Muokkaa

Jaa

Register your devices

  • Artikkeli

Important

The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.

Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.

Before Microsoft can manage your devices in Windows Autopatch, you must register devices with the service. Make sure your devices meet the device registration prerequisites.

Detailed device registration workflow diagram

See the following detailed workflow diagram. The diagram covers the Windows Autopatch device registration process:

Diagram of the device registration workflow.

Step Description
Step 1: Identify devices IT admin identifies devices to be managed by the Windows Autopatch service.
Step 2: Add devices IT admin identifies and adds devices, or nests other Microsoft Entra device groups into any Microsoft Entra group when you create an Autopatch group or edit an Autopatch group or imported (WUfB) policies.
Step 3: Discover devices The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin from Microsoft Entra groups used with Autopatch groups in step #2. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.
  1. Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:
    1. AzureADDeviceID
    2. OperatingSystem
    3. DisplayName (Device name)
    4. AccountEnabled
    5. RegistrationDateTime
    6. ApproximateLastSignInDateTime
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.
Step 4: Check prerequisites The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the Detailed prerequisite check workflow diagram section. The service checks the following device readiness attributes, and/or prerequisites:
  1. If the device is Intune-managed or not.
    1. Windows Autopatch looks to see if the Microsoft Entra device ID has an Intune device ID associated with it.
      1. If yes, it means this device is enrolled into Intune.
      2. If not, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. If the device is not managed by Intune, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name, and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in step 3a.
      1. Once it has the device attributes gathered from Microsoft Entra ID in step 3a, the device is flagged with the Prerequisite failed status, and the device's Autopatch readiness status appears as Not registered in the Devices report. The IT admin can review the reasons the device wasn't registered into Windows Autopatch. The IT admin remediates these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.
      2. A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, clean up any stale Microsoft Entra device records from your tenant.
    3. If the device is managed by Intune, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device checked into Intune in the last 28 days.
  2. If the device is a Windows device or not.
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. If yes, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. If not, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  3. Windows Autopatch checks the Windows SKU family. The SKU must be either:
    1. Enterprise
    2. Pro
    3. Pro Workstation
  4. If the device meets the operating system requirements, Windows Autopatch checks whether the device is either:
    1. Only managed by Intune.
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. Co-managed by both Configuration Manager and Intune.
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. Windows Updates Policies
        2. Device Configuration
        3. Office Click to Run
      2. If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as Prerequisite failed and the device's Autopatch readiness status appears as Not registered in the Devices report.
Step 5: Calculate deployment ring assignment Once the device passes all prerequisites described in step #4, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant's existing managed device size is ≤ 200, the deployment ring assignment is First (5%), Fast (15%), remaining devices go to the Broad ring (80%).
  2. If the Windows Autopatch tenant's existing managed device size is >200, the deployment ring assignment is First (1%), Fast (9%), remaining devices go to the Broad ring (90%).
Step 6: Assign devices to a deployment ring group Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:
  1. Modern Workplace Devices-Windows Autopatch-First
    1. The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra group (Modern Workplace Devices-Windows Autopatch-Test). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. Modern Workplace Devices-Windows Autopatch-Fast
  3. Modern Workplace Devices-Windows Autopatch-Broad
Step 7: Assign devices to a Microsoft Entra group Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:
  1. Modern Workplace Devices - All
    1. This group has all devices managed by Windows Autopatch.
  2. Modern Workplace Devices - Virtual Machine
    1. This group has all virtual devices managed by Windows Autopatch.
Step 8: Post-device registration In post-device registration, three actions occur:
  1. Windows Autopatch adds devices to its managed database.
  2. Flags devices as Ready. The device's Autopatch readiness status appears as Registered in the Devices report.
  3. The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension's allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
    1. The agent is the Modern Workplace - Autopatch Client setup PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
Step 9: Review device registration status IT admins review the device's Autopatch readiness status. Devices are either Registered or Not registered in the Devices report.
  1. If the device was successfully registered, the device's Autopatch readiness status appears as Registered in the Devices report.
  2. If not, the device's Autopatch readiness status appears as Not registered in the Devices report.
Step 10: End of registration workflow This is the end of the Windows Autopatch device registration workflow.

Detailed prerequisite check workflow diagram

As described in step #4 in the previous Detailed device registration workflow diagram, the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed.

Diagram of the prerequisite check workflow.

Devices report

Windows Autopatch has a device report that allows you to see:

  • Each registered devices readiness for the service
  • Update status
  • Policies that target each device

View the device report

To view the device report:

  1. In the Intune admin center, select Devices in the left pane.
  2. Under Manage updates, select Windows updates.
  3. Select the Monitor tab, and then select Autopatch devices.

Once a device is registered to the service, a readiness status is displayed. Each readiness status helps you to determine if there are any actions to take or if the device is ready for the service.

Readiness statuses

Autopatch readiness status in the Devices report Substatus description
Registered
  • Ready: Devices successfully passed all prerequisite checks and successfully registered with Windows Autopatch. Additionally, Ready devices successfully passed all post-device registration readiness checks and don't have any active alerts targeting them.
  • Not ready: These devices were successfully registered with Windows Autopatch. However, these devices:
    • Failed to pass one or more post-device registration readiness checks.
    • Aren't ready to have one or more software update workloads managed by the service.
    • The device didn't communicate with Microsoft Intune in the last 28 days
    • The device has a conflict with policies or with Autopatch group membership
Not registered
  • Autopatch group conflict: The device has a conflict with Autopatch group membership
  • Prerequisites failed: The device failed to pass one or more post-device registration readiness checks.
  • Excluded: Devices with this status are removed from the Windows Autopatch service only. Microsoft assumes you manage these devices yourself in some capacity.

