Tuesday, April 5, 2022

Get current and stay current with Windows Autopatch

As IT departments are being asked to do more with less, Microsoft is pleased to introduce[1] Windows Autopatch as a feature of Windows Enterprise E3[2], enabling IT pros to do more for less. This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be 'just another Tuesday'. To learn how it all works, read on.

How Autopatch adds value to enterprises

The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end. Business needs change in response to market shifts. Security postures must be hardened as new threats emerge. Innovations in hardware and software enhance usability and productivity. Enterprises must continually respond to stay competitive, enhance protection, and optimize performance.

Managing complexity

Because enterprise IT systems are inherently unique and complex, introducing environment changes – like software updates – into these systems requires time and resources. Because technology is always evolving, the number of new changes to introduce is always growing. The result: gaps. A security gap forms when quality updates that protect against new threats aren't adopted in a timely fashion. A productivity gap forms when feature updates that enhance users' ability to create and collaborate aren't rolled out. As gaps widen, it can require more effort to catch up.

Closing the gaps

Autopatch, by automating the management of updates, can provide a timely response to changes, confidence around introducing new changes, and close the protection and productivity gaps. The value should be felt immediately by IT admins who won't have to plan update rollout and sequencing, and over the long term as increased bandwidth allows them more time to focus on driving value. Quality updates should enhance device performance and reduce help-desk tickets – feature updates should give users an optimal experience, with increased uptime and new tools to create and collaborate.

Under the hood of Autopatch

Windows Autopatch is able to detect the variations among endpoints in an estate and dynamically create four testing rings. These rings are groups of devices that are representative of all the diversity in an enterprise.

[Diagram: relationships among the four testing rings]

While the diagram above is useful for understanding the relationships of testing rings, the chart below illustrates the difference in ring population size. The 'test' ring contains a minimum number of representative devices. The 'first' ring is slightly larger, containing about 1% of all devices under management. The 'fast' ring contains about 9% of endpoints, with the rest assigned to the 'broad' ring.

[Chart: relative population size of the test, first, fast, and broad rings]
The population of these rings is managed automatically, so as devices come and go, the rings maintain their representative samples. Since every organization is unique, though, the ability to move specific devices from one ring to another is retained by enterprise IT admins.

Progressive update deployment

This ability to curate ring populations is important because Autopatch uses a progressive update deployment. Updates are installed in the 'test' ring devices and, after a validation period, they progress to the next ring for a period of testing and so on. As more devices receive updates, Autopatch monitors device performance and compares performance to pre-update metrics as well as metrics from the previous ring where applicable. The result is a rollout cadence that balances speed and efficiency, optimizing productive uptime.

Quality Updates – those that deal with security, firmware, and other 'essential' functionality – are rolled out relatively swiftly.

Feature Updates – those that may involve changes to user interfaces or user experience – are rolled out more slowly. Each ring is afforded 30 days so that users have an opportunity to interact with software and report any issues that can't be detected automatically.

Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate. As Autopatch serves more updates, it only gets better.

Halt, rollback, and selectivity

While issues should arise infrequently due to the above features, Autopatch has three key capabilities to keep users productive. The first is the 'Halt' feature – updates won't move from ring to ring unless targets for stability are met – and updates can be halted by customers, too. The second is the 'Rollback' feature – if devices don't meet performance targets after being updated, the updates can be undone automatically. Third is the 'Selectivity' feature. This allows portions of an update package to be passed on while portions that don't perform to target are halted or rolled back selectively and automatically.

Managing endpoints at scale requires visibility. Autopatch reporting and messaging capabilities are designed to give visibility into update status and device health, and to offer insights into your estate as a whole.

The Autopatch message center will have information about schedules, update status, and details from the Autopatch team. The reporting offers data on update compliance as well as device and application performance.

Autopatch and peace of mind

With its focus on ease, safety, and efficiency, Windows Autopatch is meant to offer peace of mind to IT admins. Our engineers are dedicated to optimizing the update process and shrinking the 'gaps' so that enterprise IT Pros can focus their attention elsewhere. The introduction of Autopatch, along with the App Assure promise, will hopefully allow for new avenues of value creation and inspiration from admins and users alike.

How to get started with Autopatch

Getting started with Windows Autopatch has been designed to be easy once it becomes generally available. Autopatch will require a license for Windows Enterprise E3 or above. From an endpoint management standpoint, the main prerequisite is Intune or co-management – more detailed information will be available closer to the service launch.

The service has a built-in readiness assessment tool that will check relevant settings in Intune, Azure AD, and Microsoft 365 Apps for Enterprise to see that they are configured to work with Autopatch. If any settings turn up as 'not ready', the service has click-through instructions on how to resolve the issues.

Once the assessment comes back 'ready,' enrollment consists of accepting the terms of service and adding your administrative contacts. Policies and groups are defined automatically. You'll get the chance to choose what devices are enrolled or fine-tune your ring membership and then Windows Autopatch will be ready to go.

For a review of more great management features coming to Windows, visit:

We've also published a Windows Autopatch FAQ in anticipation of your questions.

[1] General availability expected July 2022.
[2] Windows Enterprise E3 features are included in Windows Enterprise E5.
