check before: 2025-05-27
Product:
Entra, Intune, Microsoft 365 admin center, Microsoft 365 Groups, Windows, Windows Autopatch
Platform:
Online, World tenant
Status:
Change type:
Admin impact, New feature, Updated message, User impact
Links:
Details:
Summary:
Windows Autopatch introduces role-based access controls starting May 27, 2025, allowing assignment of specific update management roles—Administrator and Reader—reducing reliance on Intune Service administrator privileges. Custom roles and Intune scope tags are supported. Some legacy Entra groups will be removed; review user permissions accordingly.
Details:
Updated July 30, 2025: We have updated the timeline below. Thank you for your patience.
Windows Autopatch will now provide role-based access controls to access key update management features, previously limited to Intune Service administrators. With this change, administrators can assign specific roles and permissions, so that only authorized personnel can perform update management actions and read reports. With this change you will be able to grant appropriate access rights to individuals, resulting in far fewer privileges for update management, therefore minimizing the need for Intune Service administrator privileges.
[When will this happen:]
General Availability will take place starting May 27, 2025, Pacific Standard Time, and the change will be completed on August 4, 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-04-24
updated:
2025-07-31
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
Role Misconfiguration
If the new role-based access controls are implemented without proper preparation, there may be misconfigurations leading to unauthorized access or lack of access to critical update management features, impacting the ability to manage updates effectively.
- roles: IT Administrator, Security Admin
- references: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview#who-can-access-the-reports
Loss of Access to Reports
The removal of legacy Entra groups without proper user permission review may result in users losing access to important Autopatch reports, hindering their ability to monitor and manage updates.
- roles: IT Administrator, Service Support Administrator
- references: https://go.microsoft.com/fwlink/?linkid=2109431
Configutation Options**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
change history
| Date | Property | old | new |
| 2025-07-31 | MC MessageTagNames | New feature, User impact, Admin impact | Updated message, New feature, User impact, Admin impact |
| 2025-07-31 | MC Summary | Windows Autopatch introduces role-based access controls for update management, available from May 27, 2025. New roles include Windows Autopatch Administrator and Reader. Custom roles and Intune scope tags are supported. Review and update permissions for users in deprecated Modern Workplace Roles. For assistance, visit the Microsoft Intune admin center. | Windows Autopatch introduces role-based access controls starting May 27, 2025, allowing assignment of specific update management roles—Administrator and Reader—reducing reliance on Intune Service administrator privileges. Custom roles and Intune scope tags are supported. Some legacy Entra groups will be removed; review user permissions accordingly. |
| 2025-07-31 | MC Last Updated | 04/24/2025 02:50:39 | 2025-07-30T22:07:08Z |
| 2025-07-31 | MC Messages | Windows Autopatch will now provide role-based access controls to access key update management features, previously limited to Intune Service administrators. With this change, administrators can assign specific roles and permissions, so that only authorized personnel can perform update management actions and read reports. With this change you will be able to grant appropriate access rights to individuals, resulting in far fewer privileges for update management, therefore minimizing the need for Intune Service administrator privileges.
[When will this happen:] General Availability will take place starting May 27, 2025, Pacific Standard Time, and the change will be completed in 4 weeks. | Updated July 30, 2025: We have updated the timeline below. Thank you for your patience.
Windows Autopatch will now provide role-based access controls to access key update management features, previously limited to Intune Service administrators. With this change, administrators can assign specific roles and permissions, so that only authorized personnel can perform update management actions and read reports. With this change you will be able to grant appropriate access rights to individuals, resulting in far fewer privileges for update management, therefore minimizing the need for Intune Service administrator privileges. [When will this happen:] General Availability will take place starting May 27, 2025, Pacific Standard Time, and the change will be completed on August 4, 2025. |
| 2025-07-31 | MC Title | New Feature: Role-based access controls for Windows Autopatch | (Updated) New Feature: Role-based access controls for Windows Autopatch |
| 2025-07-31 | MC End Time | 07/23/2025 09:00:00 | 2025-09-29T09:00:00Z |
Last updated 2 days ago ago
