New Feature: Role-based access controls for Windows Autopatch
Windows Autopatch introduces role-based access controls for update management, available from May 27, 2025. New roles include Windows Autopatch Administrator and Reader. Custom roles and Intune scope tags are supported. Review and update permissions for users in deprecated Modern Workplace Roles. For assistance, visit the Microsoft Intune admin center.

Windows Autopatch will now provide role-based access controls for key update management features, which were previously limited to Intune Service administrators. Administrators can assign specific roles and permissions so that only authorized personnel can perform update management actions and read reports. You will be able to grant individuals only the access rights they need, so update management requires far fewer privileges and the need for Intune Service administrator privileges is minimized.
When will this happen:
General Availability will take place starting May 27, 2025, Pacific Standard Time, and the change will be completed in 4 weeks.
How will this affect your organization:
This release includes the following:
Built-in roles
- Windows Autopatch Administrator: This includes full permissions necessary for Autopatch Groups, Autopatch reports and Messages.
- Windows Autopatch Reader: This includes read permissions necessary for Autopatch Groups, Autopatch reports and Messages but does not permit any changes.
IT admins have been using the Intune role Policy and Profile Manager, or an Intune custom role with equivalent permissions that include Device configuration permissions, for managing Intune policies. To fully access advanced update management features such as Autopatch Groups, a user must be assigned to both Policy and Profile Manager and Windows Autopatch Administrator.
The roles will be available at Microsoft Intune admin center -> Tenant Administration -> Roles -> All roles.
Custom roles – you can create a custom Autopatch role and include just the permissions required for update-related activities. You can access this from Microsoft Intune admin center -> Tenant Administration -> Roles -> All roles -> Create -> Windows Autopatch role.
You will be able to assign Intune scope tags to Autopatch Groups and filter Autopatch reports based on scope tags.
Windows Autopatch reports – You will be able to access the Windows Autopatch reports with the above built-in roles, or grant permissions to custom roles. Learn more about which current roles can access reports at “Who can access Windows Autopatch reports”.
In addition to Global administrator and Intune Service administrator, the following Microsoft Entra roles will have access to various Autopatch features.
- Service Support Administrator
- Security Admin
- Security Reader
- Billing Administrator
- Helpdesk Administrator
We will also remove the “Modern Workplace Roles – Service Administrator” and “Modern Workplace Roles – Service Reader” Microsoft Entra groups, which Autopatch no longer uses, if they are present in your tenant. Autopatch will not migrate the group membership to any of the above roles at release.
What you need to do to prepare:
Review your environment for users in “Modern Workplace Roles – Service Administrator” or “Modern Workplace Roles – Service Reader”. Configure their permission to view Autopatch reports using the roles included in “Who can access Windows Autopatch reports”, to prevent loss of access.
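One way to carry out this review, as an added example that is not part of the original message or Microsoft's own tooling: a PowerShell script that lists the direct members of the two deprecated groups so each one can be mapped to a new role before the groups are removed. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the scopes shown; the prefix match on the display name and the CSV file name are assumptions made for this example.

```powershell
# Added example: inventory members of the deprecated Modern Workplace Roles groups.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) is installed.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All'

# Assumption: match on the name prefix, then on the suffix, so the result does not
# depend on which dash character separates the two parts of the display name.
$groups = Get-MgGroup -Filter "startswith(displayName,'Modern Workplace Roles')" -All |
    Where-Object { $_.DisplayName -match 'Service (Administrator|Reader)$' }

if (-not $groups) {
    Write-Output 'Neither deprecated group is present in this tenant.'
    return
}

$report = foreach ($g in $groups) {
    # Returns direct members only; a nested group shows up as one row of type "group".
    $members = Get-MgGroupMember -GroupId $g.Id -All

    if (-not $members) {
        [pscustomobject]@{
            Group = $g.DisplayName; MemberType = '(no members)'
            DisplayName = $null; UserPrincipalName = $null; ObjectId = $null
        }
        continue
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            Group             = $g.DisplayName
            MemberType        = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName       = $m.AdditionalProperties['displayName']
            UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
            ObjectId          = $m.Id
        }
    }
}

$report | Sort-Object Group, MemberType, DisplayName | Format-Table -AutoSize

# Hypothetical output file, kept as a record of who needs a replacement role.
$report | Export-Csv -Path .\autopatch-deprecated-group-members.csv -NoTypeInformation
```

Rows of type `group` are nested groups whose own members also need review, and rows of type `servicePrincipal` are applications rather than people. Because membership is not migrated, every remaining row is an identity that loses report access unless it is given one of the supported roles.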
If you have any questions or concerns, or need assistance, file a service request by visiting the Microsoft Intune admin center.
Message ID: MC1061099
 
		
