Windows IT Pro Blog

Improved role-based access controls in Windows Autopatch


Role-based access control (RBAC), a permissions capability that provides granular control over update management, has expanded within Windows Autopatch for organizations using Microsoft Intune. We made this change in response to feedback and requests from Windows Autopatch community members wishing to distribute update management and increase read-only access. RBAC now addresses both of these concerns.

These improvements to RBAC in Windows Autopatch became generally available in late May 2025. The rollout is expected to be complete by the end of June 2025.

Keep reading to learn more about:

  • The benefits of RBAC with Windows Autopatch.
  • New Windows Autopatch reader and administrator roles in Intune.
  • Using existing Intune scope tags with Windows Autopatch RBAC roles.

Benefits of RBAC with Windows Autopatch

RBAC helps strengthen your organization’s security by providing more granular control over update management. With RBAC, you can target and distribute update management to specific people or groups. This reduces central administration bottlenecks while maintaining consistent security and compliance standards.

RBAC’s expansion within Windows Autopatch offers several improvements. Benefits include the ability to:

  • Authorize roles and assign permissions to specific people.
  • Expand or narrow read-only privileges.
  • Enforce least privilege access by aligning to user responsibilities.
  • Delegate update management to local or functional teams.

These capabilities are especially useful to organizations with geographically distributed models. For example, if an organization has European and North American offices, it may also have a different IT team for each region. Now, each team's devices can be made invisible to the other team, helping to prevent oversharing of information or accidental changes to the other region's update management.

Two roles with Windows Autopatch

Windows Autopatch has added two new RBAC roles that enable least privileged access for Windows Autopatch features that include groups, reports, and support requests and messages. This change allows Intune users to either read or act based on their level of permission for all Windows Autopatch features.

  • Windows Autopatch reader provides read-only access to the features listed above.
  • Windows Autopatch administrator provides the necessary permissions to operate the features listed above.

Intune device configuration permissions are still needed to manage Windows update policies; the two Autopatch roles do not grant them. For update management, use the above roles in addition to the policy and profile administrator Intune role that you are already using, which supplies the permissions needed to manage update policies.

Will existing Intune scope tags be affected?

When assigning a role, you select which users and devices those permissions apply to using Intune scope tags. Once that role and scope are applied, that administrator can only see or act on devices in that scope.

Intune scope tags will be respected for reports and management to prevent oversharing information. You will also be able to assign Intune scope tags to Windows Autopatch groups and filter reports based on scope tags. Existing scope tags in Microsoft Intune will not be affected. You may either reuse your existing scope tags or create new ones as you see fit.
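As an added illustration (not Microsoft's code or Intune's API), here is a small Python model of the access rules the two sections above describe: each role grants read or act permissions over the Autopatch features, every decision is gated by a scope tag the assignment shares with the device, and update policies need the separate policy and profile administrator role. The permission table, the `Assignment` and `Device` shapes, and the sample tags are assumptions made for the example.

```python
from dataclasses import dataclass

# Features the two Autopatch roles cover, per the post.
AUTOPATCH_FEATURES = ("groups", "reports", "support_requests", "messages")

# Hypothetical permission table modelling the post: the reader role only reads
# Autopatch features, the administrator role reads and acts on them, and neither
# covers Windows update policies, which need the Intune policy and profile
# administrator role (role names as written in the post; the table is assumed).
ROLE_PERMISSIONS = {
    "Windows Autopatch reader": {("read", f) for f in AUTOPATCH_FEATURES},
    "Windows Autopatch administrator": {(a, f) for a in ("read", "act") for f in AUTOPATCH_FEATURES},
    "Policy and profile administrator": {("read", "update_policy"), ("act", "update_policy")},
}

@dataclass(frozen=True)
class Assignment:
    """A role given to an operator, limited to the Intune scope tags attached to it."""
    role: str
    scope_tags: frozenset

@dataclass(frozen=True)
class Device:
    name: str
    scope_tags: frozenset

def in_scope(assignment: Assignment, device: Device) -> bool:
    # An assignment reaches a device only if the two share at least one scope tag.
    return bool(assignment.scope_tags & device.scope_tags)

def is_allowed(assignments, action: str, feature: str, device: Device) -> bool:
    """True if some assignment grants (action, feature) and is in scope for the device."""
    return any((action, feature) in ROLE_PERMISSIONS.get(a.role, set()) and in_scope(a, device)
               for a in assignments)

def visible_devices(assignments, devices) -> list:
    """Devices the operator can see via any in-scope Autopatch read permission."""
    return [d.name for d in devices
            if any(is_allowed(assignments, "read", f, d) for f in AUTOPATCH_FEATURES)]

# Constructed sample mirroring the post's regional example: EU admins, NA readers.
EU_ADMIN = [Assignment("Windows Autopatch administrator", frozenset({"EU"}))]
NA_READER = [Assignment("Windows Autopatch reader", frozenset({"NA"}))]
DEVICES = [Device("eu-laptop-01", frozenset({"EU"})),
           Device("na-laptop-01", frozenset({"NA"})),
           Device("shared-kiosk-01", frozenset({"EU", "NA"}))]
```

Running the checks against this model shows the EU administrator never sees or acts on the NA-only device, the NA reader can see but not act, and neither can touch update policies until the policy and profile administrator assignment is added.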

Learn more

  • Visit the Learn pages for Windows Autopatch to find answers to frequently asked questions about Windows Autopatch.
  • For more about RBAC and Windows Autopatch, visit the Role-based access control documentation.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q&A.