3. Windows Autopatch Device Readiness

Existing GPOs, Registry Settings, Config Manager and MDM Settings

In this section, I would like to go through some important changes required in your environment before moving to Windows Autopatch.

Ideally, this comes in step 3 of the deployment journey – Pilot.

With everything in place, you may have selected the devices that need to go into the Pilot phase. If those devices currently get their updates from Config Manager, WSUS, or GPOs, some values must be changed for Windows Autopatch to work seamlessly. Go through the sections below that match your current scenario to make your devices ready for the Windows Autopatch deployment.

Let’s look at the options.

Moving from Config Manager to Windows Autopatch

This step is needed so that a device does not end up with update conflicts between Config Manager software updates and the Windows Update for Business (WUfB) and Office updates that Windows Autopatch delivers. To make sure co-managed devices no longer receive Config Manager software update policies, create a custom client setting that disables Windows and Office updates from Config Manager.

In Config Manager, go to Administration > Client Settings > Create Custom Device Settings > Software Updates > OK

Double-click on the created policy > Software Updates > NO to Enable software updates on clients > OK

Right-click > Deploy > Deploy it to the previously created device collection.
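The same three console steps can be scripted with the Configuration Manager PowerShell cmdlets. This is an added example and not part of the original post; it assumes the console (and therefore the ConfigurationManager module) is installed, that the site code is PS1, and that the pilot device collection already exists under the name used below.

```powershell
# Added example: create and deploy the "disable software updates" client setting
# with the Configuration Manager cmdlets instead of the console.
# Assumptions: console cmdlets installed, site code PS1, pilot collection exists.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$siteCode = 'PS1'
Set-Location "$($siteCode):"

$settingName = 'Autopatch Pilot - Disable Software Updates'
$collection  = 'Windows Autopatch Pilot Devices'

# Administration > Client Settings > Create Custom Device Settings
if (-not (Get-CMClientSetting -Name $settingName)) {
    New-CMClientSetting -Name $settingName -Type Device `
        -Description 'Stops the ConfigMgr client scanning for and installing software updates on Autopatch pilot devices' |
        Out-Null
}

# Software Updates > "Enable software updates on clients" = No
Set-CMClientSettingSoftwareUpdate -Name $settingName -Enable $false

# Right-click > Deploy > pilot collection
Start-CMClientSettingDeployment -ClientSettingName $settingName -CollectionName $collection
```

Client settings are merged by priority, so check that no higher-priority custom device setting still re-enables software updates for the same collection after this one is deployed.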

GPO, Registry Settings, and Existing MDM Policy Considerations

It is important to understand your Group Policy settings when moving from WSUS or WUfB update rings to Windows Autopatch, as these settings are usually not reverted on their own and have to be undone explicitly (most of the time with another GPO that resets the values). The tables below are taken from the Microsoft Learn documentation, which explains the required information well.

Area: Windows Update Group Policy settings
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update
Recommendation: The most common Windows Update settings delivered through Group Policy can be found under this path. This is a good place to start your review.

Area: Don't connect to any Windows Update Internet locations
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not connect to any Windows Update Internet locations
Recommendation: This is a common setting for organizations that rely solely on intranet update locations such as Windows Server Update Services (WSUS) servers, and it is often overlooked when moving to cloud update services such as Windows Update for Business (WUfB). When turned on, this policy prevents contact with the public Windows Update service, so the device never establishes connections to Windows Update, and it can cause the connection to Windows Update for Business (WUfB) and Delivery Optimization to stop working.

Area: Scan Source policy
Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service
Recommendation: With the Windows Update Scan Source policy you can choose which types of updates come from Windows Server Update Services (WSUS) and which come from the Windows Update for Business (WUfB) service. Review any scan source policy settings targeting devices to ensure:
- no conflicts exist that could affect update deployment through Windows Autopatch
- such policies are not targeting devices enrolled into Windows Autopatch

Registry Settings

Key: HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState
(Intune MDM only, cloud managed)

Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
(If GPO/WSUS/Configuration Manager is deployed)
Description: This key contains general settings for Windows Update, such as the update source, the service branch, and the deferral periods for feature and quality updates.

Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
(If GPO/WSUS/Configuration Manager is deployed)
Description: This key contains settings for Automatic Updates, such as the schedule, the user interface, and the detection frequency.

Key: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update
(GPO/WSUS/Configuration Manager/Intune MDM managed)
Description: This key contains settings for update policies that are managed by Mobile Device Management (MDM) or Group Policy, such as pausing updates, excluding drivers, or configuring Delivery Optimization.

Key: HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
(GPO/Configuration Manager/Intune MDM managed)
Description: This key holds the Update Channel values. UpdateChannel is a dynamic value that changes depending on the configured settings, and CDNBaseUrl is set when Microsoft 365 Apps installs on the device.

Look at the UpdateChannel value. The value tells you how frequently Office is updated.

For more information, see Manage Microsoft 365 Apps with Configuration Manager to review the values and what they are set to. Windows Autopatch currently supports the Monthly Enterprise Channel. If you opt into Office updates, UpdateChannel should be set to the Monthly Enterprise Channel.
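The keys in the two tables above can be checked on a pilot device before it is registered. The script below is an added example, not code from the original post or from Microsoft: it reads the Windows Update policy keys, the scan source values and the Office Click-to-Run channel, reports anything that would conflict with Windows Autopatch, and lists every value still present under the policy keys (which is what an undo GPO has to reset). The CDN base URL for the Monthly Enterprise Channel is the one Microsoft documents for that channel; the PolicyManager path used to read MDMWinsOverGP and the assumption that the scan source registry value names match the Update CSP policy names are labelled in the code.

```powershell
# Added readiness check, not part of the original post. Reads the keys listed
# above on one device and reports settings that conflict with Windows Autopatch.
# Run in an elevated PowerShell session on a pilot device.

$WuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy  = "$WuPolicy\AU"
$C2rConfig = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
# Assumption: the effective MDMWinsOverGP value is stored in the PolicyManager "current" store.
$ConflictCsp = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
# CDN base URL Microsoft documents for the Monthly Enterprise Channel.
$MonthlyEnterprise = 'http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-AutopatchReadiness {
    $findings = [System.Collections.Generic.List[string]]::new()

    # "Do not connect to any Windows Update Internet locations" breaks WUfB and Delivery Optimization.
    if ((Get-RegValue $WuPolicy 'DoNotConnectToWindowsUpdateInternetLocations') -eq 1) {
        $findings.Add('DoNotConnectToWindowsUpdateInternetLocations = 1: device cannot reach Windows Update / WUfB')
    }

    # Client still pointed at a WSUS server.
    if ((Get-RegValue $AuPolicy 'UseWUServer') -eq 1) {
        $findings.Add("UseWUServer = 1, WUServer = $(Get-RegValue $WuPolicy 'WUServer'): client still scans WSUS")
    }

    # Automatic Updates switched off entirely by policy.
    if ((Get-RegValue $AuPolicy 'NoAutoUpdate') -eq 1) {
        $findings.Add('NoAutoUpdate = 1: Automatic Updates disabled by policy')
    }

    # Scan source policy. Assumption: value names match the Update CSP
    # (SetPolicyDrivenUpdateSourceFor*), where 1 sends that update class to WSUS.
    foreach ($class in 'FeatureUpdates', 'QualityUpdates', 'DriverUpdates', 'OtherUpdates') {
        $name = "SetPolicyDrivenUpdateSourceFor$class"
        if ((Get-RegValue $WuPolicy $name) -eq 1) {
            $findings.Add("$name = 1: $class scan source forced to WSUS")
        }
    }

    # Office must be on Monthly Enterprise Channel if Autopatch is to manage Office updates.
    $channel = Get-RegValue $C2rConfig 'UpdateChannel'
    if ($channel -and $channel -ne $MonthlyEnterprise) {
        $findings.Add("Office UpdateChannel = $channel: not Monthly Enterprise Channel")
    }

    # Everything still present under the WU policy keys is what an undo GPO has to reset.
    $residual = foreach ($key in $WuPolicy, $AuPolicy) {
        if (Test-Path $key) {
            $item = Get-Item $key
            $item.GetValueNames() | ForEach-Object { "$key\$_ = $($item.GetValue($_))" }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MdmWinsOverGP  = Get-RegValue $ConflictCsp 'MDMWinsOverGP'
        Ready          = ($findings.Count -eq 0)
        Findings       = $findings
        ResidualPolicy = @($residual)
    }
}

$result = Test-AutopatchReadiness
$result | Format-List
$result.Findings | ForEach-Object { Write-Warning $_ }
```

Ready = True only means none of the listed conflicts were found on that device; a non-empty ResidualPolicy list still tells you which GPO values remain set and should be cleared (or overridden by an MDM policy) before the device moves to Autopatch.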

Existing MDM Policies

Policy: MDM to win over GP
Description: As part of the tenant enrollment process, Autopatch deploys a device configuration profile, applied to all registered devices, that sets Mobile Device Management (MDM) to win over Group Policy (GP) with the MDMWinsOverGP CSP setting.

When applied, any MDM policy that is set and has an equivalent GP policy results in the GP service blocking that policy setting. Setting the value to 0 (zero) or deleting the policy removes the GP policy blocks and restores the saved GP policies.

This setting does not apply to all scenarios. It does not work for:
- User-scoped settings. This setting applies to device-scoped settings only.
- Any custom Group Policy Object (GPO) outside of ADMX, for example Microsoft Edge or Chrome settings.
- Any Windows Update for Business (WUfB) policies. When you use Windows Update for Business (WUfB), ensure all previous Group Policies (GP) that relate to Windows Update are removed so that Autopatch policies can take effect.

For more information and guidance on the expected behavior applied through this policy, see ControlPolicyConflict Policy CSP.

Policy: Windows Update for Business (WUfB) policies
Description: If you have any existing Deployment rings for Windows 10 and later, or Windows feature update DSS policies in place, ensure that their assignments do not target Windows Autopatch devices. This avoids policy conflicts and unexpected update behavior, which could impact update compliance and the end-user experience.

Policy: Update Policy CSP
Description: If any policies from the Update Policy CSP that are not deployed and managed by Windows Autopatch are deployed to devices, policy conflicts and unexpected update behavior could occur and could affect update compliance and the end-user experience.

With the above possible roadblocks cleared, we can look at the Tenant Enrollment for Windows Autopatch in the next section.

