Automated Patching
Automated Patching is an advanced Windows patch management capability in SureMDM that enables organizations to deploy Microsoft updates in a phased, controlled, and automated manner using deployment rings. This feature helps IT administrators reduce risk by gradually rolling out updates across devices, monitoring impact at each stage, and ensuring stability before broad deployment.
This feature is available to Premium and above tier customers.
Prerequisites
Before enabling or configuring Automated Patching, ensure that the following prerequisites are met to avoid update failures or delayed deployments.
Device Enrollment Requirements
- Windows devices must be dual-enrolled in the SureMDM Console
- Windows 10 and 11 (dashboard reporting supported on Windows 11 only)
- Windows Pro, Enterprise, Education, IoT Enterprise / IoT Enterprise LTSC editions
Network and Firewall Requirements
Ensure that the following Microsoft-recommended endpoints are allowed through the network firewall. These endpoints are required for update detection, metadata synchronization, and content download.
| Protocol | Endpoint URL |
|---|---|
| TLS 1.2 | *.prod.do.dsp.mp.microsoft.com |
| HTTP | emdl.ws.microsoft.com |
| HTTP | *.dl.delivery.mp.microsoft.com |
| HTTP | *.windowsupdate.com |
| HTTPS | *.delivery.mp.microsoft.com |
| TLS 1.2 | *.update.microsoft.com |
| TLS 1.2 | tsfe.trafficshaping.dsp.mp.microsoft.com |
| TLS 1.2 | definitionupdates.microsoft.com |
| HTTPS | adl.windows.com |
| TLS 1.2 / HTTPS / HTTP | *.api.cdp.microsoft.com |
Blocking any of the above endpoints may prevent Automated Patching from functioning as intended and can result in update detection, download, or installation failures on managed devices.
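One way to check a firewall or proxy allowlist export against the table above before enabling the feature (an added example, not SureMDM or Microsoft code). It assumes HTTP means TCP 80 and HTTPS or TLS 1.2 means TCP 443, a `host port` export format, and that a `*.` rule matches subdomains at any depth but not the parent domain; `SAMPLE_ALLOWLIST` is constructed.

```python
# Added example: audit an allowlist against the endpoint table on this page.
# Assumption: HTTP -> TCP 80, HTTPS / TLS 1.2 -> TCP 443.
REQUIRED = [
    ("*.prod.do.dsp.mp.microsoft.com", {443}),
    ("emdl.ws.microsoft.com", {80}),
    ("*.dl.delivery.mp.microsoft.com", {80}),
    ("*.windowsupdate.com", {80}),
    ("*.delivery.mp.microsoft.com", {443}),
    ("*.update.microsoft.com", {443}),
    ("tsfe.trafficshaping.dsp.mp.microsoft.com", {443}),
    ("definitionupdates.microsoft.com", {443}),
    ("adl.windows.com", {443}),
    ("*.api.cdp.microsoft.com", {80, 443}),
]

# Constructed sample export ("host port" per line); not real firewall data.
SAMPLE_ALLOWLIST = """\
*.mp.microsoft.com 443
update.microsoft.com 443   # exact host only
*.windowsupdate.com 80
emdl.ws.microsoft.com 80
definitionupdates.microsoft.com 443
adl.windows.com 443
*.api.cdp.microsoft.com 443
"""

def covers(rule, required):
    """True if every hostname matched by `required` is also matched by `rule`."""
    rule, required = rule.lower().rstrip("."), required.lower().rstrip(".")
    if not rule.startswith("*."):
        return rule == required            # an exact rule never covers a wildcard
    suffix = rule[1:]                      # "*.example.com" -> ".example.com"
    name = required[1:] if required.startswith("*.") else required
    return name.endswith(suffix)

def parse_allowlist(text):
    """Parse 'host port' lines, ignoring blanks and '#' comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [(row[0], int(row[1])) for row in rows if row]

def missing_endpoints(allowlist_text):
    """Return (endpoint, port) pairs from REQUIRED that no rule allows."""
    rules = parse_allowlist(allowlist_text)
    return [(host, port) for host, ports in REQUIRED for port in sorted(ports)
            if not any(p == port and covers(r, host) for r, p in rules)]

if __name__ == "__main__":
    for host, port in missing_endpoints(SAMPLE_ALLOWLIST):
        print(f"not allowed: {host} tcp/{port}")
```

The sample shows two easy misses: a rule for `*.mp.microsoft.com` on 443 does not admit the HTTP row for `*.dl.delivery.mp.microsoft.com`, and an exact `update.microsoft.com` rule does not satisfy `*.update.microsoft.com`.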
Enabling Automated Patch Management
When accessing the Automated Patching section for the first time, the feature is disabled by default.
Navigate to SureMDM Console > OS Updates > Windows > Automated Patching.
Click Enable Automated Patch Management.
Once enabled, Automated Patching becomes active and has the following two sections:
- Overview
- Configuration
The system automatically creates the following four default deployment rings and five charts:
- Canary Ring
- Early Adopters Ring
- Broad Rollout Ring
- General Availability Ring
- Device with No Ring Assigned (available only as a chart)
These default rings can be reviewed and configured from the Configuration tab.