4. Tenant Enrollment and Device Registration in Windows Autopatch

Tenant Enrollment for Windows Autopatch

For the next steps in getting Autopatch to work, let's look at tenant enrollment. Now that you have set up the prerequisites and other requirements, the enrollment is pretty much a follow-the-bouncing-ball task.

Path to enable Windows Autopatch

Intune Portal > Tenant Administration > Tenant Enrollment (under Windows Autopatch)

Consent to the Windows Autopatch management agreement

Run the Readiness Tool to understand if everything is in place. The Enrollment will not be ready if the tool returns errors. In other words, there should not be any errors in the results.

Click the Run checks button.

| Check | Description |
| --- | --- |
| Windows OS build, architecture, and edition | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
| Windows update policies managed via Microsoft Intune | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). |
| Windows update policies managed via Group Policy Object (GPO) | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn't support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
| Microsoft Office update policy managed via Group Policy Object (GPO) | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn't support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
| Windows Autopatch network endpoints | There's a set of network endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
| Microsoft Teams network endpoints | There's a set of network endpoints that devices with Microsoft Teams must be able to reach for software updates management. |
| Microsoft Edge network endpoints | There's a set of network endpoints that devices with Microsoft Edge must be able to reach for software updates management. |
| Internet connectivity | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft's public URLs two times each, to confirm that ping results aren't coming from the device's cache. |
From MS Learn

Click on the View details button to view the readiness results if needed.

Click on the Enroll Button

Once done, fill in the contact details for Windows Autopatch so that Microsoft can contact you if and when needed.

Once this is done, the process will run in the background and create all the necessary Security Groups, Windows Update Rings, etc.

Once done, you will see the below message, and we can now start registering the devices.

You will now see more options in the same Windows Autopatch section in the Tenant Administration tab.

Device Registration

Managed devices must be registered with Windows Autopatch in order to use the service. This can all be done in the Windows Autopatch section of the Intune Portal.

Let's look at the Device Registration Overview.

From MS Learn
  1. Add the devices to a custom Security Group or the Default Autopatch Group.
    Adding the devices to the Default groups is recommended, as they are pre-built in the tenant.
    The Default Autopatch group can't be deleted or renamed.
    Add the devices to the group Windows Autopatch Device Registration.
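
The group step above can also be scripted. The following is an added example, not part of the original post or Microsoft's tooling: it uses the Microsoft Graph PowerShell SDK to add device objects to the Windows Autopatch Device Registration group, and refuses device names that match no object or more than one. The function name and sample device names are hypothetical, and it assumes the group has assigned (not dynamic) membership.

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement
# Added example, not from the original post. Assumes a prior sign-in with:
#   Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All','Device.Read.All'
function Add-DeviceToAutopatchGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$DeviceName,
        [string]$GroupName = 'Windows Autopatch Device Registration'
    )

    # Resolve the group by exact name and refuse to guess if it is not unique.
    $safeGroup = $GroupName -replace "'", "''"
    $group = @(Get-MgGroup -Filter "displayName eq '$safeGroup'" -All)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$GroupName', found $($group.Count)."
    }

    # Read current members once so that re-running the function is harmless.
    $memberIds = @(Get-MgGroupMember -GroupId $group[0].Id -All | ForEach-Object Id)

    foreach ($name in $DeviceName) {
        $safeName = $name -replace "'", "''"
        $devices  = @(Get-MgDevice -Filter "displayName eq '$safeName'" -All)

        # Display names are not unique in Entra ID, so stale duplicates can exist.
        $status = 'Added'
        if ($devices.Count -eq 0) { $status = 'NotFound' }
        elseif ($devices.Count -gt 1) { $status = 'Ambiguous' }
        elseif ($memberIds -contains $devices[0].Id) { $status = 'AlreadyMember' }

        if ($status -eq 'Added') {
            if ($PSCmdlet.ShouldProcess($name, "Add to '$GroupName'")) {
                New-MgGroupMember -GroupId $group[0].Id -DirectoryObjectId $devices[0].Id
            } else {
                $status = 'WouldAdd'   # -WhatIf or a declined confirmation
            }
        }
        [pscustomobject]@{ Device = $name; Matches = $devices.Count; Status = $status }
    }
}

# Constructed sample names; -WhatIf reports what would change without writing.
# Add-DeviceToAutopatchGroup -DeviceName 'LAB-PC-01','LAB-PC-02' -WhatIf
```

Devices reported as Ambiguous usually need the stale duplicate object cleaned up before registration, so that the object added to the group is the one Intune actually manages.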

Go to Intune Portal > Devices > Discover devices

Press OK for the message

Once the discovery is done, you will see the devices in the Registered, Not Ready (Preview) and Not registered tabs. The registered devices will also be added to the update rings automatically.

Click on a device that is Not Registered and the issues will show up as below, so you can easily take action to resolve the errors.

If you now go back to the Device Registration Overview, we have gone through the steps under the first curly bracket (IT admin and Windows Autopatch) to get the devices registered in the service.

A more detailed Device Registration flow

Check – https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview#detailed-device-registration-workflow-diagram

Security Groups

We will look at the related Security groups later, but if you look at the Registered Devices section, you will see the devices have been allocated to the Windows Update Deployment Rings. Similarly, if you look at the Security groups, you will notice the devices are now members of those groups. This completes the below from the Device Registration flow.

Wrapping Up

This section covers the below sections in the Deployment Journey. I will be looking at the Update Rings, Entra ID Groups, and Policies in my next article.

