How to Deploy Windows Autopatch for Enterprise Security Updates

Before deploying Autopatch, audit your environment to ensure compatibility and identify potential issues. This step prevents deployment failures and helps plan your rollout strategy.

First, check your licensing requirements. Navigate to the Microsoft 365 Admin Center and verify you have one of these licenses:

• Microsoft 365 E3/E5, F3, A3/A5 (full support)
• Microsoft 365 Business Premium (limited support, no support requests)
• Windows 10/11 Enterprise E3/E5 VDA

Next, inventory your devices using PowerShell. Run this script on a management machine with Azure AD PowerShell module:

# Connect to Azure AD
Connect-AzureAD

# Get all Windows devices
$devices = Get-AzureADDevice -Filter "deviceOSType eq 'Windows'" | Select-Object DisplayName, DeviceOSVersion, TrustType, IsCompliant

# Export to CSV for analysis
$devices | Export-Csv -Path "C:\temp\autopatch-inventory.csv" -NoTypeInformation

# Count devices by OS version
$devices | Group-Object DeviceOSVersion | Select-Object Name, Count

For Hotpatch readiness (mandatory starting May 11, 2026), check VBS status on sample devices:

# Check VBS status on local machine
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object VirtualizationBasedSecurityStatus

Dynamic device groups automatically assign devices to deployment rings based on criteria you define. This ensures consistent rollout management without manual device assignment.

Open the Entra ID Admin Center (entra.microsoft.com) and navigate to Groups > All groups > New group.

Create four groups for your deployment rings:

Test Ring Group:

Group type: Security
Group name: Autopatch-Test
Membership type: Dynamic Device
Dynamic device members rule:
(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAd") and (device.displayName -startsWith "TEST-")

First Ring Group (10% of production):

Group name: Autopatch-First
Dynamic device members rule:
(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAd") and (device.displayName -startsWith "PILOT-")

Broad Ring Group (80% of production):

Group name: Autopatch-Broad
Dynamic device members rule:
(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAd") and (device.displayName -notStartsWith "TEST-") and (device.displayName -notStartsWith "PILOT-") and (device.displayName -notStartsWith "CRITICAL-")

Last Ring Group (critical systems):

Group name: Autopatch-Last
Dynamic device members rule:
(device.deviceOSType -eq "Windows") and (device.trustType -eq "AzureAd") and (device.displayName -startsWith "CRITICAL-")

# Check group membership
Get-AzureADGroup -SearchString "Autopatch-" | ForEach-Object {
    $group = $_
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId
    Write-Output "$($group.DisplayName): $($members.Count) members"
}

Windows Autopatch is managed through the Intune Admin Center. This step ensures you have proper access and can navigate to the Autopatch configuration area.

Open your browser and navigate to the Intune Admin Center at https://endpoint.microsoft.com. Sign in with your tenant administrator account.

In the left navigation pane, expand Tenant administration and look for Windows Autopatch. If you don't see this option, verify your licensing:

# Check your license assignment
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"
Get-MgUserLicenseDetail -UserId "your-admin@domain.com" | Select-Object SkuPartNumber

Click on Windows Autopatch to access the main dashboard. You should see several options:

• Overview - Dashboard with deployment status
• Autopatch groups - Where you'll create your deployment configuration
• Devices - Device enrollment and status
• Update readiness - Compatibility and readiness reports
• Reports - Detailed deployment analytics

The Autopatch group is the core configuration that defines how updates are deployed across your organization. This step creates the deployment framework for your entire update strategy.

In the Intune Admin Center, navigate to Tenant administration > Windows Autopatch > Autopatch groups.

Click Create Autopatch group and configure the following:

Basic Information:

Group name: Enterprise-Production-Autopatch
Description: Primary Autopatch group for enterprise security updates
Scope tags: (Select appropriate tags if using RBAC)

Click Next to proceed to deployment ring configuration.

Deployment Rings Configuration:

Configure each ring with appropriate timing and device assignments:

Test Ring:
- Assigned group: Autopatch-Test
- Deployment schedule: Day 0 (immediate)
- Deferral period: 0 days
- Device limit: 50 devices max

First Ring:
- Assigned group: Autopatch-First  
- Deployment schedule: Day 1
- Deferral period: 1 day
- Device limit: 10% of total devices

Fast Ring:
- Assigned group: Autopatch-Broad
- Deployment schedule: Day 5
- Deferral period: 5 days
- Device limit: 80% of total devices

Broad Ring:
- Assigned group: Autopatch-Last
- Deployment schedule: Day 14
- Deferral period: 14 days
- Device limit: Remaining devices

For organizations with fewer than 250 devices, you can use a simplified approach:

Single Ring Configuration:
- Test: 5% of devices
- Production: 95% of devices
- Staggered deployment over 7 days

Fine-tune your update deployment policies to match your organization's requirements. This includes configuring different update types, approval workflows, and compatibility settings.

