Most IT pros are fully aware of how challenging it can be to manage the update process for all the devices in their organization. It can be an incredibly complex and time-consuming task that takes away time from engaging your efforts in work that could be considered more productive for the business.
Fortunately, Microsoft knows about this challenge and offers you Windows Autopatch to help businesses with this process. With this service, your organization will get a product that can help you to “streamline updating operations and create new opportunities for IT pros.” By enabling organizations to automate tasks such as these, Windows Autopatch will help you to minimize the security and performance issues that can sometimes be encountered because of inefficient update processes.
What is Windows Autopatch?
In case you may not as yet be familiar with Windows Autopatch, let me start by going over a few things your teams should know. Released in 2022, Autopatch is a cloud-based service that is designed to automatically manage the updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.
As I’m sure you can imagine, a service like this can vastly improve the efficiency of your IT operations. Not only that but this will tighten your organization’s security, it will improve productivity, and it will enhance device management among other things.
Consequences of Poor Update Processes
Research done by Google has shown that 66% of users don’t automatically or immediately apply updates. And most of us can relate to the reasons given such as not wanting the unwelcome interruption, not seeing the need, worrying about the time it could take, and so on.
Unfortunately, though the consequences of not applying updates may not be immediate they can eventually be very damaging. It’s important to know that updates are critical for device performance and security. Malicious actors are constantly searching for vulnerabilities in your network and occasionally they find them. So, if security patches are made available and you ignore them it will leave your business exposed to all manner of cyber attacks.
In addition to that, hackers can potentially access organizational data and infect your network with malware. Not so long ago in 2017, Equifax was the victim of a brutal cyber attack that exposed the personal information of close to 150 million people. This kind of attack would be very damaging to an organization and as we saw in this case it cost the company over half a billion dollars in settlement. Clearly, this kind of situation needs to be avoided whenever possible. Furthermore, security concerns are not the only thing to worry about with neglecting updates. It can also result in your organization using poorly performing devices and not having access to the best and latest features. Obviously, this can cost you significantly especially if other businesses are gaining an advantage over you.
Before You Get Started
Just like any other service you would want to use, Windows Autopatch has some requirements you would need to meet before you can get started. There are several areas that you will have to consider if you want to deploy Autopatch.
Licensing
The most obvious starting point is going to be the licensing requirements for Autopatch. You’re going to need to assign Windows 10/11 Enterprise E3 (or higher) to all the various users who will require the service. Fortunately, users that already have Windows 10/11 Enterprise E3 or higher (user-based only), get Windows Autopatch with their licenses. There are several service plan SKUs that are eligible for Autopatch and they are given in the table below:
| License | ID |
| Microsoft 365 E3 | SPE_E3 |
| Microsoft 365 E3 (500 seats minimum_HUB) | Microsoft_365_E3Microsoft_365_E3 |
| Microsoft 365 E3 – Unattended License | SPE_E3_RPA1 |
| Microsoft 365 E5 | SPE_E5 |
| Microsoft 365 E5 (500 seats minimum)_HUB | Microsoft_365_E5 |
| Microsoft 365 E5 with calling minutes | SPE_E5_CALLINGMINUTES |
| Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF |
| Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUB | Microsoft_365_E5_without_Audio_Conferencing |
| TEST – Microsoft 365 E3 | SPE_E3_TEST |
| TEST – Microsoft 365 E5 without audio conferencing | SPE_E5_NOPSTNCONF_TEST |
| Windows 10/11 Enterprise E3 | WIN10_VDA_E3 |
| Windows 10/11 Enterprise E5 | WIN10_VDA_E5 |
| Windows 10/11 Enterprise VDA | E3_VDA_only |
You’ll also find there are a few Windows 10, build versions and architectures that are eligible for registration with Windows Autopatch. These are as follows:
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
In addition to the licensing requirements given above, these users will also need to have Azure Active Directory Premium and Microsoft Intune.
Network configuration
The next area to review is the connectivity to multiple Microsoft service endpoints from the corporate network which will be needed. Autopatch being a cloud service means that for the service’s different elements to work properly there is a set of endpoints that Autopatch should be able to reach.
The network optimization for these can be done by using their firewalls or proxies to send all trusted Microsoft 365 network requests. Doing this allows you to bypass authentication, and all additional packet-level inspection or processing.
As a result, you can expect to directly benefit from less latency and reduced perimeter capacity requirements. The required proxy or firewall will need to support TLS 1.2. If it doesn’t, you might need to disable protocol detection.
