Optimize IT admin resources with Windows Autopatch
Table of Contents
This article will speak about the latest announcement of Autopatch's general availability, what I think it is, and how it could suit an organization.
aaand don't worry. We will always need humans🤖
What is it?
Autopatch is focusing on Windows 10/11. For now, only Windows 10/11, Microsoft Edge, and Microsoft 365 Software updates. Microsoft has released the following overview, which shows the difference between Windows Autopatch and Customer managed.
- Tilføj alternativ tekst
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
Windows Autopatch (WA?)
By choosing this path, you are letting Microsoft control updates and policies deployed to Windows 10/11, Microsoft Edge, and Microsoft Software. This also means that they will have the responsibility of managing the updates. So you are giving up some of your control and letting Microsoft Engineers control it for you.
I would say that this is a big step in letting some of our tasks in the hands of others we trust. If you do fit into this category and do not have the time or wish to have a partner, I would encourage you to try it, but read below first.
Microsoft has put together a few bullets that highlight its unique features, which are translated to the following with comments (credit at the bottom)
- Security is accomplished by keeping software current, which results in fewer vulnerabilities (who does not like security, but we know updating is equal to gaps being closed)
- Productivity, since you let go of some control in return, you get the latest feature updates (New features are not always what we want before someone else did the beta testing for us. Which we by choosing an update channel that is not monthly)
- Optimize IT admin resources, automating routine Windows 10/11 updates. (Sure, we need to update our Windows fleet but make sure we don't get too many features too soon)
- On-premises infrastructure is not nessaccery since you will be on your way using software as a service(SaaS) (I suppose they are thinking of Windows Server Update Services(WSUS) and transit to Windows Update for Business(WUfB), which I also recommend)
- Onboard new services: Windows Autopatch will help new tenants to start adopting this new service (I agree that new tenants will be pushed further in their management instead of implementing from scratch)
- Minimize end-user disruption: By releasing sequential update rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. (What WUfB is all about, that making update rings and letting the channel you picked be the one that decides which updates should be deployed)
Let's talk about management areas:
- Windows Quality updates with 21 days defer
- Windows Feature updates with 0 days defer
- M365 Apps for Enterprise (Office 365) with Monthly Enterprise channel
- Microsoft Edge Stable channel
- Microsoft Teams default channel
Customer Managed
Do want to be in control, then this one is for you. You will have to setup up everything yourself. I have put in my recommendations below for each management area. If you need help implementing, please reach out, and I will write a new blog.
- Windows Quality updates with 21 days defer (can be controlled by WUfB and policies)
- Windows Feature updates with 0 defer (can be controlled by WUfB and policies)
You will need to implement Update rings for WUfB to work correctly and keep track of Update Compliance.
- M365 Apps for Enterprise (Office 365) with Monthly Enterprise channel (can be controlled by policies - recommend Semi-Annual Enterprise Channel, since security updates are delivered all the same)
- Microsoft Edge Stable channel (can be controlled by policies in Intune - recommend Extended Stable)
- Microsoft Teams default channel (Uses only one channel)
Conclusion
Would I recommend it? You would expect a fast no, but if you are a new tenant, I would say yes quickly. The answer is a lot more complicated if you've existed for a while and have already started your cloud journey. In the future, I could only think that more "managed services" will be offered by Microsoft, and if your environment supports Windows Autopatch, you are only letting things go smoother in the long run.
Remember to align with your security policies and spare with security folks within your company since you will be touching security updates.
Credits
- Windows Autopatch has arrived! - Microsoft Tech Community
- What is Windows Autopatch? - Windows Deployment | Microsoft Docs
- Overview of update channels for Microsoft 365 Apps - Deploy Office | Microsoft Docs
- Microsoft Edge channel overview | Microsoft Docs
- Monitor Windows Updates and Microsoft Defender AV with Update Compliance - Windows Deployment | Microsoft Docs