In your Autopatch group configuration, navigate to the Update policies section and configure each update type:

Quality Updates (Security Updates):

{
  "deploymentMode": "automatic",
  "approvalRequired": false,
  "testRingDeferral": 0,
  "firstRingDeferral": 1,
  "fastRingDeferral": 5,
  "broadRingDeferral": 14,
  "maintenanceWindow": {
    "startTime": "02:00",
    "duration": "4 hours",
    "allowRebootOutsideWindow": false
  }
}

Feature Updates:

{
  "deploymentMode": "manual",
  "targetVersion": "Windows 11 24H2",
  "approvalRequired": true,
  "compatibilityHold": true,
  "deferralPeriod": 30
}

Driver Updates:

{
  "deploymentMode": "manual",
  "approvalRequired": true,
  "automaticDrivers": false,
  "criticalDriversOnly": true
}

Configure Microsoft 365 Apps updates:

Update Channel: Monthly Enterprise Channel
Deployment Schedule: Follow quality update rings
Automatic Updates: Enabled
Deadline Enforcement: 7 days after deployment

Set up Hotpatch configuration (mandatory from May 11, 2026):

{
  "hotpatchEnabled": true,
  "vbsRequired": true,
  "baselineVersionRequired": "Windows 11 24H2",
  "fallbackToTraditionalUpdates": true,
  "rebootSuppressionPeriod": "30 days"
}

Virtualization-based Security (VBS) is mandatory for Hotpatch functionality starting May 11, 2026. This step configures VBS across your device fleet to ensure seamless update deployment without reboots.

Create a VBS configuration policy in Intune. Navigate to Devices > Configuration profiles > Create profile.

Configure the profile settings:

Platform: Windows 10 and later
Profile type: Settings catalog
Name: Enable-VBS-for-Hotpatch
Description: Enables VBS for Hotpatch compatibility

Add the following settings from the Settings catalog:

Category: Virtualization Based Security
Settings:
- Enable Virtualization Based Security: Enabled
- Require UEFI Memory Attributes Table: Enabled  
- Require Secure Boot: Enabled
- Hypervisor Protected Code Integrity: Enabled with UEFI lock
- Credential Guard Configuration: Enabled with UEFI lock

Create a PowerShell script to verify VBS status across devices:

# VBS Status Check Script
$vbsStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

$result = @{
    ComputerName = $env:COMPUTERNAME
    VBSStatus = switch ($vbsStatus.VirtualizationBasedSecurityStatus) {
        0 { "VBS not enabled" }
        1 { "VBS enabled but not running" }
        2 { "VBS enabled and running" }
        default { "Unknown status" }
    }
    HypervisorEnforcedCodeIntegrity = $vbsStatus.CodeIntegrityPolicyEnforcementStatus
    CredentialGuard = $vbsStatus.LsaCfgFlags
    SecureBoot = Confirm-SecureBootUEFI
}

# Output results
$result | ConvertTo-Json | Out-File "C:\temp\vbs-status.json"
Write-Output $result

Deploy this script as a Win32 app or run it via Intune PowerShell scripts to inventory VBS readiness.

Assign the VBS policy to your Autopatch device groups with a phased approach:

Phase 1: Test devices (Week 1)
Phase 2: First ring devices (Week 2)
Phase 3: Broad deployment (Week 3-4)
Phase 4: Critical systems (Week 5)

Effective monitoring ensures your Autopatch deployment runs smoothly and helps you identify issues before they impact users. This step sets up comprehensive monitoring and alerting.

Access the Windows Autopatch monitoring dashboard at Tenant administration > Windows Autopatch > Overview.

Key metrics to monitor include:

• Device enrollment status - Devices successfully registered to Autopatch
• Update deployment progress - Current ring deployment status
• Success rates - Percentage of successful installations per ring
• Failure analysis - Common failure reasons and affected devices

Set up automated monitoring using Microsoft Graph API. Create this PowerShell script for daily status reports:

# Autopatch Monitoring Script
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"

# Get Autopatch group status
$autopatchGroups = Get-MgDeviceManagementWindowsAutopatchDeploymentAudience

foreach ($group in $autopatchGroups) {
    $deploymentStatus = Get-MgDeviceManagementWindowsAutopatchDeploymentAudienceUpdateDeployment -WindowsAutopatchDeploymentAudienceId $group.Id
    
