Windows Autopatch
Microsoft's managed Windows update service — what it does, where it differs from Windows Update for Business, and when to use it.
Windows Autopatch is Microsoft's managed Windows update service for enterprise customers. It takes ownership of patching Windows and Microsoft 365 Apps across the fleet — deploying updates in rings, monitoring for issues, rolling back when needed, and providing reporting suitable for executive consumption.
What Autopatch does
Once a device is enrolled in Autopatch (via Intune, with appropriate Microsoft 365 licensing), Microsoft manages the following update streams for it:
- Windows quality updates — monthly Patch Tuesday cumulative updates.
- Windows feature updates — annual Windows feature releases.
- Driver and firmware updates for supported OEM devices.
- Microsoft 365 Apps updates — the installable Office apps.
- Microsoft Edge updates.
- Teams updates.
For each, Microsoft deploys to your fleet in deployment rings (Test, First, Fast, Broad) with delays between them. Microsoft also watches telemetry across the entire Autopatch customer base, so when an update is causing problems for any customer, it pauses for everyone.
Deployment rings
The four default rings:
- Test (1% of devices) — early validation.
- First (9%) — broader pilot.
- Fast (15%) — internal IT and tech-friendly users.
- Broad (75%) — general population.
Custom rings can be defined for organisations needing more granularity. Users move between rings via Entra ID group membership.
How it differs from Windows Update for Business
Windows Update for Business (WUfB), the underlying Microsoft service, is the policy layer that configures Windows devices to receive updates directly from Microsoft. Autopatch is operational management on top of WUfB:
- Autopatch defines and operates the deployment rings.
- Autopatch monitors success rates and rolls back automatically when needed.
- Autopatch provides reporting suitable for leadership.
- Autopatch coordinates with Microsoft's per-customer telemetry on issues.
- Autopatch handles communication of disruptions to admins.
Without Autopatch, you do all of this yourself in Intune. With Autopatch, Microsoft does it.
Service-level objectives
Microsoft commits to SLOs for Autopatch:
- Devices reach N+1 quality updates within X days.
- Feature updates roll out within published windows.
- Issues caught in earlier rings prevent broader rollout.
These SLOs are measured per tenant and surfaced in the Autopatch dashboard.
Tenant readiness
To use Autopatch, your tenant needs:
- Microsoft 365 E3 / E5 or specific other licensing (check current eligibility).
- Intune managing the devices.
- Entra ID-joined or hybrid-joined Windows 10 / 11 devices on supported editions.
- Connectivity to Microsoft Update endpoints (per the network connectivity principles).
A readiness check tool validates these prerequisites before onboarding.
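As an added illustration, and not Microsoft's readiness tool or any Autopatch code, the PowerShell function below runs the per-device part of the prerequisite list above locally: join state, Intune enrollment, OS edition and outbound reachability of update endpoints. The endpoint list and the edition pattern are assumptions for the example, not an official Autopatch specification.

```powershell
# Added example (not Microsoft's readiness tool): local check of the per-device
# Autopatch prerequisites. Endpoint list and edition regex are assumptions.
function Test-AutopatchReadiness {
    [CmdletBinding()]
    param(
        # Assumed sample of Windows Update endpoints; substitute Microsoft's published list.
        [string[]]$UpdateEndpoints = @('download.windowsupdate.com', 'fe3.delivery.mp.microsoft.com')
    )

    # 1. Join state from dsregcmd: Entra-joined (AzureAdJoined) or hybrid (also DomainJoined).
    $dsreg        = dsregcmd /status
    $entraJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
    $domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')

    # 2. Intune (MDM) enrollment: an Enrollments subkey whose ProviderID is 'MS DM Server'.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue
    $intuneEnrolled = [bool]($enrollments | Where-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server'
    })

    # 3. OS edition: Windows 10/11 on a business edition (assumed: Pro, Enterprise, Education).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $supportedEdition = $os.Caption -match 'Windows 1[01].*(Pro|Enterprise|Education)'

    # 4. Outbound TCP/443 to each update endpoint; a blocking proxy or firewall shows up here.
    $connectivity = foreach ($ep in $UpdateEndpoints) {
        $tnc = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
        [PSCustomObject]@{ Endpoint = $ep; Reachable = $tnc.TcpTestSucceeded }
    }
    $allReachable = -not ($connectivity | Where-Object { -not $_.Reachable })

    # Ready only when every prerequisite holds; individual fields show which one failed.
    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        OS               = $os.Caption
        EntraJoined      = $entraJoined
        HybridJoined     = ($entraJoined -and $domainJoined)
        IntuneEnrolled   = $intuneEnrolled
        SupportedEdition = $supportedEdition
        UpdateEndpoints  = $connectivity
        Ready            = ($entraJoined -and $intuneEnrolled -and $supportedEdition -and $allReachable)
    }
}

Test-AutopatchReadiness | Format-List
```

Licensing eligibility is a tenant-level property and is not something a device-side check can confirm, so this script deliberately reports only the device prerequisites.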
When Autopatch is right
- Large fleets where managing update rings manually is operationally expensive.
- Organisations wanting Microsoft to take operational responsibility for patching health.
- Tenants with limited dedicated client-engineering staff — Autopatch effectively replaces a managed-update operations function.
- Modern cloud-managed devices — Entra-joined, Intune-managed, with reasonable connectivity.
When it's not
- Devices not yet Intune-managed — Autopatch requires Intune.
- Heavy customisation requirements — if you need bespoke patching cadences for specific user populations beyond the standard rings.
- Air-gapped or specialised environments that can't receive updates directly from Microsoft.
For most Microsoft 365 enterprise customers running modern Windows endpoints, Autopatch is increasingly the default. It removes a chunk of the IT operational backlog at no additional cost.