Enroll in update management by Windows Autopatch

When you enroll a device in update management by Windows Autopatch, you can use Windows Autopatch to manage content delivered from Windows Update to that device. You can enroll a device in update management by update category.

Today, Windows Autopatch supports device enrollment for Windows 10/11 feature updates and driver updates. At this time, you don't need to enroll a device in management of Windows 10/11 quality updates in order to deploy expedited quality updates.

Enroll the device in update management

When you enroll a device in management for a certain update category, Windows Autopatch becomes the authority for updates of that category coming from Windows Update. As a result, devices don't receive updates of that category from Windows Update until you deploy an update by assigning it to a deployment. Devices are automatically registered when enrolled in management by Windows Autopatch (that is, an azureADDevice object is automatically created if it doesn't already exist). For driver enrollment, see enroll devices in driver management.

The following example shows how to enroll a device in feature update management.

Request

POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/enrollAssets
Content-Type: application/json

{
  "updateCategory": "feature",
  "assets": [
    {
      "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
      "id": "String (identifier)"
    },
    {
      "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
      "id": "String (identifier)"
    },
    {
      "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
      "id": "String (identifier)"
    }
  ]
}

Response

HTTP/1.1 202 Accepted

Check the enrollment state of a device

You can check the enrollment state of a device by getting the device and looking at the enrollments and errors properties on the azureADDevice object. A device that is successfully enrolled in update management has an updateManagementEnrollment object in the enrollments collection, and it doesn't have any updatableAssetError objects in the errors collection. A device that tried to enroll but encountered an error has populated collections for both enrollments and errors. A device with no enrollment requests has empty collections for both enrollments and errors.

The following example shows a device that is successfully enrolled in management of feature updates.

Request

GET https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/983f03cd-03cd-983f-cd03-3f98cd033f98

Response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "value": {
    "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
    "id": "983f03cd-03cd-983f-cd03-3f98cd033f98",
    "errors": [],
    "enrollments": [
      {
        "@odata.type": "microsoft.graph.windowsUpdates.updateManagementEnrollment",
        "updateCategory": "feature"
      }
    ]
  }
}
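
The enrollment-state rule described in this section, written as a check you can run over saved GET responses. This is an added example, not code from the original page or from Microsoft; the function names, the state labels, and every sample device ID except the one from the response above are constructed for illustration.

```python
import json

def enrollment_state(payload, category="feature"):
    """Classify one azureADDevice object for a single update category."""
    device = payload.get("value", payload)  # the GET response above wraps the device in "value"
    enrollments = device.get("enrollments") or []
    errors = device.get("errors") or []
    if not enrollments and not errors:
        return "not-requested"  # no enrollment request has been made
    if errors:
        # The page describes failures as both collections populated. Errors with
        # empty enrollments is not described there; reporting it as an error is
        # an assumption of this example.
        return "error"
    enrolled = {e.get("updateCategory") for e in enrollments}
    # Enrollment is per update category, so test the category being asked about.
    return "enrolled" if category in enrolled else "not-enrolled-in-category"

def summarize(responses, category="feature"):
    """Return {device id: state} for a batch of GET responses."""
    result = {}
    for payload in responses:
        device = payload.get("value", payload)
        result[device.get("id", "<missing id>")] = enrollment_state(payload, category)
    return result

# Constructed sample data. Only the first id appears on the page; the rest, and
# the bare updatableAssetError object, are placeholders.
SAMPLES = json.loads("""
[
  {"value": {"id": "983f03cd-03cd-983f-cd03-3f98cd033f98", "errors": [],
             "enrollments": [{"updateCategory": "feature"}]}},
  {"value": {"id": "00000000-0000-0000-0000-000000000001", "errors": [],
             "enrollments": []}},
  {"value": {"id": "00000000-0000-0000-0000-000000000002",
             "errors": [{"@odata.type": "#microsoft.graph.windowsUpdates.updatableAssetError"}],
             "enrollments": [{"updateCategory": "feature"}]}},
  {"value": {"id": "00000000-0000-0000-0000-000000000003", "errors": [],
             "enrollments": [{"updateCategory": "driver"}]}}
]
""")

if __name__ == "__main__":
    for device_id, state in summarize(SAMPLES).items():
        print(device_id, state)
```

A result of "enrolled" only confirms that Windows Autopatch is the authority for that category; as noted earlier, the device receives no updates of that category until one is assigned to a deployment.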

Unenroll from management or unregister

When you unenroll a device from management for a given update category, the device is no longer considered managed and may start receiving other updates from Windows Update based on its policy configuration. The unenrolled device is removed from all audiences and deployments that contain content for the given update category. The device remains registered and is still enrolled and receiving content for other update categories, if applicable.

Request

POST https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/unenrollAssets
Content-Type: application/json

{
  "updateCategory": "feature",
  "assets": [
    {
      "@odata.type": "#microsoft.graph.windowsUpdates.azureADDevice",
      "id": "String (identifier)"
    }
  ]
}

Response

HTTP/1.1 202 Accepted

You can unregister a device completely by deleting the device object. When a device is unregistered, it is automatically unenrolled from management for all update categories and removed from every deploymentAudience and updatableAssetGroup.

Request

DELETE https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/{azureADDeviceId}

Response

HTTP/1.1 202 Accepted