How to configure RBAC for Windows Autopatch

With role-based access control (RBAC), you can now help your organization better manage access permissions to Windows Autopatch resources! Help control who can do what to which devices in distributed organizations to manage Windows updates in a more flexible and secure way. Read on to see how you can build on your existing Microsoft Intune roles, permissions, and scope tags.
What’s RBAC in Windows Autopatch?
RBAC is an access model that protects organizational resources by granting each administrator only the permissions their job requires. You may already use it to enforce least privileged access in Microsoft Intune, networking, Microsoft Defender, and more. Now RBAC covers all capabilities in Windows Autopatch, in a gradual rollout that began at the end of May 2025.
Windows Autopatch is a cloud service designed to automate updates for Windows, Microsoft 365 apps for enterprise, Microsoft Edge, and Microsoft Teams. Use it to quickly and easily keep Windows devices secure and up to date by reducing vulnerabilities and threats with the latest updates from Microsoft.
If you’re part of a larger, distributed organization with delegated administration, you may have struggled to enforce least privileged access over update management. The new RBAC capabilities in Windows Autopatch build on Intune roles to add read-only access and to limit each admin’s scope of control.
Use RBAC in Windows Autopatch
To use RBAC in Windows Autopatch, assign the appropriate roles with the right administrative permissions. Optionally, you can also apply scope tags. Here’s how.
Assign the appropriate roles
To manage updates with Windows Autopatch at an advanced level with full access, you need both of the following roles:
- Policy and profile manager: This Intune role includes device configuration permissions for managing policies, including Windows Autopatch policies.
- Windows Autopatch administrator: This new role includes permissions necessary to access and manage Windows Autopatch groups, Windows Autopatch reports, support requests, and service-related messages. Note: See the next section for additional Microsoft Entra permissions required to create Windows Autopatch groups.
Now you can assign limited permissions to other admin users. Assign the following roles to support least privileged access to the Windows Autopatch resources in Intune:
- Windows Autopatch reader: This new role includes read-only permissions necessary for Windows Autopatch groups, Windows Autopatch reports, support requests, and messages. It does not permit any changes.
- Alternatively, you can create custom Intune roles that include only the permissions each job function requires. Find more about how to create custom roles in Windows Autopatch and in Microsoft Intune.
Windows Autopatch also supports access via Microsoft Entra roles. Find details at Role-based access control.
Assign administrative permissions for Windows Autopatch groups
Both of the following permissions are required to set up RBAC to manage Windows Autopatch groups:
- Device configuration permissions (assign, create, delete, read, update, view reports). You need these device configuration permissions to manage Intune policies.
- Windows Autopatch group permissions (read, create, edit, delete). Combine these to grant exactly the level of control over Windows Autopatch groups that the role needs.
Important: To create a Windows Autopatch group, you also need permission to create Microsoft Entra groups. Without it, you won’t be able to create Windows Autopatch groups, whatever Intune roles you hold. For more information, see How to set up self-service group management or Create groups permissions.
Check that you have these permissions:
- In the Microsoft Intune admin center, select Tenant administration in the left pane.
- Under Roles, select My permissions.
- Review the category of your permissions in the Resource column and the specific actions you can take in the Permission column.
Screenshot of the Microsoft Intune admin center showing My permissions under Intune roles.
When you create Windows Autopatch groups and assign devices, Windows Autopatch automatically creates necessary and required software update policies. They’re based on the deployment settings and update types you choose.
Apply Intune scope tags as needed
Your roles and permissions give you access to Windows Autopatch reports, while scope determines what you can see in reports. If you’ve already created scope tags in Intune, you can now apply them to Windows Autopatch resources. Windows Autopatch respects any changes you make to scope tags, which are regularly synced from Intune.
If you don’t apply scope tags, admin users can view everything. If you do, here’s what you can expect:
- You can see devices that match a scope tag defined in your role assignment.
- Device scope determines which devices you see in Windows Autopatch reports.
- For completeness, the report includes the name of the Windows Autopatch group to which the devices belong, even if you don’t have permission to manage it.
So, what happens when you assign a scope tag to a Windows Autopatch group?
- Update policies created in the Windows Autopatch group workflow inherit that scope tag.
- Devices included in the Windows Autopatch group do not inherit the scope tags. This preserves your device scope assignment.
- Only admins whose role assignment carries a matching scope tag can manage the Windows Autopatch group. This stops an admin outside that scope from modifying your ring-based deployments and triggering an accidental deployment.
- Admins with any of the assigned scope tags can view the Windows Autopatch group.
The Policy and profile manager role assignment must carry at least the same scope tags as the Windows Autopatch administrator role assignment. Keep the two in sync; otherwise the update policies can’t be applied to Windows Autopatch groups.
Note: Windows Autopatch honors the Intune scope tags applied to Windows devices. You can also apply scope tags to policies.
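The permission check described earlier in this section is done per signed-in admin in the admin center. The script below does the same check, plus the scope tag consistency rule above, over Microsoft Graph so it can be run across every role assignment in the tenant. It is an added example, not code from this post or from Windows Autopatch. It assumes the Microsoft Graph PowerShell SDK, an account that can consent to DeviceManagementRBAC.Read.All, and the beta deviceManagement endpoints; the roleScopeTagIds property on a role assignment and the roleDefinitions/{id}/roleAssignments listing are assumptions to confirm against current Graph documentation. The Autopatch group actions are read from the tenant’s own role definitions by name match rather than hard-coded.

```powershell
# Added example: audit the Intune role assignments behind Windows Autopatch RBAC.
# Assumptions: Microsoft.Graph SDK installed; beta endpoint; roleScopeTagIds exposed
# on role assignments. Device configuration action names are the ones Intune shows
# under Tenant administration > Roles > My permissions.
#Requires -Modules Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Follow @odata.nextLink so large tenants are enumerated completely.
function Get-AllPages([string]$Uri) {
    $out = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $out += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $out
}

# Flatten a role definition to the resource actions it allows.
function Get-AllowedActions($Definition) {
    $Definition.rolePermissions | ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions }
}

# Device configuration actions needed to manage Autopatch update policies.
$requiredDeviceConfig = @(
    'Microsoft.Intune_DeviceConfigurations_Assign',
    'Microsoft.Intune_DeviceConfigurations_Create',
    'Microsoft.Intune_DeviceConfigurations_Delete',
    'Microsoft.Intune_DeviceConfigurations_Read',
    'Microsoft.Intune_DeviceConfigurations_Update',
    'Microsoft.Intune_DeviceConfigurations_ViewReports'
)

# One row per role assignment: which capabilities the role grants and how it is scoped.
$report = foreach ($def in Get-AllPages "$base/roleDefinitions") {
    $actions = @(Get-AllowedActions $def)
    $coversDeviceConfig = -not ($requiredDeviceConfig | Where-Object { $_ -notin $actions })
    $autopatchActions = @($actions | Where-Object { $_ -match 'Autopatch' })
    foreach ($ra in Get-AllPages "$base/roleDefinitions/$($def.id)/roleAssignments") {
        # The listing is a summary; fetch the full assignment for tags and scoped groups.
        $full = Invoke-MgGraphRequest -Method GET -Uri "$base/roleAssignments/$($ra.id)"
        [pscustomobject]@{
            Role               = $def.displayName
            Assignment         = $full.displayName
            IsBuiltIn          = $def.isBuiltIn
            CoversDeviceConfig = $coversDeviceConfig
            AutopatchActions   = $autopatchActions.Count
            ScopeTagIds        = @($full.roleScopeTagIds)
            ScopedGroupIds     = @($full.resourceScopes)
        }
    }
}

# Rule from the post: every assignment granting Autopatch actions must be matched by an
# assignment with device configuration permissions whose scope tags are a superset.
# Tag ids are compared exactly as Graph returns them (the Default tag is id 0).
$problems = foreach ($ap in $report | Where-Object { $_.AutopatchActions -gt 0 }) {
    $covered = $report | Where-Object { $_.CoversDeviceConfig } | Where-Object {
        $tags = $_.ScopeTagIds
        -not ($ap.ScopeTagIds | Where-Object { $_ -notin $tags })
    }
    if (-not $covered) { $ap }
}

$report | Sort-Object Role, Assignment | Format-Table -AutoSize
if ($problems) {
    Write-Warning 'Autopatch assignments with no matching device configuration assignment:'
    $problems | Format-Table Role, Assignment, ScopeTagIds -AutoSize
} else {
    Write-Host 'All Autopatch role assignments have matching device configuration scope tags.'
}
```

Run it after every change to role assignments or scope tags; an assignment listed under the warning is one where the Windows Autopatch administrator can create a group but the update policies for it will not apply.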
Manage Windows Autopatch groups as a scoped admin
If you typically manage updates for specific locations, geographies, etc., you’re a scoped admin, and you’ll use scoped groups. As such, you’ll be able to create and manage Windows Autopatch groups and manage updates for devices that are in your scope with a few additional steps.
When you create a Windows Autopatch group, you also create a new Microsoft Entra group. However, the Windows Autopatch group only becomes usable after it’s added to your role as a scoped group. Until then, its status shows as “pending assignment,” which means:
- The Windows Autopatch group, its deployment rings, and the software update policies have been created.
- The Windows Autopatch policies are not assigned to the deployment rings, because the Windows Autopatch group isn’t yet among your role’s scoped groups.
- Windows Autopatch has created a parent scope group to facilitate administrative steps.
- An Intune role administrator or Intune service administrator must include this group as a scoped group, in the role with device configuration permissions. Until this is done, policy assignment will remain blocked.
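The unblocking step above, as an added example that is not code from this post or from Windows Autopatch: an Intune role administrator adds the parent scope group to the scoped groups of the role assignment that carries device configuration permissions, then reads the assignment back to confirm. It assumes the Microsoft Graph PowerShell SDK, consent to DeviceManagementRBAC.ReadWrite.All and Group.Read.All, the beta endpoints, and that $AssignmentId and $ParentScopeGroupName are values from your tenant. The scopeType check is an assumption about the beta roleAssignment resource; confirm it against current Graph documentation.

```powershell
# Added example: add an Autopatch parent scope group to a role assignment's scoped groups
# so that policy assignment for a "pending assignment" Autopatch group can proceed.
# Assumptions: beta endpoint; resourceScopes holds the scoped group ids; the assignment
# uses scopeType 'resourceScope' (scoped groups) rather than an all-devices scope.
#Requires -Modules Microsoft.Graph.Authentication
param(
    [Parameter(Mandatory)][string]$AssignmentId,          # assignment with device configuration permissions
    [Parameter(Mandatory)][string]$ParentScopeGroupName   # Entra group Autopatch created for the scope
)

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All' -NoWelcome
$base = 'https://graph.microsoft.com/beta'

# Resolve the group by exact display name and refuse to continue on 0 or >1 matches,
# so a look-alike group name cannot end up scoped by accident.
$filter = "displayName eq '$($ParentScopeGroupName -replace "'", "''")'"
$resp = Invoke-MgGraphRequest -Method GET -Uri "$base/groups?`$filter=$([uri]::EscapeDataString($filter))&`$select=id,displayName"
$groups = @($resp.value | Where-Object { $_ })
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$ParentScopeGroupName', found $($groups.Count)."
}
$groupId = $groups[0].id

$assignment = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleAssignments/$AssignmentId"
if ($assignment.scopeType -and $assignment.scopeType -ne 'resourceScope') {
    throw "Assignment '$($assignment.displayName)' uses scopeType '$($assignment.scopeType)'; scoped groups do not apply."
}
$current = @($assignment.resourceScopes)

if ($groupId -in $current) {
    Write-Host "Group $groupId is already a scoped group on '$($assignment.displayName)'. Nothing to do."
    return
}

# PATCH replaces the whole collection, so send the existing ids plus the new one;
# sending only the new id would silently drop every other scoped group.
$body = @{ resourceScopes = $current + $groupId }
Invoke-MgGraphRequest -Method PATCH -Uri "$base/deviceManagement/roleAssignments/$AssignmentId" `
    -Body $body -ContentType 'application/json'

# Read back and verify before telling the scoped admin that assignment is unblocked.
$after = Invoke-MgGraphRequest -Method GET -Uri "$base/deviceManagement/roleAssignments/$AssignmentId"
if ($groupId -notin @($after.resourceScopes)) {
    throw 'Scoped group was not added; check that your account holds the Intune role administrator permissions.'
}
Write-Host "Added '$ParentScopeGroupName' as a scoped group on '$($after.displayName)'. Autopatch policy assignment can now proceed."
```

The read-back is deliberate: a 204 from the PATCH only says the request was accepted, and the scoped admin will keep seeing “pending assignment” until the group is actually present in the assignment.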
Control role-based access to Windows Autopatch
Windows Autopatch now provides granular permissions through built-in Intune roles for securely managing Windows updates. Combined with your existing RBAC, you can delegate update management across geographically distributed teams without over-granting permissions.
Here are some examples of how you can adapt this solution to your organizational context:
- Consider granting your support and help desk teams read-only access to the areas of Windows update management they need to do their jobs.
- Create a custom role in Windows Autopatch that includes only the permissions support teams require for their administrative tasks.
To learn more, check out Improved role-based access controls in Windows Autopatch and its accompanying documentation.
Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.