The Windows Autopatch service, which allows enterprises to automatically roll out updates for Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software, is now live, Microsoft said this week. Autopatch is intended to streamline update operations and reduce the time it takes for systems to be patched. Initially announced in April, the feature has been in public preview since May.
“Essentially Microsoft engineers use the Windows Update for Business client policies and deployment service tools on your behalf,” wrote Lior Bela, senior product marketing manager at Microsoft, on the Microsoft IT Pro blog. “The service creates testing rings and monitors rollouts—pausing and even rolling back changes where possible.”
This Tech Tip summarizes the prerequisites for using Autopatch and instructions on enabling the new feature.
Very Specific Prerequisites
Customers must have Windows 10/11 Enterprise E3 or E5 licenses. The organization must also have Azure Active Directory Premium and Microsoft Intune. A proxy or firewall that uses TLS 1.2 is also required.
“Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join,” Microsoft said in the deployment guide.
The endpoints that will be enrolled into Windows Autopatch must be managed by either Microsoft Intune or Configuration Manager Co-Management. Intune must be set as the mobile device management (MDM) authority, or co-management must be turned on and enabled on the endpoints. The endpoints being enrolled must also have connected with Microsoft Intune within the last 28 days in order to be registered with Autopatch.
The endpoints, which must be corporate-owned (bring-your-own-device is not currently supported), should have 64-bit editions of Windows 10/11 Pro, Windows 10/11 Enterprise, or Windows 10/11 Pro for Workstations. However, Windows Autopatch will support updating of Windows 365 cloud PCs in mid-July.
Configuring the Environment
Since Autopatch is cloud-based, there are specific Microsoft services that must be accessible at all times. The four URLs that must be on the allowed list of the proxy or firewall are mmdcustomer.microsoft.com, mmdls.microsoft.com, logcollection.mmd.microsoft.com, and support.mmd.microsoft.com.
The deployment guide lists other firewall configurations, IP ranges, and port requirements for Azure Active Directory, Microsoft Intune, Windows Update for Business, and individual Microsoft applications.
Azure Active Directory must have security defaults enabled and must not have any user names that conflict with those Autopatch needs to use: MsAdmin, MsAdminInt, and MsTest. Azure AD must also be set so that conditional access policies and multifactor authentication aren't assigned to all users. The point is that Autopatch can't be required to have multifactor authentication enabled.
“Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication,” Microsoft said.
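The following pre-flight script is an added example, not code from the article or from Microsoft's Readiness assessment tool. It checks two of the prerequisites above from an admin workstation: that the four Autopatch endpoints are reachable over TLS 1.2 through the system proxy, and that no Azure AD user name collides with the MsAdmin, MsAdminInt, and MsTest accounts Autopatch will create. It assumes Windows PowerShell 5.1 and, for the second check, the Microsoft.Graph.Users module with an existing Connect-MgGraph session that holds at least User.Read.All.

```powershell
# Added example: Windows Autopatch network and account pre-flight checks.
# Assumes Windows PowerShell 5.1 (ServicePointManager governs Invoke-WebRequest there)
# and an existing Connect-MgGraph session for the Azure AD name check.

$autopatchHosts = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

# Offer TLS 1.2 only, so a proxy that downgrades or inspects with older TLS
# fails here instead of during enrollment.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$networkResults = foreach ($h in $autopatchHosts) {
    $status = 'OK'
    try {
        # Any HTTP answer, even 403 or 404, proves the TLS 1.2 handshake and proxy path work.
        Invoke-WebRequest -Uri "https://$h/" -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
    } catch {
        # No Response object means the failure happened before HTTP: DNS, proxy deny, or TLS.
        if (-not $_.Exception.Response) { $status = "BLOCKED: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Endpoint = $h; Status = $status }
}
$networkResults | Format-Table -AutoSize

# Account names Autopatch reserves; an existing user with one of these names fails readiness.
$reserved = 'MsAdmin', 'MsAdminInt', 'MsTest'
$nameResults = foreach ($name in $reserved) {
    $clash = Get-MgUser -Filter "displayName eq '$name' or startswith(userPrincipalName,'$name@')" `
                        -Property DisplayName, UserPrincipalName
    [pscustomobject]@{
        ReservedName = $name
        Conflict     = [bool]$clash
        ExistingUpn  = ($clash | ForEach-Object UserPrincipalName) -join ', '
    }
}
$nameResults | Format-Table -AutoSize
```

A BLOCKED row means the allow-list or TLS 1.2 requirement is not met for that host; a Conflict of True means the listed account must be renamed before the Readiness assessment will pass.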
How Do I Get Started?
Customers with Windows Enterprise E3 and E5 licenses will find Tenant Administration in the Microsoft Endpoint Manager admin center. The option Tenant enrollment in the Windows Autopatch section will begin the process to set up and configure Autopatch.
But first, Microsoft will run the online Readiness assessment tool to check the settings in Microsoft Intune and Azure Active Directory to ensure they're properly configured to work with Windows Autopatch. If issues are found, the administrator must fix them before continuing.
Once everything is ready, the tool will show an Enroll button to kick off the enrollment. During the enrollment process, administrators will be guided to create the policies, groups, and accounts necessary to run Autopatch.
“Once you've enrolled devices into Autopatch, the service does most of the work. But through the Autopatch blade in Microsoft Endpoint Manager, you can fine-tune ring membership, access the service health dashboard, generate reports, and file support requests,” Microsoft said.
What Sysadmins Can't Do
- It is not possible to schedule the updates to roll out on certain days or times. The choice of when to move to the next ring is also not configurable.
- Once a device is registered with Windows Autopatch, updates are rolled out to the device according to its ring assignment. Currently, there is no support for individual device-level control.
- Windows Autopatch doesn't support managing update ring membership using your Azure AD groups.
- There's currently no programmatic access via PowerShell to Autopatch.