Windows IT Pro Blog

Windows Autopatch celebrates 1 year of managed updates

Lior_Bela
Jul 05, 2023

After an incredible year of increased security and productivity, today we recap the current capabilities of Windows Autopatch, highlight new features coming to general availability, and look ahead to more value being added to the service. Whether you're a long-time user or just learning about Autopatch, there's something for everyone below, so read on!

The first anniversary of Windows Autopatch

The idea for Windows Autopatch came from our customers. As the transition to hybrid work accelerated, managing enterprise endpoints became more complex, and as cybersecurity threats posed increasing risk, the need for applying updates in a timely fashion became more urgent. IT admins asked for help – and we at Microsoft realized we could manage much of the update process on behalf of our customers. The result: Windows Autopatch!

A still from the video explainer that launched with Windows Autopatch

Over the last year we've heard positive feedback from customers about the time and effort they save updating Windows, Microsoft 365, Microsoft Edge, and Microsoft Teams apps. When those conversations also surface ideas about how Windows Autopatch can be even more helpful, we listen.

This latest set of additional features comes directly from customer requests for customizations and flexibility to meet the needs of large enterprises while maintaining the simplicity that makes Autopatch so helpful.

New features become generally available July 25, 2023

In our May 2023 announcement, we introduced the public preview of features that extend the capability of Windows Autopatch. We are excited to announce that these features will be generally available beginning July 25, 2023. Current customers will also see an announcement in the Microsoft Intune message center detailing updates to the service.

May's blog introduced the public preview of exciting new capabilities

Before explaining these new capabilities, here is a brief recap of Windows Autopatch.

What can Windows Autopatch do for enterprises?

Autopatch is built on the deployment service and core features of Windows Update for Business, so an IT administrator could configure many of the operations managed by Autopatch themselves. But the value of the Windows Autopatch service extends beyond the orchestration of updates and time-saving:

  • Evaluations of updates by Microsoft
  • Critical "zero day" update expediting
  • Progressive deployment ring grouping
    • Assign enrolled devices to ring groups automatically
    • Issues that may arise affect a smaller number of devices rather than the entire estate
    • Admins can move devices where needed
    • Learn more about the default rings

Customizable, flexible new Autopatch features

Among the most-requested capabilities from customers was the ability to configure Windows Autopatch to match existing organizational needs or structures.

The resulting features allow IT admins to apply different sets of Autopatch rules to sets of devices as needed:

  • Autopatch Groups (currently in public preview, general availability on July 25, 2023)
  • Custom deployment rings (currently in public preview, general availability on July 25, 2023)
    • Up to 15 deployment rings per group
    • Azure AD device groups or individual devices can be assigned dynamically or directly to rings
    • Each ring can have a custom Scheduled or Deadline-driven deployment policy. Deadline-driven allows custom deferrals, deadlines, and grace periods. Scheduled updates can reduce restarts and minimize interruptions
    • Read more about custom deployment cadences
    • Demo the custom cadence and timing process
  • Custom policy naming (currently in public preview, general availability on July 25, 2023)
    • Conform Autopatch policy names to fit your organizational naming standards
      Note: Renaming the underlying Autopatch deployment groups is not supported.

More controls to fit your needs

The default behaviors and settings of the service are configured to meet the needs of most organizations. The introduction of custom settings allows more enterprises to take advantage of Autopatch automation while addressing their unique use cases, as with these content controls:

  • Feature updates (currently in Public Preview, general availability on July 25, 2023)
  • Microsoft 365 apps opt-out
    • Enrolled devices are set by default to "Monthly Enterprise channel"
    • Opt-out allows admins to set another channel for enrolled devices
    • Devices "opted-out" are updated according to the schedule defined for that channel. See Microsoft 365 update channels for more details.
  • Opt out of "Expedited" updates
  • Drivers and firmware
    • Microsoft pre-certifies and validates drivers from many original equipment manufacturers and independent hardware vendors.
    • Automated deployment of recommended drivers
    • Autopatch creates policies aligned with deployment rings
    • Opt-out is available so IT admins can maintain manual control using Intune driver management features.
    • Granular controls around drivers and firmware update management (coming 2023 Q4) - includes the ability to manually approve drivers on a ring-by-ring basis

Better reporting and new issue remediation

Customers have emphasized the importance of having visibility into all the work that Autopatch is doing on their behalf. A refresh is coming to Autopatch reporting with this July 25 GA announcement that gives IT admins more confidence that the service is working and more help in resolving issues that may arise, with new banners and notifications to help admins identify issues that require attention.

