AMA: Windows Autopatch
Event details
Find out how Windows Autopatch is evolving to make Windows and Microsoft 365 update management more secure and more capable. Members of the marketing, product, and customer acceleration engineering teams will be explaining the upcoming enhancements and looking for comments, questions, and feedback.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
- Microsoft_Andrew_R (Microsoft)
The video Lior mentioned is here - and you can use these links to jump to specific topics of interest
00:51 - The Vision for Windows Autopatch
03:30 – Customer Input and the Evolution of Windows Autopatch
06:10 – Autopatch Service Highlights
10:33 - Incident Response
11:55 – The Windows Autopatch App Assure Promise
13:54 - Windows Update for Business and Windows Autopatch
14:55 - Roadmap - Feature Updates
16:15 - Roadmap - Upgrade to Windows 11
17:06 - Roadmap - Microsoft 365 updates
17:45 - Roadmap - Business Groups
19:02 - Roadmap - Azure Virtual Desktops
- RainerP250458 (Iron Contributor)
thx for that, very comprehensive and helpful!
- Drizz_coop (Brass Contributor)
Do you have a list of what products are covered by Autopatch? Can Autopatch take over the patching of other MS products, i.e. Edge, Teams, WebView, like on-prem Config Manager does now?
- Drizz_coop (Brass Contributor)
Make this tool the one-for-all patching tool. I don't want to configure my Edge updates, my 365 updates, etc.
- TylerPlesetz (Microsoft)
Hey Robert. Everything that Autopatch currently covers is listed in our documentation, here. (https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-overview#update-management)
- Microsoft_Andrew_R (Microsoft)
Hi Robert,
The short answer is 'yes' to most of your questions - the FAQ page on Autopatch spells out the scope of updates that Autopatch will be able to manage: Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.
These updates are not all supported in the same manner as Windows Quality Updates currently. For more detail on Microsoft 365 Apps and Teams - this article has a great level of detail:
Microsoft 365 Apps for enterprise - Windows Deployment | Microsoft Learn
As for the other apps you mentioned, we will continue to aggregate customer requests and evaluate whether to expand the scope of the service as it evolves.
- PaulKlerkx (Iron Contributor)
MECM, WSUS, Intune, WuFB, Windows Updates via Group policy, TPU's, Autopatch. What direction is the Microsoft recommended target path? (For all updates including drivers.) For those of us using MECM with WSUS and TPU's currently, what should we be looking to go to? It feels like WSUS is on the way out. What is the 'best' option to allow us to get updates to our users whether on-prem or off but still have enough control that if there is a problem update/driver etc., we can stop that going out and also allow us to push a vulnerability patch out of band quickly? Is there a comparison of all the various options you can do with the positives and negatives?
- David Stowers (Brass Contributor)
I have used the expedited OOB updates in my org during PrintNightmare and it worked beautifully. I have had a considerably smoother experience with WUfB and Intune for keeping things moving smoothly than I ever did with WSUS, primarily because it simplifies the experience and works independent of on-prem resources. We are lean on personnel so anything to make for lighter touch is beneficial. You can also pause and roll back quality updates. I usually just recommend a few days delay before a patch goes out so it's not bleeding edge anyway. The biggest drawback would be you cannot control individual patches, but on the workstation endpoints that's usually not as critical as the server side anyway.
- SoupAtMSFT (Microsoft)
There's a continuum of capabilities in the technologies identified above. If you're looking to move to a more managed/modern approach, then Autopatch may work for you and your org. If you require elevated functionality, desire more fine-grained control, then WUfB may be more appropriate. Many customers have shared that they just don't want to be (as active) in the patch and update business and want to reduce their hardware server infrastructure related to device management. Autopatch is a great service and technology to consider in that case. We continue to listen to customers for where Autopatch and/or Microsoft Managed Desktop can be improved or expanded. We have a roadmap for enhancements and improvements - so stay tuned.
- bdam55 (Iron Contributor)
MEMCM/WSUS: On-prem solutions that give you the most granular control available. With MEMCM you can add a Cloud Management Gateway to manage endpoints anywhere there's internet.
WUfB: An OS feature and now cloud service (WUfB Deployment Service) is an iteration of/improvement to the Windows Update GPOs of years gone by. The Windows OS team is starting to add their own business controls.
Intune: A first party management tool for WUfB.
