Prerequisites
Licenses and entitlements
Windows Autopatch is available to the following licenses:
- Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Enterprise E3 or E5 VDA
Feature entitlement
For more information about feature entitlement, see Features and capabilities. Features are accessed through the Microsoft Intune admin center.
| Symbol | Meaning |
|---|---|
| ✔️ | All features available |
| ❌ | Feature not available |
Windows 10 and later update policy management
| Feature | Business Premium | A3+ | E3+ | F3 |
|---|---|---|---|---|
| Releases | ✔️ | ✔️ | ✔️ | ✔️ |
| Update rings | ✔️ | ✔️ | ✔️ | ✔️ |
| Quality updates | ✔️ | ✔️ | ✔️ | ✔️ |
| Feature updates | ✔️ | ✔️ | ✔️ | ✔️ |
| Driver and firmware updates | ✔️ | ✔️ | ✔️ | ✔️ |
Tenant management
| Feature | Business Premium | A3+ | E3+ | F3 |
|---|---|---|---|---|
| Autopatch groups | ✔️ | ✔️ | ✔️ | ✔️ |
| New feature and change management communications | ✔️ | ✔️ | ✔️ | ✔️ |
| Release schedule and status communications | ✔️ | ✔️ | ✔️ | ✔️ |
| Support requests | ❌ | ❌ | ✔️ | ✔️ |
Reporting
| Feature | Business Premium | A3+ | E3+ | F3 |
|---|---|---|---|---|
| Intune Reports | ✔️ | ✔️ | ✔️ | ✔️ |
| Quality updates | ✔️ | ✔️ | ✔️ | ✔️ |
| Feature updates | ✔️ | ✔️ | ✔️ | ✔️ |
| Device readiness | ✔️ | ✔️ | ✔️ | ✔️ |
General infrastructure requirements
| Area | Prerequisite details |
|---|---|
| Licensing terms and conditions for products and services | For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site. |
| Microsoft Entra ID and Intune | Microsoft Entra ID P1 or P2 and Microsoft Intune are required. Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.
|
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see Configure your network. |
| Device management | Devices must be already enrolled with Microsoft Intune before registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices. At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see co-management requirements for Windows Autopatch. Other device management prerequisites include:
See Register your devices for more details on device prerequisites and on how the device registration process works with Windows Autopatch. For more information on co-management, see co-management for Windows devices. |
| Data and privacy | Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send diagnostic data at the Required level (previously called Basic) for these features.
For more information on Windows Autopatch privacy practices, see Windows Autopatch Privacy. |
Windows editions, build version, and architecture
The following Windows editions, build version, and architecture applies if you have:
- Business Premium, A3+, E3+ or F3 licenses
- Registered devices with Windows Autopatch
The following Windows 10/11 editions, build version, and architecture are supported when devices are registered with Windows Autopatch:
- Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
- Windows 11 IoT Enterprise edition
- Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
- Windows 10 IoT Enterprise edition
Windows Autopatch service supports Windows client devices on the General Availability Channel.
Important
Windows Autopatch supports registering Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC) devices that are being currently serviced by the Windows 10 LTSC or Windows 11 LTSC. The service only supports managing the Windows quality updates workload for devices currently serviced by the LTSC. Windows Update client policies and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use LTSC media or the Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade for Windows devices that are part of the LTSC.
Configuration Manager co-management requirements
The following Windows editions, build version, and architecture applies if you have:
- Business Premium, A3+, E3+ or F3 licenses
- Registered devices with Windows Autopatch
| Requirement | Description |
|---|---|
| Supported Configuration Manager version | Use a currently supported Configuration Manager version. |
| Configuration Manager must be cloud-attached with Intune (co-management) | Must have the following co-management workloads enabled and set to either Intune or Pilot Intune:
If you’re using Pilot Intune, in the Staging tab, the device must be in the collections that correspond to the three workloads that Windows Autopatch requires.
You or your Configuration Manager administrator are responsible for adding your Autopatch devices to these collections. Windows Autopatch doesn’t change or add to these collections. For more information, see paths to co-management. |
| Create a Custom client setting | Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.
|
Required Intune permissions
Your account must be assigned an Intune role-based access control (RBAC) role that includes the following permissions:
- Device configurations:
- Assign
- Create
- Delete
- View Reports
- Update
- Read
You can add the Device configurations permission with one or more rights to your own custom RBAC roles or use one of the built-in Policy and Profile manager roles, which include these rights. For more information, see Microsoft Entra built-in roles and Role-based access control (RBAC) with Microsoft Intune. The Intune Service Administrator role is required to access and use all capabilities under:
- Tenant administration > Windows Autopatch
- Devices > Manage updates > Windows updates
- Autopatch groups membership report
The Intune Service Administrator role is required to register devices, manage your update deployments, and reporting tasks.
Tip
For more information, see assign an owner of member of a group in Microsoft Entra ID.