Does Windows Autopatch use legacy authentication?
During the enrollment with Windows Autopatch, my block-legacy-authentication conditional access policy is also modified automatically by the service to exclude the service accounts.


Does it mean that Windows Autopatch is using legacy authentication?


I don't think so, hence I need confirmation to undo the modification with confidence.


Many thanks.

3 Replies
When you set up for the first time it does give a prompt that says allow administrator access for Microsoft, where one of the actions includes the following:

Remove Microsoft Administrator accounts from Multifactor authentication & conditional Access policies

So I believe that's why you are seeing this issue.
Yes, I knew the enrollment process will modify my CA policies.
But I think the modification is made without considering POLP (principle of least privilege).
It looks like the process doesn't check the real need, just exclude the service accounts from everywhere.

Microsoft promotes blocking legacy authentication for years.
I don't believe they will create a new service (Windows Autopatch) which is using legacy authentication.

Hence, I need a confirmation to undo the modification (just for the block-legacy-authentication one) with confidence.

best response confirmed by Alber (Contributor)

@Alber Thanks for the question. Yes, in Public Preview the authentication method for Windows Autopatch was traditional User and Password with a randomized password. With General Availability we introduced our 1st Party Enterprise App and no longer use the Service account. We are introducing an option for customers on service account auth to transition to our Enterprise App. Stay tuned; we will get an announcement out when it is available in the MEM Portal.
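Before removing an exclusion that enrollment added, it helps to see exactly which principals are excluded from the block-legacy-authentication policies and whether any of them has actually signed in with a legacy client recently. The script below is an added example and is not code from this thread, from Windows Autopatch or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds Policy.Read.All, Directory.Read.All and AuditLog.Read.All; the client-app strings it treats as modern ("Browser", "Mobile Apps and Desktop clients") are assumed to match what the sign-in log reports, and the 30-day window is an arbitrary choice.

```powershell
# Added example (not from the thread): audit the principals excluded from
# conditional access policies that block legacy authentication, and check
# whether those principals have signed in with a legacy client recently.
# Assumptions: Microsoft.Graph SDK installed; caller has Policy.Read.All,
# Directory.Read.All and AuditLog.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

# Client app types that represent legacy authentication in a CA policy.
$legacyClientTypes = @('exchangeActiveSync', 'other')

# Modern client-app strings as reported in sign-in logs (assumed values).
$modernClientApps = @('Browser', 'Mobile Apps and Desktop clients')

# Look-back window for sign-in evidence (arbitrary choice).
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# A "block legacy authentication" policy targets legacy client app types and grants "block".
$legacyBlockPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    ($_.GrantControls.BuiltInControls -contains 'block') -and
    (@($_.Conditions.ClientAppTypes | Where-Object { $legacyClientTypes -contains $_ }).Count -gt 0)
}

foreach ($policy in $legacyBlockPolicies) {
    Write-Host "Policy: $($policy.DisplayName) [$($policy.State)]"

    foreach ($userId in $policy.Conditions.Users.ExcludeUsers) {
        # Service accounts created by enrollment are ordinary user objects, so resolve them as users.
        $user = Get-MgUser -UserId $userId -Property 'Id', 'UserPrincipalName', 'CreatedDateTime' -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Host "  excluded user $userId (not found, possibly deleted)"
            continue
        }

        # Any recent sign-in from a non-modern client by an excluded principal is the
        # evidence that the exclusion is actually being relied upon.
        $signIns = Get-MgAuditLogSignIn -All -Filter "userId eq '$userId' and createdDateTime ge $since"
        $legacySignIns = @($signIns | Where-Object { $modernClientApps -notcontains $_.ClientAppUsed })

        Write-Host ("  excluded user {0} (created {1}): {2} legacy-client sign-in(s) since {3}" -f
            $user.UserPrincipalName, $user.CreatedDateTime, $legacySignIns.Count, $since)
        foreach ($entry in $legacySignIns | Select-Object -First 5) {
            Write-Host ("    {0}  {1}  {2}" -f $entry.CreatedDateTime, $entry.ClientAppUsed, $entry.AppDisplayName)
        }
    }

    foreach ($groupId in $policy.Conditions.Users.ExcludeGroups) {
        $group = Get-MgGroup -GroupId $groupId -ErrorAction SilentlyContinue
        $label = if ($group) { $group.DisplayName } else { "$groupId (not found)" }
        Write-Host "  excluded group $label"
    }
}
```

An excluded account with zero legacy-client sign-ins over the window is a candidate for removing the exclusion; an excluded account that does show legacy sign-ins is the one to investigate before changing the policy, since removing its exclusion will block those sign-ins. Re-run the script after the change to confirm nothing unexpected was relying on the exclusion.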