View only excluded devices

You can view the excluded devices in the Not registered tab to make it easier for you to bulk restore devices that were previously excluded from the Windows Autopatch service.

To view only excluded devices:

  1. In the Intune admin center, navigate to Windows Autopatch > Devices.
  2. In the Not registered tab, select Excluded from the filter list. Leave all other filter options unselected.

Move devices in between deployment rings

If you want to move devices to different deployment rings after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices.

Important

You can only move devices in between deployment rings within the same Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: An error occurred. Please select devices within the same Autopatch group.

To move devices in between deployment rings:

Note

You can only move devices to other deployment rings when the device's Autopatch readiness status appears as Registered and the Update status is Active.

  1. In the Intune admin center, select Devices in the left pane.
  2. Navigate to Windows updates > Monitor > Autopatch devices.
  3. Select one or more devices you want to assign and select Assign ring.
  4. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. All selected devices are assigned to the deployment ring you specify. The "1 devices scheduled for assignment" notification appears.
  5. When the assignment is complete, the Ring assigned by column changes to Admin (which indicates that you made the change) and the Ring column shows the new deployment ring assignment. The Ring assigned by column is only visible in the fly-in menu.

Warning

Moving devices between deployment rings through directly changing Microsoft Entra group membership isn't supported and might cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the Assign ring action described previously to move devices between deployment rings.

Register devices into Autopatch groups

Important

The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.

Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.

An Autopatch group is a logical container or unit that groups several Microsoft Entra groups, and software update policies. For more information, see Windows Autopatch groups.

When you create an Autopatch group or edit an Autopatch group to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings, are scanned to see if devices need to be registered with the Windows Autopatch service.

If devices aren't registered, Autopatch groups start the device registration process by using your existing device-based Microsoft Entra groups.

Supported scenarios when nesting other Microsoft Entra groups

Windows Autopatch also supports the following Microsoft Entra nested group scenarios:

Microsoft Entra groups synced up from:

Windows Autopatch on Windows 365 Enterprise Workloads

Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin.

To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:

  1. Go to the Intune admin center.
  2. In the left pane, select Devices.
  3. Navigate to Provisioning > Windows 365.
  4. Select Provisioning policies > Create policy.
  5. Provide a policy name and select Join Type. For more information, see Device join types.
  6. Select Next.
  7. Choose the desired image and select Next.
  8. Under the Microsoft managed services section, select Windows Autopatch. Then, select Next. If the Windows Autopatch (preview) can't manage your Cloud PCs until a Global Admin has finished setting it up. message appears, you must activate Windows Autopatch features to continue.
  9. Assign your policy accordingly and select Next.
  10. Select Create. Now your newly provisioned Windows 365 Enterprise Cloud PCs are automatically enrolled and managed by Windows Autopatch.

For more information, see Create a Windows 365 Provisioning Policy.

Windows Autopatch on Azure Virtual Desktop workloads

Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process.

Windows Autopatch provides the same scope of service with virtual machines as it does with physical devices. However, Windows Autopatch defers any Azure Virtual Desktop specific support to Azure support, unless otherwise specified.

Prerequisites

Windows Autopatch for Azure Virtual Desktop follows the same prerequisites as Windows Autopatch, and the Azure Virtual Desktop prerequisites.

The service supports:

  • Personal persistent virtual machines

The following Azure Virtual Desktop features aren't supported:

  • Multi-session hosts
  • Pooled non persistent virtual machines
  • Remote app streaming

Deploy Autopatch on Azure Virtual Desktop

Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your physical devices.

For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the Name prefix defined in your session host, but exclude any Multi-Session Session Hosts. For example:

Group name Dynamic membership name
Windows Autopatch - Host Pool Session Hosts
  • (device.displayName -contains "AP")
  • (device.deviceOSType -ne "Windows 10 Enterprise for Virtual Desktops")

Clean up dual state of Microsoft Entra hybrid joined and Azure registered devices in your Microsoft Entra tenant

An Microsoft Entra dual state occurs when a device is initially connected to Microsoft Entra ID as an Microsoft Entra registered device. However, when you enable Microsoft Entra hybrid join, the same device is connected twice to Microsoft Entra ID but as a Hybrid Microsoft Entra device.

In the dual state, you end up having two Microsoft Entra device records with different join types for the same device. In this case, the Hybrid Microsoft Entra device record takes precedence over the Microsoft Entra registered device record for any type of authentication in Microsoft Entra ID, which makes the Microsoft Entra registered device record stale.

It's recommended to detect and clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, see How To: Manage stale devices in Microsoft Entra ID.

Warning

If you don't clean up stale devices in Microsoft Entra ID before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed) pre-requisite check in the Not ready tab because it's expected that these stale Microsoft Entra devices aren't enrolled into the Intune service anymore.

Important

The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.

Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.

For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.

Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.

Device management lifecycle scenarios

There's a few more device management lifecycle scenarios to consider when planning to register devices in Windows Autopatch.

Device refresh

If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Intune to reimage the device.

The device is rejoined to Microsoft Entra ID (either Hybrid or Microsoft Entra-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Microsoft Entra device ID record of that device remains the same.

Device repair and hardware replacement

If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, nonremovable network interface cards (NIC), or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as:

  • SMBIOS UUID (motherboard)
  • MAC address (nonremovable NICs)
  • OS hard drive's serial, model, manufacturer information

When one of these hardware changes occurs, Microsoft Entra ID creates a new device ID record for that device, even if it's technically the same device.

Important

If a new Microsoft Entra device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Microsoft Entra device ID must be added either through device direct membership or through nested Microsoft Entra dynamic/assigned group in the Windows Autopatch group experience. This process guarantees that the newly generated Microsoft Entra device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.