Microsoft Commercially Releases Windows Autopatch

Microsoft on Monday announced that its new Windows Autopatch service is now commercially available.

With Autopatch, Microsoft takes over the updating of Windows devices. It also handles updates to Microsoft 365 Apps for Enterprise software for organizations.

Windows Autopatch was released back in June as a preview, but now it's at the "general availability" stage, which means that Microsoft deems it ready for production use by organizations. It can be turned on through the Microsoft Endpoint Manager Admin Portal by organizations meeting certain requirements, as described in this Microsoft FAQ document.

Free for Enterprise E3/E5 Licensees

The Autopatch service is free for organizations having "Windows Enterprise E3 and E5 licenses." Under the service, Microsoft carries out the management of Windows 10 and Windows 11 Enterprise edition clients. Professional edition Windows clients are also eligible for Autopatch management, which seems to be new information added to Microsoft's FAQ.

These Windows devices must be either Azure Active Directory joined, or use the "hybrid" approach (Azure AD synced with local Active Directory). There's no Autopatch support for pure domain-joined devices.

Organizations also need licenses for both Azure Active Directory Premium and Microsoft Intune to use the Autopatch service.

Microsoft does not have plans to offer Autopatch to its government subscribers. Autopatch isn't available to academic (A3/A5) subscribers.

Autopatch handles Windows monthly quality patches. It also handles Windows feature updates (new operating system upgrades), as well as drivers cleared for automatic delivery. It doesn't apply the optional driver updates that are designated for manual updating.

Microsoft Takes Control

Autopatch takes control over the triage process for Windows software update rollouts. With this approach, users are allocated into small groups, called "rings," for testing purposes. An update gets tested with these groups before broader distribution.

Organizations using Autopatch must agree to relinquish control over these testing rings, as Microsoft's service creates the test-ring structure and decides on the timing of the software rollouts to them.

With Autopatch, Microsoft also takes over the management of devices using Microsoft Apps for Enterprise, a suite of productivity applications, including the Microsoft Teams collaboration service. The service will put users of Microsoft Apps for Enterprise on the "Monthly Enterprise Channel" update cycle. These updates arrive automatically. There are no testing rings used with the Microsoft Apps for Enterprise updates.

Updates to the Microsoft Edge browser also are controlled by Autopatch, which seems to be new information added to the FAQ by Microsoft. The Autopatch service puts the Edge browser on the Stable update cycle.

"Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates," Microsoft's FAQ stated.

Microsoft appears to have control over updates, generally speaking, with the Autopatch service. However, the FAQ points to this section suggesting that organizations "can pause or resume a Windows quality update" using Microsoft Endpoint Manager.

Nothing was said in Microsoft's announcements, documentation and FAQ about how Autopatch users would handle bad patches that may require manually configured workarounds. Things do go bad with Microsoft's patches, as chronicled by the Patchmanagement.org discussion board, and other venues.

Windows Update for Business Used

Microsoft previously explained during its preview announcement that the Autopatch service uses Windows Update for Business cloud-based policies to manage client devices. Organizations can already freely use Windows Update for Business without being Autopatch users. With Autopatch, though, Microsoft simply takes control.

"Essentially, Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf," Microsoft's announcement explained. "The [Autopatch] service creates testing rings and monitors rollouts-pausing and even rolling back changes where possible."

The announcement hinted that Microsoft could devise the Autopatch service to "meet more use cases and deliver more value" for the organizations that are currently using Windows Update for Business policies and Microsoft's testing rings approach, although the specifics weren't mentioned.

Microsoft did announce specific plans to add Autopatch support for "Windows 365 Cloud PCs," which is Microsoft's term for the virtual machines that get accessed via its Windows 365 desktop-as-a-service offering.

"We'll be covering this enhancement [Windows 365 Autopatch support] in the Windows in the Cloud on July 14th and that special episode will be available on demand on Windows IT Pro YouTube Channel later this month, so be sure to subscribe to the channel for updates," the announcement indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
