A few weeks ago Microsoft announced a new service for business customers called Windows Autopatch, which automatically keeps Windows, Office, Teams and Microsoft Edge up to date on devices enrolled in and managed by Microsoft Intune. The service is now in public beta and scheduled to be GA sometime before the end of summer. The new “managed service” is free for devices with a Windows Enterprise E3 license as well as Windows 365 Cloud PCs.
As of this writing, the service is:
- in public beta
- not available for Windows Education (A3) license
- not available for Windows Front Line Worker (F3) license
- not available in Government Cloud (GCC)
User accounts must be managed by Azure Active Directory or Hybrid Azure Active Directory, and devices must be managed by Microsoft Endpoint Management and Microsoft Intune.
All or nothing….
In order to use Windows Autopatch, you must enroll (enable) your tenant into the service. Once this is done, Windows Autopatch updates are rolled out to devices automatically according to their ring assignment, based on the active hours policy (administrators have no control after enrollment). While normal updates will be released on a standard cadence, Windows Autopatch will treat zero-day threats with an expedited release cadence.
A couple of thoughts:
Patch management for IT organizations has always been a challenge. Many hours of setup, testing and remediation go into it. This is a promising (and much needed) step forward towards automatic and hands-free software management within organizations that have fully adopted the modern management concepts. Having said this, it manages only a subset of the pieces of the “modern device”. Organizations need much more than the focus on Microsoft platform products. (I understand the product is called Windows Autopatch, but if keeping up with security is the focus, then BIOS and driver updates for organizations are something that needs to be included.) Looking forward to what is in the roadmap.
- Windows Autopatch documentation – Windows Deployment | Microsoft Docs
- Windows Autopatch – Frequently Asked Questions (FAQ) – Windows Deployment | Microsoft Docs
- Microsoft’s new ‘autopatch’ service for Windows PC just took another step forwards | ZDNet