed devices, you meet the key requirements to use Windows Autopatch. If you don't have co-management, see How to use co-management in Configuration Manager |
2 | Use required co-management workloads | Using Windows Autopatch requires that your managed devices use the following three co-management workloads:
If you have these workloads configured, you meet the key requirements to use Windows Autopatch. If you don't have these workloads configured, review How to switch Configuration Manager workloads to Intune |
3 | Prepare your policies | You should consider any existing policy configurations in your Configuration Manager (or on-premises) environment that could impact your deployment of Windows Autopatch. For more information, review General considerations |
4 | Ensure Configuration Manager collections or Microsoft Entra device groups readiness | To move devices to Windows Autopatch, you must register devices with the Windows Autopatch service. To do so, use either Microsoft Entra device groups, or Configuration Manager collections. Ensure you have either Microsoft Entra device groups or Configuration Manager collections that allow you to evaluate, pilot and then migrate to the Windows Autopatch service. For more information, see Register your devices. |
Optimized deployment path: Configuration Manager to Windows Autopatch
Once you have assessed your readiness state to ensure you're aligned to Windows Autopatch readiness, you can optimize your deployment of Windows Autopatch to quickly migrate to the service. The following steps illustrate a recommended optimized deployment path:
Step | Example timeline | Task |
---|---|---|
Step one: Prepare > Set up the service | Week one | Follow our standard guidance to turn on the Windows Autopatch service
|
Step one: Prepare > Adjust the service configuration based on your migration readiness | Week one | |
Step two: Evaluate | Week one to month two | Evaluate with around 50 devices for one update cycle to confirm the correct service configurations are in place |
Step three: Pilot | Month two to three | Pilot with around 500 - 5000 devices for one update cycle to ensure you can further validate with your key stakeholders and Service Desk teams |
Step four: Deploy | Month three to six | Phase deployments as necessary to migrate your estate. You can move as quickly as you feel comfortable |
General considerations
As part of your planning process, you should consider any existing enterprise configurations in your environment that could affect your deployment of Windows Autopatch.
Many organizations have existing policies and device management infrastructure, for example:
- Group Policy Objects (GPO)
- Registry settings
- Configuration Manager
- Existing Mobile Device Management (MDM) policies
- Servicing profiles for Microsoft 365 Apps
It's a useful exercise to create a baseline of your policies and existing settings to map out the configuration that could impact your move to Windows Autopatch.
Group policy
Review existing policies and their structure. Some policies might apply globally, some apply at the site level, and some are specific to a device. The goal is to know and understand the intent of global policies, the intent of local policies, and so on.
On-premises AD group policies are applied in the LSDOU order (Local, Site, Domain, and Organizational Unit (OU)). In this hierarchy, OU policies overwrite domain policies, domain policies overwrite site policies, and so on.
Area | Path | Recommendation |
---|---|---|
Windows Update Group Policy settings | Computer Configuration\Administrative Templates\Windows Components\Windows Updates |
The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place for you to start your review. |
Don't connect to any Windows Update Internet locations | Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations |
This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers and can often be overlooked when moving to cloud update services such as Windows Update for Business (WUfB) When turned on, this policy prevents contact with the public Windows Update service and won't establish connections to Windows Update, and might cause the connection to Windows Update for Business (WUfB), and Delivery Optimization to stop working. |
Scan Source policy | Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service |
You can choose what types of updates to get from either Windows Server Update Services (WSUS) or Windows Update for Business (WUfB) service with the Windows Update Scan Source policy. You should review any scan source policy settings targeting devices to ensure:
|
Registry settings
Any policies, scripts or settings that create or edit values in the following registry keys might interfere with Windows and Office Update settings delivered through Autopatch. It's important to understand how these settings interact with each other and with the Windows and Office Update service as part of your Autopatch planning.
Key | Description |
---|---|
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState (Intune MDM only cloud managed) HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (If GPO/WSUS/Configuration Manager is deployed) |
This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates. |
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (If GPO/WSUS/Configuration Manager is deployed) |
This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency. |
HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update (GPO/WSUS/Configuration Manager/Intune MDM Managed) |
This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring delivery optimization. |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration (GPO/Configuration Manager/Intune MDM Managed) |
This key contains the registry keys for the Update Channel. This is a dynamic key that changes (depending on the configured settings) and the CDNBaseUrl (set when Microsoft 365 installs on the device). Look at the UpdateChannel value. The value tells you how frequently Office is updated.For more information, see Manage Microsoft 365 Apps with Configuration Manager to review the values, and what they're set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, it should be set to the Monthly Enterprise channel. |
Note
For more information about Windows Update Settings for Group Policy and Mobile Device Management (MDM), see Manage additional Windows Update settings.
