Edit

Changes made at tenant enrollment

  • Article
  • 4 minutes to read

The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service.

Important

The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.

Windows Autopatch enterprise applications

Enterprise applications are applications (software) that a business uses to do its work.

Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.

Enterprise application name Usage Permissions
Modern Workplace Management The Modern Workplace Management application:
  • Manages the service
  • Publishes baseline configuration updates
  • Maintains overall service health
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PriviligedOperation.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Directory.Read.All
  • Group.Create
  • Policy.Read.All
  • WindowsUpdates.ReadWrite.All

Service principal

Windows Autopatch will create a service principal in your tenant to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see Application and service principal objects in Azure Active Directory. The service principal created by Windows Autopatch is:

  • Modern Workplace Customer APIs

Azure Active Directory groups

Windows Autopatch will create the required Azure Active Directory groups to operate the service.

The following groups target Windows Autopatch configurations to devices and management of the service by our first party enterprise applications.

Group name Description
Modern Workplace-All All Modern Workplace users
Modern Workplace - Windows 11 Pre-Release Test Devices Device group for Windows 11 Pre-Release testing.
Modern Workplace Devices-All All Modern Workplace devices
Modern Workplace Devices-Windows Autopatch-Test Deployment ring for testing update deployments prior production rollout
Modern Workplace Devices-Windows Autopatch-First First production deployment ring for early adopters
Modern Workplace Devices-Windows Autopatch-Fast Fast deployment ring for quick rollout and adoption
Modern Workplace Devices-Windows Autopatch-Broad Final deployment ring for broad rollout into the organization
Modern Workplace Roles - Service Administrator All users granted access to Modern Workplace Service Administrator Role
Modern Workplace Roles - Service Reader All users granted access to Modern Workplace Service Reader Role
Windows Autopatch Device Registration Group for automatic device registration for Windows Autopatch

Device configuration policies

  • Windows Autopatch - Set MDM to Win Over GPO
  • Windows Autopatch - Data Collection
Policy name Policy description Properties Value
Windows Autopatch - Set MDM to Win Over GPO Sets mobile device management (MDM) to win over GPO

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad
 MDM Wins Over GP
  • MDM policy is used
  • GP policy is blocked
Windows Autopatch - Data Collection Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device.

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace Devices-Windows Autopatch-Fast
  • Modern Workplace Devices-Windows Autopatch-Broad
  1. Configure Telemetry Opt In Change Notification
  2. Configure Telemetry Opt In Settings UX
  3. Allow Telemetry
  4. Limit Enhanced Diagnostic Data Windows Analytics
  5. Limit Dump Collection
  6. Limit Diagnostic Log Collection
  1. Enable telemetry change notifications
  2. Enable Telemetry opt-in Settings
  3. Full
  4. Enabled
  5. Enabled
  6. Enabled

Deployment rings for Windows 10 and later

  • Modern Workplace Update Policy [Test]-[Windows Autopatch]
  • Modern Workplace Update Policy [First]-[Windows Autopatch]
  • Modern Workplace Update Policy [Fast]-[Windows Autopatch]
  • Modern Workplace Update Policy [Broad]-[Windows Autopatch]
Policy name Policy description OMA Value
Modern Workplace Update Policy [Test]-[Windows Autopatch Windows Update for Business Configuration for the Test Ring

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Test
  • QualityUpdatesDeferralPeriodInDays
  • FeatureUpdatesDeferralPeriodInDays
  • FeatureUpdatesRollbackWindowInDays
  • BusinessReadyUpdatesOnly
  • AutomaticUpdateMode
  • InstallTime
  • DeadlineForFeatureUpdatesInDays
  • DeadlineForQualityUpdatesInDays
  • DeadlineGracePeriodInDays
  • PostponeRebootUntilAfterDeadline
  • DriversExcluded
  • 0
  • 0
  • 30
  • All
  • WindowsDefault
  • 3
  • 5
  • 0
  • 0
  • False
  • False
Modern Workplace Update Policy [First]-[Windows Autopatch] Windows Update for Business Configuration for the First Ring

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-First
  • QualityUpdatesDeferralPeriodInDays
  • FeatureUpdatesDeferralPeriodInDays
  • FeatureUpdatesRollbackWindowInDays
  • BusinessReadyUpdatesOnly
  • AutomaticUpdateMode
  • InstallTime
  • DeadlineForFeatureUpdatesInDays
  • DeadlineForQualityUpdatesInDays
  • DeadlineGracePeriodInDays
  • PostponeRebootUntilAfterDeadline
  • DriversExcluded
  • 1
  • 0
  • 30
  • All
  • WindowsDefault
  • 3
  • 5
  • 2
  • 2
  • False
  • False
Modern Workplace Update Policy [Fast]-[Windows Autopatch] Windows Update for Business Configuration for the Fast Ring

