Event details
Find out how to make Windows and Microsoft 365 update management easier than ever with Windows Autopatch!
Members of the product and engineering teams will be answering your questions live and helping you get the information and clarity you need about Windows Autopatch capabilities, prerequisites, configuration, and more.
Continue the conversation. Join us in the Windows Autopatch Community.
71 Comments
- TimDK
Brass Contributor
What would be the process and steps to offboard / deregister a device from AutoPatch?
- Andre Della Monica
Microsoft
Hi Tim. The steps to deregister devices from Autopatch are described here: https://docs.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices Let me know if you have additional questions.
- TimDK
Brass Contributor
If you want to reregister a device that was previously deregistered from Windows Autopatch, you must submit a support request with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices.
---
Any plans to enhance this reregistering process in the future? Automation vs having to open a support case (and have quicker resolution time).
- Florian-DE
Copper Contributor
Can Windows Autopatch be used in an Azure Virtual Desktop Multi-Session environment?
- Heather_Poulsen
Community Manager
Welcome to the Windows Autopatch AMA. Let's get started! Post your questions in the Comments. Our experts will be answering questions in the live stream—and others will be answering here in the chat.
- Lintonen
Copper Contributor
Will Office updates be separated out and configurable to channels other than "Monthly Enterprise Channel"? It is hard to test this within the IT team, because we need to stay on "Current Channel (Preview)".
- ShannonFritz
Microsoft
All Autopatch devices will have M365 Apps set to the Monthly Enterprise Channel, and as we approach GA, we will be introducing deferral periods so each ring will get the update available in that channel over a staggered time frame. But the different rings would not have different channels at this time. If this is something you think is needed, let us know! https://docs.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise
- Lintonen
Copper Contributor
Having the option to set the M365 Apps update channel is definitely a requirement for us. Intune > Apps > Windows allows us to install M365 Apps with different update channels, but Autopatch overrides that. If our internal tech evangelists don't have access to the M365 Apps features ahead of the general population, they can't do preemptive training or head off potential issues.
- Nathan Obenhoffer
Copper Contributor
Is the public preview not available to education?
- RichardLian
Microsoft
Hi Nathan. Thanks for the question! The Public Preview is available to any customer holding Windows 10/11 Enterprise E3 or higher. Windows Autopatch is not available for ‘A’ (or 'F') series licensing. The service is only included with Windows 10/11 Enterprise E3 or higher.
You can find further information about licensing for Windows Autopatch in this doc: Prerequisites - Windows Deployment | Microsoft Docs
If you have any further feedback on this topic, please feel free to send us direct feedback at https://aka.ms/WindowsAutopatchFeedback
- Chad Simmons
Iron Contributor
Our education customers are asking about this, but we Microsoft Gold Partner consultants have no answers for them.
Can the Autopatch FAQ be updated to provide additional details regarding Autopatch for Education and Frontline worker licensing? It would be helpful to know if Autopatch was on the roadmap, when it might be available, and what limitations / requirements / restrictions are anticipated.
Does Windows Autopatch support Education (A3) or Frontline worker (F3) licensing? (Updated: June 8, 2022)
Windows Autopatch is not currently available for ‘A’ or 'F' series licensing.
Thanks
- Nathan Obenhoffer
Copper Contributor
Did any questions get answered about Education?
- 15253545z5gmailcom
Copper Contributor
Pictures
- itstylerreilly
Brass Contributor
Windows Autopatch looks like a massive value add to organizations, and even better that it's included with E3 and above licensing. I have some questions that I was hoping you could cover in the AMA:
- Are you able to provide more detail about how Service Accounts and conditional access policy changes relate to the service? What assurances would you give to an InfoSec team that might question the security of the service accounts and the changes to conditional access?
- Are the AzureAD Groups that are created as a part of enrollment able to be renamed to meet custom requirements that Orgs might be using already?
- Are the Configuration Profiles able to be renamed as well?
- What would a typical customer interaction look like where the Autopatch team/service would contact our admin with the details provided if there was an issue with a patch?
- For customers that are already using update rings in MEM (and have a great experience doing so) what is the value proposition for migrating to Windows Autopatch?