Configuration Manager
Windows and Microsoft 365 Apps for enterprise updates
When Configuration Manager is deployed, and if Software Update policies are configured, the Software Update policies could conflict with Windows Update for Business and Office Update policies.
Configuration Manager could require custom settings to disable software updates and assist with troubleshooting conflicting legacy, on-premises configurations to ensure that Autopatch deliver Windows and Office updates. It's safe to implement this change if you aren't managing third party updates from Configuration Manager.
To ensure that Software Update Policies don't conflict with Windows Update for Business (WUfB) and Office Update policies, create a Software Update Policy in Configuration Manager that has:
- Windows and Office Update configuration disabled
- Includes devices enrolled into Autopatch to remove any existing configuration(s).
If this policy remains live, confirm that Autopatch devices aren't included in the live Software Update Policy in Configuration Manager.
All devices that are enrolled in Autopatch use Windows and Office Update policies from the service, and any configurations that are applied through Configuration Manager Software Update Policies can be removed.
For example, Configuration Manager Software Update Policy settings exclude Autopatch enrolled devices from receiving conflicting configuration for Windows and Office Updates:
Device setting | Recommended configuration |
---|---|
Enable software updates | No |
Enable management of the Office 365 Client Agent | No |
Note
There is no requirement to create a Configuration Manager Software Update Policy if the policies aren't in use.
Existing Mobile Device Management (MDM) policies
Policy | Description |
---|---|
MDM to win over GP | As part of the tenant enrollment process, Autopatch deploys a Device configuration profile, which applies to all registered devices to set Mobile Device Management (MDM) to win over Group Policy (GP) with the "MDMWinsOverGP" CSP. When applied, any MDM policy that's set, and has an equivalent GP Policy, results in the GP service blocking the policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restore the saved GP policies. This setting doesn't apply to all scenarios. This setting doesn't work for:
For more information and guidance on the expected behavior applied through this policy, see ControlPolicyConflict Policy CSP |
Windows Update for Business (WUfB) policies | If you have any existing Deployment rings for Windows 10 and later or Windows feature update DSS policies in place, ensure that the assignments don't target Windows Autopatch devices. This is to avoid creating policy conflicts and unexpected update behavior, which could impact update compliance and end user experience. |
Update Policy CSP | If any policies from the Update Policy CSP that aren't deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end user experience. |
Servicing profiles for Microsoft 365 Apps for enterprise
You can use automation to deliver monthly updates to Microsoft 365 Apps for enterprise directly from the Office Content Delivery Network (CDN) using Servicing profiles. A servicing profile takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the device eligibility requirements regardless of existing management tools in your environment.
You can consider retargeting servicing profiles to non-Windows Autopatch devices or if you plan to continue using them, you can block Windows Autopatch delivered Microsoft 365 App updates for Windows Autopatch-enrolled devices.
Business case
Part of your planning might require articulating the business benefits of moving to Windows Autopatch from your existing update solution(s). Windows Autopatch provides several resources to help when building your business case.
- How Windows Autopatch works for you
- What is Windows Autopatch?
- Forrester - The Projected Total Economic Impact™ Of Windows Autopatch: Cost Savings And Business Benefits Enabled By Windows Autopatch
- Windows Autopatch Skilling snack
Stakeholder communications
Change management relies on clear and helpful communication about upcoming changes. The best way to have a smooth deployment is to make sure end users and stakeholders are aware of all changes and disruptions. Your rollout communication plan should include all pertinent information, how to notify users, and when to communicate.
- Identify groups impacted by the Autopatch deployment
- Identify key stakeholders in the impacted groups
- Determine the types of communications needed
- Develop your messaging based on the Recommended deployment steps
- Create your stakeholder and communication plan schedule based on the Recommended deployment steps
- Have communications drafted and reviewed, and consider your delivery channels such as:
- Social media posts
- Internal messaging app (for example, Microsoft Teams)
- Internal team site
- Company blog
- Prerecorded on-demand videos
- Virtual meeting(s)
- In-person meetings
- Team workshops
- Deploy your stakeholder communication plan
Review your objectives and business case with stakeholders
Review your original objectives and business case with your key stakeholders to ensure your outcomes have been met and to ensure your expected value has been achieved.
Need additional guidance?
If you need assistance with your Windows Autopatch deployment journey, you have the following support options:
- Microsoft Account Team
- Microsoft FastTrack
- Windows Autopatch Service Engineering Team
First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.
Windows Commercial Advisors (WCA)
Once you're underway with your deployment, consider joining the Windows Commercial Advisors (WCA) community within the Microsoft Management Customer Connection Program (MM CCP), where you can:
- Engage directly with the Windows Commercial Engineering Teams and other Windows Commercial Customers
- Gain access to:
- Exclusive virtual meetings
- Focus groups
- Surveys
- Teams discussions
- Previews