You’ve likely been hearing a lot about Windows Autopatch lately! We’ve been getting a lot of questions around the solution, so I’ve collated some of them here to provide a quick round-up. Here are some key points you need to bear in mind if you’re considering using it.
What is Windows Autopatch?
Windows Autopatch simplifies the initial configuration for patching within an environment, giving IT teams a robust toolset to assign devices to waves of patching.
It also provides a bit of extra insight that isn’t normally available within the Intune console, and a channel to ask Microsoft for assistance – or be notified if there are general patching issues.
How easy is it to use?
So initial onboarding and activation is very easy; it’s literally a few mouse clicks.
However, that doesn’t mean it’s done and dusted. You still have to bring devices into scope and make sure they meet the prerequisites. You also have to make sure that other activities within your environment don’t conflict with it, and you obviously have to get your devices ready to be used in this state.
Note that you do need Intune, and you also need Microsoft 365 E3 or E5 licensing – both are called out clearly as prerequisites in the Microsoft documentation.
Great, so it’s smooth sailing from here on?
This is the biggest thing – it’s not about clicking some buttons and never having to worry about patching again. Yes, it is a managed element from Microsoft, but no, it does not absolve you of any responsibility or any actions within your environment. You and/or your team still need to be aware of when updates are landing, what business impact they might have, how they’re affecting test machines, and which changes need to be communicated to end users.
You also need to make sure you’re able to catch problems and pause the rings – Microsoft might not have caught it yet – and you still need to decide which devices go into which waves. Are they going to go into the very early first rings, or into the broader rings? What does that mean for your users and your environment? Has everything been communicated?
You still need to monitor for notifications from Microsoft in case there’s a potential issue that may impact you, and you are responsible for the overall health of the client (for example, adequate disk space, making sure devices have been on long enough to receive updates, and making sure they don’t have conflicting policies).
Microsoft might flag some issues and explanations as to why devices aren’t updating, but you still need your team to investigate and resolve these issues.
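As an added example (not from the original post and not Microsoft’s own tooling), here is a PowerShell readiness check for the two client-health items mentioned above: free disk space on the system drive, and leftover Windows Update policy values written by Group Policy or legacy scripts that could conflict with Intune-delivered update rings. The 20 GB free-space threshold is an assumed placeholder; adjust it to your own baseline.

```powershell
# Added readiness check, not from Microsoft or the original post.
# Assumption: 20 GB is an arbitrary example threshold, not a Microsoft figure.
$MinFreeGB = 20

# 1. Free disk space on the system drive (updates need room to stage and install).
$sys    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
$diskOk = $freeGB -ge $MinFreeGB

# 2. Windows Update policy values under the standard Group Policy registry path.
#    Any value present here is a candidate conflict with the Intune update rings
#    and should be reviewed before the device is brought into Autopatch scope.
$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$conflicts = @()
foreach ($key in @($wuPolicy, "$wuPolicy\AU")) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to the object.
            if ($p.Name -notlike 'PS*') {
                $conflicts += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 3. Summary object, suitable for collecting from many devices and filtering on Ready.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    FreeSpaceGB    = $freeGB
    DiskSpaceOk    = $diskOk
    WUPolicyValues = $conflicts.Count
    Ready          = ($diskOk -and $conflicts.Count -eq 0)
}

# Detail of any policy values found, so the team knows what to clean up.
$conflicts | Format-Table -AutoSize
```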
Should you use it?
So, the pros and cons depend on your situation; if you’re doing nothing at the moment, then you should absolutely go down the Windows Autopatch route. It’s far better than doing nothing!
However, if you already have a refined, embedded process, then look at it a little differently. Compare to see whether it could help simplify your approach and provide some benefits, rather than blanket assuming it’s better than what you currently have in place.
And if you find you fall in between those two scenarios, again it’s something to look at, but consider carefully how you’re currently getting the job done. Analyse what Windows Autopatch delivers, the timescales it can deliver in, and whether you have the resource to support it internally.
Does this work for Azure Virtual Desktop (AVD) and Windows 365?
The short and simple answer is yes, Windows Autopatch will work on any Windows 10/11 endpoint, be that physical or virtual – including AVD and Windows 365. I would absolutely consider it for Windows 365, however there are more efficient ways of keeping your AVD environment updated, so I wouldn’t necessarily use Autopatch for that.
Will this close all vulnerabilities within my devices?
Windows Autopatch is designed to deploy quality updates and feature updates across your estate. So, while that will close some vulnerabilities within the Microsoft operating system, Office, Edge or Teams, it will not address third-party applications, or vulnerabilities that need a configuration change rather than a patch.
That’s where something like Windows Defender for Endpoint can give you the awareness of what vulnerabilities, risks and threats you have within your environment, and then let you act on incidents and alerts as they are raised.
So no, Autopatch will not take care of all vulnerability patching, only the ones within scope of the Windows OS, Office, Edge and Teams (and only where they don’t need additional configuration).