Patching used to be a calendar problem. You picked a Patch Tuesday, hand-built deployment rings, babysat WSUS or Configuration Manager collections, and hoped nothing broke on the way out. Windows Autopatch takes that orchestration off your plate and hands it to a Microsoft-run cloud service. But "Microsoft manages it" is exactly the kind of sentence that should make you ask: so what is it actually doing — in their cloud, and on my devices? This is the full tour — what Autopatch is, where it came from, what happens on the service back end, and the precise registry keys, agents, scheduled tasks, services and event entries it leaves on a device. Every device-side detail below was pulled, read-only, from a genuinely Autopatch-managed Windows 11 Enterprise machine.
What Windows Autopatch actually is
Windows Autopatch is a cloud update service from Microsoft that automatically keeps Windows quality and feature updates, Microsoft 365 Apps, Microsoft Edge, Microsoft Teams, and (optionally) drivers and firmware up to date on your managed devices. You don't build the rollout — the service does. It releases updates through a sequence of deployment rings, watches reliability and compatibility signals as it goes, and pauses or rolls back automatically when something looks wrong.
It is not a new engine bolted onto Windows. Under the hood it sits on top of the Windows Update for Business Deployment Service (WUfB-DS) — the same cloud service that targets and schedules updates — and it is driven entirely through Microsoft Intune. So Autopatch is best understood as a management layer: Microsoft's opinionated, automated way of operating Windows Update for Business for you, with ring logic, health monitoring and reporting built in.
Why teams turn it on
- No more hand-built rings. The service calculates ring membership and walks updates through them automatically.
- Safety rails. It halts or rolls back a rollout when reliability/compatibility signals degrade — you're not the one watching a dashboard at 2am.
- One pane of glass. Everything reports back through Intune — compliance, device health, update status.
- Broader than Windows. The same service manages Microsoft 365 Apps, Edge, Teams and driver/firmware updates, not just the OS.
The back end — what happens in Microsoft's cloud
This is the half nobody shows you, because it doesn't live on the device. When you "use Autopatch", almost all of the brains sit in Microsoft's cloud as a set of services that talk to Intune over the Microsoft Graph:
| Cloud component | What it does |
|---|---|
| WUfB Deployment Service | The engine. Registers the device with Microsoft Update, decides which update train it is offered and when, and applies pause/rollback. Autopatch drives it via Graph. |
| Device registration service | A microservice that discovers devices in your scoped Entra group (a routine runs roughly hourly), validates prerequisites, and calculates ring membership. |
| Autopatch group service | Maps your Autopatch groups → Entra device groups → WUfB policies, so a device's ring is really just policy assignment under the hood. |
| Device action feed | A per-device, signed (SAS) JSON endpoint the on-device Client Broker polls to receive targeted actions and readiness configuration (more on this below). |
The flow, end to end, looks like this:
2 The discovery routine finds it by Entra Device ID and queries Intune + Entra attributes.
3 Prerequisite checks — Intune-managed? right join type? co-management workloads correct?
4 The service calculates a deployment ring and assigns the device.
5 WUfB policy is applied; the Client Broker runs post-registration actions on the device.
6 Device is marked Active. No reboot, no reset — fully transparent to the user.
The deployment ring model
Autopatch doesn't ship an update to everyone at once. Each Autopatch group has a Test and Last ring that can't be removed, plus service-managed rings in between. New devices are distributed by percentage, and the split depends on tenant size:
| Ring | Tenant ≤ 200 devices | Tenant > 200 devices |
|---|---|---|
| Test | Manually populated — your canary devices (this is the ring the sample device below is in) | |
| First | 5% | 1% |
| Fast | 15% | 9% |
| Broad | 80% | 90% |
| Last | Final ring — your most sensitive devices, updated last | |
What changes on the device — the real evidence
Here is where it stops being theory. Everything below is real output from a live, Autopatch-managed device. Identifiers (device ID, tenant, the update client GUID, the SAS signature) are redacted — but the keys, paths and structure are exactly what's there.
1. The Autopatch registry hive
Registration creates HKLM\SOFTWARE\Microsoft\WindowsAutopatch. The substance is in the ClientBroker subkey — the device's deployment ring, the signed action-feed URL it polls, the broker version, and a cached readiness verdict:
Ring Test
ProductInfo\Version 1.2509.201.3
ActionsFeedUriExpiresAt 1782926093 # = 2026-07-01 17:14 UTCRing is the headline — the device tells you, locally, exactly which Autopatch ring it's in. Here it's Test; no portal needed.
