Changes made at feature activation

Important

The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) and have activated Windows Autopatch features.

Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.

The following configuration details explain the changes made to your tenant when you consent to Windows Autopatch feature activation with the Windows Autopatch service.

Important

The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.

Windows Autopatch enterprise applications

Enterprise applications are applications (software) that a business uses to do its work.

Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.

Enterprise application name: Modern Workplace Management

Usage: The Modern Workplace Management application:
  • Manages the service
  • Publishes baseline configuration updates
  • Maintains overall service health

Permissions:
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.ReadWrite.All
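
One way to check this application for permission drift, as an added example that is not part of the original article or Microsoft's own tooling: the function compares the app roles granted to the Modern Workplace Management service principal with the permissions listed above. It assumes you exported the service principal's appRoleAssignments and the Microsoft Graph service principal's appRoles as JSON; the function name, sample data, and GUIDs are constructed for illustration.

```python
# Added example: audit the Modern Workplace Management app's Graph permissions.
# Baseline: the application permissions listed in this article.
BASELINE = frozenset({
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",  # Microsoft Graph spelling
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Directory.Read.All",
    "Group.Create",
    "Policy.Read.All",
    "WindowsUpdates.ReadWrite.All",
})

def audit_app_permissions(assignments, resource_app_roles, baseline=BASELINE):
    """Compare granted app roles with the documented baseline.

    assignments: 'value' array from GET /servicePrincipals/{id}/appRoleAssignments
    resource_app_roles: 'appRoles' array of the resource service principal
    """
    names = {role["id"]: role["value"] for role in resource_app_roles}
    granted, unresolved = set(), []
    for assignment in assignments:
        name = names.get(assignment["appRoleId"])
        if name is None:
            # Role belongs to another resource API or no longer exists.
            unresolved.append(assignment["appRoleId"])
        else:
            granted.add(name)
    return {
        "unexpected": sorted(granted - baseline),
        "missing": sorted(baseline - granted),
        "unresolved": unresolved,
    }

# Constructed sample data (GUIDs are made up, not real Graph role IDs).
_EXTRA = "RoleManagement.ReadWrite.Directory"
SAMPLE_ROLES = [{"id": f"00000000-0000-0000-0000-{i:012d}", "value": v}
                for i, v in enumerate(sorted(BASELINE | {_EXTRA}), start=1)]
ROLE_ID = {role["value"]: role["id"] for role in SAMPLE_ROLES}
SAMPLE_ASSIGNMENTS = (
    [{"appRoleId": ROLE_ID[v]} for v in sorted(BASELINE - {"Policy.Read.All"})]
    + [{"appRoleId": ROLE_ID[_EXTRA]},
       {"appRoleId": "ffffffff-ffff-ffff-ffff-ffffffffffff"}]
)

if __name__ == "__main__":
    for key, items in audit_app_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_ROLES).items():
        print(f"{key}: {items}")
```

Any entry under "unexpected" is a permission the service principal holds beyond the list above and is worth reviewing; "unresolved" entries are role IDs that don't map to the supplied resource's app roles.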

Microsoft Entra groups

Windows Autopatch creates the required Microsoft Entra groups to operate the service.

The following groups are used to target Windows Autopatch configurations to devices and to let our first-party enterprise applications manage the service.

Group name | Description
Modern Workplace Devices-Virtual Machine | All Autopatch virtual devices
Windows Autopatch-Devices all | All Autopatch devices
Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior to production rollout
Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters
Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption
Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization

Device configuration policies

  • Windows Autopatch - Data Collection

Policy name: Windows Autopatch - Data Collection

Policy description: Windows Autopatch and Telemetry settings process diagnostic data from the Windows device.

Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad

Properties and values:
  1. Allow Telemetry: Full
  2. Limit Enhanced Diagnostic Data Windows Analytics: Enabled
  3. Limit Dump Collection: Enabled
  4. Limit Diagnostic Log Collection: Enabled

Windows feature update policies

  • Windows Autopatch - Global DSS Policy

Policy name: Windows Autopatch - Global DSS Policy

Policy description: Global DSS policy for Test device group with the required minimum OS version

Value:

Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Test

Exclude from:
  • Modern Workplace - Windows 11 Pre-Release Test Devices

Microsoft Office update policies

Important

By default, these policies are not deployed. You can opt in to deploy these policies when you activate Windows Autopatch features.

To update Microsoft Office, you must create at least one Autopatch group and the toggle must be set to Allow.

  • Windows Autopatch - Office Configuration
  • Windows Autopatch - Office Update Configuration [Test]
  • Windows Autopatch - Office Update Configuration [First]
  • Windows Autopatch - Office Update Configuration [Fast]
  • Windows Autopatch - Office Update Configuration [Broad]

Policy name: Windows Autopatch - Office Configuration

Policy description: Sets Office Update Channel to the Monthly Enterprise servicing branch.

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Test
  2. Modern Workplace Devices-Windows Autopatch-First
  3. Modern Workplace Devices-Windows Autopatch-Fast
  4. Modern Workplace Devices-Windows Autopatch-Broad

Properties and values:
  1. Enable Automatic Updates: Enabled
  2. Hide option to enable or disable updates: Enabled
  3. Update Channel: Enabled
  4. Channel Name (Device): Monthly Enterprise Channel
  5. Hide Update Notifications: Disabled
  6. Update Path: Enabled
  7. Location for updates (Device): http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6

Policy name: Windows Autopatch - Office Update Configuration [Test]

Policy description: Sets the Office update deadline

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Test

Properties and values:
  1. Delay downloading and installing updates for Office: Enabled; Days(Device) == 0 days
  2. Update Deadline: Enabled; Update Deadline(Device) == 7 days

Policy name: Windows Autopatch - Office Update Configuration [First]

Policy description: Sets the Office update deadline

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-First

Properties and values:
  1. Delay downloading and installing updates for Office: Enabled; Days(Device) == 0 days
  2. Update Deadline: Enabled; Update Deadline(Device) == 7 days

Policy name: Windows Autopatch - Office Update Configuration [Fast]

Policy description: Sets the Office update deadline

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Fast

Properties and values:
  1. Delay downloading and installing updates for Office: Enabled; Days(Device) == 3 days
  2. Update Deadline: Enabled; Update Deadline(Device) == 7 days

Policy name: Windows Autopatch - Office Update Configuration [Broad]

Policy description: Sets the Office update deadline

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Broad

Properties and values:
  1. Delay downloading and installing updates for Office: Enabled; Days(Device) == 7 days
  2. Update Deadline: Enabled; Update Deadline(Device) == 7 days

Microsoft Edge update policies

Important

By default, these policies are not deployed. You can opt in to deploy these policies when you activate Windows Autopatch features.

To update Microsoft Edge, you must create at least one Autopatch group and the toggle must be set to Allow.

  • Windows Autopatch - Edge Update Channel Stable
  • Windows Autopatch - Edge Update Channel Beta

Policy name: Windows Autopatch - Edge Update Channel Stable

Policy description: Deploys updates via the Edge Stable Channel

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-First
  2. Modern Workplace Devices-Windows Autopatch-Fast
  3. Modern Workplace Devices-Windows Autopatch-Broad

Properties and values:
  1. Target Channel Override: Enabled
  2. Target Channel (Device): Stable

Policy name: Windows Autopatch - Edge Update Channel Beta

Policy description: Deploys updates via the Edge Beta Channel

Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Test

Properties and values:
  1. Target Channel Override: Enabled
  2. Target Channel (Device): Beta

Driver updates for Windows 10 and later

Important

By default, these policies are not deployed. You can opt in to deploy these policies when you activate Windows Autopatch features.

To update drivers and firmware, you must create at least one Autopatch group and the toggle must be set to Allow.

  • Windows Autopatch - Driver Update Policy [Test]
  • Windows Autopatch - Driver Update Policy [First]
  • Windows Autopatch - Driver Update Policy [Fast]
  • Windows Autopatch - Driver Update Policy [Broad]

PowerShell scripts

Script | Description
Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service