The future of Windows Autopatch

While all these features add up to a more powerful and helpful solution – and we're proud to acknowledge all the progress made in just one year – the development and enhancement of the service will continue. We are grateful to all the developers and product managers who have built this service, and to the customers who have enrolled devices and shared their experiences with our team to help it get better.

All about Windows Autopatch

If you want to share feedback, request features, or ask questions, please join our Windows Autopatch Tech Community. For those who want to learn more about the value the service has brought to other enterprises, read this report commissioned from Forrester: New Technology: The Projected Total Economic Impact™ Of Windows Autopatch Cost Savings And Business Benefits Enabled By Windows Autopatch March 2023.

If you want to experience Windows Autopatch before enrolling devices, we have extensive demos – including some on the newly released features discussed above – at aka.ms/AutopatchDemo. And, finally, if you want to dive deeper, you can find all our resources in the Windows Autopatch resource guide.

Want to stay up to date on all things Autopatch? Subscribe to Windows Autopatch blog updates and follow us at @MSWindowsITPro on Twitter!

Updated Jul 05, 2023
Version 1.0
  • ScrJeff thank you for sharing - this is a popular request. Please note that Autopatch is a Windows E3 feature and is not included in EDU (A SKU) license. We are always evaluating how we can share the Autopatch capabilities with more customers; while I have no news to share for now, I can guarantee that this is on our radar. For now, I suggest using Windows Update for Business  

  • Karl-WE Intune requires Intune P1 and AAD, while Autopatch requires Intune P1, AAD, and Windows E3/5 

  • ScrJeff
    Brass Contributor

    Lior_Bela Are there plans to extend autopatch to the EDU plans? I'm an EDU with A3 + A5 security add-on for all users, but the readiness reports show a licensing problem. Looking at the autopatch license requirements, none of the Ax equivalents of the Ex licensing qualify.

    EDU IT teams can be small, and smaller than enterprise license customers, and if there is a sector that could really use the solution it is us.

  • Pardon me, Lior_Bela so I understand correctly Autopatch has lesser licensing requirements, than patching via Intune?

  • Karl-WE - thanks for the comment, currently you need to have Windows E3/5 (which is included in M365 E3/5), Intune P1, and AAD. This is a solution that is included in E3 which means that there is no additional cost if you own WE3.

  • Hi wroot all metadata for WuFB is ingested into a log analytics workspace. There is an MVP custom solution for the WuFB dashboard, which is even much more verbose.

    That means basically the data requested exists, you might need to deploy an automation that grabs relevant data and saves it for longer, because I believe the used log analytics workspace retention policy will only last 30 days, and EVENTUALLY, cannot be changed for this service. On the other hand as it is a default resource, it should be possible.

    I encourage you to try out WuFB with Intune and the MSFT dashboard and dig into the workspace if you can set up a longer retention.

    https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention

    https://msendpointmgr.com/2022/09/14/windows-update-compliance-dashboard-v8-0/

  • wroot
    Silver Contributor

    On Reporting bit. At some point we had to ditch our WSUS service and switch to third-party patching solutions, because we are audited yearly and they require us to show proof that a particular endpoint received a particular patch on a given date. Which can go back a year. We were not able to provide this with WSUS and default Windows Update. Now we export such logs from current system and keep them for auditors. We would probably like to switch to Intune/Autopatch, but I wonder if your reporting goes that far and can provide individual logs and not just graphs on how many machines installed latest patches.

  • Thank you so much Lior_Bela. Keep it up and happy anniversary!

    Would you mind adding licensing requirements / details and costs to your very in-depth product description?