windows-itpro-docs/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md

title, description, ms.date, ms.service, ms.subservice, ms.topic, ms.localizationpriority, author, ms.author, manager, ms.reviewer, ms.collection

title	description	ms.date	ms.service	ms.subservice	ms.topic	ms.localizationpriority	author	ms.author	manager	ms.reviewer	ms.collection
Changes made at tenant enrollment	This reference article details the changes made to your tenant when enrolling into Windows Autopatch	12/13/2023	windows-client	itpro-updates	reference	medium	tiaraquan	tiaraquan	aaroncz	hathind	highpri tier1

Changes made at tenant enrollment

The following configuration details explain the changes made to your tenant when enrolling into the Windows Autopatch service.

Important

The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service.

Windows Autopatch enterprise applications

Enterprise applications are applications (software) that a business uses to do its work.

Windows Autopatch creates an enterprise application in your tenant. This enterprise application is used to run the Windows Autopatch service.

Enterprise application name	Usage	Permissions
Modern Workplace Management	The Modern Workplace Management application: Manages the service Publishes baseline configuration updates Maintains overall service health	DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementManagedDevices.PriviligedOperation.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Directory.Read.All Group.Create Policy.Read.All WindowsUpdates.ReadWrite.All

Microsoft Entra groups

Windows Autopatch will create the required Microsoft Entra groups to operate the service.

The following groups target Windows Autopatch configurations to devices and management of the service by our first party enterprise applications.

Group name	Description
Modern Workplace-All	All Modern Workplace users
Modern Workplace - Windows 11 Pre-Release Test Devices	Device group for Windows 11 Pre-Release testing.
Modern Workplace Devices-All	All Autopatch devices
Modern Workplace Devices-Virtual Machine	All Autopatch virtual devices
Modern Workplace Devices-Windows Autopatch-Test	Deployment ring for testing update deployments prior production rollout
Modern Workplace Devices-Windows Autopatch-First	First production deployment ring for early adopters
Modern Workplace Devices-Windows Autopatch-Fast	Fast deployment ring for quick rollout and adoption
Modern Workplace Devices-Windows Autopatch-Broad	Final deployment ring for broad rollout into the organization
Modern Workplace Roles - Service Administrator	All users granted access to Modern Workplace Service Administrator Role
Modern Workplace Roles - Service Reader	All users granted access to Modern Workplace Service Reader Role
Windows Autopatch Device Registration	Group for automatic device registration for Windows Autopatch

Device configuration policies

• Windows Autopatch - Set MDM to Win Over GPO
• Windows Autopatch - Data Collection

Policy name	Policy description	Properties	Value
Windows Autopatch - Set MDM to Win Over GPO	Sets mobile device management (MDM) to win over GPO Assigned to: Modern Workplace Devices-Windows Autopatch-Test Modern Workplace Devices-Windows Autopatch-First Modern Workplace Devices-Windows Autopatch-Fast Modern Workplace Devices-Windows Autopatch-Broad	MDM Wins Over GP	MDM policy is used GP policy is blocked
Windows Autopatch - Data Collection	Windows Autopatch and Telemetry settings processes diagnostic data from the Windows device. Assigned to: Modern Workplace Devices-Windows Autopatch-Test Modern Workplace Devices-Windows Autopatch-First Modern Workplace Devices-Windows Autopatch-Fast Modern Workplace Devices-Windows Autopatch-Broad	Allow Telemetry Limit Enhanced Diagnostic Data Windows Analytics Limit Dump Collection Limit Diagnostic Log Collection	Full Enabled Enabled Enabled

Deployment rings for Windows 10 and later

• Modern Workplace Update Policy [Test]-[Windows Autopatch]
• Modern Workplace Update Policy [First]-[Windows Autopatch]
• Modern Workplace Update Policy [Fast]-[Windows Autopatch]
• Modern Workplace Update Policy [Broad]-[Windows Autopatch]

Policy name	Policy description	OMA	Value
Modern Workplace Update Policy [Test]-[Windows Autopatch	Windows Update for Business Configuration for the Test Ring Assigned to: Modern Workplace Devices-Windows Autopatch-Test	MicrosoftProductUpdates EnablePrereleasebuilds UpgradetoLatestWin11 QualityUpdatesDeferralPeriodInDays FeatureUpdatesDeferralPeriodInDays FeatureUpdatesRollbackWindowInDays BusinessReadyUpdatesOnly AutomaticUpdateMode InstallTime DeadlineForFeatureUpdatesInDays DeadlineForQualityUpdatesInDays DeadlineGracePeriodInDays PostponeRebootUntilAfterDeadline DriversExcluded RestartChecks SetDisablePauseUXAccess SetUXtoCheckforUpdates	Allow Not Configured No 0 0 30 All WindowsDefault 3 5 0 0 False False Allow Disable Enable
Modern Workplace Update Policy [First]-[Windows Autopatch]	Windows Update for Business Configuration for the First Ring Assigned to: Modern Workplace Devices-Windows Autopatch-First	MicrosoftProductUpdates EnablePrereleasebuilds UpgradetoLatestWin11 QualityUpdatesDeferralPeriodInDays FeatureUpdatesDeferralPeriodInDays FeatureUpdatesRollbackWindowInDays BusinessReadyUpdatesOnly AutomaticUpdateMode InstallTime DeadlineForFeatureUpdatesInDays DeadlineForQualityUpdatesInDays DeadlineGracePeriodInDays PostponeRebootUntilAfterDeadline DriversExcluded RestartChecks SetDisablePauseUXAccess SetUXtoCheckforUpdates	Allow Not Configured No 1 0 30 All WindowsDefault 3 5 2 2 False False Allow Disable Enable
Modern Workplace Update Policy [Fast]-[Windows Autopatch]	Windows Update for Business Configuration for the Fast Ring Assigned to: Modern Workplace Devices-Windows Autopatch-Fast	MicrosoftProductUpdates EnablePrereleasebuilds UpgradetoLatestWin11 QualityUpdatesDeferralPeriodInDays FeatureUpdatesDeferralPeriodInDays FeatureUpdatesRollbackWindowInDays BusinessReadyUpdatesOnly AutomaticUpdateMode InstallTime DeadlineForFeatureUpdatesInDays DeadlineForQualityUpdatesInDays DeadlineGracePeriodInDays PostponeRebootUntilAfterDeadline DriversExcluded RestartChecks SetDisablePauseUXAccess SetUXtoCheckforUpdates	Allow Not Configured No 6 0 30 All WindowsDefault 3 5 2 2 False False Allow Disable Enable
Modern Workplace Update Policy [Broad]-[Windows Autopatch]	Windows Update for Business Configuration for the Broad Ring Assigned to: Modern Workplace Devices-Windows Autopatch-Broad	MicrosoftProductUpdates EnablePrereleasebuilds UpgradetoLatestWin11 QualityUpdatesDeferralPeriodInDays FeatureUpdatesDeferralPeriodInDays FeatureUpdatesRollbackWindowInDays BusinessReadyUpdatesOnly AutomaticUpdateMode InstallTime DeadlineForFeatureUpdatesInDays DeadlineForQualityUpdatesInDays DeadlineGracePeriodInDays PostponeRebootUntilAfterDeadline DriversExcluded RestartChecks SetDisablePauseUXAccess SetUXtoCheckforUpdates	Allow Not Configured No 9 0 30 All WindowsDefault 3 5 5 2 False False Allow Disable Enable

