Update July 11: Windows Autopatch is now generally available.
The public preview for Windows Autopatch is now available for organizations that want to automate the process of managing and rolling out updates for Windows and Microsoft 365 apps, about a month before the service is expected to reach general availability.
The Autopatch service, free for certain Windows licenses, is designed to take the burden of monthly updates away from IT admins and shift it instead to Microsoft. By joining the public preview, IT admins can get comfortable with the new service before it is deployed throughout their organization.
Microsoft first announced Autopatch in April during the company’s Windows Powers the Future of Hybrid Work event, billing the new service as a tool to make Patch Tuesday easier to manage for IT professionals such as system administrators.
“It is definitely going to be a game changer for enterprises,” says Dustin Childs, senior communications manager at Zero Day Initiative and recurring guest on the My TechDecisions Podcast Patch Tuesday episodes.
Who can enroll in Autopatch?
While automating Windows patches sounds like a welcome tool for all organizations, Microsoft is currently limiting the feature to only customers with Enterprise E3 licenses and above.
However, organizations with Enterprise E3 or E5 licenses are generally larger organizations that require the expanded security offerings built into those enterprise editions.
That means smaller organizations running lower-tier editions of Windows, as well as home users, are still going to have to go through Patch Tuesday themselves.
“So, Patch Tuesday is not going away quite yet,” Childs says.
According to Microsoft, Autopatch works with Windows 10 and 11 Enterprise versions, and when it reaches general availability, the service will also work on virtual machines including Windows 365 Cloud PCs.
What are the prerequisites?
Aside from Windows 10 or 11 Enterprise E3 licenses, corporate-owned devices need to be running a current, supported version of Windows 10 or 11. Bring-your-own-device scenarios are not currently supported.
Devices must be managed with either Microsoft Intune or Configuration Manager co-management, and user accounts must be managed by Azure Active Directory or Hybrid Azure Active Directory Join, Microsoft says.
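The prerequisites above (Enterprise edition, a supported build, Azure AD or hybrid join, Intune or co-management enrollment) can be sanity-checked on a device before you run the portal readiness assessment. The script below is an added example written for this article, not Microsoft's code or part of the Autopatch readiness assessment. It assumes an elevated PowerShell session on the device, and the build-number floor, the dsregcmd output parsing and the Enrollments registry check are our own assumptions about how to detect each item; licensing is tenant-side and cannot be verified locally.

```powershell
# Added example: local pre-flight check against the Windows Autopatch prerequisites
# listed in the article. Not Microsoft's readiness assessment; run elevated.

# Assumption: treat Windows 10 21H2 (build 19044) as the oldest build we consider
# "current and supported"; adjust from Microsoft's lifecycle page for your tenant.
$MinimumSupportedBuild = 19044

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$build   = [int]$os.BuildNumber

$results = [ordered]@{}

# 1. Windows 10/11 Enterprise edition (EditionID is "Enterprise", "EnterpriseS", etc.)
$results['Windows Enterprise edition']   = $edition -like 'Enterprise*'

# 2. Build still in support (assumed floor above)
$results['Supported build']              = $build -ge $MinimumSupportedBuild

# 3. Azure AD joined or Hybrid Azure AD joined, read from dsregcmd /status output
#    ("AzureAdJoined : YES" appears for both pure and hybrid join; "DomainJoined : YES"
#    distinguishes hybrid).
$dsreg          = dsregcmd /status
$azureAdJoined  = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$domainJoined   = [bool]($dsreg -match 'DomainJoined\s*:\s*YES')
$results['Azure AD joined']              = $azureAdJoined
$results['Hybrid Azure AD joined']       = $azureAdJoined -and $domainJoined

# 4. MDM enrollment: Intune writes an enrollment key with ProviderID "MS DM Server"
$mdm = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
       ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
       Where-Object { $_.ProviderID -eq 'MS DM Server' }
$results['Intune (MDM) enrollment']      = ($mdm | Measure-Object).Count -gt 0

# Summary: "OK" where the check passed, "CHECK" where an admin should look closer.
'{0,-30} {1}' -f 'Edition / build', "$edition / $build"
$results.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

A device reporting CHECK on the Azure AD line but OK on enrollment is the common co-management case where the machine is domain-joined but hybrid join has not completed; that is worth resolving before enrolling it, since Autopatch requires the identity side as well as the management side to be in place.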
What does Autopatch automate?
According to Microsoft, Autopatch applies updates to the Windows operating system and configures automatic updates for Office applications. Windows updates are sourced from the General Availability Channel, and policies for quality updates and feature updates can be set independently to meet the organization’s needs.
Microsoft says admins will be able to see what updates have been applied through the Autopatch message center in Endpoint Manager and can learn about what updates to expect.
The company adds that the familiar cadence of monthly Windows security and quality updates, known as “B” releases, will continue, and that out-of-band updates will be applied as needed.
For Office updates, Autopatch uses the Monthly Enterprise Channel to balance stability and feature availability. These updates will also be released on the second Tuesday of each month. Office rollouts, meanwhile, follow a unique, fixed schedule and do not make use of Autopatch’s ring-based progressive deployment.
Meanwhile, the Microsoft Teams client application is synchronized with changes to the Teams online service, so updates to this client occur on a different cadence than Windows or Office updates. Edge also has its own update channel for browser revisions, so Windows Autopatch progressive deployment won’t be used for either Teams or Edge updates, and pause or rollback actions won’t apply to either application. However, support issues for them can be raised via the Windows Autopatch support request portal, Microsoft says.
Should you enroll in Autopatch?
While automating security updates from Microsoft may seem appealing, Childs cautions organizations to think about the move before they sign up for the service.
“It’s good from Microsoft’s point of view as it allows them to kind of consolidate a bunch of different configurations,” Childs says. “However, for enterprises, it’s handing over your Active Directory to Microsoft and whether or not you trust for configurations on that.”
According to Childs, some system administrators are jumping at this opportunity to automate a large monthly chore, while others shudder at the idea of handing over that duty to Microsoft, which has a history of issuing patches that can cause other issues.
Another concern Childs has is the ring-based approach to rolling out updates and the tendency of attackers to begin exploiting a Patch Tuesday bug on “exploit Wednesday.”
“That’s leaving a large portion of your enterprise pretty much unprotected,” Childs says.
Leave your patch infrastructure in place
Admins who are leaning towards enrolling in Autopatch should still leave their existing patch infrastructure in place, since Autopatch currently only covers Microsoft software.
“It doesn’t account for your Adobes, your Oracles, your Ciscos, your IBMs or everything else that you have to patch,” Childs says. “So, a lot of that infrastructure, especially on a large enterprise still needs to remain in place.”
How do I activate Windows Autopatch?
Per Microsoft, these are the basic steps to activate the public preview of Autopatch:
- Log in to Endpoint Manager as a Global Administrator and find the Windows Autopatch blade under the Tenant Administration menu. If you don’t see ‘Windows Autopatch’, you don’t have the right licenses. See Microsoft’s Windows Autopatch prerequisites page for more information, including licensing.
- Use an InPrivate or Incognito browser window to redeem your public preview code.
- Run the readiness assessment, add your admin contact, and add devices.
Read Microsoft’s blog on the public preview of Autopatch for more information, including instructional videos.