Windows Autopatch Guide Blog 2 of 7
In this section, I will look at the prerequisites that need to be setup in order to carry out a successful Windows Autopatch implementation.
- Minimum Windows OS Version (at the time of writing)
- RBAC Setup
- Licenses for Autopatch
- Network Configuration
- Device Management
- Wrapping Up
Minimum Windows OS Version (at the time of writing)
The current minimum Windows OS version is Windows 10 21H2.
RBAC Setup
This is one of the important things you need to think about as you want the RBAC to be set up as Just Enough Access should be the ideal way to hand out the access.
Global Administrator and Intune Service Administrator are the built-in roles that can manage the Device registration for Autopatch
More granular roles can be created as that’s the recommended way to go with specific access to your role-based administrators.
During the Tenant Enrollment for Autopatch, some Entra ID groups are being created. From them, Role-based groups are Modern Workplace Roles – Service Administrator and Modern Workplace Roles – Service Reader. Below are their capabilities.
| Role | Discover Devices | Modify Columns | Refresh Device List | Export to .csv | Device Actions |
|---|---|---|---|---|---|
| Modern Workplace Roles – Service Administrator | Yes | Yes | Yes | Yes | Yes |
| Modern Workplace Roles – Service Reader | No | Yes | Yes | Yes | No |
Ideally, you don’t need to re-create the custom roles and they honor the Just Enough Access principles.
Note – If you’re adding less-privileged user accounts into the Modern Workplace Roles – Service Administrator Azure AD group, it’s recommended to add the same users as owners of the Windows Autopatch Device Registration Azure AD group. Owners of the Windows Autopatch Device Registration Azure AD group can add new devices as members of the group for registration purposes.
These groups have an application added that has built-in roles provided with specific access levels.
Modern Workplace Customer APIs is a Microsoft 1st party application that gets created during the enrollment process. The role mentioned before is maintained by the Application itself and has the above specific level of access depending on the group you assign the user/s to.
Licenses for Autopatch
Windows Autopatch will work on the devices if the user license includes the Windows 10/11 Enterprise component and if an eligible subscription is not available in the tenant, the readiness checks will fail during the tenant enrollment stage.
Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. The following are the service plan SKUs that are eligible for Windows Autopatch
| License | ID | GUID number |
|---|---|---|
| Microsoft 365 E3 | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 |
| Microsoft 365 E3 (500 seats minimum_HUB) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a |
| Microsoft 365 E3 – Unattended License | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 |
| Microsoft 365 E5 | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 |
| Microsoft 365 E5 (500 seats minimum)_HUB | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 |
| Microsoft 365 E5 with calling minutes | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 |
| Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 |
| Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c |
| TEST – Microsoft 365 E3 | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad |
| TEST – Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f |
| Windows 10/11 Enterprise E3 | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a |
| Windows 10/11 Enterprise E5 | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| Windows 10/11 Enterprise VDA | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
The following Windows 10 editions, build versions, and architecture are supported to be registered with Windows Autopatch:
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
Network Configuration
Like anything that connects to Microsoft endpoints, there are some specific endpoints related to Windows Autopatch that need to be enabled. If you using a Proxy or Firewall they should be able to be able to bypass authentication to Autopatch cloud service.
Proxy Requirement
Firewall or Proxy must support TLS 1.2 or need to disable protocol detection
Proxy and Firewall Rules for Windows Autopatch Endpoints
| Microsoft service | URLs required on allowlist |
|---|---|
| Windows Autopatch | mmdcustomer.microsoft.com mmdls.microsoft.com logcollection.mmd.microsoft.com support.mmd.microsoft.com |
Other Required Microsoft Product Endpoints
For a successful Windows Autopatch deployment, devices need to communicate the relevant endpoints seamlessly and with a low latency. Since Autopatch covers other products, having to connect to those endpoints is essential.
| Microsoft service | URLs required on Allowlist |
|---|---|
| Windows 10/11 Enterprise including Windows Update for Business | Manage connection endpoints for Windows 10 Enterprise, version 1909 Manage connection endpoints for Windows 10 Enterprise, version 2004 Connection endpoints for Windows 10 Enterprise, version 20H2 Manage connection endpoints for Windows 10 Enterprise, version 21H1 Manage connection endpoints for Windows 10 Enterprise, version 21H2 Manage connection endpoints for Windows 11 Enterprise |
| Microsoft 365 | Microsoft 365 URL and IP address ranges |
| Azure Active Directory | Hybrid identity required ports and protocols Active Directory and Active Directory Domain Services Port Requirements |
| Microsoft Intune | Intune network configuration requirements Network endpoints for Microsoft Intune |
| Microsoft Edge | Allowlist for Microsoft Edge Endpoints |
| Microsoft Teams | Office 365 URLs and IP address ranges |
| Windows Update for Business (WUfB) | Windows Update for Business firewall and proxy requirements |
Setting up Delivery Optimization
Delivery optimization is a peer-to-peer distribution technology that can be found in Windows 10 and 11 and Windows Autopatch can use this option to deliver updates to the devices more efficiently, especially in a low latency situation and this can reduce the network bandwidth, and gives the opportunity to look for the updates locally from other peers before reaching the Microsoft cloud services.
🔗Read more on Delivery Optimization
🔗Setting up Delivery Optimization
Create a Delivery Optimization Configuration profile
Create a new configuration profile > Search for the Templates and select Delivery Optimization
Device Management
- Device must be enrolled in Intune
- Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
- If using the Co-management with COnfig Manager/ SCCM – At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune.
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren’t supported.
Supported Config Manager Versions
| Version | Availability date | Support end date | Baseline | In-console update |
|---|---|---|---|---|
| 2303 (5.00.9106) | April 10, 2023 | October 10, 2024 | YesNote 1 | Yes |
| 2211 (5.00.9096) | December 5, 2022 | June 5, 2024 | No | Yes |
| 2207 (5.00.9088) | August 12, 2022 | February 12, 2024 | No | Yes |
| 2203 (5.00.9078) | April 8, 2022 | October 8, 2023 | YesNote 1 | Yes |
| 2111 (5.00.9068) | December 1, 2021 | June 1, 2023 | No | Yes |
- Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won’t be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a Serial number, Model and Manufacturer. Device emulators that don’t generate this information fail to meet Intune or Cloud-attached prerequisite check.
Wrapping Up
Once the environment and device readiness is done, we can look for other considerations specially if you are coming from Config manager or WUfB services.
Discover more from EMS Route
Subscribe to get the latest posts to your email.
EMS Route 
One thought on “2. Setting up Prerequisites for Windows Autopatch”