REQUIRED WINDOWS AUTOPATCH ENDPOINTS FOR PROXY AND FIREWALL RULES
The allowed list for your proxy and firewall needs to contain certain URLs if Autopatch devices are to be able to communicate with Microsoft services. The Windows Autopatch URL is necessary for anything that the service runs on client APIs. Therefore, it’s important to verify that this URL remains consistently available on your corporate network. The URLs required on the allowed list are given below:
- mdcustomer.microsoft.com
- mmdls.microsoft.com
- logcollection.mmd.microsoft.com
- support.mmd.microsoft.com
REQUIRED MICROSOFT PRODUCT ENDPOINTS
The allowed list will also need to contain certain URLs from several Microsoft products if Autopatch devices are to be able to communicate with these Microsoft services. The table below shows the Microsoft services as well as the corresponding URLs.
| Microsoft Service | URLs required on Allowlist |
| Windows 10/11 Enterprise including Windows Update for Business | Manage connection endpoints for Windows 10 Enterprise, version 1909 Manage connection endpoints for Windows 10 Enterprise, version 2004 Connection endpoints for Windows 10 Enterprise, version 20H2 Manage connection endpoints for Windows 10 Enterprise, version 21H1 Manage connection endpoints for Windows 10 Enterprise, version 21H2 Manage connection endpoints for Windows 11 Enterprise |
| Microsoft 365 | Microsoft 365 URL and IP address ranges Hybrid identity required ports and protocols |
| Azure Active Directory | Active Directory and Active Directory Domain Services Port Requirements |
| Microsoft Intune | Intune network configuration requirements Network endpoints for Microsoft Intune |
| Microsoft Edge | Allowlist for Microsoft Edge Endpoints |
| Microsoft Teams | Office 365 URLs and IP address ranges |
| Windows Update for Business (WUfB) | Windows Update for Business firewall and proxy requirements |
DELIVERY OPTIMIZATION
One of the recommendations made by Windows Autopatch during your enrollment into the Autopatch service is that you configure and validate Delivery Optimization. Doing so will provide access to a P2P distribution technology that is offered in Windows 10 and Windows 11.
And the key advantage of this is that you get a service that enables devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Another core benefit of using this technology is that it can also reduce network bandwidth since portions of the update will already be available to the device from another device sharing the same local network. So, there won’t be an additional need to perform a complete update download from Microsoft.
Azure Active Directory
When it comes down to identifying the source of authority for all user accounts then Azure Active Directory would arguably be the most ideal. If not, however, you will need to ensure that all user accounts are synchronized from on-premises Active Directory. And this will have to be done using the latest supported version of the Azure Active Directory Connect so that Hybrid Azure Active Directory join can be enabled.
Azure AD Connect is a Microsoft service that your organization will receive as part of your Azure subscription. This tool is something that will help you to manage the synchronization of identity data between your on-premises Active Directory environment and Azure AD. So, users will benefit from the convenience of being able to use the same credentials to access on-premises applications and cloud services.
Hybrid Azure AD join, in its simplest terms, means having a device that is available in both the on-premises Active Directory and the Azure AD environments. Therefore, this tool can simplify device management because of how a ‘hybrid-joined’ device is visible on both platforms.
Before registration with Windows Autopatch can proceed, all the concerned devices will need to be enrolled with Intune. Furthermore, Intune should be set as the Mobile Device Management authority. Alternatively, you’ll need to ensure that you turn on and enable co-management on the target devices. In addition, you are required to set to Pilot Intune or Intune the apps workloads for the Windows Update, Device configuration, and Office Click-to-Run. And then don’t forget to verify that the devices you want to bring to Windows Autopatch are in the targeted device collection.
Device Management
The device management requirements for Windows Autopatch are given below:
- All devices that you are going to use will need to be corporate-owned. This is because Windows bring-your-own-devices (BYOD) are not eligible and will therefore not pass the device registration prerequisite checks.
- Devices should be under Configuration Manager or Intune co-management. So, any devices that are only under Configuration Manager management will not be eligible.
- Registration with Windows Autopatch is only possible if a device has been in communication with Microsoft Intune in the last 28 days.
- It goes without saying that internet connectivity is required for the devices.
- Lastly, devices need to have a serial number, model, and manufacturer. Therefore, any device emulators that don’t provide this information will not pass the Intune or Cloud-attached prerequisite check.
A few things to note
Based on the aforementioned requirements, there are a few other things that we should be aware of. One of these issues involves the registration of devices that don’t meet the minimum Windows OS required.
Although these devices can be registered with Windows Autopatch, after that process is complete they will be offered the minimum Windows OS version. You’ll need to make the necessary changes concerning the minimum Windows OS version. From there, you’ll receive monthly security updates that maintain the health and security of your devices.
Furthermore, Windows Autopatch allows you to register Windows 10 Long-Term Servicing Channel (LTSC) devices. These devices are being currently serviced by the Windows LTSC. However, only devices that are currently serviced by the LTSC can have their Windows quality updates workloads managed by the service.
So, any devices that are part of the LTSC are not eligible for Windows feature updates from both the Windows Autopatch and Windows Update for Business services. In the case of Windows devices that are part of the LTSC, you’ll need to use either the Configuration Manager Operating System Deployment capabilities or LTSC media to carry out an in-place upgrade.
Configuration Manager Co-management Requirements
We’ve already gone through some of the information concerning co-management and Windows Autopatch. Since co-management is fully supported, you need to know what the requirements are:
- You need to use a current, supported version of Configuration Manager.
