You can complete enrollment, but you must fix these issues before you deploy your first device. | | Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | | Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | > [!NOTE] > The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. ## Microsoft Intune settings You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). ### Unlicensed admins This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. | Result | Meaning | | ----- | ----- | | Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.
For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | ### Update rings for Windows 10 or later Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices. | Result | Meaning | | ----- | ----- | | Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.
After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| | Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.
For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.
| | Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check: