Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.
But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.
Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.
What is Windows Autopatch?
Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:
“Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”
One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.
So, even though Microsoft provides regular updates for its products and services, the task can sometimes be challenging and very time-consuming. Therefore, with a solution like Autopatch, IT admins can save a lot of time on the update processes. They can additionally cut time in positioning the overall security posture of the business, leading to improvements.
I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.
The role of Autopatch services
From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.
To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.
Below is a list of what Autopatch will be responsible for updating:
- Windows 10 and Windows 11 quality
- Windows 10 and 11 features
- Windows 10 and 11 drivers
- Windows 10 and 11 firmware
- Microsoft 365 apps for enterprise updates
In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company’s devices, and the second one is responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively.
Setting up Windows Autopatch
The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.
|Licensing||Windows 10/11 Enterprise E3 (or higher) in addition to Azure Active Directory Premium and Microsoft Intune.|
|Connectivity||All Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.|
|Azure Active Directory||The source of authority for all user accounts needs to be Azure AD. Or, the user accounts can be synchronized from on-premises Active Directory using the very latest supported version of Azure AD Connect to enable Hybrid Azure Active Directory to join.|
|Device management||All devices must be registered with Microsoft Intune, be connected to the internet, have a Serial number, Model and Manufacturer, and must be corporate-owned. Furthermore, the target devices will need to have Intune set as the Mobile Device Management (MDM) authority or co-management must be turned on.|
- Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through their firewall or proxy.
- Proxy requirements – should support TLS 1.2, and if not, then you may need to disable protocol detection.
- Required URLs – mmdcustomer.microsoft.com
- Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.
The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.
With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.
If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:
- Consent workflow to manage your tenant.
- Provide Windows Autopatch with IT admin contacts.
- Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.
Your tenant will be successfully enrolled upon completion of these actions. And then, after all this is done, you can delete the collected data by the readiness assessment tool if you want. To do so:
- Head over to the Microsoft Intune admin center.
- Go to Windows Autopatch > Tenant enrollment.
- Select Delete all data.
ADD AND VERIFY ADMIN CONTACTS
After you have finished the process of enrolling your tenant, you can move on to the addition and verification of admin contacts. Windows Autopatch has several ways of communicating with customers. And there’s a requirement to submit a set of admin contacts when onboarding. Each specific area of focus should have an admin contact. This provides that the Windows Autopatch Service Engineering Team has a contact for assistance with the support request. These areas of focus are given below.
|Area of focus||Description|
|Devices||Device registration Device health|
|Updates||Windows quality updates Windows feature updates Microsoft 365 Apps for enterprise updates Microsoft Edge updates Microsoft Teams updates|
To add the admin contacts, follow these steps:
- Sign in to the Intune admin center.
- Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
- Select Add.
- Now, you need to provide all the necessary contact details. This includes name, an email, phone number, and language of choice.
- Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
- Click Save and then repeat the steps for each area of focus.
- Windows Autopatch groups device registration
Autopatch groups will start the device registration process for devices that aren’t yet registered using your existing device-based Azure AD groups. This is instead of the Windows Autopatch Device Registration group. Windows Autopatch will support a couple of Azure AD nested group scenarios, namely Azure AD groups synced up from:
- On-premises Active Directory groups (Windows Server AD)
- Configuration Manager collections
- Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.
So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.
About the Registered, Not ready, and Not registered tabs
|Device blade tab||Purpose||Expected device readiness status|
|Registered||Shows successful registration of devices with Windows Autopatch||Active|
|Not ready||Shows successfully registered devices that aren’t yet ready to have one or more software update workloads managed by the Windows Autopatch service.||Readiness failed and/or Inactive|
|Not registered||Shows devices that have not passed the prerequisite checks and thus require remediation.||Prerequisites failed.|
Device readiness statuses
|Readiness status||Description||Device blade tab|
|Active||Shows devices that: +have passed all prerequisite checks +registered with Windows Autopatch +have passed all post-device registration readiness checks||Registered|
|Readiness failed||Shows devices that: +haven’t passed one or more post-device registration readiness checks +aren’t ready to have one or more software update workloads managed by Windows Autopatch||Not ready|
|Inactive||Shows devices that haven’t communicated with Microsoft Intune in the last 28 days.||Not ready.|
|Prerequisites failed||Shows devices that: +haven’t passed one or more prerequisite checks +have failed to successfully register with Windows Autopatch||Not registered|
Built-in roles required for device registration
Roles are permissions granted to dedicated users. And there are a couple of built-in users in Autopatch that you can use to register devices:
- Azure AD Global Administrator
- Intune Service Administrator
Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:
|Azure AD group name||Discover devices||Modify columns||Refresh device list||Export to .CSV|
|Modern Workplace Roles – Service Administrator||Yes||Yes||Yes||Yes|
|Modern Workplace Roles – Service Reader||No||Yes||Yes||Yes|
Details about the device registration process
The process of registering your devices with Windows Autopatch will accomplish a couple of things:
- Creation of a record of devices in the service.
- Device assignment to the two deployment ring sets and other groups required for software update management.
Windows Autopatch on Windows 365 Enterprise Workloads
As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:
- Head over to the Intune admin center and select Devices.
- Next, go to Provisioning>Windows 365 and select Provisioning policies>Create policy.
- Type in the policy name, select Join Type, and then select Next.
- Pick your desired image and select Next.
- Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
- Assign the ideal policy, select Next, and then select Create.
- Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.
Windows Autopatch on Azure Virtual Desktop workloads
Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.
One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.
It is worth noting, however, that any Azure Virtual Desktop specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch for AVD are pretty much the same as those for Windows Autopatch and AVD.
The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.
Deploy Autopatch on Azure Virtual Desktop
Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. And this dynamic device group is going to target the Name prefix defined in your session host while also excluding any Multi-Session Session Hosts.
Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.
Device management lifecycle scenarios
Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:
- Device refresh – devices that were previously registered in Autopatch and require reimaging will require you to run one of the device provisioning processes available in Microsoft Intune to reimage these devices. Subsequently, these devices will be rejoined to Azure AD (Hybrid or Azure AD only) and then re-enrolled into Intune. And because the Azure AD device ID record of that device will not be altered, neither you nor Windows Autopatch will need to perform any additional actions.
- Device repair and hardware replacement – when devices require you to repair them by replacing certain hardware, then you’ll need to re-register these devices into Autopatch when you’re done. We are talking about the kind of repairs that include replacing parts such as the motherboard, non-removable network interface cards (NIC), or hard drives. And the reason why re-registration is necessary is that when you replace those parts, a new hardware ID will be generated, including:
- SMBIOS UUID (motherboard)
- MAC address (non-removable NICs)
- OS hard drive’s serial, model, manufacturer information
So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.
Software update workloads
|Software update workload||Description|
|Windows quality update – on the second Tuesday of every month, Autopatch deploys monthly security update releases. Autopatch also uses mobile device management (MDM) policies to gradually release updates to devices. These policies are deployed to each update deployment ring to control the rollout.||Requires four deployment rings to manage these updates|
|Windows feature update – in this instance, you’ll be the one to inform Autopatch when you’re ready to upgrade to the new Windows OS version. The feature update release management process has been designed to make the task of keeping your Windows devices up to date much easier and more affordable. This also has the added benefit of lessening your burden, thus allowing you to dedicate more time to more productive tasks.||Requires four deployment rings to manage these updates|
|Anti-virus definition||Updated with each scan|
|Microsoft 365 Apps for Enterprise||Find information at Microsoft 365 Apps for Enterprise|
|Microsoft Edge||Find information at Microsoft Edge|
|Microsoft Teams||Find information at Microsoft Teams|
Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.
If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.
Policy health and remediation
To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. Windows Update policies must be healthy at all times should you plan to remain up to date and receive Windows updates. Microsoft ensures continuous monitoring to maintain the health of the policies, as well as raise alerts and provide remediation actions.
The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.
Make sure that update and patch deployments occur in a timely fashion. It can significantly reduce the risk of attacks against your business. And this is precisely what Autopatch is ready to help you prevent.
It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.