The action feed. The broker also stores ActionsFeedUri — a per-device, SAS-signed URL it polls for instructions from the service. Stripped of the redacted token, it decodes into four simple parts:
| URL part | Meaning |
|---|---|
device.autopatch.microsoft.com | The Autopatch device service endpoint |
/na03s02/ | Azure scale unit — the region serving this tenant |
/deviceactionfeed/<tenant>/<device>/actionfeed.json | The per-device action feed the broker reads |
?skoid…&sktid…&se…&sig… | A SAS token — scoped, read-only, time-limited (se = expiry, matches ActionsFeedUriExpiresAt) |
Device readiness. DeviceReadiness is the broker's cached verdict on whether this machine is ready for each update train. The raw value is JSON arrays of result codes — what actually matters is which trains are being gated:
| Readiness config | What it gates |
|---|---|
AP | Autopatch policy / baseline readiness |
Appraiser | OS upgrade compatibility — the Windows appraiser |
CO21H2 | Feature-update family — 21H2 ("Cobalt") |
NI22H2 / NI23H2 | Feature-update families — 22H2 / 23H2 ("Nickel") |
CBSCorruption | Component store (CBS) health |
M365 | Microsoft 365 Apps update readiness |
Edge | Microsoft Edge update readiness |
2. The Windows Update identity keys (older than you'd think)
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate sit values that predate Autopatch by a decade — inherited straight from the WSUS era and reused:
SusClientId REG_SZ <guid-redacted> # unique device id for updates
SusClientIdValidation REG_BINARY 06 02 28 00 ... # hash validating the id
UpdateDesiredVisibility REG_DWORD 0 # 0 = cloud-registered, NOT WSUS-reportedSusClientId is how the device is uniquely identified to the update service — the same key WSUS used. UpdateDesiredVisibility = 0 is the tell that this device is treated as a cloud-registered client (WUfB-DS / Autopatch) rather than a WSUS-reporting one. The fact that Autopatch leans on these keys is a good reminder that it's an evolution of Windows Update, not a rewrite.
3. Windows Update for Business targeting
The ring policy Autopatch applies shows up as ordinary WUfB policy under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate — here pinning the device to a specific release:
TargetReleaseVersion REG_DWORD 1
TargetReleaseVersionInfo REG_SZ 24H2And the broader Windows Update orchestration lives in subkeys under HKLM\SOFTWARE\Microsoft\WindowsUpdate — Orchestrator, UpdatePolicy, UX, UUS, UpdateHandlers — the plumbing the Update Orchestrator Service drives.
4. The agents, the broker tasks, and the services
Two agents get installed: the Windows Autopatch Client Broker (readiness checks + automated support-log collection) and Microsoft Update Health Tools (the health/remediation component the deployment service relies on). The broker runs on a schedule under its own task folder, and the standard update services do the heavy lifting:
# Installed agents (Add/Remove Programs)
Windows Autopatch Client Broker 1.2509.201.3
Microsoft Update Health Tools 5.72.0.0
# \Microsoft\ClientBroker\ scheduled tasks (poll the action feed + sync readiness)
Autopatch Client Broker Poll Ready last=29/06/2026 18:16 result=0x0
Autopatch Client Broker Sync Ready last=28/06/2026 18:14 result=0x0
# Services doing the work
Update Orchestrator Service (UsoSvc) Running
Windows Update (wuauserv) Running
Delivery Optimization (DoSvc) Running
Microsoft Intune Management Extension RunningPoll reaches out to the device action feed (that signed URL) for any actions the service wants run; Sync reports readiness/state back. A result=0x0 means the last run succeeded — the first thing to check if a device looks stuck.5. Where the activity is logged
Day-to-day update activity lands in the Windows Update client operational log — scans, finds and downloads. This is where you confirm the device is actually checking in and pulling updates:
2026-06-30 08:36 [26] Windows Update successfully found 0 updates.
2026-06-29 14:41 [26] Windows Update successfully found 41 updates.
2026-06-29 06:39 [41] An update was downloaded.Event 26 = a scan completed; event 41 = an update was downloaded. For the Client Broker's own activity and deeper troubleshooting, the Intune Management Extension logs at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ are the next place to look.
