Windows Autopatch, How it Works

Mechanics Team
10 min read, Sep 20, 2022


Automate updates to Windows PCs and devices

Go inside our new cloud service with ring-based deployment built in for automated software update management across Windows, Microsoft Edge, and your Office and Microsoft 365 apps, including Teams. Windows Autopatch will also add support for Windows 11 upgrades. If you’re using our premium subscription services, it may be available to you at no additional cost.

Jeremy Chapman, Microsoft 365 Director, reverse engineers the Windows Autopatch service to show how it works (within Intune and Azure Active Directory), how to get it running, and the time-saving configurations it makes on your behalf.

Automate software updates and policies to your Windows PCs and devices.

Automation capabilities save time on updates across Windows, Microsoft 365 Apps, and Edge. See how to get it running.

Deliver updates in batches.

Catch issues before your rollout goes broad. See how sequenced rollouts work with Windows Autopatch.

Use Windows Autopatch for more than Windows.

Work smarter, not harder. See how to configure policies for Office and Microsoft 365 apps.

Watch our video here.

QUICK LINKS:

00:00 — Introduction

02:11 — Enable Windows Autopatch

02:58 — Register devices

05:47 — How sequenced rollouts work

08:19 — Behind broad ring policy

09:42 — Office and Microsoft 365 app updates

10:13 — Wrap up

Link References:

Get started at https://aka.ms/WindowsAutopatch

Watch our Windows Management series at https://aka.ms/ManagementMechanics

Check out our previous show on Windows update policies at https://aka.ms/WUfBMechanics

See options for Microsoft 365 App updates at https://aka.ms/OfficeUpdateMechanics

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.


Video Transcript:

-Coming up, we’ll take an inside look at Windows Autopatch, a new cloud service that has best practice, ring-based deployment built-in for the automation of software update management for Windows, Microsoft Edge and your Office and Microsoft 365 apps, including Teams. Importantly, I’ll also show you how in the future, it will automate and streamline your upgrades to Windows 11. And best of all, if you’re using our premium subscription services, there’s a good chance it’s available to you at no additional cost.

-Now, if you’ve been following our series on Windows Management, aka.ms/ManagementMechanics, you’ll know that we’ve published a number of shows to help you find available cloud-based enterprise controls for Windows and Office patch management, and how to configure them yourself, whether that’s using update rings and policies to deploy quality and feature updates for Windows, or how you use servicing profiles for monthly enterprise channel update delivery with Office.

-Now, while the tools and options with Intune and Microsoft 365 Apps admin center give you a lot of control, building the policies and monitoring them can add up to a lot of manual effort. And there’s probably a baseline level of experience that you need before you feel good about your implementation. So instead of doing all the work yourself, Windows Autopatch is designed to address this by providing an automated service that saves you time and effort and incorporates our experience across thousands of customers. It configures the Windows Update policies and Office Monthly Enterprise Channel policies that are required to deliver software updates, and as mentioned, coming soon will also work for upgrades to Windows 11. And it also uses configured rollout sequences or rings to deliver updates in batches over time so that you can catch issues before your rollout changes broadly. And here’s where a big part of the pain of manual effort goes away.

-So for each update, the service also monitors update compliance for devices that you specify. And importantly, it can also automatically take necessary actions like pausing or rolling back quality updates if issues are detected. And enabling Windows Autopatch is easy. You just need to have an active Microsoft 365 or Windows Enterprise E3 or higher tenant. Your Windows devices also need to be running Windows 10 or Windows 11. You’ll do this in the Endpoint Manager admin center in tenant administration and under Windows Autopatch tenant enrollment. Then you just need to approve the terms of service and confirm. Now, to enroll to the service, you’ll need to allow administrator access for Microsoft and grant permission for the Windows Autopatch service itself. Then once you agree, you’re prompted to enter a few basic details so that the Autopatch operations team at Microsoft can work with you. Now hitting complete then triggers Windows Autopatch setup for you. And that just takes a moment.

-And then from there, the next step is to register your devices to Autopatch. Note that you’ll need to already have enrolled your devices with Intune for this step to work. Then, to add them as registered devices for Windows Autopatch, you’ll do that in Azure Active Directory by assigning devices as members in the right security group. By default, the Windows Autopatch service will set up a security group in your tenant that’s called Windows Autopatch Device Registration. Then, to scope devices for the Windows Autopatch service, you just need to add members to that security group. Before I do that though, notice that in addition to that group, there are a number of other groups that begin with the Modern Workplace prefix, which were also created by the service. And those are used by Autopatch to scope devices for different types of rollouts and operations. And I’ll explain more on that in a moment.

-So going back to our main Windows Autopatch Device Registration security group, let me highlight a few more things. Importantly, you have control over which devices and how many devices you enroll into the service. And to automate device registration, in the group’s properties, using membership type, you can also make this a dynamic group so that new managed devices are automatically enrolled in Windows Autopatch in the future. For now, I’m going to keep this as assigned to do this manually. And in the group’s members page, I’m going to add a couple of members. So this one here for Adele. Then, I’m going to search for Miriam’s device. There it is, now I’ll add it. Okay. And once you’ve assigned members to the device registration group in Azure AD, you can go back to the Windows Autopatch enrollment page and kick off the device discovery process.

-Now, depending on the number of devices that you have, the process can run for up to an hour. So we sped things up a bit here. And once it’s done, you can see that it’s found our two devices and the service is ready to manage updates for Windows, Office, and the Edge browser on them. Now, at this point we’re actually finished, and Windows Autopatch is running on our registered devices. But since this is Mechanics, let me show you the level of manual effort that you save using Windows Autopatch. So behind the scenes, it’s configuring all the things that you would’ve had to set up yourself using Intune, device policies, plus Azure AD groups. I’m here in devices under Windows, and I have the update rings policy view open. And here, you’ll find that Windows Autopatch has created four policies on my behalf.

-Now, each of these represents a ring for how updates will be deployed, and devices are automatically assigned to each policy grouping with the exception of the test group. Now, the quality deferral column really tells the story. Remember from our last show, the deferral here really represents the number of days that updates will wait until being applied to a device. Next, let me explain how sequenced rollouts work using Windows Autopatch. You can manually define devices that go into the test ring group, and these will get updates immediately with zero deferral days. Then by default, the first ring is assigned to just 1% of devices and has one day of deferral. Fast gets assigned to 9% of devices and waits six days, and broad will go to 90% of devices and waits nine days for quality updates. So there’s a level of flexibility here as well: even though the service assigns devices to specific groups, you can, for example, move a device from the first or fast ring group to the broad ring or vice versa.

-And to show you what’s in the policy itself, I’m going to open up this one for broad and go into its properties and highlight what’s been configured by the service. So you can see this policy allows updates to other Microsoft products like Edge, Office, as well as drivers from the Windows Update service. And there’s our nine-day deferral for quality updates. And you’ll also see that feature updates have a zero day deferral period. And that doesn’t mean that feature updates will be applied after zero days of availability because the feature update policies that I’ll show next will actually determine the start dates in this case.

-Now, continuing on in our policy, you’ll see that reset to default update behavior has been put in place so that Windows can automatically determine the best hours for that particular device to apply its updates so as not to disrupt the user during their active hours. And pausing updates is disabled. Deadlines, then: the days for each update type and the grace period have been set to five and two days, respectively, and auto reboot before deadline, which allows the cumulative update process to complete on each device, has been set to yes. Finally, in assignments, you can see that the corresponding Modern Workplace Devices Windows Autopatch broad group has been assigned. And this is the same for all other policy rings and their corresponding security groups.

-Now, going back to our feature update deferral day settings, feature update timing, as mentioned, is really controlled by what’s configured in feature update policies and Autopatch creates those for you too. So here, you can see that we have the same four groups represented as with our ring policies for test, first, fast, and broad, along with the Windows 11 policy. So I’m going to take a look at the broad policy for Windows 10 and see what’s behind it. So in this case, only the machines in the corresponding broad security group, which are also assessed as ready, will receive the feature update.

-Now, to simulate roughly what happens with feature updates in the future, and how that zero day deferral setting will work in this case, I’m going to use a new policy and I’m going to set the rollout option to make the update available gradually. I’ll set the first group availability, or what’s effectively its start date, to override the zero deferral day setting that we saw in the broad update ring policy from before. I’m going to set this to run in February 2023 with seven days in between groups.

-Remember from our last show that for feature updates, if there are policy mismatches between the deferral days in the ring policy and the availability dates in the feature update policy, the date that’s furthest out will win. Now, to round out the Windows policy options, at this point, there are no quality update policies configured here, and that’s actually a good thing. Remember, quality update policies are meant to be used like break-glass policies to occasionally expedite the delivery of critical security fixes. And for more background on how all of these Windows update policies work and what each option does, check out our previous show at aka.ms/WUfBMechanics.

-Now, let’s switch gears for a sec and move on to Office and the Microsoft 365 App updates and what Windows Autopatch configures for those. So here, the service configures a policy on your behalf for registered devices, which uses the monthly enterprise channel to apply updates automatically on a predictable once per month schedule. To find out more about Microsoft 365 App updates and your options, check out our previous show at aka.ms/OfficeUpdateMechanics.

-So that was a quick overview of the Windows Autopatch service, how to get it running and all the configurations it makes for you on your behalf to save you time across Windows, Microsoft 365 Apps and Edge to meet its high service level objectives. And we’re continually evolving the service based on your feedback. In fact, soon you’ll see even more capabilities light up for 2022 feature updates, additional grouping options within deployment rings, and more, so keep the feedback coming. And to learn more and to get started, check out aka.ms/WindowsAutopatch, and start registering your devices for the service today. Now, of course, keep checking back to Microsoft Mechanics for all the latest updates. Be sure to subscribe if you haven’t already. And as always, thanks for watching.
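Added example, not from the show and not part of Microsoft’s own Autopatch tooling: the steps above (add devices to the registration group in Azure AD, then inspect the update ring policies the service created) can be scripted with the Microsoft Graph PowerShell SDK, which is useful both for onboarding at scale and for a periodic drift check that the ring settings still match the defaults described in the show (quality deferral Test 0 / First 1 / Fast 6 / Broad 9 days, 5-day deadlines, 2-day grace period, pause disabled, other Microsoft products and drivers allowed). Assumptions to verify in your own tenant: the registration group is named "Windows Autopatch Device Registration", the Autopatch-created ring policies have "Modern Workplace" in their display name, and the two device names are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example for the Autopatch registration and ring audit steps described above.
# Placeholders/assumptions: group and policy names, device names, and expected values.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','GroupMember.ReadWrite.All',
                        'Device.Read.All','DeviceManagementConfiguration.Read.All'

$RegistrationGroupName = 'Windows Autopatch Device Registration'   # assumed default name
$DevicesToRegister     = @('ADELEV-PC', 'MIRIAMG-PC')                # placeholder device names

# --- 1. Register devices: add their Azure AD device objects to the registration group ---
$groupUri = "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$RegistrationGroupName'"
$group = (Invoke-MgGraphRequest -Method GET -Uri $groupUri).value | Select-Object -First 1
if (-not $group) { throw "Group '$RegistrationGroupName' not found. Has Autopatch tenant enrollment completed?" }

foreach ($name in $DevicesToRegister) {
    $devUri = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$name'"
    $device = (Invoke-MgGraphRequest -Method GET -Uri $devUri).value | Select-Object -First 1
    if (-not $device) { Write-Warning "Device '$name' not found in Azure AD (is it Intune-enrolled?)"; continue }

    $body = @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($device.id)" }
    try {
        Invoke-MgGraphRequest -Method POST -Body $body `
            -Uri "https://graph.microsoft.com/v1.0/groups/$($group.id)/members/`$ref" | Out-Null
        Write-Host "Added '$name' to '$RegistrationGroupName'"
    } catch {
        # Graph answers 400 "... already exist ..." for an existing member; treat the add as idempotent.
        if ($_.Exception.Message -match 'already exist') { Write-Host "'$name' is already a member" } else { throw }
    }
}

# --- 2. Audit the update ring policies Autopatch created ---------------------------------
# Expected quality-update deferral per ring, taken from the show; matched by word in the policy name.
$ExpectedQualityDeferral = @{ Test = 0; First = 1; Fast = 6; Broad = 9 }

$rings  = @()
$cfgUri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $cfgUri
    $rings += $page.value | Where-Object {
        $_.'@odata.type' -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' -and
        $_.displayName -like '*Modern Workplace*'          # assumed naming of Autopatch policies
    }
    $cfgUri = $page.'@odata.nextLink'                       # follow paging until exhausted
} while ($cfgUri)

$report = foreach ($ring in $rings) {
    $ringName = $ExpectedQualityDeferral.Keys | Where-Object { $ring.displayName -match "\b$_\b" } | Select-Object -First 1
    $drift = New-Object System.Collections.Generic.List[string]

    if ($ringName -and $ring.qualityUpdatesDeferralPeriodInDays -ne $ExpectedQualityDeferral[$ringName]) {
        $drift.Add("quality deferral $($ring.qualityUpdatesDeferralPeriodInDays) != $($ExpectedQualityDeferral[$ringName])")
    }
    if ($ring.deadlineForQualityUpdatesInDays -ne 5) { $drift.Add("quality deadline $($ring.deadlineForQualityUpdatesInDays) != 5") }
    if ($ring.deadlineForFeatureUpdatesInDays -ne 5) { $drift.Add("feature deadline $($ring.deadlineForFeatureUpdatesInDays) != 5") }
    if ($ring.deadlineGracePeriodInDays       -ne 2) { $drift.Add("grace period $($ring.deadlineGracePeriodInDays) != 2") }
    if ($ring.userPauseAccess -ne 'disabled')        { $drift.Add('user pause is not disabled') }
    if (-not $ring.microsoftUpdateServiceAllowed)    { $drift.Add('other Microsoft products (Office/Edge) not allowed') }
    if ($ring.driversExcluded)                       { $drift.Add('drivers excluded') }
    # Intune UI "Auto reboot before deadline: Yes" maps to postponeRebootUntilAfterDeadline = false
    if ($ring.postponeRebootUntilAfterDeadline)      { $drift.Add('reboot postponed until after deadline') }

    [pscustomobject]@{
        Policy          = $ring.displayName
        Ring            = if ($ringName) { $ringName } else { '?' }
        QualityDeferral = $ring.qualityUpdatesDeferralPeriodInDays
        FeatureDeferral = $ring.featureUpdatesDeferralPeriodInDays
        Drift           = if ($drift.Count) { $drift -join '; ' } else { 'none' }
    }
}

$report | Sort-Object QualityDeferral | Format-Table -AutoSize
if ($report.Drift -ne 'none') { Write-Warning 'One or more Autopatch rings differ from the documented defaults.' }
```

The audit deliberately reads the policies rather than editing them: Autopatch owns these objects and overwrites manual changes, so the useful control is detecting drift (or an unexpected extra policy with the same prefix) and raising it with the Autopatch operations team, not reconciling it yourself. The same loop can be pointed at the feature update policies (`/beta/deviceManagement/windowsFeatureUpdateProfiles`) if you also want to confirm the gradual-rollout start dates discussed above.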
