Windows Autopatch Gets Improved Role-Based Access Controls

New RBAC enhancements in Windows Autopatch give IT admins greater control and clearer role delegation.

Key Takeaways:

  • Microsoft is expanding RBAC features in Windows Autopatch for more granular control.
  • New roles improve how IT teams manage access and responsibilities.
  • These new capabilities will be available to commercial users later this month.

Microsoft is giving IT admins more control than ever with new Role-based access control (RBAC) enhancements in Windows Autopatch, designed to simplify update management across distributed teams. These new capabilities are set to become generally available for commercial customers later this month.

Windows Autopatch is a cloud-based service that automates the process of keeping Windows and Microsoft 365 up to date in enterprise environments. It manages updates for Windows, Microsoft 365 apps, Microsoft Edge, and Teams by using a ring-based deployment model that gradually rolls out updates to minimize risk. This service includes monitoring, reporting, and rollback capabilities, and it’s available at no additional cost for organizations with eligible Microsoft 365 subscriptions.

What are the benefits of RBAC with Windows Autopatch?

Role-Based Access Control (RBAC) is a security approach that restricts system access based on a user’s role within an organization. The expansion of RBAC in Windows Autopatch improves how organizations manage permissions and responsibilities. It allows IT admins to assign specific roles and permissions to individuals based on their job functions. This includes the flexibility to broaden or limit read-only access, which helps to maintain oversight without compromising security.

RBAC enforces the principle of least privilege by aligning access with actual responsibilities in order to reduce the risk of unauthorized changes. It also allows administrators to delegate update management to local or functional teams. These RBAC capabilities are particularly useful for organizations with teams spread across different locations or regions.

“Role-based access control (RBAC), a permissions capability that provides granular control over update management, has expanded within Windows Autopatch for organizations using Microsoft Intune. We made this change in response to feedback and requests from Windows Autopatch community members wishing to distribute update management and increase read-only access,” Microsoft explained.

New Windows Autopatch Roles: Reader vs. Administrator

Windows Autopatch has introduced two new RBAC roles that enable administrators to assign specific permissions related to Autopatch features, including device groups, update reports, support requests, and service messages. Depending on their assigned role, Microsoft Intune users can either view (read-only) or take action (read-write) on these features.

The Windows Autopatch Reader role grants users read-only access, allowing them to view information such as device groups, update reports, support requests, and service messages without making any changes. On the other hand, the Windows Autopatch Administrator role provides full operational permissions, which allows users to not only view but also manage and act on these features.

Microsoft notes that administrators must have Intune device configuration permissions to manage Windows update policies. Scope tags are used in Microsoft Intune to control access to resources. They help to ensure that administrators only see and manage the devices, apps, and policies they are authorized to handle.

Keep in mind that Microsoft Intune scope tags will be respected for both reports and management, to prevent oversharing of sensitive information. Moreover, administrators will be able to apply scope tags to Windows Autopatch groups and filter reports based on these scope tags. Existing tags in Microsoft Intune won’t be affected, and IT admins will be able to reuse them or create new ones as needed.
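The permission model described in the two sections above (Reader is read-only, Administrator is read-write, update-policy management additionally needs Intune device configuration permission, and scope tags bound what each person can see or manage) can be checked with a small authorization function. This is an added illustration, not Microsoft's code or Intune's data model; the role names are the article's, while the resource kinds, action names, tag-overlap rule and sample data are this example's own assumptions.

```python
from dataclasses import dataclass

# Simplified model of the article's permission rules (hypothetical, not Intune's API).
ROLE_ACTIONS = {
    "Windows Autopatch Reader": {"read"},
    "Windows Autopatch Administrator": {"read", "write"},
}


@dataclass(frozen=True)
class Resource:
    kind: str            # e.g. "device_group", "update_report", "update_policy"
    name: str
    scope_tags: frozenset  # Intune scope tags applied to the object


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset                    # Autopatch RBAC roles held
    scope_tags: frozenset               # scope tags on the role assignment
    intune_device_config: bool = False  # Intune device configuration permission


def is_allowed(p: Principal, action: str, res: Resource) -> bool:
    """Least-privilege check: scope-tag overlap first, then role, then the extra
    Intune permission the article says is needed to manage update policies."""
    # Scope tags are respected for reports and management alike: a principal
    # only sees or acts on objects that carry at least one of its own tags.
    if not (p.scope_tags & res.scope_tags):
        return False
    if not any(action in ROLE_ACTIONS.get(role, set()) for role in p.roles):
        return False
    if res.kind == "update_policy" and action == "write":
        return p.intune_device_config  # Administrator role alone is not enough
    return True


def visible_names(p: Principal, resources) -> list:
    """What a scope-tag-filtered report would show this principal."""
    return [r.name for r in resources if is_allowed(p, "read", r)]


# Constructed sample data (not taken from the article).
EMEA_GROUP = Resource("device_group", "EMEA-Ring1", frozenset({"EMEA"}))
APAC_GROUP = Resource("device_group", "APAC-Ring1", frozenset({"APAC"}))
EMEA_POLICY = Resource("update_policy", "EMEA-Quality-Updates", frozenset({"EMEA"}))
READER_EMEA = Principal("reader", frozenset({"Windows Autopatch Reader"}), frozenset({"EMEA"}))
ADMIN_EMEA = Principal("admin", frozenset({"Windows Autopatch Administrator"}), frozenset({"EMEA"}))
ADMIN_EMEA_FULL = Principal("admin-full", frozenset({"Windows Autopatch Administrator"}),
                            frozenset({"EMEA"}), intune_device_config=True)
```

Running the checks against these principals shows the EMEA Reader can view but not change EMEA-Ring1, cannot see APAC-Ring1 at all, and the EMEA Administrator can edit the device group but not the update policy until the Intune device configuration permission is granted.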