Enroll your tenant

Before you enroll in Windows Autopatch, there are settings, and other parameters you must set ahead of time.

Important

You must be a Global Administrator to enroll your tenant.

The Readiness assessment tool, accessed through the Windows Autopatch admin center, checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.

Step 1: Review all prerequisites

To start using the Windows Autopatch service, ensure you meet the Windows Autopatch prerequisites.

Step 2: Run the Readiness assessment tool

Important

The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.

The Readiness assessment tool checks the settings in Microsoft Endpoint Manager (specifically, Microsoft Intune) and Azure Active Directory (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see Configuration Manager co-management requirements.

To access and run the Readiness assessment tool:

Important

You must be a Global Administrator to run the Readiness assessment tool.

  1. Go to the Microsoft Endpoint Manager admin center.
  2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > Tenant enrollment.

Important

If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see Windows Autopatch prerequisites.

The Readiness assessment tool checks the following settings:

Microsoft Intune settings

The following are the Microsoft Intune settings:

Check Description
Update rings for Windows 10 or later Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see Configure update rings for Windows 10 and later in Intune.
Unlicensed admin Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see Unlicensed admins in Microsoft Intune.

Azure Active Directory settings

The following are the Azure Active Directory settings:

Check Description
Co-management This advisory check only applies if co-management is applied to your tenant. This check ensures that the proper workloads are in place for Windows Autopatch. If co-management doesn't apply to your tenant, this check can be safely disregarded, and won't block device deployment.
Licenses Checks that you've obtained the necessary licenses.

Check results

For each check, the tool will report one of four possible results:

Result Meaning
Ready No action is required before completing enrollment.
Advisory Follow the steps in the tool or this article for the best experience with enrollment and for users.

You can complete enrollment, but you must fix these issues before you deploy your first device.

Not ready You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them.
Error The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check.

Step 3: Fix issues with your tenant

If the Readiness assessment tool is displaying issues with your tenant, see Fix issues found by the Readiness assessment tool for more information on how to remediate.

Step 4: Enroll your tenant

Important

You must be a Global Administrator to enroll your tenant.

Once the Readiness assessment tool provides you with a "Ready" result, you're ready to enroll!

To enroll your tenant:

Within the Readiness assessment tool, you'll now see the Enroll button. By selecting Enroll, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following:

  • Consent workflow to manage your tenant.
  • Provide Windows Autopatch with IT admin contacts.
  • Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.

Once these actions are complete, you've now successfully enrolled your tenant.

Note

For more information about changes made to your tenant, see Changes made at tenant enrollment.

Delete data collected from the Readiness assessment tool

You can choose to delete the data we collect directly within the Readiness assessment tool.

Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form.

Note

Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.

To delete the data we collect:

  1. Go to the Microsoft Endpoint Manager admin center.
  2. Navigate to Windows Autopatch > Tenant enrollment.
  3. Select Delete all data.

Next steps

  1. Maintain your Windows Autopatch environment.
  2. Ensure you've added and verified your admin contacts before you register your devices.