Windows Autopatch: Managed enterprise patching for Windows and Office
While IT administrators are mentally preparing themselves for yet another Patch Tuesday, Microsoft has announced Windows Autopatch: a new service that aims to make the second Tuesday of every month “just another Tuesday.”
About Windows Autopatch
Windows Autopatch is an automated, managed service by Microsoft to keep Windows and Office always up-to-date.
It’s expected to be released in July 2022, and will be offered for free to those users who have:
- Windows 10/11 supported versions
- A license for Windows Enterprise E3 or above
- Microsoft Intune (includes Configuration Manager, version 2010 or greater via co-management)
- Azure AD Premium (for co-management)
“Windows Autopatch manages all aspects of deployment groups for Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates. Drivers and firmware that are published to Windows Update as Automatic will be delivered as part of Windows Autopatch,” Lior Bela, a Senior Product Marketing Manager on the Microsoft 365 team, explained.
Covered devices, i.e., those running supported versions of Windows 10 and Windows 11, are sorted into four testing rings.
The “test” ring consists of a minimum number of representative devices, the “first” ring contains about 1% of all devices under management, the “fast” ring includes about 9% of endpoints, and the “broad” ring holds all of the remaining devices.
“The population of these rings is managed automatically, so as devices come and go, the rings maintain their representative samples. Since every organization is unique, though, the ability to move specific devices from one ring to another is retained by enterprise IT admins,” Bela added.
The service also lets IT admins pause the rollout of an update and roll it back if devices fail to meet performance targets after being updated.
Who’s it for?
Mark Florida, Principal Engineering Product Manager at Microsoft, says that when Microsoft Autopatch is launched in July 2022, they will initially use two release cadences: an “expedite” one for situations where there is a zero-day threat, and a “normal” one for regular updating.
“The Normal path is still being evaluated by customers so we might make a change here, but our general goal is to strike a balance between productivity and security. We are aiming to complete the deployment of an update throughout the entire environment in 21 days. We first release to early rings and allow for a few days to detect issues (they don’t always manifest right after installation), and then we release to the broad ring a little after a week. Then it can just take time for all devices to come online, get the update, and wait for reboot,” he noted.
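To make the ring model and the staged cadence described above concrete, here is an added illustration (not Microsoft's code, and not how the Autopatch service is actually implemented). It assigns a fleet to the four rings in the proportions the article quotes (a hand-picked “test” set, ~1% “first”, ~9% “fast”, the rest “broad”), keeps membership stable as devices come and go by hashing device ids instead of drawing at random, honours admin overrides such as “update my executive devices last”, and lays out a release plan that can be halted after a ring reports problems. The day offsets per ring and the device ids are assumptions constructed for the example; only the percentages, the ring names and the 21-day target come from the article.

```python
"""Illustrative deployment-ring assignment and staged rollout schedule."""
import hashlib
from datetime import date, timedelta

# Ring shares quoted in the article: ~1% "first", ~9% "fast", remainder "broad".
# "test" holds a hand-picked minimum set of representative devices.
RING_ORDER = ["test", "first", "fast", "broad"]
FIRST_SHARE = 0.01
FAST_SHARE = 0.09

# Assumed day offsets per ring (not from the article): early rings first,
# a few days to surface problems, broad ring a little after a week, and the
# whole environment expected to be done within the quoted 21-day target.
RING_OFFSET_DAYS = {"test": 0, "first": 1, "fast": 4, "broad": 8}
COMPLETION_TARGET_DAYS = 21


def ring_bucket(device_id: str) -> float:
    """Map a device id to a stable value in [0, 1) using SHA-256.

    Hashing rather than a random draw keeps a device in the same ring on every
    re-run, so membership stays stable as other devices join or leave.
    """
    digest = hashlib.sha256(device_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") / 2**32


def assign_rings(device_ids, test_devices=(), overrides=None):
    """Return {ring: sorted device ids} covering every device exactly once.

    test_devices: representative devices pinned to the "test" ring.
    overrides:    {device_id: ring} chosen by an admin (e.g. executives -> "broad").
    """
    overrides = dict(overrides or {})
    rings = {ring: [] for ring in RING_ORDER}
    for dev in sorted(set(device_ids)):
        if dev in overrides:
            ring = overrides[dev]
            if ring not in rings:
                raise ValueError(f"unknown ring {ring!r} for device {dev}")
        elif dev in test_devices:
            ring = "test"
        else:
            bucket = ring_bucket(dev)
            if bucket < FIRST_SHARE:
                ring = "first"
            elif bucket < FIRST_SHARE + FAST_SHARE:
                ring = "fast"
            else:
                ring = "broad"
        rings[ring].append(dev)
    return rings


def ring_of(rings, device_id):
    """Look up which ring a device landed in (None if it is not in the fleet)."""
    for ring, members in rings.items():
        if device_id in members:
            return ring
    return None


def rollout_schedule(release_start: date, halted_after=None):
    """Return ({ring: planned release date}, completion target date).

    halted_after: ring in which a problem was detected; every later ring is
    withheld from the plan, modelling the admin "stop" the article mentions.
    """
    plan = {}
    for ring in RING_ORDER:
        plan[ring] = release_start + timedelta(days=RING_OFFSET_DAYS[ring])
        if ring == halted_after:
            break
    return plan, release_start + timedelta(days=COMPLETION_TARGET_DAYS)


if __name__ == "__main__":
    fleet = [f"PC-{n:04d}" for n in range(1000)]  # constructed device ids
    rings = assign_rings(fleet, test_devices={"PC-0000", "PC-0001"},
                         overrides={"PC-0042": "broad"})
    for ring in RING_ORDER:
        print(f"{ring:6} {len(rings[ring]):4} devices")
    plan, due = rollout_schedule(date(2022, 7, 12), halted_after="fast")
    print("plan:", plan, "target:", due)
```

Because the bucket comes from a hash of the device id, the ~1%/~9% shares are approximate for any given fleet, and removing or adding devices never shifts the ring of a device that stays; an admin override always wins over both the pinned test set and the hash.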
He says that Autopatch is a service aimed at a broad and diverse set of customers.
“Some customers do not care about how updates are deployed, they just need help if something goes wrong. Others need customization options to tailor the experience (for example update my executive devices last, and more). So there will be a range of customers where on one extreme they just want us to ‘do everything’, and then on the other end are customers with unique business logic or intent that needs to be honored while we keep their devices and managed apps up-to-date,” he explained.
“We are not asking customers to configure detailed policies, but rather tell us, ‘the update admin’ the business rules that need to be followed, and let our service deliver this outcome. Admittedly our capabilities will need to grow in this area as we get feedback from the community and customers on specific business rules they might need.”