Updating endpoints on a network can be a daunting task. Testing before rollout can take time. Delays to patches going live can cause all manner of headaches. Windows Autopatch aims to tackle some of these issues, and is now live for public preview. The release comes with a few caveats which you’ll want to keep in mind.
Fixing a patchy experience
First announced in April and slated for general release come July, Windows Autopatch is designed to free stressed sysadmins from some of the heavy lifting around updates. Billed as a managed service available to (some) users of Microsoft products, the software giant had this to say about it:
The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end. Business needs change in response to market shifts.
This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. For organizations who select this option, the second Tuesday of every month will be ‘just another Tuesday’.
This automated patching setup is complemented by four so-called “testing rings”. This is a way to divide up all of an organisation’s devices in a manner which allows for efficient testing and updating. The smallest ring is the initial “test ring”, which has an unspecified minimum number of devices. It’s followed by the “first”, “fast”, and “broad” rings which comprise 1%, 9% and 90% of devices under management respectively.
Assuming all is well after a validation period in one of the rings, the updates filter out to the next ring for more testing. All the while, performance is monitored to ensure everything works at least as well as it did pre-update.
The result, according to Microsoft, is a “rollout cadence that balances speed and efficiency, optimising product uptime”.
But not without caveats
It would be unrealistic to think all networks and devices can simply switch on this new service. Indeed, there’s quite a list of requirements before you can get anywhere near this process. There’s no hardware requirements, though you can’t use it in conjunction with a “bring your own device” (BYOB) policy.
From Microsoft’s blog:
- Azure Active Directory (Azure AD)
- Microsoft Intune
- Windows 10/11 supported versions
- Hybrid Azure AD-Joined or Azure AD-joined only
- Microsoft Intune
- Configuration Manager, version 2010 or later
- Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune (min Pilot Intune)
- Co-management workloads
What are the licensing requirements for Windows Autopatch?
- Windows 10/11 Enterprise E3 and up
- Azure AD Premium (for co-management)
- Microsoft Intune (includes Configuration Manager, version 2010 or greater via co-management)
Not a magic fix for everything
Patching is incredibly important to the well-being of your network and devices. However, as useful as Autopatch will no doubt be, it can’t fix everything. Sometimes vulnerabilities occur like the Follina zero-day, and there’s no patch forthcoming. When this happens, you need workarounds and mitigations, and defence in depth.
Security tools and smart security practises by device users are two of the additional ways to keep compromise at bay until updates are released. If you’ve been waiting on Microsoft Autopatch since it was first announced, stay tuned to upcoming Microsoft announcements. Just keep those caveats, and your security setup, in mind should you go and make the leap.