
Windows IT Pro Blog

Windows Autopatch for the US government: How to get started

Chris_Tulip
Microsoft
Nov 07, 2025

The power of automated Windows update management is coming to government SKUs! Starting this month, you can use Windows Autopatch to help keep devices at your organization secure and productive with minimal disruption to users. This cloud-based service, which has a proven record with enterprises, has now been approved to be added to the Azure FedRAMP High Provisional Authorization to Operate (P-ATO). Learn what this means for your environment and how to get started!

New Windows Autopatch service for GCC subscriptions

Windows Autopatch is now available to US government organizations as part of Microsoft 365 Government. This is what Windows Autopatch allows you to accomplish for your Government Community Cloud (GCC) devices:

  • Windows Autopatch provides control over which content is approved for deployment to which devices through Windows Update.
  • Windows Autopatch groups help you automate a safe rollout process. You can distribute devices into rings and recommend release schedules, leaving you with the final say.
  • Get secure faster with hotpatching: apply security patches without waiting for a restart.
  • Pause or expedite monthly quality updates or drivers for groups of devices in your environment.
  • Simplify update compliance reporting. Windows Autopatch reporting tracks which devices have the latest updates installed with less than 4-hour latency.

Get started with Windows Autopatch

To begin, double-check that your devices meet the prerequisites for Windows Autopatch. Configure role-based access control to manage access to your organization’s resources and network.

If you’re using Microsoft Intune, the easiest way to automate your update process is to create one or more Windows Autopatch groups:

  1. Go to the Microsoft Intune admin center.

  2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > Autopatch groups.

  3. Create a Windows Autopatch group and assign devices, automating a few things:

    1. Distribute devices for gradual rollout into a set of Microsoft Entra groups.

    2. Configure a safe rollout schedule using update rings.

    3. (Optional) Configure content approval using feature and driver update policies.

    4. (Optional) Configure update settings for Microsoft 365 Apps and Microsoft Edge.

  4. Enroll devices to receive hotpatch updates, getting them secure faster.

  5. That’s it! Just monitor the reports to ensure that you’re hitting your update compliance targets.

Instead of Windows Autopatch groups, you can also create individual policies:

  • Update rings: Control update settings on targeted endpoints.

Regardless of which setup option you choose, if your device is included in a policy, it will show up in the reports for that content type.

What about other Azure Government Cloud offerings?

Windows Autopatch is not currently supported in US Government Community Cloud High (GCC High) or Department of Defense (DoD) environments. We are working on expanding our service to meet those requirements.

Welcome to automated update management!

Come be part of the Windows Autopatch community! Here are the resources you’ll need to get started and get support:


Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.

Updated Nov 06, 2025
Version 1.0