Windows Autopatch is a new automatic updates service for enterprise Windows customers that will manage all software, firmware, driver, and enterprise app updates, Microsoft said on April 5.
Windows Autopatch ensures that Windows and Office products on enrolled endpoints are automatically updated, helping administrators easily manage the monthly security updates.
Enterprises typically spend time testing patches within their environments to ensure the updates work with their devices and installed applications before deploying them. Depending on how the patches are tested, there is usually a bit of a delay between when the updates are released and when they are actually deployed throughout the enterprise. Autopatch will eliminate that time gap by delivering important updates in a timely manner.
"This service will keep Windows and Office software on enrolled endpoints up to date automatically, at no additional cost," says Lior Bela, senior product marketing manager at Microsoft. "The second Tuesday of every month will be 'just another Tuesday.'"
The service is available for customers with Windows 10 and 11 Enterprise E3 licenses. There is no additional cost to enable the service, which will officially launch in July.
Progressive Updates Give Control
On the surface, Windows Autopatch may not seem like anything new, as Microsoft has offered some form of automatic updates for a long time. The progressive rollout, however, is new and will allow enterprise IT teams to pace deployments.
Few organizations can claim to have a homogenous environment. There are variations between hardware configurations, installed applications, and network profiles. Windows Autopatch detects variations among endpoints and dynamically categorizes them across four groups, or "rings."
- Test ring: Contains a minimum number of representative devices.
- First ring: Contains 1% of managed devices.
- Fast ring: Contains roughly 9% of devices.
- Broad ring: Contains the remaining 90% of endpoints.
As devices are added and removed from the environment, the rings are adjusted automatically. However, enterprise IT administrators retain the ability to move devices across different rings, Microsoft says.
The Windows Autopatch service rolls out the updates gradually, deploying to the test ring first and slowly expanding through each ring after waiting a specific period of time to validate there are no issues with the updates. If issues crop up, the enterprise IT team has time to remove the problematic update before it hits the majority of the systems.
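The ring scheme and the gated progression described above can be made concrete with a small model. The code below is an added illustration, not Microsoft's or Autopatch's code: it carves out a test ring with one device per distinct hardware/app profile, splits the rest 1% / 9% / 90% as the article describes, then advances the update ring by ring, halting and rolling back the current ring when its post-update failure rate exceeds a stability target. The 2% threshold, the 30-day gap between rings, and the fleet data are assumptions or constructed values, not published Autopatch parameters.

```python
"""Model of a ring-based progressive update rollout with halt and rollback gates.

Added illustration of the ring scheme described in the article; this is not
Microsoft's code. The ring shares and 30-day gap follow the article's description,
the 2% stability threshold and the fleet are constructed assumptions.
"""
from collections import defaultdict
import random

# Ring shares for the devices left after the test ring is carved out
# (first ring 1%, fast ring ~9%, broad ring the remaining 90%).
RING_SHARES = [("First", 0.01), ("Fast", 0.09), ("Broad", 0.90)]
RING_ORDER = ["Test", "First", "Fast", "Broad"]
RING_GAP_DAYS = 30          # wait between rings, per the article
FAILURE_THRESHOLD = 0.02    # assumed stability target: >2% unhealthy devices halts the rollout


def assign_rings(devices, seed=0):
    """Partition devices into rings.

    devices: iterable of (device_id, profile); profile is any hashable description
    of the variation that matters for testing (hardware model, installed apps, ...).
    The test ring takes one device per distinct profile so every variation is
    represented; the rest are shuffled and split according to RING_SHARES.
    """
    rng = random.Random(seed)
    by_profile = defaultdict(list)
    for device_id, profile in devices:
        by_profile[profile].append(device_id)

    rings = {name: [] for name in RING_ORDER}
    remaining = []
    for profile in sorted(by_profile):
        ids = by_profile[profile]
        rng.shuffle(ids)
        rings["Test"].append(ids[0])
        remaining.extend(ids[1:])

    rng.shuffle(remaining)
    total = len(remaining)
    start = 0
    for name, share in RING_SHARES[:-1]:
        size = max(1, round(total * share)) if total else 0
        rings[name] = remaining[start:start + size]
        start += size
    rings[RING_SHARES[-1][0]] = remaining[start:]   # broad ring absorbs the remainder
    return rings


def run_rollout(rings, unhealthy, threshold=FAILURE_THRESHOLD):
    """Advance the update ring by ring, gating on post-update health.

    unhealthy: set of device ids that showed problems after the update
    (constructed telemetry; a real service would compare against pre-update
    metrics and the previous ring, as the article describes).
    Returns the rollout status, which devices are patched or rolled back,
    and a per-ring log with the day offset at which each ring would start.
    """
    log = []
    patched = []
    for index, name in enumerate(RING_ORDER):
        members = rings[name]
        failed = [d for d in members if d in unhealthy]
        rate = len(failed) / len(members) if members else 0.0
        log.append({"ring": name, "day": index * RING_GAP_DAYS,
                    "devices": len(members), "unhealthy": len(failed), "rate": rate})
        if rate > threshold:
            # Halt: the next ring never starts. Rollback: this ring uninstalls.
            return {"status": "halted", "halted_at": name,
                    "rolled_back": list(members), "patched": patched, "log": log}
        patched.extend(members)
    return {"status": "complete", "halted_at": None,
            "rolled_back": [], "patched": patched, "log": log}


if __name__ == "__main__":
    # Constructed fleet: 400 devices across 4 hardware models and 3 app bundles.
    fleet = [(f"dev{i}", (f"model{i % 4}", f"apps{i % 3}")) for i in range(400)]
    rings = assign_rings(fleet)
    for name in RING_ORDER:
        print(f"{name:5s} ring: {len(rings[name])} devices")
    # Constructed outcome: the update breaks three devices in the first ring.
    broken = set(rings["First"][:3])
    result = run_rollout(rings, broken)
    print(result["status"], "at", result["halted_at"],
          "- patched so far:", len(result["patched"]))
```

With the constructed fleet the test ring holds 12 devices (one per profile), and a bad update that breaks three of the four first-ring devices halts the rollout there, so only the test ring ever receives it; the point of the model is that the failure surfaces while the blast radius is small and the broad ring has not started.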
"As more devices receive updates, Autopatch monitors device performance and compares performance to pre-update metrics as well as metrics from the previous ring where applicable," Microsoft says. "The result is a rollout cadence that balances speed and efficiency, optimizing productive uptime."
IT teams will need to continue patching Windows servers as part of their own testing and deployment cycles, as server updates will not be included in Windows Autopatch, Microsoft says on its FAQ page. This makes sense, as servers running critical business applications are "typically more sensitive to upgrades/updates," says Danny Kim, senior principal architect for Virsec.
"Patching is always a recommended remediation tool but should be taken with a grain of salt for servers because, one, servers may have more restrictions in place to ensure the proper operation of the enterprise’s applications, and, two, patching works for known vulnerabilities that have a fix. Zero-day vulnerabilities make up a nontrivial percentage of the most noteworthy attacks," Kim says.
Autopatch Features and Capabilities
Microsoft highlighted three features: Halt, Rollback, and Selectivity. With Halt, updates cannot proceed to the next ring until specific stability targets are met. Rollback handles uninstalling updates if performance targets are not met or there are issues. Selectivity allows IT administrators to choose portions of the update package to deploy. Microsoft needs to provide some more details about the "stability thresholds," such as whether that refers to just the stability of the operating system or if application interactions would also be considered, says Tyler Reguly, manager of security R&D at Tripwire.
Reguly also notes that Rollback isn’t necessarily a feature, "as the ability to uninstall updates is standard practice, [and] it would be worrying if this was not available."
Selectivity lets administrators return to the old way of applying Windows updates, before cumulative updates were introduced. In the past, administrators could install fixes for specific vulnerabilities because each patch was its own individual download. With cumulative updates, if one patch interacted badly with installed applications, all other patches had to be avoided until the issue was resolved.
"Microsoft just seems to be bringing back the old way of patching for a few specific versions of Windows," Reguly says. "Microsoft brought in cumulative patching as a way of making the patching process easier. It’s interesting, and perhaps understandable, that they now seem to be backtracking on that decision."
To help enterprises assess whether they can use Windows Autopatch across their Microsoft environments, the company is offering a "built-in readiness assessment tool to check settings in Intune, Azure AD, and Microsoft 365 Apps for Enterprise." The tool will also help enterprises address identified issues and ensure the Microsoft platforms are configured to work with Autopatch. Enrollment is straightforward: accept the terms of service and add administrative contacts. Policies and groups are defined automatically, but administrators will get to choose what devices are enrolled or fine-tune ring memberships.
Windows Autopatch will manage Windows 10 and Windows 11 quality and feature updates, as well as drivers, firmware, and Microsoft 365 Apps for enterprise updates. Autopatch will deploy security, firmware, and "essential functionality" updates swiftly, while the feature updates – usually user interface or experience changes – will be rolled out on a slower schedule. There will be 30 days between each ring receiving the updates to give users time to interact and report issues.
"Whenever issues arise with any Autopatch update, the remediation gets incorporated and applied to future deployments, affording a level of proactive service that no IT admin team could easily replicate. As Autopatch serves more updates, it only gets better," Microsoft says.
Microsoft says Autopatch monitors device performance to balance speed and efficiency, as well as to optimize productivity. IT administrators can view details about schedules and update status through a centralized reporting and messaging center. However, for the service to truly be useful, Windows Autopatch needs to report more than just the fact that the updates have been applied, Reguly says.
Indeed, many Microsoft patches often require additional configuration steps after applying the update, such as setting registry keys, and it doesn’t seem Autopatch will be handling those types of tasks. If the service doesn’t warn the IT administrators that post-patching configuration steps are still missing, then seeing a report that updates have been installed is incomplete information. IT teams may need to invest in a separate vulnerability management tool that understands post-patching configuration if they wind up enabling the Autopatch service, Reguly suggests.
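The gap Reguly describes can be expressed as a compliance check that distinguishes "update installed" from "fix actually active". The code below is an added illustration, not Autopatch or any vendor's tool: each requirement pairs an update identifier with the registry values the fix needs, and a device is only reported as remediated when both conditions hold. The KB identifiers, registry paths and values are constructed placeholders, and the device state is a plain data structure rather than a live registry read, so the logic runs anywhere.

```python
"""Patch-compliance check that treats "installed" and "configured" as separate states.

Added illustration of the gap the article describes (updates that also need a
registry setting before the fix is active). Not Autopatch code; the KB numbers,
registry paths and values are constructed placeholders, not real ones.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PatchRequirement:
    kb: str                                         # update identifier (placeholder)
    registry: dict = field(default_factory=dict)    # {(key_path, value_name): required_value}


@dataclass
class DeviceState:
    installed_kbs: set                              # updates reported as installed
    registry: dict                                  # {(key_path, value_name): current_value}


def evaluate(device, requirements):
    """Return a list of (kb, status, missing_settings).

    status is 'not_installed', 'installed_unconfigured' (the update is present but
    a required post-patch setting is absent or wrong) or 'remediated'.
    """
    report = []
    for req in requirements:
        if req.kb not in device.installed_kbs:
            report.append((req.kb, "not_installed", []))
            continue
        missing = [f"{path}\\{name}={wanted}"
                   for (path, name), wanted in req.registry.items()
                   if device.registry.get((path, name)) != wanted]
        status = "remediated" if not missing else "installed_unconfigured"
        report.append((req.kb, status, missing))
    return report


def summarize(report):
    """Count requirements per status so a dashboard can show more than 'installed'."""
    counts = {"not_installed": 0, "installed_unconfigured": 0, "remediated": 0}
    for _, status, _ in report:
        counts[status] += 1
    return counts


# Constructed sample data: two placeholder updates, one of which needs a registry
# value before its protection is active.
MITIGATION_KEY = ("HKLM\\SOFTWARE\\ExampleVendor\\Mitigation", "Enabled")
SAMPLE_REQUIREMENTS = [
    PatchRequirement("KB-EXAMPLE-1"),
    PatchRequirement("KB-EXAMPLE-2", {MITIGATION_KEY: 1}),
]
SAMPLE_DEVICE = DeviceState(
    installed_kbs={"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
    registry={MITIGATION_KEY: 0},     # update installed, switch never flipped
)


if __name__ == "__main__":
    for kb, status, missing in evaluate(SAMPLE_DEVICE, SAMPLE_REQUIREMENTS):
        print(kb, status, "; ".join(missing))
    print(summarize(evaluate(SAMPLE_DEVICE, SAMPLE_REQUIREMENTS)))
```

On the sample device an installed-only report would show two updates applied; the check instead reports one remediated and one installed but unconfigured, which is the distinction a vulnerability scanner that understands post-patch configuration would surface.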
Future of Patching
There is a clear trend toward automated updates, both to speed up security fixes and to free up IT administrators to work on other high-priority tasks. The data suggest that software with auto-distributed patches sees its vulnerabilities remediated more quickly, says Wade Baker, partner and co-founder of Cyentia Institute.
The half-life of vulnerabilities (days required to remediate half the vulnerabilities in assets) in a Windows system is 36 days, compared with 70 days for Macs and 254 days for Linux/Unix systems, according to "Prioritization to Prediction vol. 5," a report jointly produced by Cyentia and Kenna Security. Microsoft’s focus on quick patching and automation in newer versions of Windows seems to be paying off, as the latest Windows versions tend to have more than half of the vulnerabilities fixed by the first month.
"The recipe of a regular cadence for patch releases, automatic/forced updates (love them or loathe them), efficient tools for deploying patches, etc., appears to be yielding good fruit for fast fixes," the report says.
Windows vulnerabilities also tend to be remediated sooner than third-party vulnerabilities – "68% of Microsoft bugs are squashed in the first month compared to 30% for non-native software on those same assets," according to the report.
Microsoft says automating the management of updates can close the protection and productivity gaps, increase confidence around introducing new features, and reduce the time IT admins spend planning, testing, and rolling out updates. While Microsoft is focused on making the service easy to use, the company will also need to provide more details about how the service works under the hood to convince enterprise IT teams that the service will actually help in the long run.
"While there is the potential for this to be another tool in an admin’s toolbox, I don’t see this making the second Tuesday of every month 'just another Tuesday,'" Reguly says. "Instead, I see a lot of questions, a lot of work, and a lot of research in the future for operations teams looking to consider deploying this."