9 Things to Know About Windows Autopatch

The Microsoft ecosystem has a vast array of products and services that are integral to the operations of countless businesses across the globe. And it’s extremely important to ensure that your business can conduct affairs seamlessly without interruptions. 

This is why you cannot ignore the issue of updates. You need to make sure that everything is always up to date and in doing so you guarantee that your Microsoft services are running at optimum levels. 

But keeping up with updates can be challenging, and it is easy to end up with applications that lack the most recent updates. Fortunately, we now have Windows Autopatch to adequately deal with this task.

What is Windows Autopatch?

So, we’ll start by looking at what exactly Windows Autopatch is. This relatively new product is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. 

By automating the management and rollout of updates, this service makes life easier for admins, especially in larger organizations where admins can be responsible for large numbers of devices.

Although most would agree that the quality of Windows updates has improved in recent years, the updating process can still be rather challenging. Admins are still responsible for making sure that the process performs seamlessly and that new Windows patches are applied without issue. 

And when you consider the multitude of other tasks that admins need to manage, it’s easy to see how problems can arise. This is precisely why Windows Autopatch plays such a key role by automating this particular task and thus lightening the burden on admins.

Importance of updates

Another issue to look at is why updates are so important. Why does it seem as though some people are always going on about updates? With the increasing threat of cybercrime, updates are one of the best ways to protect your organization against attacks. 

Nefarious actors are constantly looking for vulnerabilities in your system and if they find any it can be catastrophic for your business. Updates can address any existing bugs and vulnerabilities that may be in your system. By patching these security flaws, you can lower the risk of successful attacks against your system.

In addition, updates also address bugs that affect performance. As technology continues to evolve, organizations keep improving their products and services, so updates give you the latest and best features for your applications. This gives you a better overall user experience and ultimately lets your business run more efficiently. Furthermore, updates can help you get even better performance from your devices. We’ve all probably at one point or another had the frustrating experience of an application crashing. 

It’s never a pleasant experience and can cost you unsaved work. By updating your applications, you significantly reduce the chances of these occurrences. With that said, let’s take a look at some of the features that make Windows Autopatch such an amazing service. 

Comparison to Windows Update

One of the first things that people may be wondering is how does Windows Autopatch differ from Windows Update for Business? With Windows Autopatch what organizations are getting is a service that eliminates the need for manually planning and operating the update process. The goal is to give you an automated update system that becomes the responsibility of Microsoft and in doing so frees up your IT team from this task. 

So, when we look at Windows Update for Business, we find one of the components that Windows Autopatch uses for updating devices. And both Autopatch and Windows Update for Business are part of Windows Enterprise E3.

Therefore, we’re not talking about differences, but rather about how Windows Update for Business is one of the components that Autopatch uses. On the other hand, you also have the option to use ConfigMgr by adding a cloud management gateway (CMG) if that is of interest. 

In addition, you may also enable co-management after which you can migrate the Windows Updates workload to Intune so that you can take advantage of Windows Update for Business. Simply put, the greatest benefits of Windows Autopatch are not about which components get the job done, but rather the automation provided. Microsoft takes over responsibility for your updates in a manner that intends to offer greater convenience and satisfaction. 

Requirements

The next thing you’ll need to know is what the requirements are to be eligible for Autopatch. Below you’ll find the requirements that you need to meet before proceeding:

§  Licensing – to use Autopatch, you need your end-users to have Windows 10 and Windows 11 E3 or higher. There are also some additional licensing requirements such as Azure Active Directory Premium and Microsoft Intune.

§  Connectivity – as one would expect, you are going to need connectivity to Microsoft update services endpoints. There are several endpoints on this list but below are some of them: 

  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com 

§  Azure Active Directory – when it comes to the requirements for Azure AD, you get two options. The first option allows you to use Azure Active Directory as the source of authority for all user accounts. And then for the second option, you can synchronize your users from the on-premises Active Directory Domain Services by leveraging the Hybrid Azure AD Domain join.

§  Device management – your devices will need to be under Intune management and therefore, Intune should be the Mobile Device Management (MDM) authority. If not, then you need to opt for co-management. Furthermore, all the devices must be corporate-owned and not in a BYOD scenario. All devices should also have internet connectivity and will need to have been in contact with Microsoft Intune in the last 28 days. Minimally, you’ll also be required to ensure the configuration of the following in Microsoft Intune:

  • Windows Update
  • Device configuration
  • Office click-to-run apps workloads
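As an added example (not Microsoft's readiness tool), the following PowerShell pre-checks two of the requirements above before you run tenant enrollment: TCP 443 reachability of the listed endpoints, and which Intune-managed Windows devices are not corporate-owned or have not contacted Intune in the last 28 days. It assumes the Microsoft.Graph PowerShell SDK is installed, an account that can consent to DeviceManagementManagedDevices.Read.All, and the managedDevice property names (OperatingSystem, ManagedDeviceOwnerType, LastSyncDateTime) as documented for Microsoft Graph.

```powershell
# Added example, not Microsoft's readiness tool. Assumes the Microsoft.Graph
# PowerShell SDK and the managedDevice properties documented for Graph.

# 1. Reachability of the update service endpoints listed above (HTTPS / TCP 443).
$endpoints = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)
$connectivity = foreach ($fqdn in $endpoints) {
    $result = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $fqdn; Reachable = $result.TcpTestSucceeded }
}
'Endpoint reachability from this host:'
$connectivity | Format-Table -AutoSize

# 2. Device requirements: corporate-owned and in contact with Intune within 28 days.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
$cutoff  = (Get-Date).AddDays(-28)
$windows = @(Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' })

$notReady = @(foreach ($d in $windows) {
    $reasons = @()
    if ($d.ManagedDeviceOwnerType -ne 'company') {
        $reasons += "owner type '$($d.ManagedDeviceOwnerType)' (BYOD is not supported)"
    }
    if ($d.LastSyncDateTime -lt $cutoff) {
        $reasons += "last Intune contact $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Device = $d.DeviceName; Blockers = ($reasons -join '; ') }
    }
})
"$($windows.Count) Windows devices checked, $($notReady.Count) need attention:"
$notReady | Format-Table -AutoSize
```

Run the connectivity part from a representative client network segment, since a proxy or firewall rule that blocks one of these endpoints is the most common reason the readiness check reports Not Ready.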

What does Autopatch update?

Thus far, we know that Windows Autopatch is intended to manage your updates for you. But you still need to know what exactly Autopatch will be responsible for. To make the task easier, Windows Autopatch places devices into groups based on their software and hardware configurations. This enables suitable test machines to receive updates first and, if all goes well, allows broader deployments to proceed.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality updates
  • Windows 10 and 11 features
  • Windows 10 and 11 drivers
  • Windows 10 and 11 firmware
  • Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings used, with the first one catering to a few of your company’s devices and the second one responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively. 
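As an added illustration of the grouping and ring percentages just described (example code, not Autopatch's own allocation logic, which runs inside the service), this PowerShell function assigns a constructed inventory to four rings: one device per hardware model goes into the small first ring, and the remainder is cut at 1%, 9% and 90%. The Model field, the one-device-per-model rule and the sample inventory are assumptions made for the illustration.

```powershell
# Added example, not Autopatch's own logic. Rings are filled in the order the
# text describes: a handful of test devices, then 1%, 9% and 90% of the rest.
function Split-IntoRings {
    param([object[]] $Devices, [int] $Seed = 42)
    $rng   = [System.Random]::new($Seed)          # fixed seed: repeatable split
    $rings = [ordered]@{ Ring1 = @(); Ring2 = @(); Ring3 = @(); Ring4 = @() }

    # Ring 1 (test): one randomly chosen device of every hardware model, so each
    # configuration is exercised before the update reaches the wider fleet.
    $rest = @()
    foreach ($group in ($Devices | Group-Object -Property Model)) {
        $shuffled     = @($group.Group | Sort-Object { $rng.Next() })
        $rings.Ring1 += $shuffled[0]
        $rest        += @($shuffled | Select-Object -Skip 1)
    }
    # Rings 2-4: shuffle the remainder and cut at 1% and 9%; everything left
    # (about 90%) goes to ring 4, so rounding never loses or duplicates a device.
    $rest  = @($rest | Sort-Object { $rng.Next() })
    $first = [int][math]::Round($rest.Count * 0.01)
    $fast  = [int][math]::Round($rest.Count * 0.09)
    $rings.Ring2 = @($rest | Select-Object -First $first)
    $rings.Ring3 = @($rest | Select-Object -Skip $first -First $fast)
    $rings.Ring4 = @($rest | Select-Object -Skip ($first + $fast))
    return $rings
}

# Constructed sample inventory: 200 devices across four hardware models.
$models    = 'Surface Laptop 5', 'Latitude 5540', 'EliteBook 840', 'ThinkPad T14'
$inventory = 1..200 | ForEach-Object {
    [pscustomobject]@{ Name = ('PC{0:D3}' -f $_); Model = $models[$_ % 4] }
}
$rings = Split-IntoRings -Devices $inventory
foreach ($ring in $rings.Keys) {
    '{0}: {1} devices' -f $ring, $rings[$ring].Count
}
```

With this sample the split is 4, 2, 18 and 176 devices; the point of the per-model rule is that a driver or firmware regression on one model surfaces in ring 1 rather than in the 90% ring.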

Enhancing business operations

One of the biggest things that Autopatch offers businesses is that it helps to eliminate the need for complex IT infrastructure. Doing so allows organizations to focus a lot more on core business matters. Windows Autopatch will help you to address some of the challenges below: 

  • Close the security gap: keeping your software up to date means that you’ll always have all the latest security features, making any vulnerabilities addressable. As a result, you can reduce your risk of suffering successful attacks.
  • Close the productivity gap: getting all the latest productivity features as soon as they become available means that end-users can consistently perform at their best and improve creativity and overall productivity.
  • Optimize your IT admin resources: because Autopatch takes over responsibility for routine updates, your IT staff can dedicate significantly more effort towards tasks that will enhance your organization’s operations.
  • On-premises infrastructure: your organization can invest less in on-premises infrastructure by migrating to the cloud and adopting software-as-a-service solutions. And with updates delivered from the cloud, this can offer you an even more efficient system.
  • Onboard new services: Windows Autopatch simplifies the addition of new services to your organization. By making the process easier, IT admins will no longer need to dedicate as much time to onboarding processes.
  • Minimize end-user disruption: the sequential deployment rings mentioned above, as well as the ability to respond to reliability and compatibility signals, are helpful. They mean that end-users will face far fewer disruptions because of updates.

Ultimately, Windows Autopatch is a service that removes some of the burdens from your IT team. Taking over the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, or Teams, means your IT staff can focus more on core business activities. 

Enrollment process

The enrollment process is going to begin with you navigating to Intune Portal > Tenant administration > Windows Autopatch Tenant enrollment where you’ll proceed to tick the box. Doing this will launch the readiness tool whose objective is to verify that all requirements have been met before enrolling your tenant. 

If the process fails, then you will see your status displayed as Not Ready. You have the option to click on View Details to get all the information regarding which requirements you’re missing. As soon as you address the relevant areas, you can click on Run Checks. From there, another verification is carried out to see if the issue has been resolved.

After addressing existing problems, you can now proceed to select Enroll. During this process, Microsoft will need you to provide consent to have certain access to your tenant. 

Providing this consent allows the process of setting up Windows Autopatch to proceed. And it will also be necessary in case there are any problems that the support team may need to deal with. In addition to giving consent, the setup process also requires you to provide the contact details of two administrators. 

These details must be provided, and the two admins must be separate individuals. Having completed this step, Autopatch will then proceed to set up the required policies, accounts, groups, and profiles. With all this done, Windows Autopatch will be enabled for your tenant and available for use. However, you will still need to register the devices that you want Autopatch to manage.

Autopatch device registration

The device registration process will allow the devices that you want to be placed under the management of Windows Autopatch. It’s a relatively easy process that requires you to place devices in the Windows Autopatch Device Registration group. This happens to be an Azure AD group. There are two different pathways that you can utilize to register your devices. 

But the path you choose will depend on the type of the device. Windows 365 Cloud PCs will have their own path and then all other Windows devices will have to use another path. The registration with Autopatch will begin during Cloud PC provisioning for Windows 365 Cloud PCs. And this will happen as soon as the provisioning policy is set up with Autopatch enabled.

When it comes to all the other Windows devices, they will first need to be added to the Windows Autopatch Device Registration Azure AD group. Only then can the registration with Autopatch begin.

Note: An important thing to be aware of is that if anything happens to a device that causes a new Azure AD device ID to be generated, that device will need to be re-added to the Azure AD group. You can add devices to the Azure AD group through direct membership, through a bulk import of group members, or by nesting other Azure AD groups.

Update management

Another point that should be of interest is the areas of management that Windows Autopatch will handle for you. Below you’ll find each management area with its service level objective:

  • Windows quality updates: the objective here is to ensure that at least 95% of eligible devices receive the latest Windows quality update 21 days after release.
  • Windows feature updates: in this case, the goal is to ensure that at least 99% of eligible devices remain on a supported version of Windows so that they continue to receive Windows feature updates.
  • Microsoft 365 Apps for Enterprise: Windows Autopatch aims to ensure that at least 90% of eligible devices are kept on a supported version of the Monthly Enterprise Channel (MEC).
  • Microsoft Edge: all eligible devices are configured by Windows Autopatch so that they can leverage Microsoft Edge’s progressive rollouts on the Stable channel.
  • Microsoft Teams: for this particular scenario, the benefit of Windows Autopatch is that it enables all eligible devices to take advantage of the standard automatic update channel.

More to know

However, users will need to be aware that for devices to receive specific updates, they will need to meet certain requirements for each management area. For instance, devices may need to have access to the required network endpoints for the Windows update. So, to avoid issues or unwanted disruptions, it’s best to ensure that you verify the eligibility of all devices for the various updates.

Also, all eligible devices are tagged as either Healthy or Unhealthy, which makes it possible to verify whether the service level objectives are being met. Healthy devices are simply those that meet the eligibility criteria for a particular management area; Unhealthy devices are those that do not. An incident is raised every time Windows Autopatch falls below a service level objective for a management area. 
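To show how the first objective in the list above and the Healthy/Unhealthy tagging fit together, here is an added PowerShell example (not Autopatch's own reporting, which runs inside the service) that evaluates the Windows quality update objective against a constructed inventory: devices that cannot reach the update endpoints are tagged Unhealthy and left out, the share of eligible devices that installed the tracked update within 21 days of release is compared with 95%, and an incident flag is set when it falls below. The field names and sample dates are assumptions for the illustration.

```powershell
# Added example, not Autopatch's own reporting. Evaluates the Windows quality
# update objective: at least 95% of eligible devices on the latest update
# 21 days after release. EndpointsReachable and UpdateInstalledOn are assumed
# field names for this illustration.
function Test-QualityUpdateSlo {
    param(
        [object[]] $Devices,
        [datetime] $ReleaseDate,
        [int]      $GraceDays     = 21,
        [double]   $TargetPercent = 95.0
    )
    $deadline = $ReleaseDate.AddDays($GraceDays)

    # Tag each device: Healthy = meets the eligibility criteria for this
    # management area (here, it can reach the update endpoints); else Unhealthy.
    foreach ($d in $Devices) {
        $tag = if ($d.EndpointsReachable) { 'Healthy' } else { 'Unhealthy' }
        $d | Add-Member -NotePropertyName Health -NotePropertyValue $tag -Force
    }
    $eligible  = @($Devices | Where-Object { $_.Health -eq 'Healthy' })
    $compliant = @($eligible | Where-Object {
        $null -ne $_.UpdateInstalledOn -and $_.UpdateInstalledOn -le $deadline })

    $percent = if ($eligible.Count -gt 0) {
        [math]::Round(100.0 * $compliant.Count / $eligible.Count, 1)
    } else { 0.0 }

    [pscustomobject]@{
        Deadline       = $deadline.ToString('yyyy-MM-dd')
        Eligible       = $eligible.Count
        Compliant      = $compliant.Count
        Percent        = $percent
        Target         = $TargetPercent
        Unhealthy      = @($Devices | Where-Object { $_.Health -eq 'Unhealthy' }).Count
        IncidentRaised = ($percent -lt $TargetPercent)   # objective missed
    }
}

# Constructed sample: a release on 13 June, evaluated after the 21-day window.
$release   = [datetime]'2023-06-13'
$inventory = @(
    [pscustomobject]@{ Name = 'PC01'; EndpointsReachable = $true;  UpdateInstalledOn = [datetime]'2023-06-15' }
    [pscustomobject]@{ Name = 'PC02'; EndpointsReachable = $true;  UpdateInstalledOn = [datetime]'2023-06-28' }
    [pscustomobject]@{ Name = 'PC03'; EndpointsReachable = $true;  UpdateInstalledOn = [datetime]'2023-07-06' } # after deadline
    [pscustomobject]@{ Name = 'PC04'; EndpointsReachable = $true;  UpdateInstalledOn = $null }                  # not installed
    [pscustomobject]@{ Name = 'PC05'; EndpointsReachable = $false; UpdateInstalledOn = $null }                  # Unhealthy
)
Test-QualityUpdateSlo -Devices $inventory -ReleaseDate $release | Format-List
```

For this sample, 4 devices are eligible and 2 are compliant (50%), so IncidentRaised is True; PC05 is counted as Unhealthy rather than as a missed update, which is why verifying endpoint access first matters.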

Admin responsibilities

With all the benefits that come with using Windows Autopatch, we need to remember that IT staff will still retain certain responsibilities. As great a service as Autopatch may be, Microsoft does not intend for it to completely eliminate all human intervention in the process. Before applying patches, it would be wise for IT to look into them first. They need to check compatibility and stability. You can then avoid significant problems that may disrupt your organization’s operations. 

Also, when it comes to the application of patches, it’s important to learn to prioritize patches. Some patches may be urgently required to address pressing security issues. However, that’s not to say the other patches are not important. But IT has to perform a delicate balancing act to ensure that all updates are done in a manner that does not expose you to threats nor compromise operational efficiency.

Furthermore, simply because the goal of Autopatch is to make the update process easier, it does not mean IT admins can fold their hands and forget about it. It’s critical that IT keeps an eye on the update process to see that everything proceeds as planned. Not only that, but admins need to prepare to intervene in case of unexpected issues so that they address them in a timely fashion. 

Monitoring the system also allows the admins to periodically perform their own evaluations of the efficiency of the process. This will ultimately help you pinpoint any areas of concern that need improving, so that the system can perform even better. Otherwise, if you don’t keep an eye on things, you may end up with security vulnerabilities that could prove very costly. 

How to deregister a device

Occasionally, you may find yourself in a situation where you need to deregister a device. And you will want to do this without causing the end-user unnecessary disruptions. To ensure that this happens, Windows Autopatch will only delete the Windows Autopatch device record itself. 

Also, device deregistration does not delete the Microsoft Intune or Azure Active Directory device records. This, therefore, means that the expectation is for you to continue managing those devices. However, please be aware that removing devices from the Windows Autopatch Device Registration Azure AD group will not deregister them from the Autopatch service. 

To deregister a device, you follow the steps given below:

  • Navigate to Intune admin center and sign in.
  • In the navigation menu that appears, select Windows Autopatch.
  • Select Devices.
  • Choose the device or devices that you want to deregister from the Ready or Not Ready tab.
  • After the device selection is done, select Device actions, then select Deregister device.

Excluded devices

If you have deregistered a device from the Autopatch service, it is then flagged as excluded. This ensures that Autopatch won’t attempt to re-register the device into the service again, because the deregistration command does not remove the device’s membership from the Windows Autopatch Device Registration Azure AD group. 

So, re-registering a device that was previously deregistered from Autopatch requires the submission of a support request to the Windows Autopatch Service Engineering Team. The goal of this request is to ask that the excluded tag applied during deregistration be removed.

Wrap-Up

Organizations are constantly looking for services that can improve the way they operate from top to bottom. Especially when it comes to IT staff who can often be overburdened with the tasks at hand. This is precisely why Microsoft develops services like Windows Autopatch to simplify the patching process while simultaneously maintaining highly secure networks. It helps IT admins with task management by offering an extremely efficient service that automates the management of software updates and patches. 

And Autopatch does not completely remove admins from the process so they will retain overall control over their devices. This is something that will help to alleviate fears that admins may have about device management. When all is said and done, Windows Autopatch is a service that can bring a lot of efficiency and security to the patching process but the decision to use it remains yours to make.