Autopatch: A managed service built upon WUfB and bespoke Microsoft product update mechanisms (Office, Edge, etc.) to deliver a set of patching configurations that lead to success.
- Rob de Roos (Iron Contributor)
Will you in the future also add firmware updates to the solution (like BIOS or hardware firmware)? These updates are so often forgotten or not up to date and can be absolutely necessary for security or support reasons.
- Waags (Microsoft)
Drivers and firmware that are published to Windows Update as Automatic will be delivered as part of Windows Autopatch. A subset of non-Microsoft device drivers is supported. Drivers and firmware that are published to Windows Update as ‘Automatic’ will be delivered as part of Windows Autopatch. Drivers published as ‘Manual’ will not be supported. These would need to be installed by other means. All drivers for the Microsoft Surface family of devices will be managed by Windows Autopatch.
- SoupAtMSFT (Microsoft)
At present, Windows Autopatch only deploys those updates marked as "Required". We're investigating opportunities around optional updates in collaboration with the Windows Updates for Business team.
- Microsoft_Andrew_R (Microsoft)
Look for the next Windows Autopatch blog to drop by the second week of November – and find all our posts in one place at: Aka.ms/MoreAboutAutopatch
- Ryan Morash (Iron Contributor)
Why is Autopatch not currently available for educational customers (A3 and A5 licenses)? Is there a timeline for it expanding to those licenses?
- Lior_Bela (Microsoft)
Hi Ryan, we are currently working on bringing all the Autopatch capabilities to our Windows E3/5 customers. While we do not have a timeline, we are aware of the strong interest in Autopatch among our Education customers and working on a plan. I will share updates on our blog once available.
- Ryan Morash (Iron Contributor)
It is nearly two years later and there has still not been any update other than as of March it is still not on the roadmap. The US government has been pushing vendors to give schools tools to make their devices secure and I’m surprised Microsoft is not following this directive.
- cvangorp (Copper Contributor)
What about Out of Band updates? Example was this month MS released an update we needed for SSL VPN that fixed our VPN client and I was able to manually upload to our WSUS that superseded the regular Oct update and deployed on our normal schedule.
- EricMoe (Microsoft)
Chris, for expediting updates, Autopatch supports accelerating deployment of updates as described at https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview#expedited-releases. In the event you have an issue with Autopatch managed devices, you can submit a Service Request to have the issue investigated and mitigated.
- JFSanchez987 (Copper Contributor)
Specifically for this SSL/TLS fix update, the KB stated it wouldn't be released through Windows Update for Business, only Microsoft Update Catalog. https://support.microsoft.com/en-us/topic/october-17-2022-kb5020435-os-builds-19042-2132-19043-2132-and-19044-2132-out-of-band-243f34de-2f44-4015-a224-1b68a4132ca5 If it's not being added to WUfB, how could Autopatch handle it?
- CBarnes851 (Brass Contributor)
When using WUfB or Autopatch, will all the systems in my tenant update on the same day if they are included in the same group, or will I need to continue to keep them in different rings/groups?
- Matt_Bailey (Microsoft)
Thanks for the question Christopher. Devices will be offered updates based on the deployment ring they are allocated to. Windows Autopatch will allocate the devices to the deployment rings when the device is registered with the service. You can move devices between deployment rings manually if you want a device to be in a certain ring in order to receive updates earlier or later. More details in our docs here
- SoupAtMSFT (Microsoft)
And a reminder that you'll need to manually assign devices to your TEST ring.
- Jack_Eller (Copper Contributor)
We are currently trialing Autopatch in our environment and are seeing great success. With Windows 10 and 11 22H2 out now we are excited to get that out in our environment but see it is not available to even our test group yet. For future Feature Updates, is there an expected timeline between release and when it makes its way to our Autopatch rings?
- HeyHey16K (Steel Contributor)
Also interested in this
- Andre Della Monica (Microsoft)
Jack Eller - This is a great question. We're moving towards a model where we want to give you the opportunity to control what's the right cadence/speed in which you want to deploy Windows Feature updates in Windows Autopatch. If that maybe it's necessary for your patch management process, and you're okay with what Windows Autopatch sets up by default in its default 4 deployment rings, you can go that route. By default, Windows Autopatch aligns to the deployment cadence represented in this documentation: https://learn.microsoft.com/en-us/windows/release-health/release-information
- David Stowers (Brass Contributor)
Will there be any enhancement to Autopatch for patching third-party software similar to the CM plugins that are available?