How to make the most of Windows Autopatch with Intune

IT administrators can use Intune to manage numerous settings related to Windows OSes and business apps. The Windows Autopatch feature can automate and improve those processes.

Patching is and always will be an important task of the IT department to ensure that its organization's data stays secure, and IT administrators can turn to tools such as Windows Autopatch to ensure a strong security posture.

A strong patch management process will help IT administrators stay on top of the latest patches for both applications and OSes, leaving little room for security vulnerabilities. This is especially important for Windows devices, as their ubiquity in business settings makes them a significant target for malware.

IT departments can make the most of Windows Autopatch's flexibility and automation to standardize management best practices across an entire fleet of devices.

What is Windows Autopatch?

Windows Autopatch is a cloud service provided by Microsoft to automate update management for Windows, Microsoft 365 apps for enterprise, Microsoft Edge and Microsoft Teams. The focus of this service is to improve the security and productivity of the users within the organization by keeping an environment up to date. This is critical because it can lower the attack surface for ransomware attacks and other types of cybersecurity incidents. At the end of the day, security of the organization is as strong as its weakest link.

Microsoft provides multiple patch management options for cloud-native endpoints. These options are all centered around Windows Update for Business and Microsoft Intune. Windows Update for Business enables admins to connect Windows devices directly to the Windows Update service, while still relying on management platforms, such as Microsoft Intune, to control the update behavior for those devices.

That also means that IT administrators still need to configure that update behavior and invest time every month to make sure the process is running as expected. For more control around the approval, scheduling and safeguarding of updates, Microsoft introduced the Windows Update for Business deployment services. Windows Autopatch fully takes advantage of those deployment services.

Additionally, Windows Autopatch provides an automated layer within Microsoft Intune to cover the full patch management process for Windows, Microsoft 365 applications, Microsoft Edge and Microsoft Teams. That automated layer provides IT administrators with a configuration framework focused on making sure that all of those products receive patches on a monthly basis. That framework contains the ability to automatically group and configure devices to ensure Intune gradually introduces those patches.

What are the most important features of Windows Autopatch?

Before an organization can take advantage of Windows Autopatch, it must purchase the necessary licensing, because Autopatch is an add-on product. Once that's in place, the configuration framework becomes available within Microsoft Intune.

To use Windows Autopatch, IT administrators also need to ensure the devices are fully registered. They can perform this process via the Windows Autopatch device registration group. Nowadays, this can also be a custom group configured by IT administrators.

Once the device is registered, it becomes part of the release management cycle that belongs to the configured registration group. That release management cycle contains the configuration of the different deployment rings, as shown in Figure 1.

The Windows Autopatch menu within Intune showing the deployment rings and Windows update settings.
Figure 1. Administrators can review the settings for update status and frequency in the Windows Autopatch section of Intune.

Within the release management configuration, there are two important configuration areas that directly affect the monthly update cadence:

  1. Deployment rings and distribution. These configurations help IT determine the percentage of registered Windows devices that should be part of a specific deployment ring. If needed, IT can also adjust the number of deployment rings. Besides that, the Test and Last deployment rings always require manual configuration. That's mainly because those deployment rings contain the exceptions -- the former being the exceptions that should always be first and the latter being the exceptions that should always be last.
  2. Windows update settings. These configurations determine the broader configuration of the Windows update behavior within a specific deployment ring. The most important configuration options are the update cadence and update deferral. Together, those determine when updates become available and are required.
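A simplified model of how ring shares and update deferrals stagger one month's quality update across the deployment rings, added here as an example and not Autopatch's own logic: the ring names, percentages and deferral days are assumed values, and the hash-based placement merely stands in for however Autopatch distributes devices internally.

```python
import hashlib
from datetime import date, timedelta

# Assumed ring table (not Autopatch's defaults): percent is the share of
# automatically distributed devices; Test and Last carry no share because
# their members are assigned by hand, as the exceptions.
RINGS = [
    {"name": "Test",  "percent": None, "deferral_days": 0},
    {"name": "First", "percent": 1,    "deferral_days": 0},
    {"name": "Fast",  "percent": 9,    "deferral_days": 1},
    {"name": "Broad", "percent": 90,   "deferral_days": 5},
    {"name": "Last",  "percent": None, "deferral_days": 14},
]

def validate_rings(rings):
    """Shares must sum to 100 and deferrals must not shrink ring by ring."""
    shares = [r["percent"] for r in rings if r["percent"] is not None]
    if sum(shares) != 100:
        raise ValueError(f"automatic shares sum to {sum(shares)}, not 100")
    deferrals = [r["deferral_days"] for r in rings]
    if deferrals != sorted(deferrals):
        raise ValueError("a later ring would receive updates earlier")
    return True

def assign_ring(device_id, rings, manual=None):
    """Manual assignments (Test/Last exceptions) win; otherwise a stable
    hash of the device id picks a bucket in 0..99 across the shared rings."""
    if manual and device_id in manual:
        return manual[device_id]
    bucket = int(hashlib.sha256(device_id.encode()).hexdigest(), 16) % 100
    upper = 0
    for ring in rings:
        if ring["percent"] is None:
            continue
        upper += ring["percent"]
        if bucket < upper:
            return ring["name"]
    raise RuntimeError("shares do not cover the whole bucket space")

def patch_tuesday(year, month):
    """Second Tuesday of the month, the monthly quality-update release day."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7  # weekday(): Monday=0, Tuesday=1
    return first + timedelta(days=offset + 7)

def rollout_schedule(rings, year, month):
    """Date each ring is offered the update: Patch Tuesday plus its deferral."""
    base = patch_tuesday(year, month)
    return {r["name"]: base + timedelta(days=r["deferral_days"]) for r in rings}
```

Calling `rollout_schedule(RINGS, 2024, 3)` shows the effect of the deferrals: Test and First are offered the update on 12 March, Fast on the 13th, Broad on the 17th and Last on the 26th, so a bad update surfaces in the small early rings before the bulk of the fleet sees it.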

Besides those configurations, there are more generic release settings available that IT can use to configure additional features and products. At this moment, they can be used to enable expedited quality updates, Microsoft 365 app updates and Windows driver updates.

Reporting is also an important Windows Autopatch feature. It provides overviews of the deployment status of updates, and it sends status updates by email to inform IT administrators when new updates become available and how their installation is progressing.

How are the Windows Autopatch configurations applied?

To effectively manage Windows system updates, IT administrators should know how Autopatch applies those configurations to the Windows devices. Windows Autopatch relies on Microsoft Intune for many functions, including the deployment of the actual configurations to registered Windows devices, as in Figure 2.

The Intune interface with all configuration files for registered Windows devices.
Figure 2. The Windows Autopatch configuration files are shown within Intune.

Windows Autopatch is responsible for creating those configuration profiles. The profiles are sorted by purpose: they configure the required data collection on Windows devices and the update behavior for Microsoft Edge and the Microsoft 365 apps for enterprise, with the aim of creating update deployment rings for those apps as well.

Besides these device configuration profiles, which are focused on the different Microsoft apps, there are also rings for the monthly Windows updates and feature update deployment profiles for the yearly feature updates. The latter deployment profiles are quite conservative by default and might need some customizations to bring them in line with an organization's feature update strategy.

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.