Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch.
|Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher), or F3 to be assigned to your users. Additionally, Microsoft Entra ID P1 or P2 and Microsoft Intune are required. For details about the specific service plans, see more about licenses.
For more information on available licenses, see Microsoft 365 licensing.
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the Product Terms site.
|All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see Configure your network.
|Microsoft Entra ID
|Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.
|Devices must be already enrolled with Microsoft Intune prior to registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see co-management requirements for Windows Autopatch.
Other device management prerequisites include:
See Register your devices for more details on device prerequisites and on how the device registration process works with Windows Autopatch.
For more information on co-management, see co-management for Windows devices.
|Data and privacy
|For more information on Windows Autopatch privacy practices, see Windows Autopatch Privacy.
More about licenses
Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch:
|Microsoft 365 E3
|Microsoft 365 E3 (500 seats minimum_HUB)
|Microsoft 365 E3 - Unattended License
|Microsoft 365 E3 EEA (no Teams) - Unattended License
|Microsoft 365 E3 EEA (no Teams) (500 seats min)_HUB
|O365_w/o Teams Bundle_M3_(500_seats_min)_HUB
|TEST - Microsoft 365 E3
|Microsoft 365 E5
|Microsoft 365 E5 (500 seats minimum)_HUB
|Microsoft 365 E5 with calling minutes
|Microsoft 365 E5 without audio conferencing
|Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB
|Microsoft 365 E5 EEA (no Teams)
|Microsoft 365 E5 EEA (no Teams) with Calling Minutes
|Microsoft 365 E5 EEA (no Teams) without Audio Conferencing
|Microsoft 365 E5 EEA (no Teams) without Audio Conferencing (500 seats min)_HUB
|Microsoft 365 E5 EEA (no Teams) (500 seats min)_HUB
|TEST - Microsoft 365 E5 without audio conferencing
|Windows 10/11 Enterprise E3
|Windows 10/11 Enterprise E5
|Windows 10/11 Enterprise VDA
|Microsoft 365 F3
|Microsoft 365 F3 (self-service)
|Microsoft 365 F3 (for Department)
|Microsoft 365 F3 EEA (no Teams)
The following Windows 10 editions, build version and architecture are supported to be registered with Windows Autopatch:
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
While Windows Autopatch supports registering devices below the minimum Windows OS version enforced by the service, once registered, devices are automatically offered with the minimum windows OS version. The devices must be on a minimum Windows OS currently serviced by the Windows servicing channels to keep receiving monthly security updates that are critical to security and the health Windows.
Windows Autopatch supports registering Windows 10 Long-Term Servicing Channel (LTSC) devices that are being currently serviced by the Windows LTSC. The service only supports managing the Windows quality updates workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use LTSC media or the Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade for Windows devices that are part of the LTSC.
Configuration Manager co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:
- Use a currently supported Configuration Manager version.
- Configuration Manager must be cloud-attached with Intune (co-management) and must have the following co-management workloads enabled and set to either Pilot Intune or Intune:
For more information, see paths to co-management.