Hi Community,
We are almost at the end of a great year filled with new and cool features all across the Microsoft cloud ecosystem. After Microsoft Ignite this year a lot of new Intune features were announced. Windows Autopatch is not new, but the Hotpatch feature is a game changer in the Windows Update landscape.
I saw some older blogs regarding Windows Autopatch and noticed that the settings to set up and manage the feature have changed. With this in mind I decided to write a blog post on these two features. In this blog I will explain how to set up everything and all the details you need to know to get started.
Let’s dive in!
IMPORTANT CHANGE 11/02/2025
Windows Autopatch will cease to deploy and configure the Windows Data Diagnostics policy. Previously, as part of the Autopatch feature activation process, Windows Autopatch deployed a policy named Windows Autopatch – Data collection which set the Windows diagnostics data collection level to Optional for managed devices.
You will be able to configure and maintain the Windows Diagnostics Data level policy in your environment. As part of the ongoing service maintenance Windows Autopatch will remove the Windows Autopatch Data collection policy from tenants starting March 03, 2025, Pacific Standard Time. This change will be completed in 2 weeks.
Action required: Create and deploy a Windows Diagnostic data collection policy with at least the recommended minimum setting to all Autopatch devices prior to this change. You may see missing Client State and Client Substate values if your devices are not configured with the recommended Windows Diagnostics settings and level. Alternatively, you may already be covered with existing data collection policies in your environment.
TIP1: You may want to consider using the Windows Autopatch – Devices All group which contains all of the active, registered devices presently in your Autopatch implementation across any and all Autopatch Groups. This is a service-managed group (subject to changes at any time). Not Registered devices will not appear in this Entra group.
TIP2: If you already have a data collection policy in place, make sure that there aren’t any conflicting settings.
TIP3: If you create the new policy, make sure to remove the assignments from the “old” policy and assign the new policy to avoid conflicts.
My fellow MVP Ugur Koc made me aware of this change, check out his blog site here
Solution: Create a new policy by March 3 to avoid disruptions to your Autopatch configuration. Follow the steps below to create the correct policy.
You can find this message in the Microsoft 365 Message Center, message ID: MC996580
Create the new Data Collection Policy
In the Intune portal go to Devices – Windows – Configuration – Create – New Policy – Platform: Windows 10 and later – Profile type: Settings catalog – Create.
Name your policy and give it a description if you want. Click next.
Now for the settings: click Add settings and take over the settings from the screenshot. Do not select Allow telemetry (user), because this policy is scoped to a device group.
Assign this policy to the Windows Autopatch – Devices All group.
And that is it, you are now ready for the change.
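To confirm the new policy actually landed on a device (and to spot the conflicting-settings case from TIP2), the following PowerShell script reads the effective diagnostic data level from the registry. This is an added example, not code from the original post; the value-to-level mapping is the documented one for the System/AllowTelemetry policy, and `$MinimumLevel` is an assumption you set to the minimum your tenant requires.

```powershell
# Added example (not from the original post): report the effective Windows diagnostic
# data level on a device, so you can confirm the Settings catalog policy is applied
# before the Windows Autopatch - Data collection policy is removed.

# AllowTelemetry values as documented for the System/AllowTelemetry policy
$TelemetryLevels = @{
    0 = 'Security (Enterprise/Education only)'
    1 = 'Required (Basic)'
    2 = 'Enhanced (legacy value)'
    3 = 'Optional (Full)'
}

function Get-DiagnosticDataLevel {
    # Group Policy and the policy CSP both write the first path; MDM also keeps
    # a mirror under PolicyManager. Reading both shows whether a local GPO and the
    # Intune policy disagree (the conflicting-settings case from TIP2).
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        [pscustomobject]@{
            Source = $p
            Value  = $v
            Level  = if ($null -eq $v) { 'not configured' } else { $TelemetryLevels[[int]$v] }
        }
    }
}

function Test-DiagnosticDataLevel {
    # Assumption: 1 (Required) as the minimum; adjust to what your tenant needs.
    param([int]$MinimumLevel = 1)
    $configured = Get-DiagnosticDataLevel | Where-Object { $null -ne $_.Value }
    if (-not $configured) { return $false }
    # Two sources with different values means a policy conflict: report it, don't guess.
    $distinct = @($configured.Value | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Conflicting AllowTelemetry values found: $($distinct -join ', ')"
        return $false
    }
    return ([int]$distinct[0] -ge $MinimumLevel)
}

Get-DiagnosticDataLevel | Format-Table -AutoSize
"Diagnostic data level meets the minimum: $(Test-DiagnosticDataLevel)"
```

Run it in an elevated PowerShell session after the device has synced with Intune; a warning about conflicting values is the signal to clean up the old assignments mentioned in TIP3.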
What is Windows Autopatch?
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today:
- Close the security gap: Windows Autopatch keeps software current, so there are fewer vulnerabilities and threats to your devices.
- Close the productivity gap: Windows Autopatch adopts features as they’re made available. End users get the latest tools to amplify their collaboration and work.
- Optimize your IT admin resources: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value.
- On-premises infrastructure: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware, since updates are delivered from the cloud.
- Onboard new services: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT admins to get started.
- Minimize end user disruption: Windows Autopatch releases updates in sequential deployment rings and responds to reliability and compatibility signals, so user disruptions due to updates are minimized.
- Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, so your IT admins can focus on other activities and tasks.
Below is a list of what Autopatch will be responsible for updating:
- Windows 10 and Windows 11 quality updates
- Windows 10 and 11 features
- Windows 10 and 11 drivers
- Windows 10 and 11 firmware
- Microsoft 365 apps for enterprise updates
- Microsoft Edge
On top of what was mentioned, Windows Autopatch will also handle updating drivers and firmware that are only available through Windows Update as automatic updates. As for how Windows Autopatch works, there are four deployment rings. The first ring covers a small number of your company’s devices, while the second one handles 1% of them. The third and fourth rings take care of 9% and 90% of the devices, respectively.
The following Windows 64-bit editions are supported for Windows Autopatch:
- Windows 10/11 Pro
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
Windows Autopatch Licensing
Windows Enterprise E3+ and F3 licenses, Business Premium and A3
Check out the table below for the functionality:
| Features included with Business Premium, A3+, E3+ and F3 licenses | Description |
|---|---|
| Update rings | You can manage Update rings for Windows 10 and later devices with Windows Autopatch. |
| Autopatch groups | You can manage update deployment based on your audience. An Autopatch group is a logical container or unit that groups several Microsoft Entra groups, and software update policies, such as Update rings policy for Windows 10 and later and feature updates policy for Windows 10 and later policies. |
| Windows quality updates | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. Windows Autopatch: Aims to keep at least 95% of Up to Date devices on the latest quality update. |
| Hotpatch updates | Install Monthly B release security updates without requiring you to restart the device. |
| Windows feature updates and Multi-phase release policies with feature updates | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. With multi-phase release policies, you can create customizable feature update deployments using multiple phases for your existing Autopatch groups. These phased releases can be tailored to meet the unique needs of your organization. |
| Driver and firmware updates | You can manage and control your driver and firmware updates with Windows Autopatch. You can: - Choose to receive driver and firmware updates automatically, or self-manage the deployment - Control the flow of all drivers to an Autopatch group or rings within an Autopatch group - Control the flow of a specific driver or firmware across your entire tenant via approvals - Approve and deploy other drivers and firmware that previously couldn’t be centrally managed |
| Microsoft 365 Apps for enterprise updates | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
| Microsoft Edge updates | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| Microsoft Teams updates | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| Intune reports | Use Intune reports to monitor the health and activity of endpoints in your organization. |
| Hotpatch quality update report | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
| Enhanced Windows quality and feature update reports and device alerts | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
Features included with E3+ and F3 licenses only
In addition to the features listed in the previous table, if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you have access to the following through the Microsoft Intune admin center:
- Submit support requests with the Windows Autopatch Service Engineering Team
So if you are a Microsoft 365 Business Premium customer you are good to go with Autopatch!!
Windows Autopatch enrollment
Enable Windows Autopatch in your tenant
In this section I will show you how to enable Windows Autopatch in your tenant.
Go to the Intune Portal – Tenant administration – Windows Autopatch – Feature activate – Tick the box I consent to these changes on my tenant – click Activate
Unlicensed Admin Error in Intune Portal
During the Autopatch tenant enrollment, you may encounter the unlicensed admin error. It appears because the Intune administrator account doesn’t have enough permissions to interact with the Azure AD organization. Follow the instructions provided in the following guide to fix the Windows Autopatch unlicensed admin error.
Windows Autopatch will now activate.
After a few seconds you will get the message that the feature is activated
You will also be presented with the message: Windows Autopatch is finishing background tasks to complete feature activation. You can continue to use the Windows Autopatch portal in the meantime.
Windows Autopatch settings
Once Windows Autopatch is enabled in your tenant you will see some settings under Windows Autopatch in your Intune Tenant administration blade:
- Autopatch groups
- Messages
- Admin Contacts
- Support Requests
- Tenant management
Let’s walk over these settings in more detail.
Autopatch groups
The primary setup for Windows Autopatch is creating a group. This is the foundation for all the different settings that will be built from it. A Windows Autopatch group is essentially a collection of device rings. Most businesses will have just one group, which defines multiple Windows Update policy rings for managing their devices. Just to clarify, this is NOT an Entra ID group – it’s a totally different concept. We will dig deeper into the creation of these groups later on in this blog.
Messages
Here you can find messages that Microsoft will post regarding to Windows Autopatch, also you can see the service health.
Admin Contacts
Here you can add Admins who will be contacted by Microsoft if there are any issues or support requests.
Support Requests
Here you can initiate a support/service request to Microsoft. Only for E3 and higher.
Tenant management
Here you can find actions that you need to do if something changes to your tenant configuration.
Create Windows Autopatch groups
When Windows Autopatch was enabled in your tenant, a few groups were created:
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Virtual Machine
- Windows Autopatch – Devices All
We need to create some Windows Autopatch groups that we can assign to the different update rings. By default Windows Autopatch creates two rings. These are not visible yet at this point in the configuration; you will see them when you continue further on in the Windows Autopatch group creation. The rings that are created by default are:
- Test
- Last
I will create 1 group for the device registration (Dynamic group distribution), make sure you give it a clear name. If you do this right from the start you avoid confusion later on in time.
Group for Windows Autopatch Device Registration
To populate these system generated groups automatically, we need to define a source group for the registration of the devices into Windows Autopatch (Dynamic group distribution). This is the most important group we need to get Windows Autopatch working; without this group we cannot configure the device distribution. You can fill this group manually with devices or nest device groups in it. All devices in this group will be registered/enrolled into Windows Autopatch, and Windows Autopatch will split all registered/enrolled devices into the different update rings you configure.
Go to the Intune portal – Groups – New Group
Name your group e.g. Windows Autopatch Device Registration and give a description e.g. Group used for Windows Autopatch dynamic group distribution. Set the owner and you can also add members now if you want to. Click create.
Create the Windows Autopatch Dynamic Group Distribution
To create the Windows Autopatch group, go to the Intune portal – Tenant administration – Windows Autopatch – Autopatch groups – Create
Enter a group name. This can be your company name, or for larger enterprise deployments you can also use multiple groups per department. In this case I will use DEMO. Add a description if you want. Click next.
Now we need to add a group that will be in charge of the device registration in Windows Autopatch, we will use the Windows Autopatch Device Registration group we created in the previous step. To do this click add groups next to Dynamic group distribution and add the group and click select.
Create the Windows Autopatch update rings
Setting up the deployment rings is probably the most complicated part of configuring Autopatch. By default, there are two rings, which are assigned to groups with matching names. Administrators will need to define which devices go into each group. The Test ring is used for the first devices that will receive Windows updates.
Devices in this group are meant for your IT admins and testers since they get the updates first. This gives your organization a chance to test and confirm updates before they roll out to everyone.
The Last ring is for VIP or priority devices. These devices will still receive updates, but they’ll be the last to get them.

Add as many deployment rings as you want to use; in this setup I will use three rings.
Click Add deployment ring to add three rings and fill in the percentage of devices you want to add to each deployment ring.
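To make the percentage split concrete, the following PowerShell script models how a device inventory is distributed over the rings: explicitly listed devices go to Test and Last, and the rest are spread over Ring 1, 2 and 3 by a stable hash of the device name so that a device keeps its ring between runs while the percentages are honoured in aggregate. This is an added illustration, not code from the original post and not Autopatch’s own allocation logic (the service does this for you once the Dynamic group distribution group is filled); the 1/9/90 split, the device names and the Test/Last members are constructed sample data.

```powershell
# Added example (not from the original post, not Autopatch's own logic): a model of
# percentage-based ring distribution with stable, hash-based device placement.

$RingPercentages = [ordered]@{ 'Ring 1' = 1; 'Ring 2' = 9; 'Ring 3' = 90 }  # sample split, mirrors 1/9/90
$TestDevices     = @('DEMO-ADMIN01', 'DEMO-TEST01')   # constructed: IT admins/testers get updates first
$LastDevices     = @('DEMO-CEO01')                    # constructed: VIP device, updated last

function Get-StableBucket {
    # Map a device name to a number in 0..99 that never changes for that name.
    param([string]$Name)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Name.ToUpperInvariant()))
    $sha.Dispose()
    return [int]([System.BitConverter]::ToUInt32($hash, 0) % 100)
}

function Get-RingAssignment {
    param(
        [string[]]$Devices,
        [System.Collections.Specialized.OrderedDictionary]$Percentages,
        [string[]]$Test,
        [string[]]$Last
    )
    $total = ($Percentages.Values | Measure-Object -Sum).Sum
    if ($total -ne 100) { throw "Ring percentages must add up to 100, got $total" }
    foreach ($d in $Devices) {
        if ($Test -contains $d) { [pscustomobject]@{ Device = $d; Ring = 'Test' }; continue }
        if ($Last -contains $d) { [pscustomobject]@{ Device = $d; Ring = 'Last' }; continue }
        # Walk the cumulative percentage boundaries: bucket 0 -> Ring 1, 1..9 -> Ring 2, 10..99 -> Ring 3
        $bucket = Get-StableBucket $d
        $upper  = 0
        foreach ($ring in $Percentages.Keys) {
            $upper += $Percentages[$ring]
            if ($bucket -lt $upper) { [pscustomobject]@{ Device = $d; Ring = $ring }; break }
        }
    }
}

# Constructed inventory: 200 sample workstation names plus the explicitly placed devices.
$inventory  = $TestDevices + $LastDevices + (1..200 | ForEach-Object { 'DEMO-PC{0:D4}' -f $_ })
$assignment = Get-RingAssignment -Devices $inventory -Percentages $RingPercentages -Test $TestDevices -Last $LastDevices
$assignment | Group-Object Ring | Select-Object Name, Count | Sort-Object Name
```

The hash-based placement is the point of the model: renaming or re-running the script does not reshuffle devices between rings, which is what you want from a ring scheme if update behaviour is to stay predictable per device.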

Now click next to proceed to the Windows update settings
Set the Windows Autopatch update settings
The default settings are like this:
You can change these settings per ring by clicking on the three dots at the end of each deployment ring and selecting Manage deployment cadence. There are two options to choose from:
- Deadline Driven: Updates become available to devices during the specified time range. Devices can be updated at any point in that window.
- Schedule Install: Updates are only installed during the specified time window. Best for business-critical devices only.
For this setup I will opt for Deadline Driven.
You have three options here for deadline driven:
- Deferral period – the number of days after an update is released before your rollout begins.
- Deadline – the number of days after the deferral period ends by which the update must be installed.
- Grace period – the number of days after a device becomes active by which the update must be installed.

You can configure these settings according to your needs. For this setup I have entered these settings:
Per deployment ring you can also set the notification settings. You can choose between these options:
For this setup I will leave them on the default setting: Use the default Windows Update notifications.
Click next for the Driver update settings.
Set the Windows Autopatch driver update settings
Here you can also opt in to driver update installations. You can choose to approve them automatically or manually. I have also set the deferral period of the driver updates the same as the Windows Update settings.
If you have set these options click review and create to review your configuration, if you are satisfied, click create.
This will take a few seconds to create.
Now you can check if your groups have been created, go to groups – All groups and you will see the created groups.
Now, to verify that our deployment rings have groups assigned, go to Devices – Windows updates – Update rings. Here you will see your Windows Autopatch group, in this case DEMO. Expand it and you will see your created deployment rings with the settings you configured in the previous steps.
Now click on an update ring and check the assignment. For DEMO – Test all is ok.
You can check the other update rings too if you want.
Now you have configured the Windows Autopatch feature. The only thing left to configure is the update settings. Let’s do this now.
Set the update settings
To set the update settings click Update settings next to Autopatch groups.
Here you can choose which products to be managed by Windows Autopatch.
When I tried to toggle on all the features I got an error with the Edge updates. The backend retries, so it was just a matter of time, and after a few seconds it turned green.
Now it will take some time for the groups to get populated. In my case (only two test devices) it took around 5 minutes. As you can see, my test VM is added to the necessary groups.
When we check the Windows Autopatch groups you can also see that there are 2 devices registered.
If the registration of your devices to Windows Autopatch is taking a long time you can speed up the process by going to Devices – Windows updates – Monitor – Autopatch devices
Click on Autopatch devices – Discover devices
What other things were created by enabling Windows Autopatch
Apart from the Entra ID groups, some configuration profiles are also created. These configuration profiles are set according to the settings we toggled on in the update settings section.
We have the following configuration policies:
- Windows Autopatch – Data Collection
- Windows Autopatch – Edge Update Channel Beta
- Windows Autopatch – Edge Update Channel Stable
- Windows Autopatch – Office Configuration
- Windows Autopatch – Office Update Configuration [Broad]
- Windows Autopatch – Office Update Configuration [Fast]
- Windows Autopatch – Office Update Configuration [First]
- Windows Autopatch – Office Update Configuration [Test]
These configuration profiles are automatically assigned to the groups that were automatically generated. Do NOT modify these assignments.
- Windows Autopatch – Data Collection – assigned to Windows Autopatch – Devices All
- Windows Autopatch – Edge Update Channel Beta – assigned to Modern Workplace Devices-Windows Autopatch-Test
- Windows Autopatch – Edge Update Channel Stable – assigned to Modern Workplace Devices-Windows Autopatch-Broad, Modern Workplace Devices-Windows Autopatch-Fast & Modern Workplace Devices-Windows Autopatch-First
- Windows Autopatch – Office Configuration – assigned to Modern Workplace Devices-Windows Autopatch-Broad, Modern Workplace Devices-Windows Autopatch-Fast, Modern Workplace Devices-Windows Autopatch-First & Modern Workplace Devices-Windows Autopatch-Test
- Windows Autopatch – Office Update Configuration [Broad] – assigned to Modern Workplace Devices-Windows Autopatch-Broad
- Windows Autopatch – Office Update Configuration [Fast] – assigned to Modern Workplace Devices-Windows Autopatch-Fast
- Windows Autopatch – Office Update Configuration [First] – assigned to Modern Workplace Devices-Windows Autopatch-First
- Windows Autopatch – Office Update Configuration [Test] – Modern Workplace Devices-Windows Autopatch-Test
Change a device to another update ring
It is possible that you are not satisfied with the update ring a device has been given by the system; in this case you can move that device to another ring. Go to Devices – Windows updates – Monitor – Autopatch devices – select the device you want to change – click Assign ring and choose your desired ring.

A notification will appear. This can take some time to reflect.
Windows Autopatch recap
Creating the Intune Windows Autopatch group automatically generates several configurations in the environment.
- Entra groups starting with Modern Work – Do NOT modify these groups, these are created by default.
- DEMO – Test and DEMO – Last update rings – Adding or importing devices in these update rings is NOT supported.
- The 3 Entra Groups DEMO – Ring 1, DEMO – Ring 2 and DEMO – Ring 3 – Do NOT modify these groups, these are created by default.
- Under Devices – Windows Update – Update rings, a set of Windows Update for Business policies are created and matches the Autopatch group configuration.
- Under Devices – Windows Update – Feature updates the Windows Autopatch – Global DSS Policy is created.
- Under Devices – Windows Update – Driver Updates, a set of Windows Update for Business policies are created and matches the Autopatch group configuration.
- Windows Autopatch creates one Feature Update policy that’s automatically applied to all rings. The purpose of this policy is to establish a baseline minimum for the Windows 10/11 build, ensuring it’s on the oldest supported version. Right now, that’s Windows 10 22H2. In the future, this will automatically switch to Windows 11 23H2, as it becomes the next supported build.
Hotpatch Updates (Public Preview)
What is Hotpatch
Hotpatch updates are Monthly B release security updates that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
The key benefits are:
- Hotpatch updates streamline the installation process and enhance compliance efficiency.
- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
- The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
Eligible devices:
- Operating System: Devices must be running Windows 11 24H2 or later.
- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates.
Release cycles:
- Baseline Release Months: January, April, July, October.
- Hotpatch Release Months: February, March, May, June, August, September, November, December.
Using Hotpatch reduces the required reboots from one every month to just four a year.
How to enable Hotpatch
In the Intune portal go to Devices – Windows updates – Quality updates – Create – Windows quality update policy (preview).
Name your policy e.g. Enable Hotpatch and add a description if you want. Click next.
Switch the box When available, apply without restarting the device (“hotpatch”) to Allow.
Now assign the policy to a device group and click next.
On the review page click create.
Device check
Now when you sync your device with Intune you can check the following on your device:
Registry key:
In the settings – Windows updates – Advanced options – Configured update policies
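Before you assign the policy broadly, it helps to know which devices can actually take a Hotpatch update. The following PowerShell script checks a device against the prerequisites listed above (Windows 11 24H2 or later, and VBS running). It is an added example, not code from the original post; build 26100 as the 24H2 build number and the Win32_DeviceGuard status values are documented Windows facts, while being on the latest baseline release cannot be decided offline, so the script only lists the most recent installed updates for you to compare with the current baseline.

```powershell
# Added example (not from the original post): check the offline-verifiable Hotpatch
# prerequisites on a device - Windows 11 24H2+ and Virtualization-based security running.

function Get-HotpatchReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$os.BuildNumber

    # VBS state from the Device Guard WMI class:
    # 0 = not enabled, 1 = enabled but not running, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = if ($dg) { [int]$dg.VirtualizationBasedSecurityStatus } else { -1 }

    [pscustomobject]@{
        Edition             = $os.Caption
        IsEnterprise        = ($os.Caption -like '*Enterprise*')
        DisplayVersion      = $ver.DisplayVersion
        Build               = $build
        IsWin11_24H2OrLater = ($build -ge 26100)   # Windows 11 24H2 is build 26100
        VbsStatus           = $vbsStatus
        VbsRunning          = ($vbsStatus -eq 2)
        # Newest installed updates, to compare manually with the current baseline release
        RecentUpdates       = ((Get-HotFix | Sort-Object InstalledOn -Descending |
                                   Select-Object -First 3 -ExpandProperty HotFixID) -join ', ')
    }
}

function Test-HotpatchEligible {
    # Only the two prerequisites that can be verified on the device itself.
    $r = Get-HotpatchReadiness
    return ($r.IsWin11_24H2OrLater -and $r.VbsRunning)
}

Get-HotpatchReadiness | Format-List
"Meets the offline-checkable Hotpatch prerequisites: $(Test-HotpatchEligible)"
```

A device that reports VbsStatus 1 has VBS enabled but not running, which usually means a reboot is still pending after VBS was turned on; it will not be Hotpatch-eligible until the status reads 2.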
User Experience
Without Hotpatch the user needs to reboot.

With Hotpatch enabled no reboot is needed.

This new feature marks a major step forward in update management for Windows 11 Enterprise. By cutting down on reboots while keeping security strong, it allows IT admins to provide a smoother and more secure experience for users.
With this update, the approach moves from fixing issues after they arise to taking proactive steps to ensure security without any trade-offs. Organizations using this update method can look forward to more efficient operations, increased productivity, and, most importantly, a safer environment for their teams.
This concludes this quite long blog, and as always, if you feel there is something in error or you want to add something from your own experience, don’t hesitate to contact me!

Weird question, but hear me out. My environment is currently mostly Windows Pro. We are licensing for the M365 E3 as I roll out Intune. Will I have to upgrade the machines to the included Enterprise license, or will it work based on the M365 E3 on Windows Pro?
Your Windows machines will be Enterprise because of the M365 E3. Windows Enterprise is included in that package, so with these digital licenses you are good to go.
Thanks much for this article. Finally, someone walked me through setting this up. Everything else online was out of date. Worked like a charm except I am not seeing my devices in the Autopatch Devices section. The updates applied to the devices already and I show two registered devices under Autopatch groups. Will give it another hour before I blow away this tenant and start over.
If I have existing Windows Update for Business rings, do I need to delete them before I deploy Autopatch?
Hi Matt, thank you. And no you can use them next to each other so you can migrate in phases. It can take some time before your devices show in Autopatch.
Excellent article, I have one question. When I created the Autopatch Group, say ContosoAPG, I added three rings and for assignments I added security groups which I created beforehand, say Group1-Test, Group-Ring1, Group-Ring2, Group-Ring3, Group-Last. After the Autopatch Group was created, it also created security groups like ContosoAPG-Test, ContosoAPG-Ring1, ContosoAPG-Ring2, ContosoAPG-Ring3 and ContosoAPG-Last. The groups which were created by Autopatch are also assigned on the update policies. Do I now need to move devices from the groups I manually created to the groups which Autopatch created? To add to the confusion there are also a set of groups with Modern Workplace ** with similar rings, or do I have to manually move devices to any of the Modern Workplace groups? Now there are three sets of groups: the one I created beforehand, the set of groups which the Autopatch group created and the Modern Workplace set of groups. And I am not using dynamic group allocation within the Autopatch group. Thanking you
Hi, thank you. You just need to fill up the Windows Autopatch Device Registration group, you can make this an assigned or dynamic group. In case of a dynamic group no manual action is needed.
The device assignment with Windows Autopatch Device Registration will go for custom rings within autopatch group (Ring1/2/3), what about first and last rings which I have assigned with the groups I created manually? In the Windows update policy the group I created is not there, but the group which Autopatch created e.g. Contoso-APG-Test. Does it mean I have to move my devices from Group1-Test to Contoso-APG-Test?
Hotpatch is available for Windows Enterprise 24H2
https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates#prerequisites