Microsoft is planning to release a new tool that will automate the patch management process, all but eliminating Patch Tuesdays for many organisations.
The vendor's new Windows Autopatch service will keep business computers continuously updated and is included, at no extra charge, with the Windows Enterprise E3 subscription. Customers with Windows 10 or Windows 11 Enterprise E3 licences will be eligible for the service, which is expected to be generally available in July.
“This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost,” Lior Bela, senior product marketing manager at Microsoft, wrote in a blog post. “IT admins can gain time and resources to drive value. The second Tuesday of every month will be 'just another Tuesday.'"
Patch Tuesday (more recently called Update Tuesday) is the colloquial IT-industry term for the day on which Microsoft, and several other vendors that align with it, release their monthly security and quality updates for operating systems and other software. It always falls on the second Tuesday of the month.
Microsoft said it’s automating software updates in response to the “evolving nature of technology.” For example, the pandemic increased demand for more remote or hybrid work, making performance and security updates even more crucial, as systems are more often outside an organisation’s firewall.
“The value should be felt immediately by IT admins who won't have to plan update rollout and sequencing, and over the long term as increased bandwidth allows them more time to focus on driving value,” Bela said. “Quality updates should enhance device performance and reduce help-desk tickets — feature updates should give users an optimal experience, with increased uptime and new tools to create and collaborate.”
Windows Autopatch will assess the endpoints it manages, sort them into four deployment rings (Microsoft calls them "test rings"), and then roll each update through the rings in sequence, checking at every stage that the devices still need the update and that it installed cleanly.
First there will be a “test ring” containing a minimum number of devices that are representative of all the types of devices and configurations under management. The next ring is slightly larger, containing about one per cent of all devices under management.
A third "fast" ring contains about nine per cent of endpoints, and the remaining 90 per cent of devices are assigned to a "broad" ring. Those proportions are maintained as devices are added to or removed from the service.
The point of the four rings is to catch problems with a firmware or software update on a small, representative population before it reaches the rest of the fleet. As each ring completes without issues, the update proceeds to the next, until all of an organisation's devices are patched. The trade-off a security team should keep in mind is that the staged rollout also delays the broad ring, which holds 90 per cent of devices, so for a fix to an actively exploited vulnerability the time spent waiting on earlier rings is itself exposure to weigh.
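To make the ring model concrete, here is an added example written for this page; it is not Microsoft's or Autopatch's own logic, which is not described in that detail here. The hash-based ring assignment, the constructed device IDs and the five per cent halt threshold are all assumptions. The script places a fleet into the 1/9/90 split with a fixed test ring, keeps each device's ring stable as other devices join or leave (so percentages hold without reshuffling), and walks the rings in order, halting the rollout when a ring's failure rate exceeds the threshold.

```python
import hashlib
from collections import Counter

# Percentage rings from the article, as shares of the managed fleet.
# The "test" ring is a fixed set of representative devices, not a share.
RING_SHARES = (("first", 0.01), ("fast", 0.09), ("broad", 0.90))
RING_ORDER = ("test", "first", "fast", "broad")


def assign_ring(device_id: str, test_devices: frozenset) -> str:
    """Map a device to a ring. Assumption: a device's ring is derived from a
    hash of its own ID, so adding or removing other devices never moves it."""
    if device_id in test_devices:
        return "test"
    digest = hashlib.sha256(device_id.encode("utf-8")).digest()
    # Uniform point in [0, 1) from the first 8 bytes of the digest.
    point = int.from_bytes(digest[:8], "big") / 2**64
    cumulative = 0.0
    for name, share in RING_SHARES:
        cumulative += share
        if point < cumulative:
            return name
    return "broad"  # guards against floating-point rounding at the top edge


def build_rings(device_ids, test_devices: frozenset) -> dict:
    """Group a fleet into ring name -> list of device IDs."""
    rings = {name: [] for name in RING_ORDER}
    for device_id in device_ids:
        rings[assign_ring(device_id, test_devices)].append(device_id)
    return rings


def ring_counts(rings: dict) -> Counter:
    return Counter({name: len(members) for name, members in rings.items()})


def plan_rollout(rings: dict, failed_devices: set, max_failure_rate: float = 0.05):
    """Deploy ring by ring in RING_ORDER. After each ring, if the share of its
    devices that failed the update exceeds max_failure_rate (assumed 5%), stop
    before the next ring. Returns (rings deployed, ring where the halt occurred
    or None if every ring completed)."""
    deployed = []
    for name in RING_ORDER:
        members = rings.get(name, [])
        if not members:
            continue
        deployed.append(name)
        failures = sum(1 for device_id in members if device_id in failed_devices)
        if failures / len(members) > max_failure_rate:
            return deployed, name
    return deployed, None


if __name__ == "__main__":
    # Constructed fleet of 10,000 synthetic device IDs (not real data).
    fleet = [f"device-{i:04d}" for i in range(10000)]
    test_ring = frozenset(["device-0000", "device-0001", "device-0002"])
    rings = build_rings(fleet, test_ring)
    print(dict(ring_counts(rings)))
    # Simulate the update failing on twenty devices in the "first" ring:
    # the rollout must stop there instead of reaching the 90% broad ring.
    bad_update = set(rings["first"][:20])
    print(plan_rollout(rings, bad_update))
    # A clean update walks all four rings.
    print(plan_rollout(rings, set()))
```

Because assignment depends only on the device's own ID, a device added later lands in a ring without disturbing anyone else's placement, which is what keeps the 1/9/90 proportions steady as the fleet changes. The halt check is deliberately per ring rather than cumulative so that a regression confined to the small first ring blocks the fast and broad rings entirely.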
Windows Autopatch will manage all aspects of device group deployments for Windows 10 and Windows 11 quality and feature updates, drivers, firmware, and Microsoft 365 Apps for enterprise updates, Bela said.
From an endpoint-management standpoint, the main prerequisite for Autopatch is Microsoft Intune, either on its own or in co-management with Configuration Manager. The service includes a readiness assessment tool that checks the relevant settings in Microsoft Endpoint Manager (Microsoft Intune), Azure Active Directory and Microsoft 365 Apps for enterprise to confirm they are configured to work with Autopatch. Any setting reported as "not ready" comes with click-through instructions for resolving it, Microsoft said.
“After providing consent, Microsoft completes all the other steps for you automatically, and will manage creating the right policies and groups so that updates are ready to be deployed,” Mark Florida, principal engineering product manager at Microsoft said in a video presentation. “Talk about saving time. Imagine doing all the policy configuration and group definitions yourself.”