    $report = @{
        GroupName = $group.DisplayName
        TotalDevices = $group.DeviceCount
        SuccessfulDeployments = ($deploymentStatus | Where-Object {$_.Status -eq "Succeeded"}).Count
        FailedDeployments = ($deploymentStatus | Where-Object {$_.Status -eq "Failed"}).Count
        InProgressDeployments = ($deploymentStatus | Where-Object {$_.Status -eq "InProgress"}).Count
        LastUpdateTime = Get-Date
    }
    
    # Send to monitoring system or email
    $report | ConvertTo-Json | Out-File "C:\monitoring\autopatch-status-$(Get-Date -Format 'yyyyMMdd').json"
}

Configure alerting for critical issues. In the Intune Admin Center, navigate to Tenant administration > Notifications and create alerts for:

Alert Type: Update Deployment Failure
Threshold: >5% failure rate in any ring
Notification: Email to IT administrators
Frequency: Immediate

Alert Type: Device Enrollment Issues  
Threshold: >10 devices failed to enroll in 24 hours
Notification: Teams channel notification
Frequency: Daily summary

Use the Update Readiness feature for proactive monitoring:

1. Navigate to Windows Autopatch > Update readiness
2. Review compatibility insights for upcoming updates
3. Check driver compatibility reports
4. Identify applications that may block updates

Even with proper configuration, you'll encounter deployment issues. This step provides systematic troubleshooting approaches for the most common Autopatch problems.

Issue 1: Devices Not Enrolling in Autopatch

Check device eligibility and enrollment status:

# Check device Autopatch enrollment
$deviceId = "device-object-id-here"
$device = Get-MgDevice -DeviceId $deviceId

# Verify Intune enrollment
$intuneDevice = Get-MgDeviceManagementManagedDevice -Filter "azureADDeviceId eq '$($device.DeviceId)'"

if ($intuneDevice) {
    Write-Output "Device enrolled in Intune: $($intuneDevice.DeviceName)"
    Write-Output "Compliance Status: $($intuneDevice.ComplianceState)"
    Write-Output "OS Version: $($intuneDevice.OperatingSystem)"
} else {
    Write-Output "Device not found in Intune - check enrollment"
}

Common solutions:

• Verify device is in correct Azure AD group
• Check Intune enrollment status and compliance
• Ensure proper licensing assignment
• Restart Windows Update service on affected devices

Issue 2: Update Installation Failures

Analyze failure logs using this PowerShell script:

# Windows Update Log Analysis
$logPath = "C:\Windows\Logs\WindowsUpdate"
$recentLogs = Get-ChildItem $logPath -Filter "*.etl" | Sort-Object LastWriteTime -Descending | Select-Object -First 5

foreach ($log in $recentLogs) {
    Write-Output "Analyzing log: $($log.Name)"
    
    # Convert ETL to readable format
    $outputFile = "C:\temp\wu-log-$($log.BaseName).log"
    Get-WindowsUpdateLog -ETLPath $log.FullName -LogPath $outputFile
    
    # Search for error patterns
    $errors = Select-String -Path $outputFile -Pattern "ERROR|FAILED|0x8"
    if ($errors) {
        Write-Output "Found $($errors.Count) errors in $($log.Name)"
        $errors | Select-Object -First 10 | ForEach-Object { Write-Output $_.Line }
    }
}

Issue 3: Hotpatch Compatibility Problems

For devices failing Hotpatch requirements after May 11, 2026:

# Hotpatch Readiness Check
function Test-HotpatchReadiness {
    $results = @{}
    
    # Check Windows version
    $osVersion = (Get-CimInstance Win32_OperatingSystem).Version
    $results.WindowsVersion = $osVersion
    $results.Windows11_24H2 = $osVersion -ge "10.0.26100"
    
    # Check VBS status
    $vbs = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $results.VBSEnabled = $vbs.VirtualizationBasedSecurityStatus -eq 2
    
    # Check baseline version compliance
    $updateSession = New-Object -ComObject Microsoft.Update.Session
    $updateSearcher = $updateSession.CreateUpdateSearcher()
    $searchResult = $updateSearcher.Search("IsInstalled=1 and Type='Software'")
    $results.BaselineCompliant = $searchResult.Updates.Count -gt 0
    
    # Overall readiness
    $results.HotpatchReady = $results.Windows11_24H2 -and $results.VBSEnabled -and $results.BaselineCompliant
    
    return $results
}

$readiness = Test-HotpatchReadiness
$readiness | ConvertTo-Json

Issue 4: Ring Deployment Delays

If updates aren't deploying according to your ring schedule:

1. Check group membership and dynamic group rules
2. Verify deployment policies aren't conflicting
3. Review maintenance window configurations
4. Check for approval workflow bottlenecks