What's new in Windows Autopatch: September 2022
Published Sep 07 2022 11:37 AM
Microsoft

Today we're sharing details on the new app-only authentication method and the end of service account creation. We'll also take a deep dive into the device registration process, including some new capabilities to help resolve device issues, and touch on new reporting availability. For those hoping to get an update on when Windows Autopatch might be available for Education and Government customers, know that there's work in progress in that area, but nothing more we can share at this time. Stay tuned!

Windows Autopatch today

When we introduced Windows Autopatch back in April, we had a feeling that the service might catch on. Gartner's recently released "Magic Quadrant" on the Unified Endpoint Management market shows that patching is a frequently cited source of difficulty for corporate IT managers, especially for remote and hybrid employees. Our own experience managing updates drove our design of the service, and our north star has been to make the process of updating Windows and Microsoft 365 software easier for enterprise IT pros. And thanks to the incredible comments, questions, and requests we've received from users, we're happy to announce some updates to the service.

We will continue to use this blog to provide regular updates on all things Windows Autopatch, but for the most current news, and to ask questions and make recommendations IT pro to IT pro, we invite you to be a part of our Windows Autopatch Community. Some of the updates in today's post are a direct result of the feedback we get from Autopatch users, so please keep sending us your feedback. And later this month, we will launch our new video series for IT pros, Behind the Screens, where our product engineers demonstrate and discuss Autopatch features in the time it would take for a decent coffee break.

Application-only authentication

One significant update we've made to Autopatch in response to your feedback is a change in the way the service interacts with your tenant.

We're pleased to announce that as of August 18, 2022, Autopatch authenticates to your tenant as an application, using certificate-based authentication on our first-party application "Modern Workplace Management", rather than signing in with service accounts.

This is a significant improvement to the security posture of the Autopatch service: a certificate credential on a first-party app replaces password-bearing accounts in your directory, which removes much of the complex back-end workload of rotating those passwords across customer environments. It also streamlined the tenant enrollment process, with a 50% reduction in prerequisites. For those keeping score, the update removed three service accounts, four groups, and one Conditional Access policy. For all the details, see Changes made at tenant enrollment.

The improvement in security extends to the new core service permissions, which follow a least-access approach and limit the scope of what the service can touch. Configurations previously made using CSPs have been moved to the settings catalog, so the settings the service applies are visible in the same place as your own.

Screenshot: the new core service permissions.

In short, if you previously avoided piloting Windows Autopatch because of Conditional Access concerns, we invite you to try again.

If you enrolled your tenant in Autopatch prior to August 17, 2022, you'll get instructions soon on how to remove the service accounts previously created.
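Because app-only authentication grants application permissions (app roles) to a service principal rather than rights to a user account, the quickest way to verify the "least-access" claim in your own tenant is to read back what that service principal has actually been granted. The following is an added example, not Microsoft's code or the Autopatch service's own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed and that the enterprise application appears in your tenant under the display name shown in this post; the scope it requests is the minimum needed to read service principals and their app role assignments.

```powershell
# Added example (not Microsoft's code): list the application permissions granted
# in this tenant to a service principal, looked up by display name, and resolve
# each appRoleId to the permission name published by the resource API.
# Assumption: the Autopatch app is visible as "Modern Workplace Management".
function Get-ServicePrincipalAppRoleGrant {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $DisplayName)

    # Double any single quote so the OData filter stays well-formed.
    $escaped = $DisplayName.Replace("'", "''")
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$escaped'" | Select-Object -First 1
    if (-not $sp) { throw "No service principal named '$DisplayName' exists in this tenant." }

    # Cache resource service principals (e.g. Microsoft Graph) so each is fetched once.
    $resourceCache = @{}
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        if (-not $resourceCache.ContainsKey($_.ResourceId)) {
            $resourceCache[$_.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        }
        $resource = $resourceCache[$_.ResourceId]
        # The human-readable permission lives in the resource's published appRoles.
        $role = $resource.AppRoles | Where-Object Id -eq $_.AppRoleId
        [pscustomobject]@{
            Application = $sp.DisplayName
            AppId       = $sp.AppId
            Resource    = $resource.DisplayName
            Permission  = $role.Value
            Description = $role.Description
        }
    }
}

# Application.Read.All is sufficient to read service principals and their app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All'
Get-ServicePrincipalAppRoleGrant -DisplayName 'Modern Workplace Management' |
    Sort-Object Resource, Permission |
    Format-Table Resource, Permission, Description -AutoSize
```

This lists application permissions only, which is what app-only (certificate) authentication uses; delegated permissions are recorded separately as OAuth2 permission grants and would not appear here. Compare the output with the permissions screenshot above, and treat any grant you cannot account for as something to raise with support before you pilot further.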

Post-registration device readiness checks in Windows Autopatch

The process of registering devices with Windows Autopatch was designed to be simple. We cover it in a video in this blog post in about two minutes, but we heard that you'd like us to go a little deeper on the device registration process. Done! We reached out to Senior Product Manager Andre Della Monica for the following in-depth explanation.

We heard that making sure devices remain healthy and eligible to receive updates—and reporting on the status of those devices—was time-consuming (and expensive). With this update to the device registration flow, IT admins can easily detect and take action to remediate configuration mismatches or other issues in their environments that prevent devices from receiving software updates from Windows Autopatch.

Before the most recent update, devices that were not successfully registered with Windows Autopatch showed up in the "Not ready" tab. The Autopatch device readiness check has two components, though: a prerequisite check and a post-registration check. The prerequisite check is powered by the Intune Graph API. It verifies whether the device is corporate owned, which OS version it runs, whether it is cloud-managed, and when it last checked in with Intune.

With this new 2208 release, devices that don't meet these prerequisites, and therefore won't be registered with Windows Autopatch, are displayed in a new tab: "Not registered".
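To see why a device would end up in "Not registered" before the daily check runs, you can evaluate the same four prerequisites yourself against the Intune managedDevice records that the Graph API returns. The following is an added example, not Microsoft's code and not the service's actual evaluation logic. The property names are the real Graph managedDevice properties (managedDeviceOwnerType, osVersion, managementAgent, lastSyncDateTime); the minimum OS build, the check-in window, and which management agents count as "cloud-managed" are assumptions made for illustration, since this post does not state the thresholds, and are exposed as parameters so you can set them to the documented values.

```powershell
# Added example (not Microsoft's code): re-create the prerequisite checks named
# above over Intune managedDevice records and report the reason for each failure.
# Assumed thresholds (not stated on the page): Windows 10 1809 minimum build,
# 28-day check-in window, and Intune or co-managed agents count as cloud-managed.
function Test-AutopatchPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Device,
        [version]  $MinimumOsVersion   = [version]'10.0.17763.0',   # assumed
        [int]      $MaxDaysSinceCheckIn = 28,                        # assumed
        [string[]] $CloudManagedAgents = @('mdm', 'configurationManagerClientMdm', 'configurationManagerClientMdmEas')  # assumed
    )
    begin { $cutoff = (Get-Date).ToUniversalTime().AddDays(-$MaxDaysSinceCheckIn) }
    process {
        $d = $Device
        $reasons = [System.Collections.Generic.List[string]]::new()

        # 1. Corporate owned: Graph reports 'company' or 'personal'.
        if ($d.managedDeviceOwnerType -ne 'company') {
            $reasons.Add("ownership is '$($d.managedDeviceOwnerType)', not corporate")
        }
        # 2. OS version: parse the build string and compare as a version, not as text.
        $os = $null
        if (-not [version]::TryParse([string]$d.osVersion, [ref]$os) -or $os -lt $MinimumOsVersion) {
            $reasons.Add("OS version '$($d.osVersion)' is below $MinimumOsVersion")
        }
        # 3. Cloud-managed: a device known only to ConfigMgr or EAS does not qualify.
        if ($d.managementAgent -notin $CloudManagedAgents) {
            $reasons.Add("management agent '$($d.managementAgent)' is not cloud-managed")
        }
        # 4. Recent Intune check-in: normalise to UTC before comparing.
        if (-not $d.lastSyncDateTime) {
            $reasons.Add('device has never checked in with Intune')
        } else {
            $lastSync = ([datetime]$d.lastSyncDateTime).ToUniversalTime()
            if ($lastSync -lt $cutoff) {
                $reasons.Add("last Intune check-in $($lastSync.ToString('u')) is older than $MaxDaysSinceCheckIn days")
            }
        }
        [pscustomobject]@{
            DeviceName = $d.deviceName
            Eligible   = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample records using the property names Graph returns (not real devices).
$sample = @(
    [pscustomobject]@{ deviceName = 'WS-001'; managedDeviceOwnerType = 'company';  osVersion = '10.0.19044.1889'; managementAgent = 'mdm';                        lastSyncDateTime = (Get-Date).AddDays(-2).ToString('o') }
    [pscustomobject]@{ deviceName = 'WS-002'; managedDeviceOwnerType = 'personal'; osVersion = '10.0.19044.1889'; managementAgent = 'mdm';                        lastSyncDateTime = (Get-Date).AddDays(-40).ToString('o') }
    [pscustomobject]@{ deviceName = 'WS-003'; managedDeviceOwnerType = 'company';  osVersion = '10.0.17134.2208'; managementAgent = 'configurationManagerClient'; lastSyncDateTime = (Get-Date).AddDays(-1).ToString('o') }
)
$sample | Test-AutopatchPrerequisite | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph SDK; read-only scope):
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
#   Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All |
#       Test-AutopatchPrerequisite | Where-Object { -not $_.Eligible }
```

With the constructed sample, WS-001 passes, WS-002 fails on ownership and on a 40-day-old check-in, and WS-003 fails on an old build and on a ConfigMgr-only agent. The live query at the end is read-only and returns the same property names, so the function can be piped directly from it.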

Screenshot: the Devices blade of the Windows Autopatch section in Endpoint Manager, with the new "Not registered" tab.

The post-registration device readiness checks are powered by the Microsoft Cloud Managed Desktop extension and verify whether devices have conflicting Windows Update policies managed via Group Policy or via Microsoft Intune (plus seven more checks). Devices that don't pass these checks are displayed under the "Not ready" tab.

The service automatically runs these checks once a day, so it may take up to 24 hours for devices to appear in the "Ready" tab after you have taken steps to remedy any issues.

On that note, we've revamped the support features inside the readiness checks, so when devices end up in the "Not registered" or "Not ready" tab, you'll be able to click on a device entry and get specific solution steps right in the Devices blade.
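Since the checks only run once a day, it helps to be able to look at the one post-registration condition this post names, conflicting Windows Update policy, on the device itself while you are fixing it. The following is an added example, not Microsoft's code and not the logic of the Cloud Managed Desktop extension. It reads the two registry locations where Windows Update policy lands on a Windows device: the Group Policy hive under SOFTWARE\Policies and the MDM policy store under PolicyManager. Treating any Group Policy Windows Update value as a conflict candidate, and a setting present in both stores as a definite one, is this example's heuristic, not the service's verdict.

```powershell
# Added example (not Microsoft's code): enumerate Windows Update policy values set
# by Group Policy and by MDM on the local device and flag likely conflicts.
# Windows only; reading HKLM policy keys does not require elevation.
function Get-WindowsUpdatePolicySource {
    $locations = @(
        @{ Source = 'GroupPolicy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' }
        @{ Source = 'GroupPolicy'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' }
        @{ Source = 'MDM';         Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' }
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path -Path $loc.Path)) { continue }
        $key = Get-Item -Path $loc.Path
        foreach ($name in $key.GetValueNames()) {
            # PolicyManager keeps bookkeeping values beside each setting; skip them.
            if ($name -like '*_ProviderSet' -or $name -like '*_WinningProvider') { continue }
            [pscustomobject]@{
                Source = $loc.Source
                Path   = $loc.Path
                Name   = $name
                Value  = $key.GetValue($name)
            }
        }
    }
}

function Test-WindowsUpdatePolicyConflict {
    param([object[]] $Policy = @(Get-WindowsUpdatePolicySource))
    $gp  = @($Policy | Where-Object Source -eq 'GroupPolicy')
    $mdm = @($Policy | Where-Object Source -eq 'MDM')
    # Heuristic: the same setting name in both stores is the clearest conflict;
    # any Group Policy Windows Update value is worth a look, because Autopatch
    # delivers its update configuration through Intune.
    $overlap = @($gp.Name | Where-Object { $_ -in $mdm.Name } | Sort-Object -Unique)
    [pscustomobject]@{
        GroupPolicyValues = $gp.Count
        MdmValues         = $mdm.Count
        OverlappingNames  = ($overlap -join ', ')
        Conflict          = ($gp.Count -gt 0)
    }
}

Get-WindowsUpdatePolicySource | Format-Table Source, Name, Value -AutoSize
Test-WindowsUpdatePolicyConflict
```

A device that shows GroupPolicyValues greater than zero is the one to unlink from the offending GPO (or to move to a WMI filter or security group that excludes Autopatch devices); re-run the script after a gpupdate and an Intune sync to confirm the Group Policy store is empty before waiting on the next daily readiness pass.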

For a more technical review of the prerequisites and post-registration checks, see the device registration overview, and look for a video to hit the Windows IT Pro YouTube channel in the coming weeks.

Reporting is live!

Reporting on quality updates helps IT admins with security and compliance, and we recently rolled out the ability to generate reports on enrolled devices. This video sums up the process in a minute, but if you're really in a hurry, just select "Windows Quality Updates" from the Windows Autopatch blade of the "Reports" screen in Endpoint Manager, as shown here:

Screenshot: the Microsoft Endpoint Manager interface showing the Windows Quality Update report options for Windows Autopatch.

What's next for Windows Autopatch

With the upcoming Microsoft Ignite event, Windows Autopatch will get some more attention, and maybe an exciting announcement or two. You'll have to join the event to see. Before then, a special Windows Autopatch edition of Microsoft Mechanics will drop in late September, so make sure to subscribe to their YouTube channel.

Feature-wise, we can't share everything that's coming, but thanks to input from people and organizations like you, we'll be rolling out a self-serve de-registration process and a new Tenant Management blade in the near future, with more updates on the way.

Go Behind the Screens

Subscribe to the Windows IT Pro YouTube channel so you don't miss our new Behind the Screens video series: snackable conversations with software engineers and other insiders about what's new and what's in development.


For even more Autopatch, join the Windows Autopatch community, bookmark and read the Windows Autopatch blog posts, and find Autopatch “Demo Bytes” videos.

