What Is Windows Autopatch?

In July of 2022 Microsoft released its new patching service: Windows Autopatch. The Windows Autopatch allows ring deployment-style, automated patch management for Windows 10 and Windows 11. The feature is available to customers with Windows Enterprise E3 and above.

It’s no secret that many organizations regularly test patches in their environments to ensure their updates are functional across their devices and installed software before they implement them. But, depending on exactly how those patches get tested, there can be a troubling lag time between when patch updates are released and when they’re actually deployed across the organization. Windows Autopatch aims to eliminate the delay.

Again, the new feature of Windows Enterprise E3 and up allows ring deployment-style patch management for Windows 10/11. It also requires Microsoft Intune or Azure AD premium for co-management.

Intune only:

• Azure Active Directory (Azure AD)

• Microsoft Intune

• Windows 10/11 supported versions

Co-management:

• Hybrid Azure AD-Joined or Azure AD-joined only

• Microsoft Intune

• Configuration Manager, version 2010 or later

• Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune (min Pilot Intune)

• Co-management workloads

• Windows 10/11 Enterprise E3 and up

• Azure AD Premium (for co-management)

• Microsoft Intune (includes Configuration Manager, version 2010 or greater via co-management)

To learn more about Autopatch requirements, you can access Microsoft's FAQs here.

And if you’re wondering what Windows Autopatch updates, check out the list below.

Autopatch updates the following:

• Windows 10 and Windows 11 quality

• Windows 10 and 11 features

• Windows 10 and 11 drivers

• Windows 10 and 11 firmware

• Microsoft 365 apps for enterprise updates

It should also be noted Windows Autopatch specifically patches drivers and firmware that are only published to Windows Update as automatic.

Furthermore, Autopatch utilizes four deployment rings. The first “test” ring contains a small number of your organization’s devices. The second ring contains 1% of all those devices. The third ring contains 9% of the devices. Finally, the last ring contains 90% of all of your enterprise’s devices.

The listed ratios are managed automatically. However, your devices can also be moved manually if you so choose. And, like any new feature, Windows Autopatch offers several pros. But there are some cons to the feature as well.

The newly-released Windows feature does offer a couple of benefits like the following:

• The ability to use ring deployment to manage your Windows environment

• As a managed service, the burden is on Microsoft instead of IT admins to manage orchestration for patch deployment to devices

As important as the product’s offered pros, however, are its perceived cons:

• The feature is only useful for Windows 10 and 11 device management

• Autopatch support for Windows Server is not on the roadmap

• You must use the feature in conjunction with Azure AD and Intune

• Windows Autopatch is of no use to those with Mac or Linux OS

If your organization requires third-party application support, Windows Server, or other operating systems like macOS or Linux, you won’t get it with Windows Autopatch.

To clarify, many customers will still use tools like WSUS, Intune, or SCCM to control patching, and they can expect few deviations from the “norms” of Patch Tuesday.

Windows Update for Business (WUfB) is an existing cloud-based tool from Microsoft that enables control over the approval and scheduling of updates for Windows 10 and 11. Both Windows Autopatch and Intune use WUfB as the underlying mechanism to manage updates.

Intune deployment rings use Windows Update for Business (WUfB) to allow administrators to control patch deployment, scheduling, and approval at a granular level from the cloud. Autopatch uses WUfB as well but removes scheduling and approval from admins.

That means that with Autopatch, administrators can assign devices to one of the three groups (First, Fast, Broad), but don’t have control over when updates are pushed to devices, or when they move from one ring to another. Administrators can’t control the dates or times of patch deployments either.

The feature is still new, so we'll have to wait a little longer to determine how useful it is for customers.

We do know, however, that Windows Server is not managed by Autopatch. Servers often run business-critical applications or are exposed to the internet, so a comprehensive patching and configuration product and process are essential to reducing your attack surface.

And finally, Linux, macOS, and third-party applications still require additional products and processes. So, even though this feature may help manage Windows 10 and 11 updates, organizations cannot forget they’ll still need to patch everything else outside of the Microsoft workstation ecosystem.