How to set up Windows Autopatch for Microsoft 365 Business Premium

If you want the short version: make sure Intune is already working, create test and pilot groups, enable Autopatch, sync one device, then confirm updates behave normally before wider rollout.

Microsoft Windows Autopatch docs · Prerequisites

What you need before you start

Before setup, confirm the client has:

• Microsoft 365 Business Premium or another supported license
• Microsoft Intune active
• Microsoft Entra ID in use
• at least one test device
• at least one test user

Do not start rollout until the licensing and device management basics are ready.

Setup order

Step 1, make sure device management is ready

Where: Intune admin center

Check:

• devices are enrolled in Intune
• users have the right licenses
• test devices are visible in Intune admin center
• Windows devices are supported and current enough for Autopatch

If these basics are not clean yet, stop here and fix them first.

Step 2, create rollout groups

Where: Intune admin center or Entra admin center

Do this:

• create Autopatch-Test
• create Autopatch-Pilot
• create Autopatch-Production

Start with only the test group.

Keep names simple and obvious.

Step 3, open Windows Autopatch

Where: Intune admin center

Do this:

• open Tenant administration
• open Windows Autopatch
• start the setup flow

If Microsoft shows a readiness or onboarding check, finish that before moving on.

Step 4, confirm admin access

Check that your admin account has:

• Intune admin permissions
• Entra permissions if group work is needed
• rights to manage Windows update policies

If access is limited, setup will get annoying fast.

Step 5, register devices with Autopatch

Do this:

• add only your test group first
• keep the first batch small

Goal:

• confirm policies apply
• confirm updates work cleanly
• confirm users are not disrupted

Step 6, review update policy setup

Check that Autopatch creates or manages:

• update rings
• feature update policies
• driver update settings, if used
• deployment groups

Do not manually fight the same settings in multiple places unless the client has a specific reason.

Step 7, sync a test device

On the test device:

• open Settings
• go to Accounts → Access work or school
• select the connected work account
• click Info
• click Sync

In Intune:

• open the device
• click Sync

Wait for the device to check in.

Step 8, check that Autopatch policies applied

Where: Intune admin center

Check:

• correct group membership
• assigned update policies
• recent check-in
• healthy compliance state

If the device is missing policies, give it a little time and sync again.

Step 9, validate with PowerShell

Run this on a test Windows device:

Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber

Check Windows Update related services:

Get-Service wuauserv, usosvc | Select-Object Name, Status, StartType

If needed, trigger update detection carefully:

UsoClient StartScan

How to know it is working

Before moving past test devices, confirm:

• devices stay compliant
• users still work normally
• updates install without obvious failures
• reboot timing is not causing problems

If the test group looks clean, then move to pilot.

Roll out in phases

Best order:

1. test
2. pilot
3. production

Quick checklist

• licenses confirmed
• Intune enrollment working
• test device ready
• rollout groups created
• Windows Autopatch enabled
• test group added
• device synced
• update policies confirmed
• pilot approved

Common mistakes

• skipping Intune readiness checks
• adding production devices too early
• mixing manual update policies with Autopatch without a plan
• testing on too many devices at once

What to do next

After the pilot is stable, the next useful checks are:

• review user reboot experience
• confirm update compliance reporting
• document the rollout groups clearly
• decide whether driver policies need tuning

Autopatch works best when the rollout is boring, predictable, and gradual.