- Configuration Manager should also be cloud-attached with Intune (co-management.) And it will need to have the co-management workloads below enabled and set to either Pilot Intune or Intune:
- Windows Update policies workload
- Device configuration workload
- Office Click-to-Run apps workload
Switch Configuration Manager Workloads to Intune
Among the additional requirements for devices managed by Configuration Manager is the need to switch Configuration Manager workloads to Intune. This is something that can present a significant issue for a lot of people. Fortunately, however, you’ll still be able to switch workloads back to Configuration Manager if you later decide that’s what you want.
Different pilot collections can be configured for all of the co-management workloads. The benefit of using various pilot collections is the ability to leverage a more granular approach during the shifting of workloads. So, workloads can be switched at your convenience, meaning you can do so once you enable co-management. Rr you can postpone it until a later time. At this point, if you haven’t yet enabled co-management that’s what you’ll need to do first. And once done, you can proceed to modify the settings in the co-management properties.
Modify
- Head over to the Configuration Manager console and go to the Administration workspace. Next, you need to expand Cloud Services and then select the Cloud Attach node. If the version is 2103 or earlier, then select the Co-management node.
- Select the co-management object, and then choose Properties in the ribbon.
- Next, you need to switch to the Workloads tab. Take note that all workloads are by default set to the Configuration Manager setting. So, to switch a workload you must move the slider control for that workload to the desired setting. If you keep the slider where it is then Configuration Manager will continue to manage the workload. Moving the slider to Pilot Intune should only be done if the devices are in the pilot collection. And if you want to change the Pilot collections, you can do so by going to the Staging tab of the co-management properties page. And then lastly, move the slider to Intune for all Windows devices enrolled in co-management.
- If necessary, you can now go to the Staging tab and change the Pilot collection for any of the workloads you want.
NOTE: Always verify that any workloads you would like to switch, the corresponding workloads in Intune have been configured and deployed. In addition, workloads should always be managed by one of the available management tools for your devices. Furthermore, whenever you switch to a co-management workload, there will be an automatic synchronization of the MDM policy from Intune by the co-managed devices.
Data and Privacy
The administration of enrolled devices requires Windows Autopatch to use data from various sources. These sources, which include Intune, Azure AD, and Windows 10/11, are going to provide a comprehensive view of the devices under Autopatch management. Below is a helpful table containing a list of the various data sources. Also outlined is the intended purpose of the information:
| Data Source | Purpose |
| Windows 10/11 Enterprise | Handles the management of device setup experience, connections to other services, and operational support for IT pros. |
| Windows Update for Business | Leverages diagnostic data collected from Windows 10/11 Enterprise to provide additional information on Windows 10/11 update. |
| Microsoft Intune | Handles device management and plays a key role in maintaining device security. It makes use of a couple of endpoint management data sources: Microsoft Azure Active Directory: Authentication and identification of all user accountsMicrosoft Intune: Distributing device configurations, device management, and application management |
| Windows Autopatch | Data provided by the customer or generated by the service during the running of the service. |
| Microsoft 365 Apps for Enterprise | Management of Microsoft 365 Apps. |
Effective Service
Also, to effectively provide service to enterprise clients, Autopatch needs data from multiple Microsoft products and services. This data must be processed and copied from these services to Autopatch. This allows enrolled devices to be maintained and protected. The processor duties undertaken by Autopatch include maintaining security, confidentiality, and resilience. All this is done to ensure that Autopatch can offer clients high-level security in the handling of all personally identifiable data.
The vast amounts of data that Autopatch handles will be stored in Azure data centers depending on data residency. It’s also important to recognize that the data that is being accumulated is necessary for Autopatch to keep the service operational. If you decide to remove a device from Windows Autopatch, the data will be kept for no more than 30 days.
WINDOWS 10/11 DIAGNOSTIC DATA
To keep Windows secure, up to date, address any issues, and continuously make improvements, Autopatch leverages Windows 10/11 Enhanced diagnostic data. Within the enhanced diagnostic data setting, you’re going to find more comprehensive information concerning devices enrolled in Autopatch. Not only that but you also get detailed information about the devices’ health, capabilities, and settings.
So, when you select enhanced diagnostic data, data will be collected including the required diagnostic data. Because of how Autopatch only wants to process strictly necessary data, we can expect to see changes in the diagnostic data terminology in the future. The objective is to change the diagnostic level to Optional with Autopatch looking to implement the limited diagnostic policies to fine-tune the diagnostic data collection required for the service.
Not all system-level data from Windows 10/11 optional diagnostic data will be processed and stored by Windows Autopatch. It only caters to data obtained from enrolled devices such as application and device reliability, and performance information. Therefore, clients should know that their personal data such as chat and browser history, voice, text, or speech data will not be processed or stored by Autopatch.
Wrap up
All of us can benefit immensely from a service that can help us manage the update process a lot more efficiently. It can save us valuable time, minimize errors, and enable our businesses to be more productive. Microsoft has developed Windows Autopatch with all this and more in mind. Using this service is meant to help your IT staff by removing some of their burdens while simultaneously reducing the time taken by patching cycles. So, if you want a service that can add a lot of value to your business, then Autopatch is one that’s worth considering.
Pingback: Intune Newsletter - 16th June 2023 - Andrew Taylor