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Fast
  • QualityUpdatesDeferralPeriodInDays
  • FeatureUpdatesDeferralPeriodInDays
  • FeatureUpdatesRollbackWindowInDays
  • BusinessReadyUpdatesOnly
  • AutomaticUpdateMode
  • InstallTime
  • DeadlineForFeatureUpdatesInDays
  • DeadlineForQualityUpdatesInDays
  • DeadlineGracePeriodInDays
  • PostponeRebootUntilAfterDeadline
  • DriversExcluded
  • 6
  • 0
  • 30
  • All
  • WindowsDefault
  • 3
  • 5
  • 2
  • 2
  • False
  • False
Modern Workplace Update Policy [Broad]-[Windows Autopatch] Windows Update for Business Configuration for the Broad Ring

Assigned to:

  • Modern Workplace Devices-Windows Autopatch-Broad
  • QualityUpdatesDeferralPeriodInDays
  • FeatureUpdatesDeferralPeriodInDays
  • FeatureUpdatesRollbackWindowInDays
  • BusinessReadyUpdatesOnly
  • AutomaticUpdateMode
  • InstallTime
  • DeadlineForFeatureUpdatesInDays
  • DeadlineForQualityUpdatesInDays
  • DeadlineGracePeriodInDays
  • PostponeRebootUntilAfterDeadline
  • DriversExcluded
  • 9
  • 0
  • 30
  • All
  • WindowsDefault
  • 3
  • 5
  • 5
  • 2
  • False
  • False

Windows feature update policies

  • Windows Autopatch - DSS Policy [Test]
  • Windows Autopatch - DSS Policy [First]
  • Windows Autopatch - DSS Policy [Fast]
  • Windows Autopatch - DSS Policy [Broad]
  • Modern Workplace DSS Policy [Windows 11]
Policy name Policy description Value
Windows Autopatch - DSS Policy [Test] DSS policy for Test device group Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Test

Exclude from:
  • Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - DSS Policy [First] DSS policy for First device group Assigned to:
  • Modern Workplace Devices-Windows Autopatch-First
  • Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - DSS Policy [Fast] DSS policy for Fast device group Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Fast

Exclude from:
  • Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - Policy [Broad] DSS policy for Broad device group Assigned to:
  • Modern Workplace Devices-Windows Autopatch-Broad

Exclude from:
  • Modern Workplace - Windows 11 Pre-Release Test Devices
Modern Workplace DSS Policy [Windows 11] Windows 11 DSS policy Assigned to:
  • Modern Workplace - Windows 11 Pre-Release Test Devices

Microsoft Office update policies

  • Windows Autopatch - Office Configuration
  • Windows Autopatch - Office Update Configuration [Test]
  • Windows Autopatch - Office Update Configuration [First]
  • Windows Autopatch - Office Update Configuration [Fast]
  • Windows Autopatch - Office Update Configuration [Broad]
Policy name Policy description Properties Value
Windows Autopatch - Office Configuration Sets Office Update Channel to the Monthly Enterprise servicing branch.

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-Test
  2. Modern Workplace Devices-Windows Autopatch-First
  3. Modern Workplace Devices-Windows Autopatch-Fast
  4. Modern Workplace Devices-Windows Autopatch-Broad
  1. Enable Automatic Updates
  2. Hide option to enable or disable updates
  3. Update Channel
  4. Channel Name (Device)
  5. Hide Update Notifications
  6. Update Path
  1. Enabled
  2. Enabled
  3. Enabled
  4. Monthly Enterprise Channel
  5. Disabled
  6. Enabled
Windows Autopatch - Office Update Configuration [Test] Sets the Office update deadline

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-Test
  1. Delay downloading and installing updates for Office
  2. Update Deadline
  1. Enabled; Days(Device) == 0 days
  2. Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [First] Sets the Office update deadline

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-First
  1. Delay downloading and installing updates for Office
  2. Update Deadline
  1. Enabled; Days(Device) == 0 days
  2. Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [Fast] Sets the Office update deadline

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-Fast
  1. Delay downloading and installing updates for Office
  2. Update Deadline
  1. Enabled; Days(Device) == 3 days
  2. Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [Broad] Sets the Office update deadline
Assigned to:
  1. Modern Workplace Devices-Windows Autopatch-Broad
  1. Delay downloading and installing updates for Office
  2. Update Deadline
  1. Enabled; Days(Device) == 7 days
  2. Enabled; Update Deadline(Device) == 7 days

Microsoft Edge update policies

  • Windows Autopatch - Edge Update Channel Stable
  • Windows Autopatch - Edge Update Channel Beta
Policy name Policy description Properties Value
Windows Autopatch - Edge Update Channel Stable Deploys updates via the Edge Stable Channel

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-First
  2. Modern Workplace Devices-Windows Autopatch-Fast
    1. Modern Workplace Devices-Windows Autopatch-Broad
  1. Target Channel Override
  2. Target Channel (Device)
  1. Enabled
  2. Stable
Windows Autopatch - Edge Update Channel Beta Deploys updates via the Edge Beta Channel

Assigned to:

  1. Modern Workplace Devices-Windows Autopatch-Test
  1. Target Channel Override
  2. Target Channel (Device)
  1. Enabled
  2. Beta

PowerShell scripts

Script Description
Modern Workplace - Autopatch Client Setup v1.1 Installs necessary client components for the Windows Autopatch service