Get-AutopatchHealth

2.1.2

This script performs a read only, end to end Windows Autopatch health assessment for Windows devices. It validates OS servicing branch, telemetry level, Intune enrollment and IME activity, co‑management workloads, Windows Update policy authority, WSUS or registry blockers, required services, network endpoints, and scheduled tasks. It runs safely in SYSTEM or user context and outputs console results, a readiness summary, and an exit code suitable for Intune detection/remediation.

GENERAL CONFIGURATION HEALTH CHECKS
Operating System Release Branch:  
Ensures the device is on a supported GA/production channel (not Windows Insiders/Preview).

Registry Settings:  
Checks for Autopatch‑blocking or WSUS‑redirecting values:  
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
-- DoNotConnectToWindowsUpdateInternetLocations, DisableWindowsUpdateAccess, WUServer, WUStatusServer
- HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU  
-- NoAutoUpdate  
- Update source override keys:  
-- SetPolicyDrivenUpdateSourceForDriverUpdates, FeatureUpdates, OtherUpdates, QualityUpdates  
If set to '1' and a WUServer is configured, the device tries to use WSUS instead of Autopatch.
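
The registry checks listed above can be reproduced with a short read-only scan. This is an added example, not code from Get-AutopatchHealth; the function names are hypothetical, and it assumes the override values are stored in the same WindowsUpdate policy key under their full names (SetPolicyDrivenUpdateSourceFor<Class>Updates).

```powershell
# Added example (not from Get-AutopatchHealth): read-only scan of the policy
# values listed above. Function names are hypothetical.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or value is absent, which is the clean state.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Name, $Value, [string]$Reason)
    [pscustomobject]@{ Name = $Name; Value = $Value; Reason = $Reason }
}

function Get-UpdatePolicyBlocker {
    # Flags that cut the device off from Windows Update when set to 1.
    foreach ($name in 'DoNotConnectToWindowsUpdateInternetLocations', 'DisableWindowsUpdateAccess') {
        $value = Get-PolicyValue $WuKey $name
        if ($value -eq 1) { New-Finding $name $value 'Blocks access to Windows Update' }
    }

    if ((Get-PolicyValue $AuKey 'NoAutoUpdate') -eq 1) {
        New-Finding 'NoAutoUpdate' 1 'Automatic updates are disabled'
    }

    # WSUS server settings: report them, then evaluate the per-class overrides.
    $wuServer = Get-PolicyValue $WuKey 'WUServer'
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = Get-PolicyValue $WuKey $name
        if ($value) { New-Finding $name $value 'WSUS server configured' }
    }

    # Assumption: the override values sit in the same WindowsUpdate policy key.
    foreach ($class in 'Driver', 'Feature', 'Other', 'Quality') {
        $name  = "SetPolicyDrivenUpdateSourceFor${class}Updates"
        $value = Get-PolicyValue $WuKey $name
        # A value of 1 only redirects to WSUS when a WUServer is also configured.
        if ($value -eq 1 -and $wuServer) {
            New-Finding $name $value "$class updates are sourced from WSUS ($wuServer)"
        }
    }
}

$findings = @(Get-UpdatePolicyBlocker)
$findings | Format-Table -AutoSize -Wrap
"{0} blocking or redirecting value(s) found" -f $findings.Count
```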

Telemetry:  
Reads the AllowTelemetry policy value from the local registry to confirm minimum level = **1 (Required)**.

Intune Enrollment & IME Activity:
Validates Intune enrollment indicators and IME log activity within the last 28 days.  
For comanaged devices, checks required workload ownership:  
- Windows Update policies  
- Device configuration  
- Office Click to Run apps

Update Policy Authority:
Reads the PolicySources value to ensure Intune/Autopatch is configured:
HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState\PolicySources
Values:  
1=GPO, 2=SCCM, 4=Intune/Autopatch, 5=GPO+MDM (MDM wins), 6=SCCM+MDM (MDM wins).  
Also attempts to identify the Autopatch ring a device is assigned to (test, ring1, ring2, etc.)

AUTOPATCH SERVICE HEALTH CHECKS
Validates required Windows Update–related services:  
- BITS (downloads update payloads)  
- CryptSvc (signature validation)  
- DiagTrack (telemetry pipeline)  
- DoSvc (Delivery Optimization)  
- UsoSvc (update orchestration)  
- WaaSMedicSvc (repairs Windows Update stack)  
- wuauserv (core Windows Update client)

NETWORK ENDPOINT CONNECTIVITY CHECKS
Confirms reachability of required Autopatch and Microsoft endpoints:  
- mmdcustomer.microsoft.com (Microsoft Managed Desktop (MMD) / Windows Autopatch service endpoint)
- mmdls.microsoft.com (part of the Autopatch logging and service communication layer)
- login.windows.net (endpoint used to issue and refresh authentication tokens)
- device.autopatch.microsoft.com (Service endpoint that must be reachable from Autopatch devices)
- services.autopatch.microsoft.com (Service API endpoint that must be reachable for Autopatch functionality)
- payloadprod*.blob.core.windows.net (Azure Blob Storage–backed endpoint used by Autopatch)
- Global Device Listener: devicelistenerprod.microsoft.com (global Autopatch device listener communication endpoint required for Autopatch‑managed devices)  
- EU Device Listener: devicelistenprod.eudb.microsoft.com (EU tenants) (EU endpoint used instead of the global listener within the EU Data Boundary)

WINDOWS UPDATE SCHEDULED TASK CHECKS
Validates required scheduled tasks:
- \Microsoft\Windows\WindowsUpdate\Scheduled Start (triggers scans/downloads)  
- \Microsoft\Windows\UpdateOrchestrator\Report policies (evaluates effective policy)

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Script -Name Get-AutopatchHealth

Package Details

Author(s)

  • Jeff Gilbert

Tags

Intune

Functions

Use-NoUniCode RU-Admin Test-Branch Check-Registry Test-Telemetry Intune-Checks Test-UpdateEngine Get-AutopatchServiceStatus Test-AutopatchNetworkConnection Get-WindowsUpdateTaskStatus

Dependencies

This script has no dependencies.

Release Notes

v1.0.0 - 3.10.26 - Original published version
v1.1.0 - 3.10.26 - Fixed typo in report output
v2.0.0 - 3.23.26 - Added more checks and function documentation
v2.0.1 - 3.25.26 - Removed deprecated network endpoint from connectivity checks
v2.1.0 - 3.26.26 - Updated Get-Help documentation
v2.1.1 - 4.1.26 - Incorporated tester feedback and updated Get-Help documentation
v2.1.2 - 4.1.26 - Minor bug fixes and updated Get-Help documentation

Version History

Version Downloads Last updated
2.1.2 (current version) 3 4/1/2026
1.1.0 31 3/10/2026
1.0.0 9 3/10/2026