anyweb Posted February 12

Introduction

This is Part 7 in a new series of guides about getting started with Windows 365. This series of guides will help you to learn all about Windows 365 in a clear and insightful way. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVPs with broad experience in the area of modern management. At the time of writing, Paul is a 6 times Enterprise Mobility MVP based in the UK and Niall is a 12 times Enterprise Mobility MVP based in Sweden. In this series we aim to cover everything we learn about Windows 365 and share it with you to help you to deploy it safely and securely within your own organization.

In Part 1 we introduced you to Windows 365: selecting the right edition with the level of management that you need, choosing the plan that suits your users' needs at a cost you can afford (or modifying the configuration to make it more suited to your individual needs), purchasing licenses and saving money for your organization via the Windows Hybrid Benefit. In Part 2 you learned how to provision an Azure AD joined Cloud PC and took a look at the different network options available when provisioning an Azure AD joined Cloud PC. In Part 3 you learned about the steps needed to successfully provision a Hybrid Azure AD Joined Cloud PC. In Part 4 you saw the many different ways you can connect to your Cloud PC from many devices, be it Android, Mac, Windows, Linux or iPhone, and you learned that not all connection options have the same abilities. In Part 5 we covered the management capabilities of your Cloud PCs and explained the different options available depending on which version (Business versus Enterprise) you purchase.
In Part 6 we looked at the built-in configurable backup technology in Windows 365 known as Point-in-time restore, which gives the admin (or user) the ability to restore Cloud PCs to an earlier time, before a problem such as a ransomware incident occurred.

Below you can find all parts in this series:

- Getting started with Windows 365 - Part 1. Introduction
- Getting started with Windows 365 - Part 2. Provisioning an Azure AD Joined Cloud PC
- Getting started with Windows 365 - Part 3. Provisioning a Hybrid Azure AD Joined Cloud PC
- Getting started with Windows 365 - Part 4. Connecting to your Cloud PC
- Getting started with Windows 365 - Part 5. Managing your Cloud PC
- Getting started with Windows 365 - Part 6. Point in time restore
- Getting started with Windows 365 - Part 7. Patching your Cloud PCs with Windows Autopatch <- you are here
- Getting started with Windows 365 - Part 8. Windows 365 boot
- Getting started with Windows 365 - Part 9. Windows 365 switch
- Getting started with Windows 365 - Part 10. Windows 365 offline

In this part we'll cover the following:

- Introduction to Windows Autopatch
- Prerequisites
- Allow access to admins without licenses
- Enroll into Windows Autopatch
- Readiness assessment tool
- Enroll
- Device registration
- Moving devices between deployment rings
- Reports
- User Experience
- Create Provisioning policy
- Recommended reading
- Summary

Introduction to Windows Autopatch

"Do more with less"

Windows Autopatch was created to ease the pain of managing software updates by automating those tasks, improving security and thereby freeing up IT admins' time. After registering devices with Windows Autopatch it can deal with multiple areas of update management, including:

- Windows quality updates
- Windows feature updates
- Microsoft 365 Apps for enterprise
- Microsoft Edge
- Microsoft Teams

Windows Autopatch aims to reach the following SLOs (Service Level Objectives) at the time of writing:
- Windows quality updates - 95% of eligible devices on the latest quality update within 21 days
- Windows feature updates - 99% of eligible devices on a supported version
- Microsoft 365 Apps for enterprise - 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC)

Prerequisites

Windows Autopatch, like all Microsoft services, has a list of prerequisites. You can review them here; they cover 4 main areas:

- Licensing
- Connectivity
- Azure Active Directory
- Device Management

In a nutshell, you must be licensed to use Windows Autopatch: Windows 10/11 Enterprise E3 (or higher) must be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune licenses are required. You must also allow connectivity to all endpoints specified here, including mmdcustomer.microsoft.com, mmdls.microsoft.com, logcollection.mmd.microsoft.com and support.mmd.microsoft.com. Your users must be created in Azure Active Directory or synced via the latest version of Azure AD Connect. Last but not least, your devices must already be enrolled into Intune management before you try to register them with the Windows Autopatch service. They can use co-management but, if so, make sure that the following workloads are pointing to Pilot Intune or Intune:

- Windows Update policies workload to Pilot Intune or Intune.
- Device configuration workload to Pilot Intune or Intune.
- Office Click-to-Run apps workload to Pilot Intune or Intune.

Allow access to admins without licenses

When turning on Windows Autopatch for your tenant, one of the tests that will be done is admin licensing. You can make things smoother by configuring this setting in advance. You can give administrators access to Microsoft Endpoint Manager without them requiring an Intune license, see Unlicensed admins in Microsoft Intune | Microsoft Learn:

Quote:
This feature applies to any administrator, including Intune administrators, global administrators, Azure AD administrators, and so on. Other features or services, such as those in Azure Active Directory (AD) Premium, may require a license for the administrator.

The Unlicensed admins option has been enabled by default on all accounts created after the 2006 release. To flip the setting, go to Tenant admin, click on Roles, select Endpoint Manager roles and click on Administrator Licensing. Read the warning before clicking Yes (or No if you are unsure). Once done, there will simply be a blank space to greet you in the Administrator Licensing section.

Enroll into Windows Autopatch

Readiness assessment tool

At this point you are hopefully ready to enroll your tenant into Windows Autopatch, so let's do it. In the Tenant Admin node, click on Tenant enrollment and select Windows Autopatch. Place a tick in the checkbox and click Agree. This will launch the readiness assessment tool. Clicking on View details gives you an overview of what is OK or NOT OK in your tenant in relation to Windows Autopatch. Any errors marked in red must be fixed (notice the unlicensed admin error!). You can click on a linked entry to get details of the problem, for example the co-management advisory, or the advisory for Update rings for Windows 10, which is odd as you haven't created any for Windows Autopatch yet, so how can you exclude them in advance? After fixing the minor problems noted above, you can click on Run checks again and this time it should report that it is Ready (to enroll). If you are still curious about why there are still 2 advisories, you can click on View details again to review them.

Enroll

Now that the readiness assessment is happy, go ahead and click on Enroll. You'll have to agree to allow admin access for Microsoft, which requires the email addresses and phone numbers of 2 admin users. Supply the details of your Primary admin and the Secondary admin. After clicking Complete you might see an error; don't panic, we did in both our tenants, but on the second attempt all was good!
Notice all the activity going crazy in the notification area. After some time you should be notified that Windows Autopatch Setup is complete.

Changes to your tenant

When you enroll into Windows Autopatch the service creates many new objects, including Azure AD groups, policies, update rings and reports. Here are a few snippets of some of those many changes:

- New Azure AD Groups
- New configuration profiles
- New PowerShell script: Modern Workplace - Autopatch Client Setup v1.1
- New Update Rings
- New Feature Updates
- New reports

Device registration

Clicking Continue (in the screenshot above) brings you to the Windows Autopatch devices view, which will most likely be empty after enrollment. It's separated into three tabs:

- Ready
- Not ready (Preview)
- Not registered

After reading the text and clicking the included link it was clear that there was a new Azure AD group created by the Windows Autopatch service called Windows Autopatch Device Registration. We went ahead and added a Windows 365 Cloud PC to the Windows Autopatch Device Registration group. Next, in the Windows Autopatch devices node, click on Discover Devices to get the service to look for new members in that group. After some time it showed up. We then looked at the Group Membership of that device directly after we registered it with Windows Autopatch. Interesting how it detects that the Cloud PC is a Virtual Machine. You'll notice that the Windows Autopatch service has automatically added this Cloud PC to a group called First; this is one of 4 update ring groups:

- Modern Workplace Devices-Windows Autopatch-Test: Deployment ring for testing update deployments prior to production rollout.
- Modern Workplace Devices-Windows Autopatch-First: First production deployment ring for early adopters.
- Modern Workplace Devices-Windows Autopatch-Fast: Fast deployment ring for quick rollout and adoption.
- Modern Workplace Devices-Windows Autopatch-Broad: Final deployment ring for broad rollout into the organization.
Intrigued, we added another Cloud PC along with several unpatched, out of date devices in the tenant to see what would happen. Within some time the Windows Autopatch service had assigned these devices to groups automatically, with both of the Windows 365 Cloud PCs added to the First update ring. In addition to these Ready devices, some were Not registered with the service due to not meeting prerequisites.

Moving devices between deployment rings

To change the update ring a device is in, you must select one or more devices and use the Device actions dropdown to move them to another update ring group; do not simply move the device from one Azure AD group to another (more on those groups later). This brings up a dropdown list of the available rings (update ring groups). We selected the Test ring for this Cloud PC. Note that you can only move devices to other deployment rings when they are in an Active state in the Status tab.

Reports

Windows Autopatch includes new reports to assist with monitoring the effectiveness of automated software update management. Let's take a look. In the Reports node of Intune, select Windows Quality Updates in the Windows Autopatch section. You'll be presented with a summary of Windows Autopatch managed devices in their various states, listed below:

- Up to Date
- In Progress
- Paused
- Not Up to Date
- Ineligible
- Total

Clicking on the Reports tab (beside Summary) will show the actual reports. In the first report, All devices report, you can see our Cloud PCs are currently up to date! Great. Truth be told however, they had an issue before Windows Autopatch could do its thing: they were getting a GPO applied (as they are Hybrid Azure AD joined) which was blocking automatic updates. Once that GPO was identified and unlinked, they updated very quickly indeed. Below you can see what they looked like before the GPO was identified.
Notice how they are both showing with an Update Status of Not Up to Date, and the Update sub status looks confused (Other and No Heartbeat). The offending GPO was setting the following registry values, which were blocking Windows Autopatch:

HKLM\software\policies\microsoft\windows\windowsupdate
- WUServer
- WUStatusServer
- DoNotConnectToWindowsUpdateInternetLocations
- DisableWindowsUpdateAccess
- AU\NoAutoUpdate
- AU\UseWUServer

The next report is All devices report - historical, which gives you a historical view of how up to date (or not) your devices are over a period of time (90-day trend); notice how currently 7 out of 10 devices are up to date and none are not up to date. You can click on any of the headings in the right pane to get time points and clarity for that section. You can also choose Export trend to get a CSV file containing this data; unfortunately it doesn't go any deeper than what you see here, so you won't, for example, see device names/serial numbers or anything useful like that. Hopefully we can get that data in a later release. The next report is Eligible devices report - historical, where you can review the effectiveness of any of the Windows Autopatch update rings over a period of time. And finally we have Ineligible devices report - historical, which shows data about your ineligible devices and whether they are on an unsupported build or not.

User Experience

The user experience is exactly what you'd expect from WUfB managed clients: you get the normal Windows notifications and they are governed by the Windows Autopatch update ring policies, which you shouldn't change as they will be overwritten by the Windows Autopatch service. Below is one such notification received by our Cloud PCs over the last few weeks.

Create Provisioning policy

Lastly, we'd like to mention the Windows Autopatch setting in the Create Provisioning Policy section. It's there, but it's not clear exactly what it does (for example, would it kick off the Windows Autopatch readiness assessment tool if you hadn't yet enrolled into Windows Autopatch?). This remains unanswered. We'll update this part after getting clarification from Microsoft.

Recommended reading

- What is Windows Autopatch - https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-overview
- Windows Autopatch FastTrack support - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-in-windows-autopatch-january-2023-fasttrack-support/
- Windows Autopatch prerequisites - Prerequisites - Windows Deployment | Microsoft Learn
- Windows Autopatch device status - https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview
- Get current and stay current with Windows Autopatch - Blog | Get current and stay current with Windows Autopatch | Tech Community (microsoft.com)
- What's new in Windows Autopatch - FastTrack support - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-in-windows-autopatch-january-2023-fasttrack-support/ba-p/3713988?WT.mc_id=EM-MVP-5003580
- Windows Autopatch Quality Update reports overview - https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview
- Windows Autopatch deployment guide (new) - https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide

Summary

The Windows Autopatch service is like your very own IT admin for Software Update Management, much like what you get with Automatic Deployment Rules within Configuration Manager or Windows Intune's quality and feature update rings. The difference here is that when you enable Windows Autopatch, Microsoft defines and manages these administrative tasks so you don't have to.
Keep in mind that it is not recommended to change any settings in the preconfigured update rings, policies or scripts provided by the service, as they could be overwritten by the service when it gets updated by Microsoft. Also, you should not manually populate the Azure AD groups created by the service, except the one used for device registration. The fact that you can't really deviate from the settings, policies and parts that make up Windows Autopatch can be a downside for some customers. Hopefully Microsoft reads this and adds this ability going forward. Overall though, a thumbs up from us; well done to all involved with creating Windows Autopatch, it makes the management of updates, security patches and more for your Cloud PCs a walk in the park.
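As an added example (not part of the original post or of the Windows Autopatch service), here is a PowerShell pre-flight check you can run on a device before adding it to the Windows Autopatch Device Registration group. It covers the two things that tripped us up above: outbound reachability of the endpoints named in the Prerequisites section, and the Windows Update policy registry values that the GPO in the Reports section was setting. TCP port 443 is an assumption; the Microsoft endpoint list is the authoritative source for ports and URLs.

```powershell
# Added example, not from the original post: pre-flight check for one device
# before it is added to the Windows Autopatch Device Registration group.
# Assumption: the Autopatch endpoints are reached over TCP 443 (check the
# Microsoft endpoint list for the authoritative ports and URLs).
$endpoints = @(
    'mmdcustomer.microsoft.com',
    'mmdls.microsoft.com',
    'logcollection.mmd.microsoft.com',
    'support.mmd.microsoft.com'
)

# Policy values that point the device at WSUS or block Windows Update; any of
# them present means a GPO still wins over the Autopatch update rings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$blockingValues = @{
    $policyKey      = @('WUServer', 'WUStatusServer',
                        'DoNotConnectToWindowsUpdateInternetLocations',
                        'DisableWindowsUpdateAccess')
    "$policyKey\AU" = @('NoAutoUpdate', 'UseWUServer')
}

function Test-AutopatchEndpoints {
    foreach ($hostName in $endpoints) {
        $reachable = Test-NetConnection -ComputerName $hostName -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "Endpoint ${hostName}:443"
            Result = $(if ($reachable) { 'OK' } else { 'BLOCKED' })
        }
    }
}

function Test-UpdatePolicyValues {
    foreach ($key in $blockingValues.Keys) {
        if (-not (Test-Path -Path $key)) { continue }   # no policy key: fine
        $item = Get-ItemProperty -Path $key
        foreach ($name in $blockingValues[$key]) {
            if ($null -ne $item.$name) {
                [pscustomobject]@{
                    Check  = "$key\$name"
                    Result = "SET to '$($item.$name)', unlink the GPO that sets it"
                }
            }
        }
    }
}

$results = @(Test-AutopatchEndpoints) + @(Test-UpdatePolicyValues)
$results | Format-Table -AutoSize
if ($results.Result -match '^(BLOCKED|SET)') { Write-Warning 'Device is not ready for Windows Autopatch.' }
```

Run it in an elevated PowerShell session on the Cloud PC; a clean run lists only OK endpoints and no SET rows, which is the state our devices reached once the GPO was unlinked.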