Autopatch NFA release

tiaraquan
2025-03-26 15:13:51 -07:00
parent d926a66eb3
commit 2d10e02480
46 changed files with 468 additions and 848 deletions

@ -1,7 +1,7 @@
---
title: Configure your network
description: This article details the network configurations needed for Windows Autopatch
ms.date: 09/24/2024
ms.date: 03/31/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -26,35 +26,18 @@ The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable
There are URLs from several Microsoft products that must be in the allowed list so that Windows Autopatch devices can communicate with those Microsoft services. Use the links to see the complete list for each product.
#### [Business Premium and A3+](#tab/business-premium-and-a3-licenses-required-microsoft-endpoints)
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
| Microsoft service | URLs required on Allowlist |
| ----- | ----- |
| Microsoft Entra ID | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)<p><p>[Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))</p> |
| Microsoft Intune | [Intune network configuration requirements](/mem/intune/fundamentals/network-bandwidth-use)<p><p>[Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)</p> |
| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) |
#### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-and-f3-licenses-required-microsoft-endpoints)
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
In addition to the Microsoft Entra ID, Intune and Windows Update for Business endpoints listed in the Business Premium and A3+ licenses section, the following endpoints apply to Windows E3+ and F3 licenses that have [activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). There are URLs from several Microsoft products that must be in the allowed list so that devices can communicate with Windows Autopatch. Use the links to see the complete list for each product.
| Microsoft service | URLs required on Allowlist |
| ----- | ----- |
| Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)<p><p>[Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)</p><p>[Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)</p><p>[Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)</p><p>[Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)</p>|
| Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) |
| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) |
| Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) |
---
### Required Windows Autopatch endpoints for proxy and firewall rules
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service.
You can optimize your network by sending all trusted Microsoft 365 network requests directly through your firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements.
@ -63,15 +46,10 @@ The following URLs must be on the allowed list of your proxy and firewall so tha
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>devicelistenerprod.microsoft.com</li><li>login.windows.net</li><li>device.autopatch.microsoft.com</li></ul>|
| Windows Autopatch | <ul><li>mmdcustomer.microsoft.com</li><li>mmdls.microsoft.com</li><li>devicelistenerprod.microsoft.com (devicelistenprod.eudb.microsoft.com for tenants with billing addresses in the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations))</li><li>login.windows.net</li><li>device.autopatch.microsoft.com</li><li>services.autopatch.microsoft.com</li><li>payloadprod*.blob.core.windows.net</li><li>*.webpubsub.azure.com</li></ul>|
## Delivery Optimization
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
Delivery Optimization is a peer-to-peer distribution technology available in Windows 10 and Windows 11 that allows devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Delivery Optimization can help reduce network bandwidth because the device can get portions of the update from another device on the same local network instead of having to download the update completely from Microsoft.
For more information, see [What is Delivery Optimization?](/windows/deployment/do/waas-delivery-optimization)
> [!TIP]
> **It's recommended to configure and validate Delivery Optimization when you [activate Window Autopatch features](../prepare/windows-autopatch-feature-activation.md)**. This only applies if you have Windows Enterprise E3+ and F3 licenses.
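Review bot: In the new Windows Autopatch allowlist row, the EU Data Boundary host is written `devicelistenprod.eudb.microsoft.com` while the global host in the same list item is `devicelistenerprod.microsoft.com` ("listen" versus "listener"). Please confirm which spelling is correct and make the two consistent, because these names get copied straight into proxy and firewall rules and a misspelled entry would leave the real endpoint blocked. The two new wildcard entries, `payloadprod*.blob.core.windows.net` and `*.webpubsub.azure.com`, are also far broader than the fixed hostnames beside them; the second matches every Azure Web PubSub resource name, not only the ones Autopatch uses. If narrower hostnames can't be published, add a sentence saying the wildcard is intentional so readers don't have to guess how tightly they can scope the rule.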

@ -1,7 +1,7 @@
---
title: Prerequisites
description: This article details the prerequisites needed for Windows Autopatch
ms.date: 10/30/2024
ms.date: 03/31/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: concept-article
@ -19,29 +19,13 @@ ms.collection:
## Licenses and entitlements
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
### [Business Premium and A3+](#tab/business-premium-a3-entitlements)
Business Premium and A3+ licenses include:
Windows Autopatch is available to the following licenses:
- Microsoft 365 Business Premium (for more information on available licenses, see Microsoft 365 licensing)
- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
[!INCLUDE [windows-autopatch-business-premium-a3-licenses](../includes/windows-autopatch-business-premium-a3-licenses.md)]
### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-entitlements)
The following licenses provide access to the Windows Autopatch features [included in Business premium and A3+ licenses](../overview/windows-autopatch-overview.md#business-premium-and-a3-licenses) and its [additional features](../overview/windows-autopatch-overview.md#windows-enterprise-e3-and-f3-licenses) after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md):
- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
- Windows 10/11 Enterprise E3 or E5 VDA
For more information about specific service plans, see [Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses].
---
### Feature entitlement
For more information about feature entitlement, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities). Features are accessed through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
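Review bot: In the license list, the Business Premium bullet ends with "(for more information on available licenses, see Microsoft 365 licensing)" but "Microsoft 365 licensing" has no link target. Either add the link or drop the parenthetical. The same applies to the bracketed "[Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses]" reference if it is kept: it has no target, and the "More about licenses" section it names is taken out in the next hunk.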
@ -49,88 +33,51 @@ For more information about feature entitlement, see [Features and capabilities](
| Symbol | Meaning |
| --- | --- |
| :heavy_check_mark: | All features available |
| :large_orange_diamond: | Most features available |
| :x: | Feature not available |
#### Windows 10 and later update policy management
| Feature | Business Premium | A3+ | E3+ | F3 |
| --- | --- | --- | --- | --- |
| --- | :---: | :---: | :---: | :---: |
| Releases | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Update rings | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Quality updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Feature updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:|
| Driver and firmware updates | :large_orange_diamond: | :large_orange_diamond: | :heavy_check_mark: | :heavy_check_mark:|
| Feature updates | :heavy_check_mark:| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Driver and firmware updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
#### Tenant management
| Feature | Business Premium | A3+ | E3+ | F3 |
| --- | --- | --- | --- | --- |
| Autopatch groups | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| --- | :---: | :---: | :---: | :---: |
| Autopatch groups | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| New feature and change management communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Release schedule and status communications | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| Release schedule and status communications | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Support requests | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| Policy health | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| Policy health | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
#### Reporting
| Feature | Business Premium | A3+ | E3+ | F3 |
| --- | --- | --- | --- | --- |
| --- | :---: | :---: | :---: | :---: |
| Intune Reports | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Quality updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| Feature updates | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
| Device readiness | :x: | :x: | :heavy_check_mark: | :heavy_check_mark:|
## More about licenses
### Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) licenses
> [!IMPORTANT]
> Only Windows 10/11 Enterprise E3+ or F3 (included in Microsoft 365 F3, E3, or E5) licenses have access to all Windows Autopatch features after you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md). Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
| License | ID | GUID number |
| ----- | ----- | ------|
| [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 |
| [Microsoft 365 E3 (500 seats minimum_HUB)](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E3 | 0c21030a-7e60-4ec7-9a0f-0042e0e0211a |
| [Microsoft 365 E3 - Unattended License](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_RPA1 | c2ac2ee4-9bb1-47e4-8541-d689c7e83371 |
| Microsoft 365 E3 EEA (no Teams) - Unattended License | Microsoft_365_E3_EEA_(no_Teams)_Unattended_License | a23dbafb-3396-48b3-ad9c-a304fe206043 |
| Microsoft 365 E3 EEA (no Teams) (500 seats min)_HUB | O365_w/o Teams Bundle_M3_(500_seats_min)_HUB | 602e6573-55a3-46b1-a1a0-cc267991501a |
| [TEST - Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3_TEST | 23a55cbc-971c-4ba2-8bae-04cd13d2f4ad |
| [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 |
| [Microsoft 365 E5 (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5 | db684ac5-c0e7-4f92-8284-ef9ebde75d33 |
| [Microsoft 365 E5 with calling minutes](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_CALLINGMINUTES | a91fc4e0-65e5-4266-aa76-4037509c1626 |
| [Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF | cd2925a3-5076-4233-8931-638a8c94f773 |
| [Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | Microsoft_365_E5_without_Audio_Conferencing | 2113661c-6509-4034-98bb-9c47bd28d63c |
| Microsoft 365 E5 EEA (no Teams) | O365_w/o_Teams_Bundle_M5 |3271cf8e-2be5-4a09-a549-70fd05baaa17 |
| Microsoft 365 E5 EEA (no Teams) with Calling Minutes | Microsoft_365_E5_EEA_(no_Teams)_with_Calling_Minutes | 6ee4114a-9b2d-4577-9e7a-49fa43d222d3 |
| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing | 90277bc7-a6fe-4181-99d8-712b08b8d32b |
| Microsoft 365 E5 EEA (no Teams) without Audio Conferencing (500 seats min)_HUB | Microsoft_365_E5_EEA_(no_Teams)_without_Audio_Conferencing_(500_seats_min)_HUB | a640eead-25f6-4bec-97e3-23cfd382d7c2 |
| Microsoft 365 E5 EEA (no Teams) (500 seats min)_HUB | O365_w/o_Teams_Bundle_M5_(500_seats_min)_HUB| 1e988bf3-8b7c-4731-bec0-4e2a2946600c |
| [TEST - Microsoft 365 E5 without audio conferencing](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5_NOPSTNCONF_TEST | 1362a0d9-b3c2-4112-bf1a-7a838d181c0f |
| [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a |
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
| [Microsoft 365 F3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_F1 | 66b55226-6b4f-492c-910c-a3b7a3c9d993 |
| Microsoft 365 F3 (self-service) | Microsoft_365_F3_Department |6803cf1e-c822-41a1-864e-a31377bcdb7e |
| Microsoft 365 F3 (for Department) | Microsoft_365_F3_DEPT |45972061-34c4-44c8-9e83-ad97815acc34 |
| Microsoft 365 F3 EEA (no Teams) | Microsoft_365_F3_EEA_(no_Teams) | f7ee79a7-7aec-4ca4-9fb9-34d6b930ad87 |
| Quality updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Feature updates | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
| Device readiness | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:|
## General infrastructure requirements
[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
| Area | Prerequisite details |
| --- | --- |
| Licensing terms and conditions for products and services | For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Microsoft Entra ID and Intune | Microsoft Entra ID P1 or P2 and Microsoft Intune are required.<p>Microsoft Entra ID must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Microsoft Entra Connect to enable Microsoft Entra hybrid join.</p><ul><li>For more information, see [Microsoft Entra Connect](/entra/identity/hybrid/connect/whatis-azure-ad-connect) and [Microsoft Entra hybrid join](/entra/identity/devices/how-to-hybrid-join)</li><li>For more information on supported Microsoft Entra Connect versions, see [Microsoft Entra Connect:Version release history](/entra/identity/hybrid/connect/reference-connect-version-history).</li></ul> |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Device management | [Devices must be already enrolled with Microsoft Intune](/mem/intune/user-help/enroll-windows-10-device) before registering with Windows Autopatch. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.<p>At a minimum, the Windows Update, Device configuration, and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).</p><p>Other device management prerequisites include:</p><ul><li>Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.</li><li>Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.</li><li>Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices aren't registered with Autopatch.</li><li>Devices must be connected to the internet.</li></ul><p>See [Register your devices](../deploy/windows-autopatch-register-devices.md) for more details on device prerequisites and on how the device registration process works with Windows Autopatch.</p><p>For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).</p> |
| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population and to [deploy driver updates](/windows/deployment/update/deployment-service-drivers), devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.<p>When you use [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview) with the deployment service, using diagnostic data at the following levels allows device names to appear in reporting:</p><ul><li>Optional level (previously Full) for Windows 11 devices</li><li>Enhanced level for Windows 10 devices</li></ul><p>For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).</p> |
| Data and privacy |Deployment scheduling controls are always available. However, to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. For these features, at minimum, the deployment service requires devices to send [diagnostic data](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-settings) at the Required level (previously called *Basic*) for these features.<ul><li>Optional level (previously Full) for Windows 11 devices</li><li>Enhanced level for Windows 10 devices</li></ul><p>For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../overview/windows-autopatch-privacy.md).</p> |
## Windows editions, build version, and architecture
> [!IMPORTANT]
> The following Windows editions, build version, and architecture **applies if you have**:<ul><li>Windows Enterprise E3+ or F3 licenses</li><li>[Activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md)</li><li>[Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)</li></ul>
> The following Windows editions, build version, and architecture **applies if you have**:<ul><li>Business Premium, A3+, E3+ and F3 licenses</li><li>[Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)</li></ul>
The following Windows 10/11 editions, build version, and architecture are supported when [devices are registered with Windows Autopatch](../deploy/windows-autopatch-register-devices.md):
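Review bot: In the new "Data and privacy" row, the sentence introducing the two bullets ("When you use Windows Update for Business reports ... allows device names to appear in reporting:") was dropped but the bullets "Optional level (previously Full) for Windows 11 devices" and "Enhanced level for Windows 10 devices" were kept. They now follow directly after "at the Required level (previously called *Basic*) for these features", so the row reads as if Optional/Enhanced diagnostic data is what the service requires. Please either remove the two bullets or restore a lead-in that says what they enable; as written, an admin could raise the diagnostic data level beyond what is needed. While editing that cell, the phrase "for these features" appears twice in one sentence. Two smaller points in the tables: the legend still defines `:large_orange_diamond:` although no new row uses it, and "Support requests" has no replacement row, so it is unclear whether it stays at `:x:` for Business Premium and A3+ or is being removed.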
@ -141,14 +88,13 @@ The following Windows 10/11 editions, build version, and architecture are suppor
Windows Autopatch service supports Windows client devices on the **General Availability Channel**.
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 and Windows 11 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/overview) devices that are being currently serviced by the [Windows 10 LTSC](/windows/release-health/release-information) or [Windows 11 LTSC](/windows/release-health/windows11-release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
## Configuration Manager co-management requirements
> [!IMPORTANT]
> The following Windows editions, build version, and architecture **applies if you have**:<ul><li>Windows Enterprise E3+ or F3 licenses</li><li>[Activated Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md)</li><li>[Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)</li></ul>
> The following Windows editions, build version, and architecture **applies if you have**:<ul><li>Business Premium, A3+, E3+ and F3 licenses</li><li>[Registered devices with Windows Autopatch](../deploy/windows-autopatch-register-devices.md)</li></ul>
| Requirement | Description |
| --- | --- |
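Review bot: The updated callout under "Configuration Manager co-management requirements" still opens with "The following Windows editions, build version, and architecture **applies if you have**", which is the wording of the previous section and does not describe the co-management table that follows. Suggest rewording it for this section, for example "The following co-management requirements apply if you have", and using "apply" rather than "applies".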
@ -158,8 +104,6 @@ Windows Autopatch service supports Windows client devices on the **General Avail
## Required Intune permissions
### [Business Premium and A3+](#tab/business-premium-a3-intune-permissions)
Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions:
- **Device configurations**:
@ -170,25 +114,13 @@ Your account must be assigned an [Intune role-based access control](/mem/intune/
- Update
- Read
You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one of the built-in **Policy and Profile manager** roles, which include these rights.
You can add the *Device configurations* permission with one or more rights to your own custom RBAC roles or use one of the built-in **Policy and Profile manager** roles, which include these rights. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). The Intune Service Administrator role is required to access and use all capabilities under:
### [Windows Enterprise E3+ and F3](#tab/windows-enterprise-e3-f3-intune-permissions)
- Tenant administration > Windows Autopatch
- Devices > Manage updates > Windows updates
- [Autopatch groups membership report](../deploy/windows-autopatch-register-devices.md#autopatch-groups-membership-report)
Your account must be assigned an [Intune role-based access control](/mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes the following permissions:
- **Device configurations**:
- Assign
- Create
- Delete
- View Reports
- Update
- Read
After you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md#activate-windows-autopatch-features), use the Intune Service Administrator role to register devices, manage your update deployments, and reporting tasks.
For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
The **Intune Service Administrator** role is required to register devices, manage your update deployments, and reporting tasks.
> [!TIP]
> For more information, see [assign an owner of member of a group in Microsoft Entra ID](/entra/id-governance/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).
---
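Review bot: The merged permissions text now says two different things about what is required. The opening keeps the scoped option (a custom RBAC role with the *Device configurations* rights, or **Policy and Profile manager**), then the added sentence says "The Intune Service Administrator role is required to access and use all capabilities under:" three areas, and a later line says the same role "is required to register devices, manage your update deployments, and reporting tasks". Please state explicitly which tasks the scoped *Device configurations* role is sufficient for and which genuinely need Intune Service Administrator; otherwise readers will assign the broad role by default. The two "Intune Service Administrator ... is required" sentences can then be merged into one. Minor: the tip link text reads "assign an owner of member of a group"; the target anchor says "owner-or-member".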

@ -1,7 +1,7 @@
---
title: Start using Windows Autopatch
description: This article details how to activate Autopatch features
ms.date: 09/16/2024
description: This article details how to start using Autopatch features
ms.date: 03/31/2025
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@ -17,8 +17,6 @@ ms.collection:
# Start using Windows Autopatch
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
Before you begin the process of deploying updates with Windows Autopatch, ensure you meet the [prerequisites](../prepare/windows-autopatch-prerequisites.md).
Once you're ready to deploy updates to your devices, you can either use Microsoft Intune or Microsoft Graph to manage updates with Windows Autopatch.
@ -36,17 +34,3 @@ To start using the service, you must create an update policy owned by Windows Au
- [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md)
Once a device or Microsoft Entra device group is associated with a Windows Autopatch policy, your tenant is now using the Autopatch service to manage updates. Devices are registered with the service following the process as described in [Register your devices](../deploy/windows-autopatch-register-devices.md).
## Activate Windows Autopatch features
> [!IMPORTANT]
> You must be a Global Administrator to consent to the feature activation flow.
If your tenant meets the licensing entitlement for Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5), you can activate Windows Autopatch features by either:
| Method | Description |
| --- | --- |
| Banner method | **Select the banner** and follow the consent prompt on the side page that appears. |
| Intune admin center | Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). In the left pane, select **Tenant Administration** > **Windows Autopatch** > **Activate features**. |
When you activate Windows Autopatch features, Windows Autopatch creates deployment rings. For more information about deployment rings, see [Windows Autopatch deployment rings](../deploy/windows-autopatch-device-registration-overview.md#windows-autopatch-deployment-rings).
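Review bot: Dropping the "## Activate Windows Autopatch features" heading removes the `#activate-windows-autopatch-features` anchor, and the section also held the only statement in this article that a Global Administrator must consent to activation. Before merging, search the docset for links to `windows-autopatch-feature-activation.md` and to that anchor, and update or redirect any that remain, since several passages in the other two files of this commit link there. If activation is no longer a step at all, a one-line note in this article saying so would help readers arriving from older links.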