See it on your own device
Rather than click through five registry paths and two log channels by hand, I wrapped all of it into a single read-only script — Get-AutopatchStatus.ps1. It reads the registry, scheduled tasks, services and event logs, and prints one clean readout. It changes nothing.
Here's its output on the device above (run elevated so it can read the Windows Update event log; identifiers redacted):
============== WINDOWS AUTOPATCH STATUS ==============
Computer : <redacted> Date : 2026-06-30 09:16
[ Registration ]
Autopatch registered : YES (WindowsAutopatch key present)
Deployment ring : Test
Client Broker version: 1.2509.201.3
Action feed expires : 01/07/2026 17:14:53 UTC
[ Device readiness checks reported ]
AP, Appraiser, NI22H2, CO21H2, NI23H2, CBSCorruption, M365, Edge
[ Windows Update for Business ]
Target release : 24H2
SusClientId : <guid-redacted>
UpdateDesiredVisibility: 0 (0 = cloud-registered, not WSUS-reported)
[ Agents ]
Windows Autopatch Client Broker 1.2509.201.3
Microsoft Update Health Tools 5.72.0.0
[ Client Broker scheduled tasks ]
Autopatch Client Broker Poll Ready last=29/06/2026 18:16:38 result=0x0
Autopatch Client Broker Sync Ready last=28/06/2026 18:14:37 result=0x0
[ Update services ]
Delivery Optimization Running
Microsoft Intune Management Extension Running
Update Orchestrator Service Running
Windows Update Running
[ Recent Windows Update scans (WindowsUpdateClient/Operational) ]
2026-06-30 08:36 [26] Windows Update successfully found 0 updates.
2026-06-29 14:41 [26] Windows Update successfully found 41 updates.
2026-06-29 06:39 [41] An update was downloaded.
[ Autopatch eligibility (join state) ]
AzureAdJoined : YES
DomainJoined : YES
Edition : Microsoft Windows 11 Enterprise
=======================================================What each section is telling you:
| Section | What you're reading |
|---|---|
| Registration | Is the device registered, which ring it's in, the broker version, and when its action-feed token expires (a stale expiry = the broker hasn't checked in). |
| Device readiness | Which update trains the service is evaluating this device against (feature-update families, M365, Edge, component-store health). |
| WUfB | The pinned target release and the cloud-registration markers — proof it's WUfB-DS, not WSUS. |
| Agents / tasks / services | The Client Broker + Update Health Tools versions, the broker poll/sync results (0x0 = healthy), and the running update services. |
| Eligibility | Join state and edition — a fast sanity check that the device even qualifies for Autopatch. |
Which devices Autopatch works on
| Requirement | Detail |
|---|---|
| Join type | Microsoft Entra joined or Entra hybrid joined. On-prem-only domain joined is not supported. |
| Management | Intune-managed, or co-managed with the Windows Update / Device config / Office workloads on Intune (or Pilot Intune). |
| Ownership | Corporate-owned. Personal/BYOD devices are blocked at registration. |
| Editions | Windows 10/11 Pro, Enterprise, Education, Pro Education, Pro for Workstations — General Availability channel. (LTSC: quality updates only.) |
| Activity | Checked in with Intune within the last 28 days, and internet-connected. |
| Diagnostics | Diagnostic data at the Required level (minimum) so the service can tailor deployment protections. |
| Licensing | Windows Ent E3/E5 (incl. M365 F3/E3/E5), Business Premium, or Education A3/A5 — plus Entra ID P1/P2 and Intune. |
The 2026 change to have on your radar
The short version
Windows Autopatch is a Microsoft-run service that registers your device with the Windows Update for Business Deployment Service, drops it in a ring, points Windows Update at the right release, and keeps a small, very legible footprint on the device: the WindowsAutopatch hive (with the ring and the signed action feed), two agents, two broker tasks, the reused WSUS-era identity keys, and the same Windows Update plumbing that's been there for years. The brains are in the cloud; the evidence is in the registry. Now you can read both.
References & further reading
Microsoft Learn / official
- What is Windows Autopatch?
- Windows Autopatch — Prerequisites
- Register devices with Windows Autopatch groups
- Windows Autopatch groups overview
- Windows Autopatch Client Broker
- Windows Autopatch — FAQ
- Windows Autopatch product page
Community & further deep-dives