Formatted for readability by your friendly Windows Community Manager.
- sfarnik
Brass Contributor
Why would there be the need to disable MFA and Conditional Access for the Microsoft Accounts? That's the worst idea ever, and most likely THE reason we would not enroll to Autopatch service.
- Harman_Thind
Microsoft
Hi sfarnik
Thanks for your feedback on this item. For CA/MFA policies that target all users, Windows Autopatch currently requires our service accounts to be excluded from these policies to not prevent Windows Autopatch from connecting to your tenant. You can find more details here: Conditional access policies.
In our current solution, we have key controls in place for usage as well as audited sign-ins. Windows Autopatch maintains separate conditional access policies to restrict access to these accounts. However, we are working on a solution to move away from Service Accounts. Stay tuned for an update on this!
- McMuckle
Copper Contributor
Our policy to block legacy auth got picked up by the readiness tool, but it didn't take issue with our CA that forces MFA, so also interested to hear if this (MFA) is true.
- JasonS
Copper Contributor
Please can someone confirm regarding needing to disable MFA? Is this true??
- grayman001
Copper Contributor
While we understand the shift of planning and operation of moving from Windows Update for Business to Windows AutoPatch, once you have done the planning for WUFB, it's set and forget. Getting an understanding of the questions below will help us determine if we can make the shift and if it would be helpful. As we are in Australia, we won't be able to dial into the 'AMA'. Happy for a separate call:
- If during a ring deployment, devices are offline due to users travelling, the user is on leave and comes back. How are these devices handled?
- General hesitation as patching is in our metrics which has board visibility. If we don't meet our SLAs, we can hold our MSP accountable. If we fail to meet our SLAs, it's now a Woodside problem. How are existing SLAs handled?
- If there is an issue with an update ring, this has to be paused. Who calls when to proceed, and what implications does this have if we miss our patching targets?
- At the moment, we exclude drivers/firmware. Can this be done with autopatch? An example is through Windows Update for Business, we deployed the latest sound audio driver update, and it broke our audio and stopped them working on all our devices. When a support case was raised, Microsoft (rightly so) mentioned that they couldn't be held responsible for vendors releasing faulty drivers. Another alternative would be to have a dedicated ring solely for Drivers/Firmware. Another example is the BIOS. When it updates, we don't have any granularity, i.e. device has to be plugged in, and the user isn't using it. At the moment, if we deploy it, a user could shut their laptop lid.
- What does the reporting look like?
- Who makes the call if an update gets pushed out and needs to be rolled back? Or if Woodside finds an issue with an update, what do we do?
- If we have update failures, as in update failed to install. Who fixes this? Microsoft or us?
Formatted for readability by your friendly Windows Community Manager.
- Chris_Tulip
Microsoft
1. In this case the Grace Period policy would kick in and all devices outside the test ring will have 2 days to schedule and update.
2. Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. If we don't meet that target then it's an active incident that Autopatch works to resolve.
3. At GA there are two types of pause: service pauses and customer pauses. A service pause is triggered when we detect a significant impact to devices based on a release. If you want to resume after the service has paused you will need to raise a support request. At GA we will have a capability for you to pause and resume different update rings.
4. Right now the scope of what Autopatch does for Drivers / Firmware is simply to allow drivers which are deployed through Windows Update to flow through the same ring structure as Quality Updates. We agree that this story isn't amazing right now and are investigating improvements in the future.
5. At GA we will have reporting on Windows Quality Updates which shows current patch status in your environment. We are working on additional reporting for other update types after GA.
6. Windows Autopatch makes the decision to release an update based on a set of quality signals. That article does a good job describing the process we use to assess build quality as it rolls out to customer devices. In the event of an issue, please raise a support request.
7. Windows Autopatch is responsible for patching eligible devices. The eligibility criteria are determined as the things which Autopatch can't fix and those devices will be marked ineligible for the service. Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. We prioritize getting all customers to 95% before working on the last 5% of devices for any customer. After all customers are at 95% we start working on the largest buckets of impacted devices to drive compliance numbers up across all customers.