Windows feature update policies

• Windows Autopatch - DSS Policy [Test]
• Windows Autopatch - DSS Policy [First]
• Windows Autopatch - DSS Policy [Fast]
• Windows Autopatch - DSS Policy [Broad]
• Modern Workplace DSS Policy [Windows 11]

Policy name	Policy description	Value
Windows Autopatch - DSS Policy [Test]	DSS policy for Test device group	Assigned to: Modern Workplace Devices-Windows Autopatch-Test Exclude from: Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - DSS Policy [First]	DSS policy for First device group	Assigned to: Modern Workplace Devices-Windows Autopatch-First Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - DSS Policy [Fast]	DSS policy for Fast device group	Assigned to: Modern Workplace Devices-Windows Autopatch-Fast Exclude from: Modern Workplace - Windows 11 Pre-Release Test Devices
Windows Autopatch - Policy [Broad]	DSS policy for Broad device group	Assigned to: Modern Workplace Devices-Windows Autopatch-Broad Exclude from: Modern Workplace - Windows 11 Pre-Release Test Devices
Modern Workplace DSS Policy [Windows 11]	Windows 11 DSS policy	Assigned to: Modern Workplace - Windows 11 Pre-Release Test Devices

Microsoft Office update policies

• Windows Autopatch - Office Configuration
• Windows Autopatch - Office Update Configuration [Test]
• Windows Autopatch - Office Update Configuration [First]
• Windows Autopatch - Office Update Configuration [Fast]
• Windows Autopatch - Office Update Configuration [Broad]

Policy name	Policy description	Properties	Value
Windows Autopatch - Office Configuration	Sets Office Update Channel to the Monthly Enterprise servicing branch. Assigned to: Modern Workplace Devices-Windows Autopatch-Test Modern Workplace Devices-Windows Autopatch-First Modern Workplace Devices-Windows Autopatch-Fast Modern Workplace Devices-Windows Autopatch-Broad	Enable Automatic Updates Hide option to enable or disable updates Update Channel Channel Name (Device) Hide Update Notifications Update Path Location for updates (Device)	Enabled Enabled Enabled Monthly Enterprise Channel Disabled Enabled http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6
Windows Autopatch - Office Update Configuration [Test]	Sets the Office update deadline Assigned to: Modern Workplace Devices-Windows Autopatch-Test	Delay downloading and installing updates for Office Update Deadline	Enabled; Days(Device) == 0 days Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [First]	Sets the Office update deadline Assigned to: Modern Workplace Devices-Windows Autopatch-First	Delay downloading and installing updates for Office Update Deadline	Enabled; Days(Device) == 0 days Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [Fast]	Sets the Office update deadline Assigned to: Modern Workplace Devices-Windows Autopatch-Fast	Delay downloading and installing updates for Office Update Deadline	Enabled; Days(Device) == 3 days Enabled; Update Deadline(Device) == 7 days
Windows Autopatch - Office Update Configuration [Broad]	Sets the Office update deadline Assigned to: Modern Workplace Devices-Windows Autopatch-Broad	Delay downloading and installing updates for Office Update Deadline	Enabled; Days(Device) == 7 days Enabled; Update Deadline(Device) == 7 days

Microsoft Edge update policies

• Windows Autopatch - Edge Update Channel Stable
• Windows Autopatch - Edge Update Channel Beta

Policy name	Policy description	Properties	Value
Windows Autopatch - Edge Update Channel Stable	Deploys updates via the Edge Stable Channel Assigned to: Modern Workplace Devices-Windows Autopatch-First Modern Workplace Devices-Windows Autopatch-Fast Modern Workplace Devices-Windows Autopatch-Broad	Target Channel Override Target Channel (Device)	Enabled Stable
Windows Autopatch - Edge Update Channel Beta	Deploys updates via the Edge Beta Channel Assigned to: Modern Workplace Devices-Windows Autopatch-Test	Target Channel Override Target Channel (Device)	Enabled Beta

PowerShell scripts

Script	Description
Modern Workplace - Autopatch Client Setup v1.1	Installs necessary client components for the Windows Autopatch service