Windows IT Pro Blog

Upgrade to Windows 11 with Windows Autopatch groups

Akash_Malhotra
Jul 28, 2025

Have you tried Windows Autopatch groups for the gradual rollout of Windows feature updates?

Windows Autopatch offers the fastest, safest way to upgrade to Windows 11—built for phased, controlled rollouts that align with IT priorities. With Windows 10 support ending on October 14, 2025, some organizations must still decide whether to enroll in Extended Security Updates or move forward with upgrading to Windows 11. For those ready to upgrade, here is a proven step-by-step approach using Windows Autopatch groups.

The Windows Autopatch upgrade playbook: 4 steps to success

Step 1: Assess Windows 11 readiness before grouping devices

Before creating Windows Autopatch groups, use the Windows 11 readiness report to evaluate the readiness of your devices based on CPU, TPM, RAM, and app compatibility. The report will help you easily:

  • Identify upgrade-ready devices.
  • Export and filter devices based on readiness criteria.
  • Assign devices to Microsoft Entra ID groups.
  • Map device groups to Windows Autopatch rollout rings.

Tip: You can export and filter the data available in the readiness report to identify upgrade-ready devices, then assign them to Microsoft Entra ID dynamic groups based on attributes like OS version, model, or readiness status. These groups then become the building blocks of your rollout rings.

Step 2: Segment devices into Windows Autopatch groups

Windows Autopatch groups are the engine behind phased deployments. They let you define rollout rings using Microsoft Entra ID groups and assign update policies to each ring. This gives you:

  • Control over rollout pace and scope
  • Clear visibility into update progress
  • Flexibility to adapt based on business needs

We recommend starting with foundational Windows Autopatch groups, for example:

  • Windows 11 rollout group: Devices that meet upgrade criteria (e.g., TPM 2.0, supported CPU)
  • ESU group: Devices that will remain on Windows 10 and receive Extended Security Updates (ESUs)

For phased deployments, you can define additional rollout rings using Microsoft Entra ID groups. A common distribution might look like:

  • Test ring (5%) – IT power users with diverse hardware
  • Pilot ring (10%) – Early adopters and business-critical teams
  • First broad ring (20%) – Broader user base
  • Second broad ring (30%) – Majority of remaining devices
  • Final ring (35%) – Remaining devices, deployed after validation

Each group gets a dedicated update policy, offering full control over rollout pace and scope. To get started, visit the Microsoft Intune admin center. Under Tenant administration, navigate to Windows Autopatch > Autopatch groups > Create > Deployment rings.

 

Important: To prevent devices from upgrading all at once, bypassing the phased rollout, please follow these recommendations:

  • Don’t modify the "Windows Autopatch - Global DSS Policy" to a newer version.
  • When creating Windows Autopatch groups, don’t check the “Feature updates” box during configuration. Instead, create a new feature update policy, assigning the Microsoft Entra ID group and Windows Autopatch group directly to a multi-phase update policy (see next section).

 

Step 3: Configure how fast the feature update rolls out

With your Windows Autopatch groups and rollout rings defined, the next step is to determine when each group receives the Windows 11 feature update. This is where a multi-phase feature update comes into play.

With multi-phase updates, you can configure an update timeline for each ring, giving you control over rollout sequencing and deferrals. To set up a multi-phase update:

  1. Go to Microsoft Intune admin center.
  2. Navigate to Devices.
  3. Under Manage updates, select Windows updates.
  4. Under Feature updates, select + Create to create a new Windows feature update policy.
  5. From the menu, select Create Autopatch multi-phase release. 
  6. Set up a ring-based timeline under the Release schedule tab.

For example, you might schedule your test ring to receive the update immediately, then delay the pilot ring by 7 days and the broad rings by another 10–14 days. This staggered approach can give you time to validate update quality, monitor diagnostic data, and respond to issues before they impact a larger portion of your environment.
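The ring split from Step 2 and the staggered schedule from Step 3 can be planned offline before any groups are created. The PowerShell below is an added example, not code from the original post or from Microsoft: it drops ESU devices, assigns upgrade-ready devices to the five rings by percentage, and computes each ring's start date. The function name `Get-RingPlan`, the column names `DeviceName`, `ReadinessStatus` and `EsuEnrolled`, the `Ready` value, the sample rows, and the offsets for the last two rings are assumptions; map them to your own readiness report export.

```powershell
function Get-RingPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [datetime] $StartDate
    )
    # Ring shares are the post's example split. Offsets: pilot +7 days and first
    # broad +10 more follow the post; the last two offsets are assumptions.
    $rings = @(
        @{ Name = 'Test';         Percent = 5;  OffsetDays = 0  }
        @{ Name = 'Pilot';        Percent = 10; OffsetDays = 7  }
        @{ Name = 'First broad';  Percent = 20; OffsetDays = 17 }
        @{ Name = 'Second broad'; Percent = 30; OffsetDays = 31 }
        @{ Name = 'Final';        Percent = 35; OffsetDays = 45 }
    )
    # Only upgrade-ready devices that are not staying on Windows 10 under ESU.
    $eligible = @($Devices |
        Where-Object { $_.ReadinessStatus -eq 'Ready' -and $_.EsuEnrolled -ne 'True' } |
        Sort-Object DeviceName)
    $start = 0
    $cumulative = 0
    foreach ($ring in $rings) {
        $cumulative += $ring.Percent
        # Exclusive upper index; rounding up fills the earlier rings first on small fleets.
        $end = [int][math]::Ceiling($eligible.Count * $cumulative / 100.0)
        for ($i = $start; $i -lt $end; $i++) {
            [pscustomobject]@{
                DeviceName = $eligible[$i].DeviceName
                Ring       = $ring.Name
                StartsOn   = $StartDate.AddDays($ring.OffsetDays).ToString('yyyy-MM-dd')
            }
        }
        $start = $end
    }
}

# Constructed sample standing in for a readiness report export (not real data).
$sample = 1..24 | ForEach-Object {
    [pscustomobject]@{
        DeviceName      = 'PC-{0:d3}' -f $_
        ReadinessStatus = if ($_ % 6 -eq 0) { 'Not ready' } else { 'Ready' }
        EsuEnrolled     = if ($_ -gt 22) { 'True' } else { 'False' }
    }
}
Get-RingPlan -Devices $sample -StartDate '2025-08-04' |
    Group-Object Ring, StartsOn -NoElement
```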

 

Note: For smaller organizations or targeted upgrades, you can also use single feature update policies using Microsoft Entra ID groups. Phased deployments, however, offer more control and visibility.

Step 4: Monitor your rollout with feature update reporting

Windows Autopatch feature update reporting helps you track how your Windows 11 upgrade is progressing across Windows Autopatch groups and deployment rings. The Windows feature update compatibility risks report includes:

  • Device-level update status. See which devices are:
      o Up to date (successfully upgraded)
      o In progress (actively receiving the update)
      o Not up to date (blocked or delayed)
      o Not ready (doesn’t meet upgrade criteria)

  • Policy-level update status. Understand which version of Windows 11 is being deployed and how many devices have successfully upgraded.
  • Update trendlines. Use 30/60/90-day historical views to assess how quickly devices are progressing through the rollout and identify patterns.
  • Troubleshooting and remediation. Drill into specific devices to view error codes and remediation guidance.

Manage ESU devices separately

Devices that will remain on Windows 10 and are enrolled in ESUs should be completely excluded from any Windows 11 rollout policies. Instead, you should create a dedicated group for ESU devices and manage them separately. This avoids mixed targeting, ensures these devices continue receiving monthly security updates, and prevents accidental inclusion in Windows 11 upgrade deployments. For more details on this scenario, see When to use Windows 10 Extended Security Updates.

Act now

While Windows 10 end of support is coming soon, there is still time to upgrade eligible devices to Windows 11. Windows Autopatch groups can make the process faster and easier with phased deployments, readiness insights, and powerful reporting so you can upgrade with confidence.

To learn more about using Windows Autopatch, see the following:


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Updated Jul 28, 2025
Version 2.0

3 Comments

  • Marc_Laf
    Iron Contributor

    I'm confused at the call-out that says

    • When creating Windows Autopatch groups, don’t check the “Feature updates” box during configuration. Instead, create a new feature update policy, assigning the Microsoft Entra ID group and Windows Autopatch group directly to a multi-phase update policy (see next section).

    We are not using AP at this time but I want to set it up for all of the capabilities (QU, FU, Driver, 365, Edge). During group creation, all of those capabilities are checked by default. Does this mean that the first time I create an Autopatch group, I need to uncheck Feature Updates and step through the settings then separately run through creating a dedicated Feature Update multi-release phase and pick the same groups used the first time?

    Why then are you able to have Feature Update checked during AP Group creation if you are recommending us not to have it checked?

    An additional question - should you use a separate Autopatch Group with separate Entra Groups for doing a Win 10 to Win 11 upgrade? Or can we use the same AP Group?

    • Akash_Malhotra
      Microsoft

      Hey Marc, 

      Let me help clarify a bit. 

      When you check the “Feature updates” box during Autopatch group creation, it automatically creates a single feature update policy assigned to all deployment rings in that group. While this works, it limits flexibility and control—especially if you want to use multi-phase rollout strategies or manage Windows 10 to Windows 11 upgrades separately. 

      The checkbox exists to support simpler scenarios where a single policy is sufficient if you want devices in that group to be on that minimum version. But for phased rollouts and ring-specific targeting it’s better to manage feature updates separately.

      It is recommended to use a separate Autopatch group, since devices staying on Windows 10 (e.g., ESU-enrolled) and those upgrading to Windows 11 have different servicing needs. Keeping them in the same Autopatch group risks conflicting policies or accidental upgrades.

      • Marc_Laf
        Iron Contributor

        Thanks Akash for the explanation. So for us where we want to move everyone to Windows 11 but do it in a phased roll-out, we should use two separate groups until the rollout is complete then just use one group for continued maintenance (if I am understanding it correctly).