AMA: Windows Autopatch
Event details
Find out how to make Windows and Microsoft 365 update management easier than ever with Windows Autopatch!
Members of the product and engineering teams will be answering your questions live and helping you get the information and clarity you need about Windows Autopatch capabilities, prerequisites, configuration, and more.
Continue the conversation. Join us in the Windows Autopatch Community.
- Heather_Poulsen (Community Manager)
The Windows Autopatch AMA has concluded. Thanks for joining us today. Did you enjoy the event? Let us know in the Comments and keep the conversation going in the Windows Autopatch Community!
- TimDK (Brass Contributor)
Good session - Thanks to all involved!
- grayman001 (Copper Contributor)
While we understand the shift of planning and operation of moving from Windows Update for Business to Windows Autopatch, once you have done the planning for WUFB, it's set and forget. Getting an understanding of the questions below will help us determine if we can make the shift and if it would be helpful. As we are in Australia, we won't be able to dial into the "AMA". Happy for a separate call:
- If during a ring deployment, devices are offline due to users travelling, the user is on leave and comes back. How are these devices handled?
- General hesitation as patching is in our metrics which has board visibility. If we don't meet our SLAs, we can hold our MSP accountable. If we fail to meet our SLAs, it's now a Woodside problem. How are existing SLAs handled?
- If there is an issue with an update ring, this has to be paused. Who calls when to proceed, and what implications does this have if we miss our patching targets?
- At the moment, we exclude drivers/firmware. Can this be done with autopatch? An example is through Windows Update for Business, we deployed the latest sound audio driver update, and it broke our audio and stopped them working on all our devices. When a support case was raised, Microsoft (rightly so) mentioned that they couldn't be held responsible for vendors releasing faulty drivers. Another alternative would be to have a dedicated ring solely for Drivers/Firmware. Another example is the BIOS. When it updates, we don't have any granularity, i.e. device has to be plugged in, and the user isn't using it. At the moment, if we deploy it, a user could shut their laptop lid.
- What does the reporting look like?
- Who makes the call if an update gets pushed out and needs to be rolled back? Or if Woodside finds an issue with an update, what do we do?
- If we have update failures, as in update failed to install. Who fixes this? Microsoft or us?
Formatted for readability by your friendly Windows Community Manager.
- christulip (Microsoft)
1. In this case the Grace Period policy would kick in and all devices outside the test ring will have 2 days to schedule and update.
2. Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. If we don't meet that target then it's an active incident that Autopatch works to resolve.
3. At GA there are two types of pause: service pauses and customer pauses. A service pause is triggered when we detect a significant impact to devices based on a release. If you want to resume after the service has paused you will need to raise a support request. At GA we will have a capability for you to pause and resume different update rings.
4. Right now the scope of what Autopatch does for Drivers / Firmware is simply to allow drivers which are deployed through Windows Update to flow through the same ring structure as Quality Updates. We agree that this story isn't amazing right now and are investigating improvements in the future.
5. At GA we will have reporting on Windows Quality Updates which shows current patch status in your environment. We are working on additional reporting for other update types after GA.
6. Windows Autopatch makes the decision to release an update based on a set of quality signals. That article does a good job describing the process we use to assess build quality as it rolls out to customer devices. In the event of an issue, please raise a support request.
7. Windows Autopatch is responsible for patching eligible devices. The eligibility criteria are determined as the things which Autopatch can't fix and those devices will be marked ineligible for the service. Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. We prioritize getting all customers to 95% before working on the last 5% of devices for any customer. After all customers are at 95% we start working on the largest buckets of impacted devices to drive compliance numbers up across all customers.
- mohan_infosec (Brass Contributor)
Thank you so much for taking the time to respond to all of our inquiries.
- ShannonFritz (Microsoft)
Thank you for joining and asking ;]
- Harman_Thind (Microsoft)
Thank you all for joining today, keep the questions coming! If you have feedback for our service, please submit it here at the Windows Autopatch Feedback Portal!
- Lintonen (Copper Contributor)
Will Office updates be separated out and configurable to channels other than "Monthly Enterprise Channel"? It is hard to test this within the IT team, because we need to stay on "Current Channel (Preview)".
- ShannonFritz (Microsoft)
All Autopatch devices will have M365 Apps set to the Monthly Enterprise Channel, and as we approach GA, we will be introducing deferral periods so each ring will get the update available in that channel over a staggered time frame. But the different rings would not have different channels at this time. If this is something you think is needed, let us know! https://docs.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise
- Lintonen (Copper Contributor)
Having the option to set the M365 Apps update channel is definitely a requirement for us. Intune > Apps > Windows allows us to install M365 Apps with different update channels, but Autopatch overrides that. If our internal tech evangelists don't have access to the M365 Apps features ahead of the general population, they can't do preemptive training or head off potential issues.
- Florian-DE (Copper Contributor)
Can Windows Autopatch be used in an Azure Virtual Desktop Multi-Session environment?
- amshannon (Copper Contributor)
If an important zero-day vulnerability definition remediation is needed, will the CVE be deployed faster or will it still have to wait until Patch Tuesday?
- TylerPlesetz (Microsoft)
Thanks for flagging this gap in our service, it's great feedback. Right now Autopatch doesn't have a great Out of Band Update story. Action in this space means that we would likely need to change the service pre-requisites for Co-management to include Applications Workload so requires some thinking and planning.
- Nigel (Iron Contributor)
If a problem with an update is detected, how does the service react in an automated way, or is it reactive like WUfB?
- itstylerreilly (Brass Contributor)
Windows Autopatch looks like a massive value add to organizations, and even better that it's included with E3 and above licensing. I have some questions that I was hoping you could cover in the AMA:
- Are you able to provide more detail about how Service Accounts and conditional access policy changes relate to the service? What assurances would you give to an InfoSec team that might question the security of the service accounts and the changes to conditional access?
- Are the AzureAD Groups that are created as a part of enrollment able to be renamed to meet custom requirements that Orgs might be using already?
- Are the Configuration Profiles able to be renamed as well?
- What would a typical customer interaction look like where the Autopatch team/service would contact our admin with the details provided if there was an issue with a patch?
- For customers that are already using update rings in MEM (and have a great experience doing so) what is the value proposition for migrating to Windows Autopatch?
Formatted for readability by your friendly Windows Community Manager.
- Nathan Obenhoffer (Copper Contributor)
Is the public preview not available to education?
- Nathan Obenhoffer (Copper Contributor)
Did any questions get answered about Education?
- RichardLian (Microsoft)
Hi Nathan. Thanks for the question! The Public Preview is available to any customer holding Windows 10/11 Enterprise E3 or higher. Windows Autopatch is not available for ‘A’ (or 'F') series licensing. The service is only included with Windows 10/11 Enterprise E3 or higher.
You can find further information about licensing for Windows Autopatch in this doc: Prerequisites - Windows Deployment | Microsoft Docs
If you have any further feedback on this topic, please feel free to send us direct feedback at https://aka.ms/WindowsAutopatchFeedback
- Chad Simmons (Iron Contributor)
Our education customers are asking about this, but we Microsoft Gold Partner consultants have no answers for them.
Can the Autopatch FAQ be updated to provide additional details regarding Autopatch for Education and Frontline worker licensing? It would be helpful to know if Autopatch was on the roadmap, when it might be available, and what limitations / requirements / restrictions are anticipated.
Does Windows Autopatch support Education (A3) or Frontline worker (F3) licensing? (Updated: June 8, 2022)
Windows Autopatch is not currently available for ‘A’ or 'F' series licensing.
Thanks