NVader2000 – Thanks for all your questions here, please see inline:
- On #1: “Uh, what is the purpose of assigning devices to the Windows AutoPatch Groups if Windows AutoPatch is going to automatically assign devices to groups. It has a mind of its own and I may not want certain devices (e.g. Tier 2, Dev) devices to be in the 'Test' group. I do not see a way to turn this 'auto' assignment off.”
- [andredm]: The goal of having you assign devices to the Windows Autopatch Device Registration AAD group is so you’re in control of telling Windows Autopatch what devices you want managed by the service. We’d prefer you tell us instead of us guessing what devices you want us to manage. Once you add devices into the AAD group, we’ll make a record of your device and calculate the deployment ring assignment (First, Fast, Broad). We don’t assign any of your devices into the test deployment ring; we let you decide what devices should be assigned to the test ring after you register your devices. You can also move devices between rings after device registration has taken place: Windows Autopatch allows you to change the initial deployment ring from its Ready blade, if needed.
- On #2: “Also, what is the purpose of the 'Modern Workplace Device Profiles - Windows Autopatch' group?”
- [andredm]: Right now, all devices registered with Windows Autopatch get added into this group. We’re introducing some changes where we’ll deprecate the use of this group, meaning the device registration process won’t add any devices into it anymore, and we’ll remove it completely from your tenants. The initial idea of having this group was to add some specific Windows Autopatch device configuration profiles, but we won’t introduce a standard profile for Windows Autopatch anymore. More updates to come soon on this.
- On #3: “Refresh resorts the device list in random order.”
- [andredm]: Yes, this is an issue we also identified in our backend. We’ll fix it soon; I just don’t have a specific date to share with you just yet, but I can keep you posted through other channels.
- On #4: “Thousands of devices fail to register due to 'Windows OS version is not supported.' even though the version being reported is also listed on devices successfully registered with Windows Autopatch and are 'Ready' and 'Active'.”
- [andredm]: Thanks for sharing more information about your tenant with us here. Looking into this for you, I found that you only have 2 devices failing supported OS version in Windows Autopatch. That’s because you tried to register two devices running Windows Education edition. Windows Education edition is not supported in Windows Autopatch today. See this doc where I cover pre-requisites for reference: Register your devices - Windows Deployment | Microsoft Docs
- On #5: “Windows Autopatch reports 3788 devices 'Ready' and 2246 'Not ready'. Intune reports 3926 total devices.”
- [andredm]: We see that most of your devices (about 4K) were successfully registered with Windows Autopatch. However, we see about 2K devices failing to register because they’re not managed by either Intune or SCCM Co-management. Windows Autopatch uses the Windows Autopatch Device Registration group to discover devices and register them. For that to happen, we use the Azure AD device ID information to query Intune to see if the device is managed, since this is a requirement. We saw a large number of Azure AD device IDs in your tenant that are not getting an Azure AD auth token since 2021. This means that these are stale Azure AD device records that don't have an Intune object associated with them anymore, and we recommend that you clean up Azure AD stale device records in your tenant. We’re making a few improvements to the pre-req checks where we’re going to proactively surface that information for you too, but take a look at the guidance I shared in this doc to help you deal with stale records and avoid bringing them into the Windows Autopatch device registration process. Check “Clean up dual state of Hybrid Azure AD joined and Azure AD registered devices in your Azure AD tenant” for more details: Register your devices - Windows Deployment | Microsoft Docs
- [andredm]: Also, there’s a large number of devices that haven’t communicated with Intune in the last 28 days. Take a look at the Not ready tab to identify them.
- On #6: “There are several security groups (some dynamic) and device configuration policies that are created by Microsoft Autopatch (aka Windows Autopatch). Discovered that the following profiles conflict”
- [andredm]: Yes, we’re aware of that and will release a fix soon to correct these queries. I can’t share exact timelines yet, but the fix will be out very soon.
I'll let my colleagues respond to your other inquiries here as they're the experts for these other areas you mentioned.
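
The registration blockers named in this reply (Education edition, stale Azure AD records, devices not managed by Intune or co-management, no Intune contact in 28 days) can be triaged before devices are added to the registration group. The script below is an added example, not part of the original post and not Microsoft's code; the function name, the property names and the sample inventory are hypothetical and constructed for illustration, and the stale cutoff is a value you choose.

```powershell
# Constructed sample inventory. Property names are assumptions for this example,
# not the schema of any Azure AD or Intune export.
$asOf = [datetime]'2022-08-01'
$devices = @(
    [pscustomobject]@{ Name = 'PC-001'; Edition = 'Enterprise'; Managed = $true
        LastAadSignIn = [datetime]'2022-07-30'; LastIntuneCheckIn = [datetime]'2022-07-29' }
    [pscustomobject]@{ Name = 'PC-002'; Edition = 'Education'; Managed = $true
        LastAadSignIn = [datetime]'2022-07-28'; LastIntuneCheckIn = [datetime]'2022-07-28' }
    [pscustomobject]@{ Name = 'PC-003'; Edition = 'Enterprise'; Managed = $false
        LastAadSignIn = [datetime]'2021-03-14'; LastIntuneCheckIn = $null }
    [pscustomobject]@{ Name = 'PC-004'; Edition = 'Enterprise'; Managed = $true
        LastAadSignIn = [datetime]'2022-07-15'; LastIntuneCheckIn = [datetime]'2022-06-01' }
)

function Get-RegistrationBlocker {
    # Hypothetical helper: lists the reasons a device record would not reach "Ready".
    param(
        [Parameter(Mandatory)] $Device,
        [Parameter(Mandatory)] [datetime] $AsOf,
        [Parameter(Mandatory)] [datetime] $StaleBefore,  # assumption: your own stale cutoff
        [int] $CheckInDays = 28                          # window mentioned in the reply
    )
    $reasons = @()
    if ($Device.Edition -eq 'Education') {
        $reasons += 'Windows Education edition is not supported'
    }
    if ($Device.LastAadSignIn -lt $StaleBefore) {
        $reasons += 'Stale Azure AD device record'
    }
    if (-not $Device.Managed) {
        $reasons += 'Not managed by Intune or co-management'
    }
    elseif ($null -eq $Device.LastIntuneCheckIn -or
            $Device.LastIntuneCheckIn -lt $AsOf.AddDays(-$CheckInDays)) {
        $reasons += "No Intune contact in the last $CheckInDays days"
    }
    [pscustomobject]@{
        Name    = $Device.Name
        Ready   = ($reasons.Count -eq 0)
        Reasons = ($reasons -join '; ')
    }
}

$devices |
    ForEach-Object { Get-RegistrationBlocker -Device $_ -AsOf $asOf -StaleBefore ([datetime]'2022-01-01') } |
    Format-Table -AutoSize -Wrap
```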