Prerequisites

Licenses and entitlements

Business Premium and A3+ licenses include:

  • Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)

Important

To activate all Windows Autopatch features, you must have Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses. Feature activation is optional and at no additional cost to you when you have Windows 10/11 Enterprise E3+ or F3 licenses. For more information, see Licenses and entitlements.

Feature entitlement

For more information about feature entitlement, see Features and capabilities.

Symbol | Meaning
✔️ | All features available
🔶 | Most features available
❌ | Feature not available

Windows 10 and later update policy management

Feature | Business Premium | A3+ | E3+ | F3
Releases | ✔️ | ✔️ | ✔️ | ✔️
Update rings | ✔️ | ✔️ | ✔️ | ✔️
Quality updates | ✔️ | ✔️ | ✔️ | ✔️
Feature updates | 🔶 | 🔶 | ✔️ | ✔️
Driver and firmware updates | 🔶 | 🔶 | ✔️ | ✔️

Tenant management

Feature | Business Premium | A3+ | E3+ | F3
Autopatch groups | ❌ | ❌ | ✔️ | ✔️
New feature and change management communications | ✔️ | ✔️ | ✔️ | ✔️
Release schedule and status communications | ❌ | ❌ | ✔️ | ✔️
Support requests | ❌ | ❌ | ✔️ | ✔️
Policy health | ❌ | ❌ | ✔️ | ✔️

Reporting

Feature | Business Premium | A3+ | E3+ | F3
Intune Reports | ✔️ | ✔️ | ✔️ | ✔️
Quality updates | ❌ | ❌ | ✔️ | ✔️
Feature updates | ❌ | ❌ | ✔️ | ✔️
Device readiness | ❌ | ❌ | ✔️ | ✔️

More about licenses

Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses

Important

Only Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses have access to all Windows Autopatch features after you activate Windows Autopatch features. Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do not have access to all Windows Autopatch features. For more information, see Features and capabilities.

License | ID | GUID number
Microsoft 365 E3 | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965
Microsoft 365 E3 (500 seats minimum_HUB) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a
Microsoft 365 E3 - Unattended License | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371
Microsoft 365 E3 EEA (no Teams) - Unattended License | Microsoft_365_E3_EEA_(no_Teams)_Unattended_License | a23dbafb-3396-48b3-ad9c-a304fe206043
Microsoft 365 E3 EEA (no Teams) (500 seats min)_HUB | O365_w/o Teams Bundle_M3_(500_seats_min)_HUB | 602e6573-55a3-46b1-a1a0-cc267991501a
TEST - Microsoft 365 E3 | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad
Microsoft 365 E5 | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06
Microsoft 365 E5 (500 seats minimum)_HUB | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33
Microsoft 365 E5 with calling minutes | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626
Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773
Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c
Microsoft 365 E5 EEA (no Teams) | O365_w/o_Teams_Bundle_M5 | 3271cf8e-2be5-4a09-a549-70fd05baaa17
Microsoft 365 E5 EEA (no Teams) with Calling Minutes | Microsoft_365_E5_EEA_(no_Teams)_with_Calling_Minutes | 6ee4114a-9b2d-4577-9e7a-49fa43d222d3
Microsoft 365 E5 EEA (no Teams) without Audio Conferencing | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing | 90277bc7-a6fe-4181-99d8-712b08b8d32b
Microsoft 365 E5 EEA (no Teams) without Audio Conferencing (500 seats min)_HUB | Microsoft_365_E5_EEA_(no_Teams)without_Audio_Conferencing(500_seats_min)_HUB | a640eead-25f6-4bec-97e3-23cfd382d7c2
Microsoft 365 E5 EEA (no Teams) (500 seats min)_HUB | O365_w/o_Teams_Bundle_M5_(500_seats_min)_HUB | 1e988bf3-8b7c-4731-bec0-4e2a2946600c
TEST - Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f
Windows 10/11 Enterprise E3 | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a
Windows 10/11 Enterprise E5 | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002
Windows 10/11 Enterprise VDA | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550
Microsoft 365 F3 | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993
Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department | 6803cf1e-c822-41a1-864e-a31377bcdb7e
Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT | 45972061-34c4-44c8-9e83-ad97815acc34
Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87

General infrastructure requirements

Important

The information in this section applies to Business Premium, A3+, E3+ and F3 licenses. For more information, see Features and capabilities and Licenses and entitlements.

Area | Prerequisite details
Licensing terms and conditions for products and services | For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.
Microsoft Entra ID and Intune | Microsoft Entra ID P1 or P2 and Microsoft Intune are required.

Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.

Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see Configure your network.
Device management | Devices must be already enrolled with Microsoft Intune before registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see co-management requirements for Windows Autopatch.

Other device management prerequisites include:

  • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
  • Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
  • Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices aren't registered with Autopatch.
  • Devices must be connected to the internet.

See Register your devices for more details on device prerequisites and on how the device registration process works with Windows Autopatch.

For more information on co-management, see co-management for Windows devices.
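The device management prerequisites listed above can be pre-checked against an Intune device inventory before registration. The following is an added example, not Microsoft's code: the function name `Test-AutopatchDevicePrereq`, the set of accepted `managementAgent` values, and the sample records are assumptions, and internet connectivity is not tested.

```powershell
# Added example: property names follow the Microsoft Graph managedDevice
# resource; the function name and the sample records are constructed.
function Test-AutopatchDevicePrereq {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Device,
        [datetime] $Now = ([datetime]::UtcNow),
        [int] $MaxCheckInAgeDays = 28
    )
    begin {
        # Assumption: these managementAgent values mean "Intune" or "co-managed".
        # configurationManagerClient alone (no MDM) is the unsupported case.
        $supportedAgents = @('mdm', 'easMdm', 'configurationManagerClientMdm',
                             'configurationManagerClientMdmEas')
    }
    process {
        $reasons = @()
        if ($Device.managedDeviceOwnerType -ne 'company') {
            $reasons += 'not corporate-owned'
        }
        if ($Device.managementAgent -notin $supportedAgents) {
            $reasons += "management agent '$($Device.managementAgent)' not supported"
        }
        $ageDays = ($Now - $Device.lastSyncDateTime.ToUniversalTime()).TotalDays
        if ($ageDays -gt $MaxCheckInAgeDays) {
            $reasons += ('no Intune check-in for {0:N0} days' -f $ageDays)
        }
        [pscustomobject]@{
            DeviceName = $Device.deviceName
            Eligible   = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed inventory; in a tenant the same fields come from
# Get-MgDeviceManagementManagedDevice (Microsoft Graph PowerShell).
$now = [datetime]::new(2025, 6, 30, 0, 0, 0, [System.DateTimeKind]::Utc)
$inventory = @(
    [pscustomobject]@{ deviceName = 'PC-001'; managedDeviceOwnerType = 'company'
                       managementAgent = 'mdm'; lastSyncDateTime = $now.AddDays(-3) }
    [pscustomobject]@{ deviceName = 'PC-002'; managedDeviceOwnerType = 'personal'
                       managementAgent = 'mdm'; lastSyncDateTime = $now.AddDays(-2) }
    [pscustomobject]@{ deviceName = 'PC-003'; managedDeviceOwnerType = 'company'
                       managementAgent = 'configurationManagerClient'; lastSyncDateTime = $now.AddDays(-45) }
)
$inventory | Test-AutopatchDevicePrereq -Now $now | Format-Table -AutoSize
```

With the constructed inventory, PC-001 is eligible, PC-002 fails on ownership, and PC-003 fails on both management agent and check-in age.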

Data and privacy | Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to deploy driver updates, devices must share diagnostic data with Microsoft. For these features, the deployment service requires devices to send diagnostic data at the Required level (previously called Basic) at minimum.

When you use Windows Update for Business reports with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:

  • Optional level (previously Full) for Windows 11 devices
  • Enhanced level for Windows 10 devices

For more information on Windows Autopatch privacy practices, see Windows Autopatch Privacy.

Windows editions, build version, and architecture

Important

The following Windows editions, build version, and architecture applies if you have:

The following Windows 10/11 editions, build version, and architecture are supported when devices are registered with Windows Autopatch:

  • Windows 11 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions
  • Windows 10 Professional, Education, Enterprise, Pro Education, or Pro for Workstations editions

Windows Autopatch service supports Windows client devices on the General Availability Channel.

Note

Windows Autopatch supports registering Windows 10 Long-Term Servicing Channel (LTSC) devices that are being currently serviced by the Windows LTSC. The service only supports managing the Windows quality updates workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use LTSC media or the Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade for Windows devices that are part of the LTSC.

Configuration Manager co-management requirements

Important

The following Windows editions, build version, and architecture applies if you have:

Requirement | Description
Supported Configuration Manager version | Use a currently supported Configuration Manager version.
Configuration Manager must be cloud-attached with Intune (co-management) | Must have the following co-management workloads enabled and set to either Intune or Pilot Intune:
  • Windows Update policies workload
  • Device configuration workload
  • Office Click-to-Run apps workload

If you’re using Pilot Intune, in the Staging tab, the device must be in the collections that correspond to the three workloads that Windows Autopatch requires.

  • If you selected Intune for one workload and Pilot Intune for the other two workloads, your devices only need to be in the two Pilot Intune collections.
  • If you have different collection names for each workload, your devices must be in CoMgmtPilot.

You or your Configuration Manager administrator are responsible for adding your Autopatch devices to these collections. Windows Autopatch doesn’t change or add to these collections.

For more information, see paths to co-management.

Create a Custom client setting | Create a Custom client setting in Configuration Manager to disable the Software Updates agent for Intune/Pilot Intune co-managed devices.
  1. Under Disable Software Updates > Device Settings > Enable software updates on clients, select No.
  2. Under CoMgmtSettingsProd Properties > Staging tab > Office Click-to-Run apps, set to Co-Management – O365 Workload.
  3. Under CoMgmtSettingsProd Properties > Staging tab > Windows Update policies, set to Co-Management – WUfB Workload.
  4. Ensure the Disable Software Updates setting has a lower priority than your default client settings and target your co-management collection.
    1. If the co-management workload is set to Intune, deploy the Client Setting to a collection that includes all co-management devices, for example, Co-management Eligible Devices.
  5. Configuration Manager disables the Software Updates agent in the next policy cycle. However, because the Software Updates Scan Cycle is removed, Configuration Manager might not remove the Windows Server Update Service (WSUS) registry keys.
    1. Remove the registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate because Windows Update for Business (WUfB) policies control the process.
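Leftover values under this key can keep a device scanning against WSUS instead of following WUfB policy, so it is worth auditing before removing anything. The following is an added example, not Microsoft's code: both function names are hypothetical, only values directly under the key named in step 5 are handled (subkeys are left alone), and removal needs an elevated session.

```powershell
# Added example: audit, then optionally remove, the values under the Windows
# Update policy key named in step 5. Function names are hypothetical.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WindowsUpdatePolicyValue {
    [CmdletBinding()]
    param([string] $Path = $WuPolicyKey)

    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent: nothing left over
    $key = Get-Item -LiteralPath $Path
    # Skip the unnamed default value; list every named value with its data.
    foreach ($name in ($key.GetValueNames() | Where-Object { $_ })) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Value    = $key.GetValue($name)
        }
    }
}

function Remove-WindowsUpdatePolicyValue {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string] $Path = $WuPolicyKey)

    foreach ($entry in Get-WindowsUpdatePolicyValue -Path $Path) {
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run changes nothing.
        if ($PSCmdlet.ShouldProcess("$Path\$($entry.Name)", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $Path -Name $entry.Name
        }
    }
}

# Report what is present (for example WUServer or WUStatusServer left by WSUS policy).
Get-WindowsUpdatePolicyValue | Format-Table -AutoSize

# Dry run first; drop -WhatIf only after reviewing the report.
Remove-WindowsUpdatePolicyValue -WhatIf
```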

Required Intune permissions

Your account must be assigned an Intune role-based access control (RBAC) role that includes the following permissions:

  • Device configurations:
    • Assign
    • Create
    • Delete
    • View Reports
    • Update
    • Read

You can add the Device configurations permission with one or more rights to your own custom RBAC roles or use one of the built-in Policy and Profile manager roles, which include these rights.