A New Tool to Patch Your Systems

For most of us, there’s a tension between what we should do and what we actually do. Many of us have had the experience of being told we should change our habits in some way: “eat more vegetables” or “eat less sugar” are two common examples. This doesn’t just apply to our personal habits, of course. Security experts are full of recommendations that are sometimes observed and sometimes ignored. We see the evidence in the wave of attacks that exploit known vulnerabilities in operating systems, firmware, and applications; the fact that vulnerabilities in Windows XP and Windows 7 are still commonly being exploited is proof enough.

If you ask people why they don’t patch their systems, there are lots of answers you might hear. One is “it’s too complicated.” This is often true; there’s a lot of overhead required to coordinate and track patches for large estates of devices, across multiple streams of patches, in a way that gets the right patches in the right place. Microsoft, Dell, Quest, and other large vendors have introduced paid solutions that are supposed to make this better. Now Microsoft has entered this space again with a new mechanism called Windows Autopatch that combines patch delivery for Windows 10/11 and the Windows versions of Microsoft 365 apps, Microsoft Edge, and Teams. All of these targets have their own patch delivery mechanisms, of course, but Autopatch seeks to combine them into a single system that is (supposed to be) more flexible and powerful than letting each component apply its own individual stream of patches.

What Autopatch Covers

Autopatch can manage and install patching for Windows quality (that is, “bug fix and security”) updates, Windows feature updates, Office app updates, Edge, and Teams. The simplest way to think of what Autopatch does is that it targets getting a set percentage of devices to be compliant with an update source. The Microsoft documentation outlines the targets (which it calls “management areas”):

  • Windows quality updates: 95% of eligible devices updated to the latest “Patch Tuesday” update within 21 days of release. In other words, when Microsoft releases a Patch Tuesday update (always on the 2nd Tuesday of the month), the goal is to ensure that 95% of eligible devices get that update within 21 days of its release, which will often be before the next Patch Tuesday.
  • Windows feature updates: 99% of eligible devices on the required version of Windows receive feature updates.
  • Microsoft 365 apps: 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). MEC updates are released on Patch Tuesday too.
  • Edge updates and Teams updates work differently; there’s no percentage target or time target specified. In short, Microsoft wants all Edge and Teams devices to get the latest updates as quickly as possible. For Edge, all devices running Edge will get the Stable Channel updates for Edge; quality updates are released roughly weekly and feature updates are released every four weeks. Teams updates come from the standard Teams auto-update channel, which normally releases monthly for all users.
  • You can also use Autopatch to deliver updates for Windows drivers and firmware.

For each management area, eligible devices are marked as either “healthy” or “unhealthy”. A healthy device is one that meets all the requirements to get updates for a specific management area; for example, to be marked as healthy for Microsoft 365 app updates, the device must be powered on, have access to the network endpoints for the Office Content Delivery Network, and have checked in with Intune within the last five days.

Autopatch Prerequisites

In the previous paragraph, I mentioned Intune. That’s not accidental. Autopatch is really a layer that sits on top of multiple services. Intune and Windows Update for Business work together to actually deliver the updates, according to policies that are created and managed by Autopatch. Don’t think of Autopatch as a separate management tool; it’s more of an interface layer to automate using those other layers to deliver patches.

That, of course, means that you need Intune. You have to enroll your devices in Intune before they can be used with Autopatch. Autopatch only supports corporate-managed devices (so no BYOD). The users who use those devices must have Windows 10 or Windows 11 Enterprise E3 (or higher) or F3, meaning you can’t use Autopatch with OEM licenses of Windows. In general, I tend to think of Autopatch as requiring Microsoft 365 E3 or E5, although there are some additional service plans that still allow you to use it. In addition to these licenses, the users whose devices you want to apply Autopatch to must have an Intune license and Entra ID P1 or P2. For that reason, although you don’t have to purchase Autopatch as an additional service, it’s definitely not “free” and may in fact be more costly than a third-party patch management solution.

Autopatch Onboarding

You can’t just push a button and start using Autopatch. First, you must run an assessment tool from the Intune admin center (Windows Autopatch > Tenant enrollment) that will check to ensure that your Intune and Entra ID settings are configured properly. If the tool finds anything wrong, you’ll have to fix the problems before proceeding. Once the enrollment tool gives you a clean report, you can enroll your tenant. This enrollment process makes several changes, including adding an Entra ID enterprise application for Autopatch, creating groups to assign role-based permissions to users, and creating new device configuration policies in Intune. The most important change is that Autopatch enrollment will create a big set of policies that control how Windows features, Windows quality, and Microsoft 365 Apps updates are applied. You shouldn’t change these policies once they’re created.

After your enrollment has completed, the next step is to create admin contacts that Microsoft can use when support tickets are filed. This may seem like an odd requirement, but since users and administrators can submit support requests to Microsoft through Intune, Microsoft naturally wants to know who in your organization should be included in the service discussion.

Although the documentation doesn’t say so explicitly, you must also enroll all the devices you want Autopatch to manage in Intune and ensure that they are visible there.

Autopatch does its daily work by using a set of groups. The “Default Autopatch” group is meant to use a set of five subgroups (each representing what Microsoft calls a ring) to apply updates on a set cadence. For example, Ring2 gets Windows quality updates 6 days after release with a two-day grace period, while Ring3 gets them starting within 9 days post-release.

You’ll control which devices get updates when by putting the devices into groups and then putting those groups into the corresponding Autopatch ring. You can customize this behavior by creating your own Custom Autopatch group and then creating a set of rings, each with a specific scope and update cadence. Microsoft says that this allows you to customize Autopatch to match your organizational structure, but doing so also adds quite a bit of complexity compared to using Default Autopatch.
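To make the ring cadence and the quality-update target concrete, here is an added example (not code from the article or from Microsoft) that models them. It computes Patch Tuesday for a month, derives each ring's install-start and deadline dates from its deferral and grace period, excludes devices that fail the "checked in with Intune within five days" health test described earlier, and then checks whether 95% of the remaining eligible devices received the update within 21 days. The device inventory is constructed; only the Ring2 and Ring3 figures come from the article, and the deferral and grace values for the other rings (and Ring3's grace period) are assumptions for illustration.

```python
"""Model of Windows Autopatch quality-update targets and ring cadence.

Added illustration, not Microsoft's code. The device inventory is
constructed; ring values other than the article's Ring2/Ring3 figures
are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

QUALITY_TARGET = 0.95        # 95% of eligible devices ...
QUALITY_WINDOW_DAYS = 21     # ... updated within 21 days of release
HEALTHY_CHECKIN_DAYS = 5     # healthy = checked in with Intune within 5 days


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's quality-update release day."""
    first = date(year, month, 1)
    days_until_tuesday = (1 - first.weekday()) % 7   # Monday=0, Tuesday=1
    return first + timedelta(days=days_until_tuesday + 7)


@dataclass(frozen=True)
class Ring:
    name: str
    deferral_days: int   # days after release before installation starts
    grace_days: int      # days a user may postpone before the deadline

    def start(self, release: date) -> date:
        return release + timedelta(days=self.deferral_days)

    def deadline(self, release: date) -> date:
        return self.start(release) + timedelta(days=self.grace_days)


RINGS: Dict[str, Ring] = {
    "Ring0": Ring("Ring0", 0, 0),    # assumption
    "Ring1": Ring("Ring1", 1, 2),    # assumption
    "Ring2": Ring("Ring2", 6, 2),    # from the article: 6 days + 2-day grace
    "Ring3": Ring("Ring3", 9, 2),    # 9-day deferral from the article; grace assumed
    "Ring4": Ring("Ring4", 12, 2),   # assumption
}


def ring_schedule(release: date) -> Dict[str, Tuple[str, str]]:
    """Install-start and deadline (ISO dates) for each ring."""
    return {name: (r.start(release).isoformat(), r.deadline(release).isoformat())
            for name, r in RINGS.items()}


@dataclass(frozen=True)
class Device:
    name: str
    ring: str
    last_intune_checkin: date
    installed_on: Optional[date]   # when the update landed, or None if it hasn't


def is_healthy(device: Device, today: date) -> bool:
    return (today - device.last_intune_checkin).days <= HEALTHY_CHECKIN_DAYS


def quality_update_report(devices: List[Device], release: date, today: date) -> dict:
    """Evaluate the 95%-within-21-days target over healthy (eligible) devices."""
    eligible = [d for d in devices if is_healthy(d, today)]
    window_end = release + timedelta(days=QUALITY_WINDOW_DAYS)
    compliant = [d for d in eligible
                 if d.installed_on is not None and d.installed_on <= window_end]
    overdue = [d.name for d in eligible
               if d.installed_on is None and today > RINGS[d.ring].deadline(release)]
    ratio = len(compliant) / len(eligible) if eligible else 0.0
    return {
        "release": release.isoformat(),
        "eligible": len(eligible),
        "compliant": len(compliant),
        "ratio": round(ratio, 3),
        "meets_target": ratio >= QUALITY_TARGET,
        "unhealthy": [d.name for d in devices if not is_healthy(d, today)],
        "overdue": overdue,
    }


# Constructed sample inventory: March 2024 Patch Tuesday, evaluated 21 days later.
RELEASE = patch_tuesday(2024, 3)          # 2024-03-12
TODAY = date(2024, 4, 2)
SAMPLE_DEVICES = [
    Device("d1", "Ring0", date(2024, 4, 1), date(2024, 3, 12)),
    Device("d2", "Ring1", date(2024, 4, 2), date(2024, 3, 14)),
    Device("d3", "Ring2", date(2024, 3, 31), date(2024, 3, 19)),
    Device("d4", "Ring2", date(2024, 4, 1), date(2024, 3, 20)),
    Device("d5", "Ring3", date(2024, 4, 2), date(2024, 3, 22)),
    Device("d6", "Ring3", date(2024, 3, 30), date(2024, 3, 25)),
    Device("d7", "Ring4", date(2024, 4, 1), date(2024, 3, 28)),
    Device("d8", "Ring4", date(2024, 4, 2), None),            # past its deadline
    Device("d9", "Ring2", date(2024, 3, 20), None),           # stale check-in: unhealthy
    Device("d10", "Ring3", date(2024, 4, 1), date(2024, 3, 24)),
]

if __name__ == "__main__":
    for ring, (start, deadline) in ring_schedule(RELEASE).items():
        print(f"{ring}: installs from {start}, deadline {deadline}")
    print(quality_update_report(SAMPLE_DEVICES, RELEASE, TODAY))
```

Note that the unhealthy device (d9) is left out of the denominator entirely, which is how the "eligible devices" wording in the targets works: a stale device neither helps nor hurts the percentage, so the unhealthy list is the one to chase separately from the overdue list.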

Autopatch Operations and Maintenance

With a name like “Autopatch,” you might think that everything just happens automatically after you’ve enrolled your devices. That’s not quite true. Remember that Windows Autopatch is a tool that automates creating the management groups and policies for your devices: the patches themselves are still applied by Intune, so any problem in your Intune environment may result in problems with Autopatch operations. You can use the set of built-in Autopatch reports to monitor the deployment of Windows quality and feature updates, and then use the Apps Health reports in the Microsoft 365 Apps admin center to track the deployment of updates for the Office apps.

Ongoing operation of Autopatch thus becomes a cycle: Autopatch uses Intune to deliver application and OS updates; Intune and the Microsoft 365 Apps admin center then update their respective reports to show how the patching went; and you inspect those reports and fix any broad-scale problems (such as devices that are getting the wrong updates because they’re in the wrong groups). This cycle gives you a great deal more control and visibility than just letting each of the targets pull and apply its own independent updates.

Autopatch isn’t for everyone, of course. It has hefty licensing requirements, and it can be argued that just leaving the Microsoft 365 apps alone will still result in over 90% of them being updated to their assigned update channels. However, if ensuring consistent application of security patches is important to you—and it should be—then Autopatch may be a better way to get you there, and is thus worth a look.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).
