Policy health and remediation
Important
The information in this article or section only applies if you have Windows Enterprise E3+ or F3 licenses (included in Microsoft 365 F3, E3, or E5) licenses and have activated Windows Autopatch features.
Feature activation is optional and at no additional cost to you if you have Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses.
For more information, see Licenses and entitlements. If you choose not to go through feature activation, you can still use the Windows Autopatch service for the features included in Business premium and A3+ licenses.
Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
Important
Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see Changes made at feature activation.
When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service.
IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service.
With this feature, IT admins can:
- View alerts, in line with the features you commonly use:
- Windows Update related alerts in the Release management blade.
- Device configuration alerts in the Tenant management > Alert actions tab.
- Initiate action for the Autopatch service to restore policies without having to raise an incident.
- Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident.
Note
You can rename your policies to meet your organization's requirements. Do not rename the underlying Autopatch deployment groups.
Check policy health
Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring might continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts.
Built-in roles required for remediation actions
The minimum role required to restore configurations is Intune Service Administrator.
Restore Data collection, Office and/or Edge configuration policies
Important
For these policies, Windows Autopatch doesn't store the last known policy value, Autopatch restores the base policy values.
To initiate remediation action for device configuration alerts:
- Go to the Microsoft Intune admin center.
- Navigate to Tenant administration > Tenant management > Actions.
- Select Restore missing policy to launch the workflow.
- Review the message and select Restore policy.
- If the Change modified policy alert appears, select this alert to launch the workflow.
- Select Submit changes to restore to service required values.
There's an alert for each policy that is missing or deviated from the service defined values.
Restore missing Windows Update policies
Important
For Quality and Feature update policies, Autopatch restores the last known value of policy. For Driver update policies, Autopatch restores the base policy.
To initiate remediation actions for Windows Update policies (Quality, Feature or Driver updates):
Note
By default, the service will auto-select all the policies.
- Go to the Microsoft Intune admin center.
- Navigate to Tenant administration > Windows Autopatch > Autopatch groups > Policy health.
- Select Missing policy to launch the Restore missing policy workflow.
- Review the message for the missing policy error. If more than once policy is present, select which policy you'd like to restore.
- Select Restore policies to complete the workflow.
Note
You can also select on the associated Windows Autopatch group name for any Autopatch group that has a Missing Policy under the Policy health column. Doing so will lead you to the details page of that specific Autopatch group. Under the Windows update settings section, you'll see a banner that states "There are missing update settings in this Autopatch group. Take action to resolve". Selecting this banner will take you to the same experience as mentioned in Restore missing Windows Update policies.
Restore deployment groups
Windows Autopatch automatically restores any missing groups that are required by the service. When a missing deployment group is restored, and the policies are also missing, the policies be restored to the deployment groups.
If policies are misconfigured or unassigned, admins must restore them. In the Autopatch groups blade, the service raises a missing policy workflow that you must complete to repair Windows Update policies. All other policies must be restored from the Tenant administration blade.
Due to the asynchronous run of service detectors, it might take up to four (4) hours for this error to be displayed.
Note
While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.
Alerts will remain active until an IT admin completes the action to restore them to a healthy state.
There are no Autopatch reports for policy alerts and actions at this time.
Use audit logs to track actions in Microsoft Intune
You can review audit logs in Intune to review the activities completed on the tenant.
To review audit logs in Intune:
- Go to the Microsoft Intune admin center.
- Select Tenant administration > Audit logs.
The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch.