How to Monitor and Troubleshoot Windows Autopatch Issues


Overview

Windows Autopatch is a cloud-based service built into Microsoft Intune that automates update deployment for Windows, Microsoft 365 Apps, Edge, and Teams. It streamlines patch management through phased deployment rings and centralized monitoring.

Even with automation, proactive monitoring and troubleshooting remain essential. Intune equips admins with dashboards, alerts, diagnostic tools, and Graph API/Copilot capabilities to detect issues early and resolve them swiftly. In this post, you’ll find detailed, actionable guidance to monitor your Autopatch environment effectively and fix common pitfalls.

Check Windows Autopatch Device Readiness Status

Windows Autopatch device readiness refers to ensuring that your organization’s devices meet all the requirements to be successfully managed and updated by the Windows Autopatch service.

The Windows Autopatch Devices Readiness report is accessible from the Device / Monitoring / Autopatch Groups Membership. This report provides the status of Windows Autopatch device readiness. You can determine whether a device is Ready, Not Ready, or Not registered with the Autopatch service.

Autopatch Group Membership

Device with Registered > Ready status

In a Windows Autopatch readiness report, the “Ready” status indicates that a device meets all requirements to be fully managed by the Autopatch service. This means the device has passed both prerequisite checks (before registration) and post-registration readiness checks, ensuring it can receive and report software updates without issues. The report also includes the name of the Deployment ring, which you can use to see which ring the device is a member of.

Device with Registered > Not ready status

Devices that are not ready may have configuration mismatches, missing updates, or other issues that prevent them from being fully managed by Autopatch. IT admins can use the readiness report to detect and fix these problems.

The possible issues are listed below. I have added screenshots for the issues that I encountered during Autopatch testing.

  • The device has not synchronized with Intune for the past 28 days:

  • Conflicting Windows Update for Business settings:

Conflicting Windows Update for Business settings may prevent devices from being registered with the Autopatch service. You need to ensure these settings are configured through GPO or Microsoft Intune.

Alternatively, you can also use Windows Autopatch – Auto remediation script to fix the conflicts. The script can be deployed as an Intune remediation script.

You may see the following errors in case of a conflict:

Error description: Windows Autopatch has identified a configuration that will prevent the device from receiving Windows updates, drivers, and firmware.

Registry keys: Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Error description: Windows Autopatch has identified a configuration that will prevent the device from receiving Windows updates, drivers, and firmware.

Registry keys: Software\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
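A detection script for the two conflicting policy values named above, in the form an Intune remediation expects (exit code 1 when an issue is found, 0 otherwise). This is an added example, not the Windows Autopatch – Auto remediation script itself; the AU value is written under its Windows policy name NoAutoUpdate, the UseWUServer check goes beyond the two keys listed, and treating a value of 1 as the blocking state is an assumption.

```powershell
# Added example: detect Windows Update policy values that conflict with Autopatch.
# Intune Remediations convention: exit 1 = issue found, exit 0 = compliant.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Policy values to inspect. Assumption: a value of 1 is the blocking state.
$checks = @(
    @{ Path = "$wuKey\AU"; Name = 'NoAutoUpdate' },
    @{ Path = $wuKey;      Name = 'DoNotConnectToWindowsUpdateInternetLocations' },
    # Beyond the two keys on the page: a WSUS redirect means the device
    # scans an alternative endpoint instead of the Windows Update service.
    @{ Path = "$wuKey\AU"; Name = 'UseWUServer' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Collect one "path\name=value" string per conflicting value.
$findings = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -ne $value -and $value -eq 1) {
        '{0}\{1}={2}' -f $c.Path, $c.Name, $value
    }
}

if ($findings) {
    # Report what was found and signal non-compliance to Intune.
    Write-Output ('Conflict: ' + ($findings -join '; '))
    exit 1
}

Write-Output 'No conflicting Windows Update policy values found'
exit 0
```

The script only reads the registry; where the values come from a GPO, the change has to be made in the GPO or it will return at the next policy refresh.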

Device with Not registered status

The Not Registered tab displays details of devices that haven’t met the prerequisites for Windows Autopatch registration.

Autopatch - Device not registered

The prerequisites include the following checks:

  • Intune or Cloud-Attached
  • Microsoft Entra stale device
  • Windows OS version
  • ConfigMgr Co-management workloads
  • Microsoft Entra ID join type
  • Disabled Microsoft Entra device
  • Empty Device Serial Number
  • Empty Device Manufacturer
  • Empty Device Model
  • Duplicated Serial Number
  • Last Intune device Check-in

Now, take a look at the following prerequisite issues that I encountered during Windows Autopatch implementation. I have added screenshots for your reference.

Check: ConfigMgr Co-management workloads

More info: Workloads must be swung over to pilot Intune or Intune.

The screenshot below shows that the device is a Co-managed device. However, the Windows update workload has not been swung over to Intune.

Ensure you have added the device to the appropriate collection in Configuration Manager to switch the workload to Intune. The device must be connected to the corporate network (office, VPN, or CMG) to allow the latest Configuration Manager policy downloads.

Workloads must be swung over to pilot Intune or Intune.

Check: Windows OS version

More Info: Either Windows OS version or Edition is not supported

The screenshot below shows that the device doesn’t meet Windows OS version prerequisites. Please check Windows Autopatch Prerequisites to know about supported OS versions.

Autopatch: Either Windows OS version or Edition is not supported

Check: Microsoft Entra stale device

More Info: A stale device is a device that has been registered with Microsoft Entra ID but hasn’t been used to access any cloud apps in the last 28 days. Stale devices don’t have an Intune object associated with them anymore.

Here is another example, where the device failed multiple prerequisite checks. The workload has not been swung to Intune. However, the device has also not reported to Intune or Entra ID for more than 28 days. Hence, it may be a stale record, or the user may be on a long vacation.

If you’re seeing a large number of stale devices in Entra ID, it may indicate that a proper device decommissioning process is missing in the environment.

Microsoft Entra stale device

You can check the Detailed prerequisite check workflow diagram at Microsoft Learn for more details about Autopatch device registration prerequisites.
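To pre-screen devices against the inventory-related prerequisite checks listed above (empty or duplicated serial number, empty manufacturer or model, disabled device, 28-day staleness), the following added example evaluates an exported device list. It is not Microsoft's or the author's code; the column names, the `Test-AutopatchPrerequisite` function and the sample rows are constructed for illustration.

```powershell
# Added example: flag inventory records that would fail Autopatch prerequisite checks.
$staleDays = 28   # threshold from the stale-device check described above

# Constructed sample export; column names are hypothetical.
$inventory = @'
DeviceName,SerialNumber,Manufacturer,Model,AccountEnabled,LastActivity
PC-001,5CD1234ABC,HP,EliteBook 840,True,2025-06-28
PC-002,,Dell,Latitude 5440,True,2025-06-30
PC-003,5CD1234ABC,HP,EliteBook 840,True,2025-06-29
PC-004,PF3XYZ99,Lenovo,,False,2025-04-02
'@ | ConvertFrom-Csv

function Test-AutopatchPrerequisite {
    param(
        [Parameter(Mandatory)] [object[]]$Device,
        [datetime]$AsOf = (Get-Date)
    )
    # Serial numbers that appear on more than one record.
    $dupes = $Device | Where-Object { $_.SerialNumber } |
        Group-Object SerialNumber | Where-Object { $_.Count -gt 1 } |
        Select-Object -ExpandProperty Name

    foreach ($d in $Device) {
        $failed = @()
        if (-not $d.SerialNumber) { $failed += 'Empty Device Serial Number' }
        if (-not $d.Manufacturer) { $failed += 'Empty Device Manufacturer' }
        if (-not $d.Model)        { $failed += 'Empty Device Model' }
        if ($d.SerialNumber -and $dupes -contains $d.SerialNumber) {
            $failed += 'Duplicated Serial Number'
        }
        if ($d.AccountEnabled -ne 'True') { $failed += 'Disabled Microsoft Entra device' }
        $last = [datetime]::ParseExact($d.LastActivity, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture)
        if (($AsOf - $last).TotalDays -gt $staleDays) {
            $failed += 'Microsoft Entra stale device'
        }
        [pscustomobject]@{
            DeviceName   = $d.DeviceName
            Ready        = ($failed.Count -eq 0)
            FailedChecks = $failed -join '; '
        }
    }
}

# Fixed reference date so the constructed sample gives the same result on every run.
Test-AutopatchPrerequisite -Device $inventory -AsOf ([datetime]'2025-07-01') |
    Format-Table -AutoSize
```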

Check Policy Conflicts and Errors

The Deployment status report, accessible via Devices → Windows Update → Monitor, lets you monitor policy conflicts and errors across every Windows Autopatch update ring (e.g., Test, First, Fast, Broad, Last). It presents a device-by-device breakdown showing the assigned deployment ring, update state (such as Succeeded, Error, In Progress, Conflict), and whether the update has been paused. Clicking on a specific ring or policy name drills down into detailed logs, highlighting the root causes of conflicts or failures, such as WSUS/GPO interference, missing prerequisites, or diagnostic errors. Optional columns like hex error codes, client/service state, and last Intune check-in time provide added context for in-depth troubleshooting. This centralized view simplifies identifying problem devices, analyzing failure reasons, and prioritizing remediation.

Software Updates Reports

The Microsoft Intune admin center features a robust suite of Windows update reports, accessible under Devices → Windows updates. These reports provide both high-level overviews and granular device-level insights into update deployment:

Compatibility & Readiness Insights – The Feature Update Device Readiness report provides risk assessments for each device, highlighting possible compatibility barriers from apps, drivers, or system configurations.

Update Rings Report – Displays deployment results (Succeeded, Error, Conflict, Not Applicable, In Progress) for each update ring policy, showing device counts and status percentages in intuitive charts.

Device-Level Reporting – Drilling into a specific ring reveals detailed data per device, including check-in timestamps, user, individual setting statuses, and full policy assignment results.

Feature Updates Reporting – Enables compliance tracking and failure troubleshooting for feature updates, with dedicated “Organizational” and “Operational” views and alert-level detail.

Driver & Expedited Update Reports – Specialized reports surface driver update failures and expedited quality update issues, allowing targeted triage.

Common Issues and Fixes

Issue: Autopatch Readiness – Not Ready

Possible cause and fixes: Conflicting Windows Update for Business settings may cause this issue. Please refer to the Device with Registered > Not ready status section for troubleshooting steps.

Issue: Autopatch Readiness – Not Registered

Possible cause and fixes: The device has not been registered with the Autopatch service yet. Please review the prerequisites and take action accordingly. Please refer to the Device with Not registered status section for more details.

Issue: Update – Need attention – Download issue

Possible cause and fixes:

  • Network connectivity problems: Devices may be offline, have unstable internet, or be blocked by firewall/WSUS settings, preventing Windows Update from fetching files.
  • Disk space issue: Insufficient disk space on the device.
  • Policy conflicts: Local or group-based policies, like legacy WSUS or GPO settings, can conflict with Intune, stopping downloads. Review Intune and group policy results using GPresult or RSOP to identify problematic policy configuration. You can also use Windows Autopatch – Auto remediation script to fix the conflicts.

Windows Autopatch Troubleshooting Tips

When issues arise, here are common scenarios and troubleshooting tips:

  • Check Autopatch Device readiness: Check the Windows Autopatch Devices report from Devices/Monitor/Windows Autopatch Devices to confirm that the device is registered to the Windows Autopatch service. Check the Autopatch readiness columns to confirm that the device is in the Ready state.
  • Check Pause Status: Ensure updates for the relevant category aren’t paused (e.g., Pause feature updates, Pause quality updates).
  • Deployment State: Verify that the deployment the device is assigned to has an “offering” state, not “paused” or “scheduled.”
  • Scanning for Updates: Confirm the device is scanning the Windows Update service and not an alternative endpoint (like WSUS).
  • Safeguard Holds (Feature Updates): A device might have a safeguard hold applied for a specific feature update version.
  • Update Health Tools: For expedited quality updates, ensure the “Microsoft Update Health Tools” are installed (typically at C:\Program Files\Microsoft Update Health Tools).
  • Enrollment Errors: Check for Microsoft Entra device registration errors that might prevent feature update management enrollment.
  • Feature Update Enrollment: If a device isn’t properly enrolled in feature update management, it might receive different updates based on its deferral period.
  • Understanding Delays/Multiple Updates: It’s normal for a device to briefly show a newer update being offered while an older one is in progress. Windows Update will attempt to cancel the older installation and restart with the newer one.
  • Licenses: Ensure all required licenses (Intune, Microsoft Entra ID P1/P2, Windows/Microsoft 365) are active. Expired licenses can mark your tenant as inactive.
  • Network Connectivity: Confirm devices have consistent internet access to Microsoft service endpoints.
  • Co-management Conflicts: If using co-management, ensure the Windows Update, Device configuration, and Office Click-to-Run apps workloads are set to Pilot Intune or Intune.

By embracing Windows Autopatch, organizations can achieve a more secure, efficient, and hands-off approach to managing their Windows and Microsoft 365 updates. It’s a powerful step towards modernizing your IT operations and ensuring your workforce always has access to the latest, most secure tools.

