Microsoft is planning to release a new tool that will automate the patch management process, all but eliminating Patch Tuesdays for many organizations.
The company’s new Windows Autopatch service will keep business computers continuously updated as part of a new feature included with the Windows Enterprise E3 subscription service.
Organizations running systems with a Windows 10 or Windows 11 Enterprise E3 license will be eligible for the new patch service, which is expected to be generally available in July.
“This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost,” Lior Bela, senior product marketing manager at Microsoft, wrote in a blog post. “IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday.’”
Patch Tuesday (more recently called Update Tuesday) is a colloquial term used in the IT industry to refer to when Microsoft and others typically release spot repairs to their operating system and other software. Patch Tuesday is always the second Tuesday of each month.
Microsoft said it’s automating software updates in response to the “evolving nature of technology.” For example, the pandemic increased demand for more remote or hybrid work, making performance and security updates even more crucial, as systems are more often outside an organization’s firewall.
“The value should be felt immediately by IT admins who won’t have to plan update rollout and sequencing, and over the long term as increased bandwidth allows them more time to focus on driving value,” Bela said. “Quality updates should enhance device performance and reduce help-desk tickets — feature updates should give users an optimal experience, with increased uptime and new tools to create and collaborate.”
Dan Wilson, a senior research director at Gartner, said there is unmet demand for endpoint patching services as traditional outsourcers tend to favor more full-service offerings.
“Autopatch can address the common challenge of keeping pace with Windows and Office updates. The $0 price tag should make it attractive to at least test. Third-party application patching is the other challenge, but that is not currently in scope for Autopatch,” Wilson said in an email reply to Computerworld.
Windows Autopatch will be able to detect differences among endpoints, and place them into four “test rings” or groups, and then dynamically check them for necessary updates.
First there will be a “test ring” containing a minimum number of devices that are representative of all the types of devices and configurations under management. The next ring is slightly larger, containing about 1% of all devices under management. A third “fast” ring contains about 9% of endpoints, and the remaining 90% of devices will be assigned to a “broad” ring. The percentages don’t change as devices are added or removed from the service network.
The point of the four rings is to ensure there are no software issues associated with firmware or software updates. As each group passes the tests, the updates are installed until all of an organization’s devices are patched.
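The ring scheme described in the three paragraphs above, as an added example (this is not Microsoft's or Autopatch's code): a small simulation that splits a constructed fleet into a representative test ring plus first, fast and broad rings by fixed percentages, then rolls an update ring by ring and halts, rolling back the failing ring, when a health check fails. The fleet, the "one device per hardware model" rule for the test ring, the decision to apply the 1/9/90 split to the devices outside the test ring, and the health check are all assumptions made for the example.

```python
"""Ring-based rollout simulation (added example, not Autopatch's own logic).

Assumptions: the fleet is constructed here; the test ring takes one device
per distinct model (a stand-in for "representative of all device types");
the 1% / 9% / 90% shares apply to the devices left after the test ring is
chosen; the health check is a constructed predicate on device ids.
"""

# Fixed ring shares from the article; because they are fixed, re-running
# assignment after devices are added or removed keeps the same proportions.
RING_SHARES = (("first", 0.01), ("fast", 0.09), ("broad", 0.90))
RING_ORDER = ("test",) + tuple(name for name, _ in RING_SHARES)


def make_fleet(size):
    """Constructed sample fleet: (device_id, model) pairs over three models."""
    models = ("model-A", "model-B", "model-C")
    return [(f"pc-{i:03d}", models[i % len(models)]) for i in range(size)]


def assign_rings(devices, test_min=1):
    """Return {ring_name: [device_id, ...]} for the given fleet.

    The test ring gets the first device seen of every model (assumed
    representativeness rule) and is topped up to at least test_min devices.
    The remaining devices are split by RING_SHARES; the broad ring absorbs
    any rounding remainder so every device lands in exactly one ring.
    """
    seen_models = set()
    test, rest = [], []
    for dev_id, model in devices:
        if model not in seen_models:
            seen_models.add(model)
            test.append(dev_id)
        else:
            rest.append(dev_id)
    while len(test) < test_min and rest:
        test.append(rest.pop(0))

    rings = {"test": test}
    total, start = len(rest), 0
    for i, (name, share) in enumerate(RING_SHARES):
        end = total if i == len(RING_SHARES) - 1 else start + round(total * share)
        rings[name] = rest[start:end]
        start = end
    return rings


def make_health_check(failing_ids):
    """Constructed health check: a ring passes if none of its devices failed."""
    failing_ids = set(failing_ids)

    def health_check(ring_name, device_ids):
        return not failing_ids.intersection(device_ids)

    return health_check


def rollout(rings, health_check, order=RING_ORDER):
    """Deploy ring by ring, gating each ring on the health check.

    Returns (patched_ids, status): status is "complete" when every ring
    passed, or "halted:<ring>" when a ring failed; that ring's devices are
    rolled back (removed from patched_ids) and later rings never receive
    the update, mirroring the halt-and-roll-back behaviour the article
    describes.
    """
    patched = []
    for name in order:
        ids = rings.get(name, [])
        patched.extend(ids)                     # install on this ring
        if not health_check(name, ids):
            patched = patched[: len(patched) - len(ids)]  # roll back this ring
            return patched, f"halted:{name}"
    return patched, "complete"


if __name__ == "__main__":
    fleet = make_fleet(200)
    rings = assign_rings(fleet)
    for name in RING_ORDER:
        print(f"{name:6s} {len(rings[name]):4d} devices")
    patched, status = rollout(rings, make_health_check({"pc-050"}))
    print(status, len(patched), "devices patched")
```

Running the script with the constructed 200-device fleet yields a 3-device test ring, then 2, 18 and 177 devices in the first, fast and broad rings; a simulated failure on a broad-ring device halts the rollout after 23 devices, and re-assigning a fleet twice the size keeps the same proportions.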
Wilson noted that Autopatch follows ring-based deployment best practices with the ability to halt and roll-back should issues arise, and minimum license requirements (Windows E3 or up) shouldn’t be an issue “as most have or are upgrading to Microsoft 365 bundles that include this.”
“And the requirement to be enrolled in or co-managed by Intune and in Azure shouldn’t be a major concern at this point,” Wilson said. Whether or not Autopatch is better than leveraging automated update capabilities already within Microsoft Endpoint Manager, Windows Update for Business and the Office 365 admin console is unclear, Wilson said. “They try to address that on their Windows Autopatch FAQ page,” he said.
Windows Autopatch will manage all aspects of device group deployments for Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates, Bela said.
From an endpoint management standpoint, the main prerequisite for Autopatch is Intune or co-management. The service has a built-in readiness assessment tool that will check relevant settings in Intune, Azure Active Directory, and Microsoft 365 Apps for Enterprise to see that they are configured to work with Autopatch.
The online tool checks all of an organization’s settings in Microsoft Endpoint Manager — specifically, Microsoft Intune, Azure Active Directory and Microsoft 365 — to ensure they’ll work with the Autopatch service. If any settings turn up as “not ready,” the service has click-through instructions on how to resolve issues, Microsoft said.
“After providing consent, Microsoft completes all the other steps for you automatically, and will manage creating the right policies and groups so that updates are ready to be deployed,” Mark Florida, principal engineering product manager at Microsoft said in a video presentation. “Talk about saving time. Imagine doing all the policy configuration and group definitions yourself.”
Copyright © 2022 IDG Communications, Inc.