
Patch backlog is one of the most common security risks in organisations. Windows Autopatch takes over the full patch process for Windows, Microsoft 365 Apps, Edge, and Teams. What does it do, what do you need, and how do you roll it out without disrupting your users?
Every second Tuesday of the month, Microsoft releases dozens of security updates. For IT administrators balancing multiple responsibilities, this creates a recurring dilemma: roll out quickly to close security gaps, or test first to prevent an update from disrupting production systems. Both options take time and capacity that is not always available. The result is patch backlog, one of the most clearly demonstrated causes of successful attacks on business networks.
Windows Autopatch offers a way out. Since 2022, Microsoft has taken over this patch logistics as a cloud service. You decide which devices participate and which priority ring they belong to. Microsoft then handles planning, deployment, monitoring, and rollback when issues arise. For IT teams managing infrastructure alongside other responsibilities, this is a fundamental change of approach.
Windows Autopatch is a managed service that runs on top of Microsoft Intune. You register your devices once with the service and configure deployment rings. After that Microsoft takes over: the service monitors Patch Tuesday releases, assesses urgency, schedules the rollout per ring, and watches the execution. If an update causes issues on devices in an early ring, the rollout to the next ring is automatically held back until the situation has been assessed.
Autopatch is not a tool you run and manage yourself, but a service where Microsoft takes responsibility for the timeliness and reliability of the deployment. Your IT administrator retains visibility via a dashboard in the Intune portal and receives notifications when manual action is needed, but the daily patch cycle runs fully automatically.
The service covers four component groups. First, Windows quality updates — the monthly security and bug-fix patches for Windows 10 and Windows 11. Autopatch ensures these updates are deployed to all registered devices within ten business days after the Patch Tuesday release. Urgent out-of-band patches are processed on an accelerated timeline.
Second, Windows feature updates — the larger version upgrades of the operating system. Autopatch manages the transition to a new Windows version while respecting Microsoft's support calendar, ensuring devices do not silently remain on an unsupported version.
Third, Microsoft 365 Apps — installations of Word, Excel, Outlook, PowerPoint and the rest of the productivity suite. Autopatch keeps these apps current via the monthly channel releases. Fourth, Microsoft Edge and Microsoft Teams, each with their own update channel, which Autopatch keeps in sync with the rest of the environment.
The core of Autopatch is the ring model. The service creates four default deployment rings: Test, First, Fast, and Broad. Test contains a small group of devices, ideally IT staff or testers, who receive the update first. First covers about one percent of remaining devices, Fast another nine percent, and Broad the rest.
Between each ring there is an automatic waiting period. Autopatch analyses whether the update is causing problems before proceeding to the next ring. When a detectable issue appears, such as a rise in device crashes or failed installations, the deployment is paused and your administrator receives a notification. Wait times are adjustable, but the defaults suit most environments well.
You can manually assign devices to rings or accept the automatic distribution. For devices in critical roles, such as shared workstations or the financial director's machine, assigning them to the Broad ring makes sense. They are then always updated last, after the stability of an update has been confirmed across most of the fleet.
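To make the ring model concrete, here is an added PowerShell example, not Microsoft's or Zarioh's code, that models the rules described above on a constructed device list: Test devices go first, roughly 1% of the remainder forms First, 9% forms Fast, the rest plus any devices you mark as critical forms Broad, and a ring's results are checked before the next ring is released. Autopatch performs this assignment and gating itself; the function names, the 5% pause threshold and the sample device names are assumptions chosen for illustration.

```powershell
# Added example (not Microsoft's or Zarioh's code): a model of the Autopatch ring
# logic. Ring percentages follow the defaults described in the text; the pause
# threshold is an assumption for illustration.

function New-RingPlan {
    param(
        [string[]]$Devices,          # all registered devices
        [string[]]$TestDevices,      # IT staff / testers, always in Test
        [string[]]$CriticalDevices   # shared or sensitive machines, always in Broad
    )
    $remaining = @($Devices | Where-Object { $_ -notin $TestDevices -and $_ -notin $CriticalDevices })
    # Autopatch takes about 1% of the remaining devices for First and 9% for Fast.
    $firstCount = [math]::Ceiling($remaining.Count * 0.01)
    $fastCount  = [math]::Ceiling($remaining.Count * 0.09)
    $plan = [ordered]@{
        Test  = @($TestDevices)
        First = @($remaining | Select-Object -First $firstCount)
        Fast  = @($remaining | Select-Object -Skip $firstCount -First $fastCount)
        Broad = @($remaining | Select-Object -Skip ($firstCount + $fastCount)) + @($CriticalDevices)
    }
    # Microsoft recommends at least eight devices per ring so that the issue
    # analysis is statistically meaningful; flag rings that fall short.
    foreach ($ring in $plan.Keys) {
        if ($plan[$ring].Count -lt 8) {
            Write-Warning "Ring '$ring' has only $($plan[$ring].Count) devices (fewer than 8)"
        }
    }
    return $plan
}

function Test-RingGate {
    param(
        [hashtable]$RingResults,                 # device -> 'Success' | 'Failed' | 'Pending'
        [double]$PauseThresholdPercent = 5       # assumed threshold for illustration
    )
    $done = @($RingResults.Values | Where-Object { $_ -ne 'Pending' })
    if ($done.Count -eq 0) { return 'Wait' }
    $failed = @($done | Where-Object { $_ -eq 'Failed' }).Count
    $rate = 100.0 * $failed / $done.Count
    # A rise in failed installations holds back the next ring until reviewed.
    if ($rate -gt $PauseThresholdPercent) { return "Pause ($([math]::Round($rate, 1))% failed)" }
    if ($done.Count -lt $RingResults.Count) { return 'Wait' }
    return 'Proceed'
}

# Constructed sample fleet: 120 devices, 10 testers, 3 critical machines.
$all  = 1..120 | ForEach-Object { 'PC-{0:d3}' -f $_ }
$test = $all[0..9]
$crit = 'PC-100', 'PC-101', 'PC-102'
$plan = New-RingPlan -Devices $all -TestDevices $test -CriticalDevices $crit
$plan.Keys | ForEach-Object { '{0,-6} {1,3} devices' -f $_, $plan[$_].Count }

# Constructed Test-ring results: 8 succeeded, 1 failed, 1 still pending.
$results = @{}
$test[0..7] | ForEach-Object { $results[$_] = 'Success' }
$results[$test[8]] = 'Failed'
$results[$test[9]] = 'Pending'
Test-RingGate -RingResults $results
```

With the constructed fleet the First ring ends up with only two devices, which triggers the warning that mirrors the "at least eight devices per ring" guidance; in small environments that is the expected outcome and the reason automatic problem detection is less reliable there. The gate check returns a pause because one failure among nine completed installations exceeds the assumed threshold.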
Autopatch requires one of the following licences: Windows 10/11 Enterprise E3, E5, or F3, or Microsoft 365 Business Premium. For organisations already using Intune via Business Premium, the licence threshold is therefore low. Organisations on a pure Business Basic or Business Standard licence are not eligible and need an upgrade.
On the device side, three requirements apply. Devices must be Intune-managed. They must be Entra ID joined or hybrid Entra ID joined. And they must run Windows 10 version 1809 or later, or Windows 11. Machines running an older Windows version must be upgraded before they can be registered.
Microsoft recommends at least eight devices per ring to make the statistical analysis of update issues meaningful. Smaller environments with fewer than ten devices can still enable Autopatch, but automatic problem detection is less accurate than in larger fleets.
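The three device requirements can be checked on a machine before you register it. The following is an added PowerShell example, not Microsoft's or Zarioh's code: it reads the OS build (Windows 10 1809 is build 17763), parses the join state from dsregcmd, and looks for an MDM enrolment record. The registry path and the 'MS DM Server' provider value used to recognise an Intune enrolment are assumptions based on how MDM enrolments are recorded locally; verify them against a device you know is Intune-managed.

```powershell
# Added example (not Microsoft's or Zarioh's code): pre-check of the three
# Autopatch device requirements on the local machine. The Enrollments registry
# path and the 'MS DM Server' ProviderID are assumptions; see lead-in.

function Test-AutopatchDeviceReadiness {
    [CmdletBinding()]
    param()

    # 1. OS version: Windows 10 version 1809 is build 17763; every later
    #    Windows 10 build and every Windows 11 build also qualifies.
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $build  = [int]$os.BuildNumber
    $osOk   = $build -ge 17763

    # 2. Join state: dsregcmd prints 'AzureAdJoined : YES' for Entra ID joined
    #    devices; if 'DomainJoined : YES' is also present the device is hybrid joined.
    $dsreg        = dsregcmd /status
    $entraJoined  = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $joinState    = if ($entraJoined -and $domainJoined) { 'HybridEntraJoined' }
                    elseif ($entraJoined)               { 'EntraJoined' }
                    else                                { 'NotEntraJoined' }
    $joinOk = $entraJoined

    # 3. Intune management: MDM enrolments are recorded as subkeys under
    #    HKLM:\SOFTWARE\Microsoft\Enrollments; Intune's provider is assumed to
    #    identify itself with ProviderID 'MS DM Server'.
    $enrolments = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }
    $intuneOk = [bool]($enrolments | Where-Object { $_.ProviderID -eq 'MS DM Server' })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsBuild        = $build
        OsVersionOk    = $osOk
        JoinState      = $joinState
        JoinOk         = $joinOk
        IntuneManaged  = $intuneOk
        AutopatchReady = ($osOk -and $joinOk -and $intuneOk)
    }
}

Test-AutopatchDeviceReadiness | Format-List
```

A device that reports AutopatchReady as False tells you which of the three conditions is missing, which is the same information the readiness check in the Intune portal surfaces per device, but available before you touch the tenant and usable across a fleet with your usual remote execution tooling.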
Activation of Autopatch runs through the Intune portal. First, navigate to Windows Autopatch under the Windows Updates section and run through the readiness check. This verifies that your tenant meets the licence and device requirements and shows exactly which devices qualify and which do not.
Second, register devices with the service. This can be done via an Entra ID device group or manually per machine. Autopatch then automatically creates the four deployment rings and distributes devices. Third, set up notification contacts: who receives alerts when a deployment is paused or when manual action is needed?
Fourth, review the reports in the Autopatch portal. The dashboard shows per device and per ring the update status, any errors, and deployment timeliness. This dashboard largely replaces the manual review of WSUS reports or update overviews previously required, providing a single view of your environment's patch health.
It is important to define the scope clearly. Autopatch only manages the four component groups described. Third-party applications such as Adobe Acrobat, Google Chrome, Java, or line-of-business software fall outside scope. For those you remain dependent on Intune scripts, a dedicated patch management tool, or Windows' built-in winget integration.
Autopatch also does not manage servers. Windows Server updates fall under Windows Server Update Services, Microsoft Update, or a separate Intune policy. For macOS devices and mobile devices, a different management path applies. In a mixed environment, a supplementary patch strategy remains necessary for non-Windows devices.
What Autopatch does change is the structural workload for Windows and Microsoft 365. The combination of Intune management and Autopatch makes it achievable for a small IT team to maintain a patch cycle comparable to what larger organisations reach with a dedicated patch team. Want to activate Autopatch within your Microsoft 365 environment or get advice on your Intune setup? Contact Zarioh for a no-obligation conversation about what fits your situation.