In this section I would like to deep dive on few things that is getting created as a part of the Tenant Enrollment. The good thing about this is that your Autopatch environment will be ready for you and ready to go when you enrolled it. Entra ID groups, Update Rings and Policies.
Microsoft Learn pages got a high-level architecture diagram so things can be easily explained.
My goal in this section is to table all the Entra ID groups, their purpose and the policies that they have been assigned to.
| Entra ID Group | Purpose | Assigned Policies |
|---|---|---|
| Windows Autopatch Device Registration | Automatic device registration for Windows Autopatch | N/A – Used to add devices for registration |
| ———————————- | Used for Software-based deployment rings | ———————————- |
| Windows Autopatch – Test | Deployment group for device policy rollout into an enterprise. Can be only used as Assigned device distributions. | * Windows Autopatch Update Policy – Default – Test * Windows Autopatch – DSS Policy [Test] |
| Windows Autopatch – Ring1 | Deployment group for device policy rollout into an enterprise. Can be used with either Assigned or Dynamic device distributions, or have a combination of both device distribution types. | * Windows Autopatch Update Policy – Default – Ring1 * Windows Autopatch – DSS Policy [First] |
| Windows Autopatch – Ring2 | Deployment group for device policy rollout into an enterprise. Can be used with either Assigned or Dynamic device distributions or have a combination of both device distribution types. | * Windows Autopatch Update Policy – Default – Ring2 * Windows Autopatch – DSS Policy [Fast] |
| Windows Autopatch – Ring3 | Deployment group for device policy rollout into an enterprise. Can be used with either Assigned or Dynamic device distributions, or have a combination of both device distribution types. | * Windows Autopatch Update Policy – Default – Ring3 * Windows Autopatch – DSS Policy [Broad] |
| Windows Autopatch – Last | Deployment group for device policy rollout into an enterprise. Can be only used as Assigned device distributions. | * Windows Autopatch Update Policy – Default – Last * Windows Autopatch – Global DSS Policy |
| ———————————- | Used for RBAC | ———————————- |
| Modern Workplace Roles – Service Reader | All users granted access to Modern Workplace Service Reader Role | N/A – Used for RBAC |
| Modern Workplace Roles – Service Administrator | All users granted access to Modern Workplace Service Administrator Role | N/A – Used for RBAC |
| ———————————- | Used for Service-based Deployment rings | ———————————- |
| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | * Windows Autopatch – Driver Update Policy [Test] * Windows Autopatch – Data Collection * Windows Autopatch – Edge Update Channel Beta * Windows Autopatch – MDM wins over GPO * Windows Autopatch – Office Configuration * Windows Autopatch – Office Update Configuration [Test] |
| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | * Windows Autopatch – Driver Update Policy [First] * Windows Autopatch – Data Collection * Windows Autopatch – Edge Update Channel Stable * Windows Autopatch – MDM wins over GPO * Windows Autopatch – Office Configuration * Windows Autopatch – Office Update Configuration [First] |
| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | * Windows Autopatch – Driver Update Policy [Fast] * Windows Autopatch – Data Collection * Windows Autopatch – Edge Update Channel Stable * Windows Autopatch – MDM wins over GPO * Windows Autopatch – Office Configuration * Windows Autopatch – Office Update Configuration [Fast] |
| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an enterprise | * Windows Autopatch – Driver Update Policy [Broad] * Windows Autopatch – Data Collection * Windows Autopatch – Edge Update Channel Stable * Windows Autopatch – MDM wins over GPO * Windows Autopatch – Office Configuration * Windows Autopatch – Office Update Configuration [Broad] |
| Modern Workplace Devices-All | All Modern Workplace devices | |
| Modern Workplace – Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing | Modern Workplace DSS Policy [Windows 11] |
Windows Autopatch – Test and Last can be only used as Assigned device distributions.
Windows Autopatch – Ring1, Ring2 and Ring3 can be used with either Assigned or Dynamic device distributions, or have a combination of both device distribution types.
Creating Custom Autopatch Groups
Again, using the default groups that are pre-built for Autopatch is the recommended way to go. However, there can be situations where you need your own groups crated and added to the mix. Use the below steps to create the groups.
Intune Portal > Devices > Release Management (under Windows Autopatch) > Autopatch Groups > Create
When you press Next, you will see the TEST and LAST rings can’t be removed.
- In Deployment rings page, select Add deployment ring to add the number of deployment rings to the Custom Autopatch group.
- Each new deployment ring added must have either a Microsoft Entra device group assigned to it, or a Microsoft Entra group that is dynamically distributed across your deployments rings using defined percentages.
- In the Dynamic groups area, select Add groups to select one or more existing device-based Microsoft Entra groups to be used for Dynamic group distribution.
- In the Dynamic group distribution column, select the desired deployment ring checkbox. Then, either:
- Enter the percentage of devices that should be added from the Microsoft Entra groups selected in step 9. The percentage calculation for devices must equal to 100%, or
- Select Apply default dynamic group distribution to use the default values.
- In the Assigned group column, select Add group to ring to add an existing Microsoft Entra group to any of the defined deployment rings. The Test and Last deployment rings only support Assigned group distribution. These deployment rings don’t support Dynamic distribution.
- Select Next: Windows Update settings.
- Select the horizontal ellipses (…) > Manage deployment cadence to customize your gradual rollout of Windows quality and feature updates. Select Save.
Select the horizontal ellipses (…) > Manage notifications to customize the end-user experience when receiving Windows updates. Select Save. - Select Review + create to review all changes made.
- Once the review is done, select Create to save your custom Autopatch group.
More on Entra ID Groups: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups
Wrapping up
This section is mainly a FYI type and no rocket science to be honest. However, when you have a large environment with heaps of Intune policies and Entra ID groups, it’s easy to keep a register or documentation of some sort to understand where the groups and policies are connecting to is great.
Discover more from EMS Route
Subscribe to get the latest posts to your email.
EMS Route 
One thought on “5. Windows Autopatch – Entra ID Groups, and Policies”